IETF Logo Mail Archive

Re: [TLS] Merkle Tree Certificates

Hubert Kario <hkario@redhat.com> Wed, 22 March 2023 12:45 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 843D8C15C528 for <tls@ietfa.amsl.com>; Wed, 22 Mar 2023 05:45:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5g_UW_kTctyO for <tls@ietfa.amsl.com>; Wed, 22 Mar 2023 05:45:50 -0700 (PDT)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66B73C15C522 for <tls@ietf.org>; Wed, 22 Mar 2023 05:45:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1679489149; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=1fcwRAhBpz1WNlv+eUn0I9zVjkenL6lf4Du7tI+Aveo=; b=gm/zWZGhq7ck4b5O6SeOJlCzhO2ZNHWR1h6J4mqCicE1URtnmdp7Fi9v4dM7+yVe4jSGVX BrV42Lb7d6KscyOYEH9dya/GvPwcvyr9gAMtsO8GpWQp6lgukvgq19u+mB3TW5jRSliy9X lSnH2JVkrIRivDShq30qFqOolVUYupc=
Received: from mail-qt1-f198.google.com (mail-qt1-f198.google.com [209.85.160.198]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-395-gaP4hR8bPP6VIAhgYNy58g-1; Wed, 22 Mar 2023 08:45:48 -0400
X-MC-Unique: gaP4hR8bPP6VIAhgYNy58g-1
Received: by mail-qt1-f198.google.com with SMTP id s4-20020a05622a1a8400b003dbc6fc558aso8473037qtc.3 for <tls@ietf.org>; Wed, 22 Mar 2023 05:45:48 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1679489148; h=content-transfer-encoding:user-agent:organization:references :in-reply-to:message-id:mime-version:date:subject:cc:to:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=YCktDqCXKNogkrlXVd6C2mGP6CZeRo92JV4/9TCpgg8=; b=uSxn//9UzYjQepK2c/UWYeP1iO4Bu/hqi22ndi//YqKPO1LEv+fiN3wD/q4e4TXIDB aczKRnmvzUQHdAI9H0PYw+Ubz2YOawRYejgs0XelBeaX8MHFOX9AdK5+/RuweScjRe77 EdR+xNn1aTIcvxR27lKGJIef3WSTTnW4ohVQa+2SWCYlZ/yZzUcuOpp9mugDgkRC43vs sI7Uj+tb23ZEymhCniikusADoEJ8hibOqp3Gd0J5xEvueqrlfp8jQ+7GgUNcYR9I1vlP b+N6aA64/Y4X9VXGme2+ngt42wv7PztPRdMyfY6Ngds/ou5T3OnOBm0Qqvra9kvirYG9 OTtQ==
X-Gm-Message-State: AO0yUKXiBRbS/H4HvLrKy5bArMNqYxXmRVwZsmSeExhEXxAyq9nGwri8 x6/jLsVTU776eWsTp6FLvZFRM8DlKyrSv/UmyggT/jFx95S2TZrXNFckeVFUX6PmOFlkH5eX1cN uZ/M=
X-Received: by 2002:ac8:5bd3:0:b0:3d0:ba96:b00d with SMTP id b19-20020ac85bd3000000b003d0ba96b00dmr5641228qtb.16.1679489147790; Wed, 22 Mar 2023 05:45:47 -0700 (PDT)
X-Google-Smtp-Source: AK7set/0vqb9wRvBVSJlXZ8YAMLLuPIUi2m8dASrsk9DwgaW7f14zDU45Wx+Gz2BsSG6OhFCv3EhYg==
X-Received: by 2002:ac8:5bd3:0:b0:3d0:ba96:b00d with SMTP id b19-20020ac85bd3000000b003d0ba96b00dmr5641194qtb.16.1679489147437; Wed, 22 Mar 2023 05:45:47 -0700 (PDT)
Received: from localhost (ip-94-112-137-58.bb.vodafone.cz. [94.112.137.58]) by smtp.gmail.com with ESMTPSA id b13-20020ac8540d000000b003d2d815825fsm2851436qtq.40.2023.03.22.05.45.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 22 Mar 2023 05:45:47 -0700 (PDT)
From: Hubert Kario <hkario@redhat.com>
To: David Benjamin <davidben@chromium.org>
Cc: "Kampanakis, Panos" <kpanos@amazon.com>, "<tls@ietf.org>" <tls@ietf.org>, Devon O'Brien <asymmetric@google.com>
Date: Wed, 22 Mar 2023 13:45:43 +0100
MIME-Version: 1.0
Message-ID: <7cf62fb9-6aaa-47cd-b988-bdfcf8911d63@redhat.com>
In-Reply-To: <CAF8qwaD4HnPvnuHDNeXLgMkuqkFnOfpwk4DsjDb-SBudumeiug@mail.gmail.com>
References: <167848430887.5487.1347334366320377305@ietfa.amsl.com> <CAF8qwaD9x5v1uU6mLtnUAGMnBW881ZE0ymK8rsQzrV2hfj7yHA@mail.gmail.com> <e1bffaf7-bca0-45d0-a844-39d20473c446@redhat.com> <a24924a2cc2b4afba890660bdc2c220d@amazon.com> <CAF8qwaBe6o3ASer_wnztse_Wk7RwofkpzuPfVGdo7AGjN6T9aw@mail.gmail.com> <8f6ffb56-ed99-46b9-92c4-e07b75f7d85c@redhat.com> <CAF8qwaD4HnPvnuHDNeXLgMkuqkFnOfpwk4DsjDb-SBudumeiug@mail.gmail.com>
Organization: Red Hat
User-Agent: Trojita/0.7-git; Qt/5.15.7; xcb; Linux; Fedora release 36 (Thirty Six)
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/pMcwnVkIalNIYVXI9_6bSYOhsZI>
Subject: Re: [TLS] Merkle Tree Certificates
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Mar 2023 12:45:54 -0000

On Tuesday, 21 March 2023 17:06:54 CET, David Benjamin wrote:
> On Tue, Mar 21, 2023 at 8:01 AM Hubert Kario <hkario@redhat.com> wrote:
>
>> On Monday, 20 March 2023 19:54:24 CET, David Benjamin wrote:
>>> I don't think flattening is the right way to look at it. See my
>>> other reply for a discussion about flattening, and how this does
>>> a bit more than that. (It also handles SCTs.)
>>> 
>>> As for RFC 7924, in this context you should think of it as a
>>> funny kind of TLS resumption. In clients that talk to many ...
>> https://github.com/MattMenke2/Explainer---Partition-Network-State/blob/main/README.md
>>> and https://github.com/privacycg/storage-partitioning.
>> 
>> Sorry, but as long as the browsers are willing to perform session
>> resumption
>> I'm not buying the "cached info is a privacy problem".
>> 
>
> I'm not seeing where this quote comes from. I said it had analogous
> properties to resumption, not that it was a privacy problem in the absolute.

I meant it as a summary not as a quote.

> The privacy properties of resumption and cached info on the situation. If
> you were okay correlating the two connections, both are okay in this
> regard. If not, then no. rfc8446bis discusses this:
> https://tlswg.org/tls13-spec/draft-ietf-tls-rfc8446bis.html#appendix-C.4
>
> In browsers, the correlation boundaries (across *all* state, not just TLS)
> were once browsing-profile-wide, but they're shifting to this notion of
> "site". I won't bore the list with the web's security model, but roughly
> the domain part of the top-level (not the same as destination!) URL. See
> the links above for details.
>
> That equally impacts resumption and any hypothetical deployment of cached
> info. So, yes, within those same bounds, a browser could deploy cached
> info. Whether it's useful depends on whether there are many cases where
> resumption wouldn't work, but cached info would. (E.g. because resumption
> has different security properties than cached info.)

The big difference is that tickets generally should be valid only for
a day or two, while cached info, just like cookies, can be valid for many
months if not years.

Now, a privacy focused user may decide to clear the cookies and cached
info daily, while others may prefer the slightly improved performance
on first visit after a week or month break.

>
>> It also completely ignores the encrypted client hello
>> 
>
> ECH helps with outside observers correlating your connections, but it
> doesn't do anything about the server correlating connections. In the
> context of correlation boundaries within a web browser, we care about the
> latter too.

How's that different from cookies? Which don't correlate, but 
cryptographically
prove previous visit?

>> Browser doesn't have to cache the certs since the beginning of time to be
>> of benefit, a few hours or even just current boot would be enough:
>> 
>> 1. if it's a page visited once then all the tracking cookies 
>> and javascript
>>    will be an order of magnitude larger download anyway
>> 2. if it's a page visited many times, then optimising for the subsequent
>>    connections is of higher benefit anyway
>> 
>
> I don't think that's quite the right dichotomy. There are plenty of reasons
> to optimize for the first connection, time to first bytes, etc. Indeed,
> this WG did just that with False Start and TLS 1.3 itself. (Prior to those,
> TLS 1.2 was 2-RTT for the first connection and 1-RTT for resumption.)

In my opinion time to first byte is a metric that's popular because it's 
easy
to measure, not because it's representative. Feel free to point me to
double blind studies with representative sample sizes showing otherwise.

Yes, reducing round-trips is important as latency of connection is not
correlated with bandwidth available. But when a simple page is a megabyte 
of
data, and anything non trivial is multiple megabytes, looking at when the 
first
byte arrives it is completely missing the bigger picture.

Especially when users are trained to not interact with the page until it 
fully
loads (2018 Hawaii missile alert joke explanation):
https://gfycat.com/queasygrandiriomotecat

Neither cached data nor Merkle tree certificates reduce round-trips

> I suspect a caching for a few hours would not justify cached info because
> you may as well use resumption at that point.
>
>> In comparison, this design doesn't depend on this sort of
>>> per-destination state and can apply to the first time you talk
>>> to a server.
>> 
>> it does depend on complex code instead, that effectively duplicates the
>> functionality of existing code
>> 
>>> David
>>> 
>>> [0] If you're a client that only talks to one or two servers,
>>> you could imagine getting this cached information pushed
>>> out-of-band, similar to how this document pushes some valid tree
>>> heads out-of-band. But that doesn't apply to most clients, ...
>> 
>> web browser could get a list of most commonly accessed pages/cert pairs,
>> randomised to some degree by addition of not commonly accessed pages to
>> hide if
>> the connection is new or not, and make inference about previous visits
>> worthless
>> 
>
> True, we could preload cached info for a global list of common
> certificates. I'm personally much more interested in mechanisms that
> benefit popular and unpopular pages alike.

Unpopular pages are much more likely to deploy a solution that doesn't 
require
a parallel CA infrastructure and a cryptographer on staff.

-- 
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

v2.23.0 | Report a Bug | By Email