Re: [TLS] Merkle Tree Certificates
Stephen Farrell <stephen.farrell@cs.tcd.ie> Sat, 11 March 2023 19:43 UTC
To: David Benjamin <davidben@chromium.org>, tls@ietf.org
Cc: Devon O'Brien <asymmetric@google.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/PfBakletTKVbOT6VHkeO7KaFi5I>

Hiya,

I had a read and think this is a great topic for discussion.
A few points:

- I think we'd benefit from trying to think through the
  dynamics of this, e.g. how many of each entity might we see
  and how'd that differ from the current web PKI and possibly
  affect the web? (It's fine that that analysis emerge in
  time, not asking for it now.)
- I do think the trust_anchors extension values might be
  better off as e.g. truncated hashes of public keys or
  something like that.
- Aside from better on-the-wire efficiency, I think another
  reason to examine designs like this is that adding multiple
  public keys and signatures to x.509 certs (one of the
  alternative designs) seems like it might be a bit of a
  nightmare, as PKI libraries are buggily updated to try
  handle that - designs like this seem better in terms of
  keeping the new code in a less risky place.

Cheers,
S.

On 10/03/2023 22:09, David Benjamin wrote:
> Hi all,
>
> I've just uploaded a draft, below, describing several ideas we've been
> mulling over regarding certificates in TLS. This is a draft-00 with a lot
> of moving parts, so think of it as the first pass at some of ideas that we
> think fit well together, rather than a concrete, fully-baked system.
>
> The document describes a new certificate format based on Merkle Trees,
> which aims to mitigate the many signatures we send today, particularly in
> applications that use Certificate Transparency, and as post-quantum
> signature schemes get large. Four signatures (two SCTs, two X.509
> signatures) and an intermediate CA's public key gets rather large,
> particularly with something like Dilithium3's 3,293-byte signatures. This
> format uses a single Merkle Tree inclusion proof, which we estimate at
> roughly 600 bytes. (Note that this proposal targets certificate-related
> signatures but not the TLS handshake signature.)
>
> As part of this, it also includes an extensibility and certificate
> negotiation story that we hope will be useful beyond this particular scheme.
>
> This isn't meant to replace existing PKI mechanisms. Rather, it's an
> optional optimization for connections that are able to use it. Where they
> aren't, you negotiate another certificate. I work on a web browser, so this
> has browsers and HTTPS over TLS in mind, but we hope it, or some ideas in
> it, will be more broadly useful.
>
> That said, we don't expect it's for everyone, and that's fine! With a
> robust negotiation story, we don't have to limit ourselves to a single
> answer for all cases at once. Even within browsers and the web, it cannot
> handle all cases, so we're thinking of this as one of several sorts of PKI
> mechanisms that might be selected via negotiation.
>
> Thoughts? We're very eager to get feedback on this.
>
> David
>
> On Fri, Mar 10, 2023 at 4:38 PM <internet-drafts@ietf.org> wrote:
>
>>
>> A new version of I-D, draft-davidben-tls-merkle-tree-certs-00.txt
>> has been successfully submitted by David Benjamin and posted to the
>> IETF repository.
>>
>> Name: draft-davidben-tls-merkle-tree-certs
>> Revision: 00
>> Title: Merkle Tree Certificates for TLS
>> Document date: 2023-03-10
>> Group: Individual Submission
>> Pages: 45
>> URL:
>> https://www.ietf.org/archive/id/draft-davidben-tls-merkle-tree-certs-00.txt
>> Status:
>> https://datatracker.ietf.org/doc/draft-davidben-tls-merkle-tree-certs/
>> Html:
>> https://www.ietf.org/archive/id/draft-davidben-tls-merkle-tree-certs-00.html
>> Htmlized:
>> https://datatracker.ietf.org/doc/html/draft-davidben-tls-merkle-tree-certs
>>
>>
>> Abstract:
>> This document describes Merkle Tree certificates, a new certificate
>> type for use with TLS. A relying party that regularly fetches
>> information from a transparency service can use this certificate type
>> as a size optimization over more conventional mechanisms with
>> post-quantum signatures. Merkle Tree certificates integrate the roles of
>> X.509 and Certificate Transparency, achieving comparable security
>> properties with a smaller message size, at the cost of more limited
>> applicability.
>>
>>
>> The IETF Secretariat
>>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
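
The size argument in the quoted announcement, shown as an added example that is not part of either message or of the draft: a relying party that already holds a tree root checks one leaf with a logarithmic number of sibling hashes instead of verifying several signatures. The hashing here follows the RFC 6962 tree construction with SHA-256, which is an assumption (the draft defines its own encoding); the leaf contents, the tree size of 1000 and all function names are constructed for illustration.

```python
import hashlib
import hmac

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _split(n: int) -> int:
    return 1 << ((n - 1).bit_length() - 1)  # largest power of two < n

def tree_root(leaves):
    """Root hash; 0x00/0x01 prefixes keep leaves and nodes distinct."""
    if len(leaves) == 1:
        return _h(b"\x00" + leaves[0])
    k = _split(len(leaves))
    return _h(b"\x01" + tree_root(leaves[:k]) + tree_root(leaves[k:]))

def inclusion_proof(index, leaves):
    """Sibling hashes from the leaf up to the root."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(index, leaves[:k]) + [tree_root(leaves[k:])]
    return inclusion_proof(index - k, leaves[k:]) + [tree_root(leaves[:k])]

def _fold(index, size, node, proof):
    if size == 1:
        if proof:
            raise ValueError("proof too long")
        return node
    if not proof:
        raise ValueError("proof too short")
    k = _split(size)
    if index < k:
        return _h(b"\x01" + _fold(index, k, node, proof[:-1]) + proof[-1])
    return _h(b"\x01" + proof[-1] + _fold(index - k, size - k, node, proof[:-1]))

def verify_inclusion(index, size, leaf, proof, root):
    if not 0 <= index < size:
        return False
    try:
        return hmac.compare_digest(_fold(index, size, _h(b"\x00" + leaf), list(proof)), root)
    except ValueError:
        return False

# Constructed sample data: 1000 placeholder assertions in one tree.
LEAVES = [b"constructed-assertion-%d" % i for i in range(1000)]
ROOT = tree_root(LEAVES)
PROOF = inclusion_proof(123, LEAVES)
PROOF_BYTES = sum(len(h) for h in PROOF)   # hashes only, no framing
FOUR_SIGNATURES = 4 * 3293                 # Dilithium3 figure quoted above
```

The verifier binds the proof to both the leaf index and the tree size, so a proof of the wrong length or for a different position is rejected rather than silently accepted.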