IETF Logo Mail Archive

Re: [TLS] Merkle Tree Certificates

David Benjamin <davidben@chromium.org> Mon, 20 March 2023 18:54 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9929AC17B33A for <tls@ietfa.amsl.com>; Mon, 20 Mar 2023 11:54:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.246
X-Spam-Level:
X-Spam-Status: No, score=-14.246 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tcpgP3R-D1L4 for <tls@ietfa.amsl.com>; Mon, 20 Mar 2023 11:54:42 -0700 (PDT)
Received: from mail-yb1-xb2e.google.com (mail-yb1-xb2e.google.com [IPv6:2607:f8b0:4864:20::b2e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6ACF0C169531 for <tls@ietf.org>; Mon, 20 Mar 2023 11:54:42 -0700 (PDT)
Received: by mail-yb1-xb2e.google.com with SMTP id e194so14389242ybf.1 for <tls@ietf.org>; Mon, 20 Mar 2023 11:54:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1679338481; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=DdsqxNGUGjEXaUxgDX0OnMKRdWH24pZn6o7/3KFRgZU=; b=oNQdMw/elEoI4lhmFRYzObhhbP7ODdO99wVHYfZTX2OSJQt0Xkx5HhIkKJ/1rMYfzA SPrIElnY3D1l0hpGg3PMBolhtBK/xojderBqAJ/oFQm+lx/Dv26g277WrVzxwhXJ6JGc JiDRsKY5WJ9WNYRoYdqugVUn2nSYsEwgfKaTo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1679338481; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=DdsqxNGUGjEXaUxgDX0OnMKRdWH24pZn6o7/3KFRgZU=; b=nPfEGmR7wKJ+0SD2wNMk0f2hAKDxc2xyrfcSTdWWxntPHBpx3lTbRi9NsV+wuFyuXa Mg3Njqr9weyI6hdZFzGLBCmN2Gs92Tz7YrYtwuSpcWU+BLaSvN73ZIom5MB5lfDP4yeD zlFGiZxMM0WqCYf+VylNOBx1A/SqNlBYssy5VcvuG3SFXmauTIAErum/k4GcGm/xhpAi CE+3pqJ9LXXmIwEaOCDqas7m1inN7/5h13+GTcCF+i25GkKlBNDcDdIu8AdGhD/TKu+j TkL/wII0/dg0p47s/eiK1e3AfoSZw5dC/8aRwsXxxaOCOBlC42NOkjYMBVfPa6BTVaOk rWPw==
X-Gm-Message-State: AAQBX9dD01liFLUudV7OIH0uhh648nNfxep96PPfyXPe8DT8Z/ZbAUF/ pB5bw9MGFldkZIHdeiupZtMT6AICmfvOfg2Hx2cb
X-Google-Smtp-Source: AKy350ZHVA859vAfQJ+EpmIPSRlZHtoHXFhBwPXgwMbKuGkkQ+FisNWrD5mjmibQMUeovca7BiqaTk6S+d5fRGZ/gVw=
X-Received: by 2002:a25:abd1:0:b0:9fe:1493:8b9 with SMTP id v75-20020a25abd1000000b009fe149308b9mr182378ybi.8.1679338481315; Mon, 20 Mar 2023 11:54:41 -0700 (PDT)
MIME-Version: 1.0
References: <167848430887.5487.1347334366320377305@ietfa.amsl.com> <CAF8qwaD9x5v1uU6mLtnUAGMnBW881ZE0ymK8rsQzrV2hfj7yHA@mail.gmail.com> <e1bffaf7-bca0-45d0-a844-39d20473c446@redhat.com> <a24924a2cc2b4afba890660bdc2c220d@amazon.com>
In-Reply-To: <a24924a2cc2b4afba890660bdc2c220d@amazon.com>
From: David Benjamin <davidben@chromium.org>
Date: Mon, 20 Mar 2023 14:54:24 -0400
Message-ID: <CAF8qwaBe6o3ASer_wnztse_Wk7RwofkpzuPfVGdo7AGjN6T9aw@mail.gmail.com>
To: "Kampanakis, Panos" <kpanos@amazon.com>
Cc: Hubert Kario <hkario@redhat.com>, "<tls@ietf.org>" <tls@ietf.org>, Devon O'Brien <asymmetric@google.com>
Content-Type: multipart/alternative; boundary="000000000000a36b6605f75975ba"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/l2DPA3hLQOLi59wVpHgjsg1B2Bc>
Subject: Re: [TLS] Merkle Tree Certificates
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Mar 2023 18:54:46 -0000

I don't think flattening is the right way to look at it. See my other reply
for a discussion about flattening, and how this does a bit more than that.
(It also handles SCTs.)

As for RFC 7924, in this context you should think of it as a funny kind of
TLS resumption. In clients that talk to many servers[0], the only
plausible source of cached information is a previous TLS exchange. Cached
info is then: if I previously connected to you *and I am willing to
correlate that previous connection to this new one*, we can re-connect more
efficiently. It's a bit more flexible than resumption---it doesn't replace
authentication, so we could conceivably use larger lifetimes. But it's
broadly the same w.r.t. when it can be used. It doesn't help the first
connection to a service, or a service that was connected long enough ago
that it's fallen off the cache. And it doesn't help across contexts where
we don't want correlation. Within a web browser, things are a bit more
partitioned these days, see
https://github.com/MattMenke2/Explainer---Partition-Network-State/blob/main/README.md
and https://github.com/privacycg/storage-partitioning.

In comparison, this design doesn't depend on this sort of per-destination
state and can apply to the first time you talk to a server.

David

[0] If you're a client that only talks to one or two servers, you could
imagine getting this cached information pushed out-of-band, similar to how
this document pushes some valid tree heads out-of-band. But that doesn't
apply to most clients, certainly not a web browser.

On Tue, Mar 14, 2023 at 9:46 AM Kampanakis, Panos <kpanos@amazon.com> wrote:

> Hi Hubert,
>
> I am not an author of draft-davidben-tls-merkle-tree-certs, but I had some
> feedback on this question:
>
> RFC7924 was a good idea but I don’t think it got deployed. It has the
> disadvantage that it allows for connection correlation and it is also
> challenging to demand a client to either know all its possible destination
> end-entity certs or be able to have a caching mechanism that keeps getting
> updated. Given these challenges and that CAs are more static and less
> (~1500 in number) than leaf certs, we have proposed suppressing the ICAs in
> the chain (draft-kampanakis-tls-scas-latest which replaced
> draft-thomson-tls-sic ) , but not the server cert.
>
> I think draft-davidben-tls-merkle-tree-certs is trying to achieve
> something similar by introducing a Merkle tree structure for certs signed
> by a CA. To me it seems to leverage a Merkle tree structure which "batches
> the public key + identities" the CA issues. Verifiers can just verify the
> tree and thus assume that the public key of the peer it is talking to is
> "certified by the tree CA". The way I see it, this construction flattens
> the PKI structure, and issuing CA's are trusted now instead of a more
> limited set of roots. This change is not trivial in my eyes, but the end
> goal is similar, to shrink the amount of auth data.
>
>
>
> -----Original Message-----
> From: TLS <tls-bounces@ietf.org> On Behalf Of Hubert Kario
> Sent: Monday, March 13, 2023 11:08 AM
> To: David Benjamin <davidben@chromium.org>
> Cc: <tls@ietf.org> <tls@ietf.org>; Devon O'Brien <asymmetric@google.com>
> Subject: RE: [EXTERNAL][TLS] Merkle Tree Certificates
>
> CAUTION: This email originated from outside of the organization. Do not
> click links or open attachments unless you can confirm the sender and know
> the content is safe.
>
>
>
> Why not rfc7924?
>
> On Friday, 10 March 2023 23:09:10 CET, David Benjamin wrote:
> > Hi all,
> >
> > I've just uploaded a draft, below, describing several ideas we've been
> > mulling over regarding certificates in TLS. This is a
> > draft-00 with a lot of moving parts, so think of it as the first pass
> > at some of ideas that we think fit well together, rather than a
> > concrete, fully-baked system.
> >
> > The document describes a new certificate format based on Merkle Trees,
> > which aims to mitigate the many signatures we send today, particularly
> > in applications that use Certificate Transparency, and as post-quantum
> > signature schemes get large. Four signatures (two SCTs, two X.509
> > signatures) and an intermediate CA's public key gets rather large,
> > particularly with something like Dilithium3's 3,293-byte signatures.
> > This format uses a single Merkle Tree inclusion proof, which we
> > estimate at roughly 600 bytes. (Note that this proposal targets
> > certificate-related signatures but not the TLS handshake signature.)
> >
> > As part of this, it also includes an extensibility and certificate
> > negotiation story that we hope will be useful beyond this particular
> > scheme.
> >
> > This isn't meant to replace existing PKI mechanisms. Rather, it's an
> > optional optimization for connections that are able to use it. Where
> > they aren't, you negotiate another certificate. I work on a web
> > browser, so this has browsers and HTTPS over TLS in mind, but we hope
> > it, or some ideas in it, will be more broadly useful.
> >
> > That said, we don't expect it's for everyone, and that's fine!
> > With a robust negotiation story, we don't have to limit ourselves to a
> > single answer for all cases at once. Even within browsers and the web,
> > it cannot handle all cases, so we're thinking of this as one of
> > several sorts of PKI mechanisms that might be selected via
> > negotiation.
> >
> > Thoughts? We're very eager to get feedback on this.
> >
> > David
> >
> > On Fri, Mar 10, 2023 at 4:38 PM <internet-drafts@ietf.org> wrote:
> >
> > A new version of I-D, draft-davidben-tls-merkle-tree-certs-00.txt
> > has been successfully submitted by David Benjamin and posted to the
> > IETF repository.
> >
> > Name:           draft-davidben-tls-merkle-tree-certs
> > Revision:       00
> > Title:          Merkle Tree Certificates for TLS
> > Document date:  2023-03-10
> > Group:          Individual Submission
> > Pages:          45
> > URL:
> > https://www.ietf.org/archive/id/draft-davidben-tls-merkle-tree-certs-0
> > 0.txt
> > Status:
> >
> > https://datatracker.ietf.org/doc/draft-davidben-tls-merkle-tree-certs/
> > Html:
> >
> > https://www.ietf.org/archive/id/draft-davidben-tls-merkle-tree-certs-0
> > 0.html
> > Htmlized:
> >
> > https://datatracker.ietf.org/doc/html/draft-davidben-tls-merkle-tree-c
> > erts
> >
> >
> > Abstract:
> >    This document describes Merkle Tree certificates, a new certificate
> >    type for use with TLS.  A relying party that regularly fetches
> >    information from a transparency service can use this certificate type
> >    as a size optimization over more conventional mechanisms with post-
> >    quantum signatures.  Merkle Tree certificates integrate the roles of
> >    X.509 and Certificate Transparency, achieving comparable security
> >    properties with a smaller message size, at the cost of more limited
> >    applicability.
> >
> >
> >
> >
> > The IETF Secretariat
> >
> >
> >
>
> --
> Regards,
> Hubert Kario
> Principal Quality Engineer, RHEL Crypto team
> Web: www.cz.redhat.com
> Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email