Re: [TLS] Merkle Tree Certificates
Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 22 March 2023 16:49 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F31F1C14CE5F for <tls@ietfa.amsl.com>; Wed, 22 Mar 2023 09:49:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eifmbfJGPvpJ for <tls@ietfa.amsl.com>; Wed, 22 Mar 2023 09:49:08 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1b.welho.com [83.102.41.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F115C13AE33 for <tls@ietf.org>; Wed, 22 Mar 2023 09:49:08 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id C43401F6CA for <tls@ietf.org>; Wed, 22 Mar 2023 18:49:05 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id IJqL2Ig_bBAY for <tls@ietf.org>; Wed, 22 Mar 2023 18:49:05 +0200 (EET)
Received: from LK-Perkele-VII2 (87-94-129-82.rev.dnainternet.fi [87.94.129.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 8390072 for <tls@ietf.org>; Wed, 22 Mar 2023 18:49:04 +0200 (EET)
Date: Wed, 22 Mar 2023 18:49:04 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Message-ID: <ZBsxgM/cv+vuBPEj@LK-Perkele-VII2.locald>
References: <167848430887.5487.1347334366320377305@ietfa.amsl.com> <CAF8qwaD9x5v1uU6mLtnUAGMnBW881ZE0ymK8rsQzrV2hfj7yHA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAF8qwaD9x5v1uU6mLtnUAGMnBW881ZE0ymK8rsQzrV2hfj7yHA@mail.gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/zihL0YGxT9PBDGbQrGQBgEdhIKY>
Subject: Re: [TLS] Merkle Tree Certificates
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Mar 2023 16:49:10 -0000
On Fri, Mar 10, 2023 at 05:09:10PM -0500, David Benjamin wrote: > > I've just uploaded a draft, below, describing several ideas we've > been mulling over regarding certificates in TLS. This is a draft-00 > with a lot of moving parts, so think of it as the first pass at > some of ideas that we think fit well together, rather than a > concrete, fully-baked system. > > Thoughts? We're very eager to get feedback on this. Some quick comments / ideas: - I think it would be easier for subscribers to get inclusion proofs from transparency service than certificate authority. This is because issuance is heavily asynchronous, whereas most servers assume ACME is essentially synchronous. If certificates are canonicalized (this is mostly matter of ensuring the names are always sorted), this could be endpoint to download known inclusion proofs by certificate hash. Or maybe even have both, and subscribers can use whichever is more convinient. - I don't think there are any sane uses for >64kB claims, so the claim_info length could be shortened to 16 bits. I don't see rule for how claims are sorted within each type, only how different types are sorted. - If each claim was in its own Claim, then one could maybe even shorten it to 8 bits. Similarly, one could merge ipv4/ipv6 and dns/dns_wildcard. This could also simplify sorting: Sort by type, lexicographic sort by claim contents. - I don't think anybody is going to use signatures with >64kB keys, so subject_info length could be shortened to 16 bits. - What does it mean that in this document the hash is always SHA-256? - Apparently issuer id is limited to 32 octets. This could be noted in the definition. - I think it would be easier if lifetime was expressed in batch durations. Then one would not need window size, and especially not handle lifetime / batch_duration not being an integer! - The root hash being dependent on issuer and batch number iff there are multiple assertions looks very odd. Empty assertion list might be special. But this also happens for one assertion. - I think LabeledWindow should add 64 spaces in front, so it reuses the TLS 1.3 signature format. This reduces risks of cross-protocol attack if the key gets reused anyway (despite there being MUST NOT requirement). - Is there reason for type of trust_anchor_data to vary by proof_type? Why not always have MerkleTreeTrustAnchor there? - And proof_data length field should probably be 16 bits. I don't think proof_data will ever exceed 8kB. - For type-independent expiry info to be helpful, this must be somehow plumbed to the TLS server. - Even if ACME itself allows for long processing delays, many (most?) ACME clients do not. - Multiple orders from single newOrder or multiple certificates in single order sounds like it would break assumption made in ACME rather badly, and thus recipe for trouble. - Isn't cert_type deprecated? - "We may need to define a third one.", you men fourth one? - I think the uniform certificate format is already a requirement in TLS 1.3. And OpenPGP format is banned in TLS 1.3 anyway. So parsing to extension blocks without knowing certificate type is no problem. > On Fri, Mar 10, 2023 at 4:38 PM <internet-drafts@ietf.org> wrote: > > > > > A new version of I-D, draft-davidben-tls-merkle-tree-certs-00.txt > > has been successfully submitted by David Benjamin and posted to the > > IETF repository. > > > > Name: draft-davidben-tls-merkle-tree-certs > > Revision: 00 > > Title: Merkle Tree Certificates for TLS > > Document date: 2023-03-10 > > Group: Individual Submission > > Pages: 45 -Ilari
- [TLS] Merkle Tree Certificates David Benjamin
- Re: [TLS] Merkle Tree Certificates Stephen Farrell
- Re: [TLS] Merkle Tree Certificates Hubert Kario
- Re: [TLS] Merkle Tree Certificates Kampanakis, Panos
- Re: [TLS] Merkle Tree Certificates Kampanakis, Panos
- Re: [TLS] Merkle Tree Certificates Watson Ladd
- Re: [TLS] Merkle Tree Certificates David Benjamin
- Re: [TLS] Merkle Tree Certificates David Benjamin
- Re: [TLS] Merkle Tree Certificates Hubert Kario
- Re: [TLS] Merkle Tree Certificates David Benjamin
- Re: [TLS] Merkle Tree Certificates Kampanakis, Panos
- Re: [TLS] Merkle Tree Certificates Ilari Liusvaara
- Re: [TLS] Merkle Tree Certificates Hubert Kario
- Re: [TLS] Merkle Tree Certificates Bas Westerbaan
- Re: [TLS] Merkle Tree Certificates Ilari Liusvaara
- Re: [TLS] Merkle Tree Certificates Kampanakis, Panos
- Re: [TLS] Merkle Tree Certificates Hubert Kario
- Re: [TLS] Merkle Tree Certificates David Benjamin
- Re: [TLS] Merkle Tree Certificates David Benjamin
- Re: [TLS] Merkle Tree Certificates David Benjamin
- Re: [TLS] Merkle Tree Certificates David Benjamin
- Re: [TLS] Merkle Tree Certificates Ilari Liusvaara
- Re: [TLS] Merkle Tree Certificates Bas Westerbaan
- Re: [TLS] Merkle Tree Certificates Ilari Liusvaara
- Re: [TLS] Merkle Tree Certificates Rob Sayre
- Re: [TLS] Merkle Tree Certificates Bas Westerbaan