Re: [Trans] Mutability of Certificate Signatures
Andrew Ayer <agwa@andrewayer.name> Wed, 19 July 2017 03:42 UTC
Return-Path: <agwa@andrewayer.name>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53F30127076 for <trans@ietfa.amsl.com>; Tue, 18 Jul 2017 20:42:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andrewayer.name
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eOB09nuGEKYm for <trans@ietfa.amsl.com>; Tue, 18 Jul 2017 20:42:58 -0700 (PDT)
Received: from alcazar.beanwood.com (alcazar.beanwood.com [70.85.129.230]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3E42126D85 for <trans@ietf.org>; Tue, 18 Jul 2017 20:42:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=andrewayer.name; s=beanwood20160511; t=1500435777; bh=KSsmPo3ju1bVOYcWYZHAgB7MzzMGF65a/p9ukEz6pds=; h=Date:From:To:Cc:Subject:In-Reply-To:References; b=LIMOul0dEhdhNweAzrwI6UG4KFE7MzvfQoPehQ3STCMGxv/3QVCjMscxv33V0rCi4 ub6wMqyuykRN4cbXpoIyjPKBn0P3IujrXoExsRP622BaCf13CNiQOzD/aB5JYh5FEP Z+nwHHorqwHLggUyupykYFAXiri+WQYEpeoYYx5dvWv04oZ+6NEuUTjy1OZX2r7D2b 9xgQL/tfxuIPgz+eMuXGk4c7hWD8OPmYGYNzTpBjjE1vlINdweVV8lVGMXMfLEPQJo H1jCpE76Mv+RSQb4NgPXSeMhvLGnc+Bv7WT3OfUdG1ZXJRw/2ISci5U1+52f5L10/k PP9SikidrX5vw==
Date: Tue, 18 Jul 2017 20:42:56 -0700
From: Andrew Ayer <agwa@andrewayer.name>
To: Eran Messeri <eranm@google.com>
Cc: "trans@ietf.org" <trans@ietf.org>
Message-Id: <20170718204256.d932dee67d792891bb20729e@andrewayer.name>
In-Reply-To: <CALzYgEf5TnSSrkk0rP=OckLN_cgim2-M4fmnd70FavW8mG0yZA@mail.gmail.com>
References: <20170528191028.20f285073eea33a3f23b6b5a@andrewayer.name> <20170703100241.9dd63b867d0181bae69a3999@andrewayer.name> <CALzYgEf5TnSSrkk0rP=OckLN_cgim2-M4fmnd70FavW8mG0yZA@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/0AUdeqzeLTZ5__Q7BigqisNFSRw>
Subject: Re: [Trans] Mutability of Certificate Signatures
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jul 2017 03:42:59 -0000
On Tue, 18 Jul 2017 17:57:33 +0100 Eran Messeri <eranm@google.com> wrote: > Going back to the original email, I support the proposal to fix the > issue by adding language to the document saying that a failure to > produce a full, valid chain with the (immediate) issuer's key hash > identical to the key hash covered by the SCT signature. > > I do not think the full key should be present in the SCT - even > though it would be convenient for monitors, the full chain *is* > present in the get-entries response, and requiring that the chain > returned includes the intermediate with the same key whose hash is > covered by the SCT signature is enough to guarantee monitors have the > key. I'm not proposing storing the key in the SCT, but in the TimestampedCertificateEntryDataV2 structure (i.e. the Merkle leaf input). Logs would have to store some extra data (though in most cases they could dedupe it with the chain), but there would be no increase in the size of SCTs. To be clear, are you proposing a requirement that the chain always contain a certificate with the issuer's public key, even if the logged certificate is a trust anchor? This would be a new requirement, as 6962-bis currently allows a non-self-signed trust anchor to be logged without a chain containing its issuer. Such a requirement would fix the problem, but it seems rather awkward (chains wouldn't always end with a trust anchor) and it's such an edge case that I fear logs might get it wrong (and if that happens, the log can no longer be trusted). I think converting issuer_key_hash to issuer_key is a more conservative change, but I won't object to your approach if it's what you prefer. The wording would need to be extremely clear so there is no doubt that a log needs to make the issuer available in this case. > While a CT log can present different, valid chains, leading to > different trust anchors, for a particular entry (as long as the same > key was used for signing the submission) - but that is true when > certificates are used in TLS connections, and in the context of CT > this is more of a spam/log credibility problem than a security > problem: The log could present chains that seem "uninteresting" to > the general public (because they terminate in a trust anchor > unrecognized by any major UA) while, in fact, there is a valid path > from the submitted entry to a trust anchor recognized by UAs. > > This could be detected by identifying which intermediates have the > key that was used to sign the submission. Regardless, this is not an > attack on the protocol or log implementation - but an ecosystem > issue: Logs that accept a mix of credible and unvetted trust anchors > could always be spammed, and so may not have the same utility as logs > that accept TAs. Signing the entire chain in the submission won't be > useful to TLS clients (because TLS certificates can be served with > different, valid chains), so I think that from a correctness > perspective 6962-bis should just require the log to serve a valid > chain for each entry (which monitors can verify), and if it can't, > then it misbehaved. Presenting different, valid chains is a separate problem so I'm curious what the relevance is? I agree there's nothing 6962-bis needs to do about the multiple chain problem. Regards, Andrew
- [Trans] Mutability of Certificate Signatures Andrew Ayer
- Re: [Trans] Mutability of Certificate Signatures Eran Messeri
- Re: [Trans] Mutability of Certificate Signatures Andrew Ayer
- Re: [Trans] Mutability of Certificate Signatures Eran Messeri
- Re: [Trans] Mutability of Certificate Signatures Andrew Ayer
- Re: [Trans] Mutability of Certificate Signatures Rob Stradling
- Re: [Trans] Mutability of Certificate Signatures Andrew Ayer
- Re: [Trans] Mutability of Certificate Signatures Eran Messeri
- Re: [Trans] Mutability of Certificate Signatures Andrew Ayer
- Re: [Trans] Mutability of Certificate Signatures Rob Stradling