Re: [TLS] Merkle Tree Certificates
David Benjamin <davidben@chromium.org> Mon, 20 March 2023 18:54 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9929AC17B33A for <tls@ietfa.amsl.com>; Mon, 20 Mar 2023 11:54:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.246
X-Spam-Level:
X-Spam-Status: No, score=-14.246 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tcpgP3R-D1L4 for <tls@ietfa.amsl.com>; Mon, 20 Mar 2023 11:54:42 -0700 (PDT)
Received: from mail-yb1-xb2e.google.com (mail-yb1-xb2e.google.com [IPv6:2607:f8b0:4864:20::b2e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6ACF0C169531 for <tls@ietf.org>; Mon, 20 Mar 2023 11:54:42 -0700 (PDT)
Received: by mail-yb1-xb2e.google.com with SMTP id e194so14389242ybf.1 for <tls@ietf.org>; Mon, 20 Mar 2023 11:54:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1679338481; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=DdsqxNGUGjEXaUxgDX0OnMKRdWH24pZn6o7/3KFRgZU=; b=oNQdMw/elEoI4lhmFRYzObhhbP7ODdO99wVHYfZTX2OSJQt0Xkx5HhIkKJ/1rMYfzA SPrIElnY3D1l0hpGg3PMBolhtBK/xojderBqAJ/oFQm+lx/Dv26g277WrVzxwhXJ6JGc JiDRsKY5WJ9WNYRoYdqugVUn2nSYsEwgfKaTo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1679338481; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=DdsqxNGUGjEXaUxgDX0OnMKRdWH24pZn6o7/3KFRgZU=; b=nPfEGmR7wKJ+0SD2wNMk0f2hAKDxc2xyrfcSTdWWxntPHBpx3lTbRi9NsV+wuFyuXa Mg3Njqr9weyI6hdZFzGLBCmN2Gs92Tz7YrYtwuSpcWU+BLaSvN73ZIom5MB5lfDP4yeD zlFGiZxMM0WqCYf+VylNOBx1A/SqNlBYssy5VcvuG3SFXmauTIAErum/k4GcGm/xhpAi CE+3pqJ9LXXmIwEaOCDqas7m1inN7/5h13+GTcCF+i25GkKlBNDcDdIu8AdGhD/TKu+j TkL/wII0/dg0p47s/eiK1e3AfoSZw5dC/8aRwsXxxaOCOBlC42NOkjYMBVfPa6BTVaOk rWPw==
X-Gm-Message-State: AAQBX9dD01liFLUudV7OIH0uhh648nNfxep96PPfyXPe8DT8Z/ZbAUF/ pB5bw9MGFldkZIHdeiupZtMT6AICmfvOfg2Hx2cb
X-Google-Smtp-Source: AKy350ZHVA859vAfQJ+EpmIPSRlZHtoHXFhBwPXgwMbKuGkkQ+FisNWrD5mjmibQMUeovca7BiqaTk6S+d5fRGZ/gVw=
X-Received: by 2002:a25:abd1:0:b0:9fe:1493:8b9 with SMTP id v75-20020a25abd1000000b009fe149308b9mr182378ybi.8.1679338481315; Mon, 20 Mar 2023 11:54:41 -0700 (PDT)
MIME-Version: 1.0
References: <167848430887.5487.1347334366320377305@ietfa.amsl.com> <CAF8qwaD9x5v1uU6mLtnUAGMnBW881ZE0ymK8rsQzrV2hfj7yHA@mail.gmail.com> <e1bffaf7-bca0-45d0-a844-39d20473c446@redhat.com> <a24924a2cc2b4afba890660bdc2c220d@amazon.com>
In-Reply-To: <a24924a2cc2b4afba890660bdc2c220d@amazon.com>
From: David Benjamin <davidben@chromium.org>
Date: Mon, 20 Mar 2023 14:54:24 -0400
Message-ID: <CAF8qwaBe6o3ASer_wnztse_Wk7RwofkpzuPfVGdo7AGjN6T9aw@mail.gmail.com>
To: "Kampanakis, Panos" <kpanos@amazon.com>
Cc: Hubert Kario <hkario@redhat.com>, "<tls@ietf.org>" <tls@ietf.org>, Devon O'Brien <asymmetric@google.com>
Content-Type: multipart/alternative; boundary="000000000000a36b6605f75975ba"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/l2DPA3hLQOLi59wVpHgjsg1B2Bc>
Subject: Re: [TLS] Merkle Tree Certificates
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Mar 2023 18:54:46 -0000
I don't think flattening is the right way to look at it. See my other reply for a discussion about flattening, and how this does a bit more than that. (It also handles SCTs.) As for RFC 7924, in this context you should think of it as a funny kind of TLS resumption. In clients that talk to many servers[0], the only plausible source of cached information is a previous TLS exchange. Cached info is then: if I previously connected to you *and I am willing to correlate that previous connection to this new one*, we can re-connect more efficiently. It's a bit more flexible than resumption---it doesn't replace authentication, so we could conceivably use larger lifetimes. But it's broadly the same w.r.t. when it can be used. It doesn't help the first connection to a service, or a service that was connected long enough ago that it's fallen off the cache. And it doesn't help across contexts where we don't want correlation. Within a web browser, things are a bit more partitioned these days, see https://github.com/MattMenke2/Explainer---Partition-Network-State/blob/main/README.md and https://github.com/privacycg/storage-partitioning. In comparison, this design doesn't depend on this sort of per-destination state and can apply to the first time you talk to a server. David [0] If you're a client that only talks to one or two servers, you could imagine getting this cached information pushed out-of-band, similar to how this document pushes some valid tree heads out-of-band. But that doesn't apply to most clients, certainly not a web browser. On Tue, Mar 14, 2023 at 9:46 AM Kampanakis, Panos <kpanos@amazon.com> wrote: > Hi Hubert, > > I am not an author of draft-davidben-tls-merkle-tree-certs, but I had some > feedback on this question: > > RFC7924 was a good idea but I don’t think it got deployed. It has the > disadvantage that it allows for connection correlation and it is also > challenging to demand a client to either know all its possible destination > end-entity certs or be able to have a caching mechanism that keeps getting > updated. Given these challenges and that CAs are more static and less > (~1500 in number) than leaf certs, we have proposed suppressing the ICAs in > the chain (draft-kampanakis-tls-scas-latest which replaced > draft-thomson-tls-sic ) , but not the server cert. > > I think draft-davidben-tls-merkle-tree-certs is trying to achieve > something similar by introducing a Merkle tree structure for certs signed > by a CA. To me it seems to leverage a Merkle tree structure which "batches > the public key + identities" the CA issues. Verifiers can just verify the > tree and thus assume that the public key of the peer it is talking to is > "certified by the tree CA". The way I see it, this construction flattens > the PKI structure, and issuing CA's are trusted now instead of a more > limited set of roots. This change is not trivial in my eyes, but the end > goal is similar, to shrink the amount of auth data. > > > > -----Original Message----- > From: TLS <tls-bounces@ietf.org> On Behalf Of Hubert Kario > Sent: Monday, March 13, 2023 11:08 AM > To: David Benjamin <davidben@chromium.org> > Cc: <tls@ietf.org> <tls@ietf.org>; Devon O'Brien <asymmetric@google.com> > Subject: RE: [EXTERNAL][TLS] Merkle Tree Certificates > > CAUTION: This email originated from outside of the organization. Do not > click links or open attachments unless you can confirm the sender and know > the content is safe. > > > > Why not rfc7924? > > On Friday, 10 March 2023 23:09:10 CET, David Benjamin wrote: > > Hi all, > > > > I've just uploaded a draft, below, describing several ideas we've been > > mulling over regarding certificates in TLS. This is a > > draft-00 with a lot of moving parts, so think of it as the first pass > > at some of ideas that we think fit well together, rather than a > > concrete, fully-baked system. > > > > The document describes a new certificate format based on Merkle Trees, > > which aims to mitigate the many signatures we send today, particularly > > in applications that use Certificate Transparency, and as post-quantum > > signature schemes get large. Four signatures (two SCTs, two X.509 > > signatures) and an intermediate CA's public key gets rather large, > > particularly with something like Dilithium3's 3,293-byte signatures. > > This format uses a single Merkle Tree inclusion proof, which we > > estimate at roughly 600 bytes. (Note that this proposal targets > > certificate-related signatures but not the TLS handshake signature.) > > > > As part of this, it also includes an extensibility and certificate > > negotiation story that we hope will be useful beyond this particular > > scheme. > > > > This isn't meant to replace existing PKI mechanisms. Rather, it's an > > optional optimization for connections that are able to use it. Where > > they aren't, you negotiate another certificate. I work on a web > > browser, so this has browsers and HTTPS over TLS in mind, but we hope > > it, or some ideas in it, will be more broadly useful. > > > > That said, we don't expect it's for everyone, and that's fine! > > With a robust negotiation story, we don't have to limit ourselves to a > > single answer for all cases at once. Even within browsers and the web, > > it cannot handle all cases, so we're thinking of this as one of > > several sorts of PKI mechanisms that might be selected via > > negotiation. > > > > Thoughts? We're very eager to get feedback on this. > > > > David > > > > On Fri, Mar 10, 2023 at 4:38 PM <internet-drafts@ietf.org> wrote: > > > > A new version of I-D, draft-davidben-tls-merkle-tree-certs-00.txt > > has been successfully submitted by David Benjamin and posted to the > > IETF repository. > > > > Name: draft-davidben-tls-merkle-tree-certs > > Revision: 00 > > Title: Merkle Tree Certificates for TLS > > Document date: 2023-03-10 > > Group: Individual Submission > > Pages: 45 > > URL: > > https://www.ietf.org/archive/id/draft-davidben-tls-merkle-tree-certs-0 > > 0.txt > > Status: > > > > https://datatracker.ietf.org/doc/draft-davidben-tls-merkle-tree-certs/ > > Html: > > > > https://www.ietf.org/archive/id/draft-davidben-tls-merkle-tree-certs-0 > > 0.html > > Htmlized: > > > > https://datatracker.ietf.org/doc/html/draft-davidben-tls-merkle-tree-c > > erts > > > > > > Abstract: > > This document describes Merkle Tree certificates, a new certificate > > type for use with TLS. A relying party that regularly fetches > > information from a transparency service can use this certificate type > > as a size optimization over more conventional mechanisms with post- > > quantum signatures. Merkle Tree certificates integrate the roles of > > X.509 and Certificate Transparency, achieving comparable security > > properties with a smaller message size, at the cost of more limited > > applicability. > > > > > > > > > > The IETF Secretariat > > > > > > > > -- > Regards, > Hubert Kario > Principal Quality Engineer, RHEL Crypto team > Web: www.cz.redhat.com > Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Merkle Tree Certificates David Benjamin
- Re: [TLS] Merkle Tree Certificates Stephen Farrell
- Re: [TLS] Merkle Tree Certificates Hubert Kario
- Re: [TLS] Merkle Tree Certificates Kampanakis, Panos
- Re: [TLS] Merkle Tree Certificates Kampanakis, Panos
- Re: [TLS] Merkle Tree Certificates Watson Ladd
- Re: [TLS] Merkle Tree Certificates David Benjamin
- Re: [TLS] Merkle Tree Certificates David Benjamin
- Re: [TLS] Merkle Tree Certificates Hubert Kario
- Re: [TLS] Merkle Tree Certificates David Benjamin
- Re: [TLS] Merkle Tree Certificates Kampanakis, Panos
- Re: [TLS] Merkle Tree Certificates Ilari Liusvaara
- Re: [TLS] Merkle Tree Certificates Hubert Kario
- Re: [TLS] Merkle Tree Certificates Bas Westerbaan
- Re: [TLS] Merkle Tree Certificates Ilari Liusvaara
- Re: [TLS] Merkle Tree Certificates Kampanakis, Panos
- Re: [TLS] Merkle Tree Certificates Hubert Kario
- Re: [TLS] Merkle Tree Certificates David Benjamin
- Re: [TLS] Merkle Tree Certificates David Benjamin
- Re: [TLS] Merkle Tree Certificates David Benjamin
- Re: [TLS] Merkle Tree Certificates David Benjamin
- Re: [TLS] Merkle Tree Certificates Ilari Liusvaara
- Re: [TLS] Merkle Tree Certificates Bas Westerbaan
- Re: [TLS] Merkle Tree Certificates Ilari Liusvaara
- Re: [TLS] Merkle Tree Certificates Rob Sayre
- Re: [TLS] Merkle Tree Certificates Bas Westerbaan