IETF Logo Mail Archive

Re: [TLS] Merkle Tree Certificates

"Kampanakis, Panos" <kpanos@amazon.com> Tue, 14 March 2023 13:46 UTC

Return-Path: <prvs=4307c1b8f=kpanos@amazon.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 880E4C13AE3D for <tls@ietfa.amsl.com>; Tue, 14 Mar 2023 06:46:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.598
X-Spam-Level:
X-Spam-Status: No, score=-9.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sek519djpk-r for <tls@ietfa.amsl.com>; Tue, 14 Mar 2023 06:46:54 -0700 (PDT)
Received: from smtp-fw-6001.amazon.com (smtp-fw-6001.amazon.com [52.95.48.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 88D8AC152577 for <tls@ietf.org>; Tue, 14 Mar 2023 06:46:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1678801615; x=1710337615; h=from:to:cc:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version:subject; bh=DKpJOinDjyNjgFm0fMBxzknFVSeat3mD7Ys2tBHRY3E=; b=ZGba3KTwBlJ6KCNst1dTIU4DXjgO3bueSlzZdJoNZpG8GQ8wLtZ49Ul5 uAzHGg3xphopqmYT/MMf2xWmtGDAQGkMhQ/0fW9CKWewYdhaUonuRR9lJ b+vpHbGRjYJj9esidimFOjMBtFMuV6yi5300dgeHRH4vjEsQHG690ZjVf s=;
X-IronPort-AV: E=Sophos;i="5.98,260,1673913600"; d="scan'208";a="308971906"
Thread-Topic: [TLS] Merkle Tree Certificates
Received: from iad12-co-svc-p1-lb1-vlan2.amazon.com (HELO email-inbound-relay-pdx-2b-m6i4x-f253a3a3.us-west-2.amazon.com) ([10.43.8.2]) by smtp-border-fw-6001.iad6.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 Mar 2023 13:46:48 +0000
Received: from EX19MTAUWB002.ant.amazon.com (pdx1-ws-svc-p6-lb9-vlan2.pdx.amazon.com [10.236.137.194]) by email-inbound-relay-pdx-2b-m6i4x-f253a3a3.us-west-2.amazon.com (Postfix) with ESMTPS id 8951181C56; Tue, 14 Mar 2023 13:46:47 +0000 (UTC)
Received: from EX19D001ANA004.ant.amazon.com (10.37.240.187) by EX19MTAUWB002.ant.amazon.com (10.250.64.231) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.25; Tue, 14 Mar 2023 13:46:41 +0000
Received: from EX19D001ANA001.ant.amazon.com (10.37.240.156) by EX19D001ANA004.ant.amazon.com (10.37.240.187) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.1118.24; Tue, 14 Mar 2023 13:46:40 +0000
Received: from EX19D001ANA001.ant.amazon.com ([fe80::4f78:75cd:3117:8055]) by EX19D001ANA001.ant.amazon.com ([fe80::4f78:75cd:3117:8055%5]) with mapi id 15.02.1118.024; Tue, 14 Mar 2023 13:46:40 +0000
From: "Kampanakis, Panos" <kpanos@amazon.com>
To: Hubert Kario <hkario@redhat.com>, David Benjamin <davidben@chromium.org>
CC: "<tls@ietf.org>" <tls@ietf.org>, Devon O'Brien <asymmetric@google.com>
Thread-Index: AQHZVb2z+ApIKJHf4kCp29rGAFijJq75j15Q
Date: Tue, 14 Mar 2023 13:46:39 +0000
Message-ID: <a24924a2cc2b4afba890660bdc2c220d@amazon.com>
References: <167848430887.5487.1347334366320377305@ietfa.amsl.com> <CAF8qwaD9x5v1uU6mLtnUAGMnBW881ZE0ymK8rsQzrV2hfj7yHA@mail.gmail.com> <e1bffaf7-bca0-45d0-a844-39d20473c446@redhat.com>
In-Reply-To: <e1bffaf7-bca0-45d0-a844-39d20473c446@redhat.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.37.240.172]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/QeKY57yKUqPcUN0uurtmeduUrHA>
Subject: Re: [TLS] Merkle Tree Certificates
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Mar 2023 13:46:55 -0000

Hi Hubert, 

I am not an author of draft-davidben-tls-merkle-tree-certs, but I had some feedback on this question: 

RFC7924 was a good idea but I don’t think it got deployed. It has the disadvantage that it allows for connection correlation and it is also challenging to demand a client to either know all its possible destination end-entity certs or be able to have a caching mechanism that keeps getting updated. Given these challenges and that CAs are more static and less (~1500 in number) than leaf certs, we have proposed suppressing the ICAs in the chain (draft-kampanakis-tls-scas-latest which replaced draft-thomson-tls-sic ) , but not the server cert. 

I think draft-davidben-tls-merkle-tree-certs is trying to achieve something similar by introducing a Merkle tree structure for certs signed by a CA. To me it seems to leverage a Merkle tree structure which "batches the public key + identities" the CA issues. Verifiers can just verify the tree and thus assume that the public key of the peer it is talking to is "certified by the tree CA". The way I see it, this construction flattens the PKI structure, and issuing CA's are trusted now instead of a more limited set of roots. This change is not trivial in my eyes, but the end goal is similar, to shrink the amount of auth data. 



-----Original Message-----
From: TLS <tls-bounces@ietf.org> On Behalf Of Hubert Kario
Sent: Monday, March 13, 2023 11:08 AM
To: David Benjamin <davidben@chromium.org>
Cc: <tls@ietf.org> <tls@ietf.org>; Devon O'Brien <asymmetric@google.com>
Subject: RE: [EXTERNAL][TLS] Merkle Tree Certificates

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.



Why not rfc7924?

On Friday, 10 March 2023 23:09:10 CET, David Benjamin wrote:
> Hi all,
>
> I've just uploaded a draft, below, describing several ideas we've been 
> mulling over regarding certificates in TLS. This is a
> draft-00 with a lot of moving parts, so think of it as the first pass 
> at some of ideas that we think fit well together, rather than a 
> concrete, fully-baked system.
>
> The document describes a new certificate format based on Merkle Trees, 
> which aims to mitigate the many signatures we send today, particularly 
> in applications that use Certificate Transparency, and as post-quantum 
> signature schemes get large. Four signatures (two SCTs, two X.509 
> signatures) and an intermediate CA's public key gets rather large, 
> particularly with something like Dilithium3's 3,293-byte signatures. 
> This format uses a single Merkle Tree inclusion proof, which we 
> estimate at roughly 600 bytes. (Note that this proposal targets 
> certificate-related signatures but not the TLS handshake signature.)
>
> As part of this, it also includes an extensibility and certificate 
> negotiation story that we hope will be useful beyond this particular 
> scheme.
>
> This isn't meant to replace existing PKI mechanisms. Rather, it's an 
> optional optimization for connections that are able to use it. Where 
> they aren't, you negotiate another certificate. I work on a web 
> browser, so this has browsers and HTTPS over TLS in mind, but we hope 
> it, or some ideas in it, will be more broadly useful.
>
> That said, we don't expect it's for everyone, and that's fine!
> With a robust negotiation story, we don't have to limit ourselves to a 
> single answer for all cases at once. Even within browsers and the web, 
> it cannot handle all cases, so we're thinking of this as one of 
> several sorts of PKI mechanisms that might be selected via 
> negotiation.
>
> Thoughts? We're very eager to get feedback on this.
>
> David
>
> On Fri, Mar 10, 2023 at 4:38 PM <internet-drafts@ietf.org> wrote:
>
> A new version of I-D, draft-davidben-tls-merkle-tree-certs-00.txt
> has been successfully submitted by David Benjamin and posted to the 
> IETF repository.
>
> Name:           draft-davidben-tls-merkle-tree-certs
> Revision:       00
> Title:          Merkle Tree Certificates for TLS
> Document date:  2023-03-10
> Group:          Individual Submission
> Pages:          45
> URL:
> https://www.ietf.org/archive/id/draft-davidben-tls-merkle-tree-certs-0
> 0.txt
> Status:
>  
> https://datatracker.ietf.org/doc/draft-davidben-tls-merkle-tree-certs/
> Html:
>  
> https://www.ietf.org/archive/id/draft-davidben-tls-merkle-tree-certs-0
> 0.html
> Htmlized:
>  
> https://datatracker.ietf.org/doc/html/draft-davidben-tls-merkle-tree-c
> erts
>
>
> Abstract:
>    This document describes Merkle Tree certificates, a new certificate
>    type for use with TLS.  A relying party that regularly fetches
>    information from a transparency service can use this certificate type
>    as a size optimization over more conventional mechanisms with post-
>    quantum signatures.  Merkle Tree certificates integrate the roles of
>    X.509 and Certificate Transparency, achieving comparable security
>    properties with a smaller message size, at the cost of more limited
>    applicability.
>
>
>
>
> The IETF Secretariat
>
>
>

--
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email