IETF Logo Mail Archive

Re: [Trans] comments on draft-linus-trans-gossip-ct-01

Linus Nordberg <linus@nordu.net> Wed, 25 March 2015 05:58 UTC

Return-Path: <linus@nordu.net>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3238C1ACDC2 for <trans@ietfa.amsl.com>; Tue, 24 Mar 2015 22:58:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.651
X-Spam-Level:
X-Spam-Status: No, score=-3.651 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, GB_I_LETTER=-2, HELO_EQ_SE=0.35, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id unQ3QufIooXJ for <trans@ietfa.amsl.com>; Tue, 24 Mar 2015 22:58:21 -0700 (PDT)
Received: from e-mailfilter02.sunet.se (e-mailfilter02.sunet.se [IPv6:2001:6b0:8:2::202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DC311ACDBC for <trans@ietf.org>; Tue, 24 Mar 2015 22:58:21 -0700 (PDT)
Received: from smtp1.nordu.net (smtp1.nordu.net [IPv6:2001:948:4:6::32]) by e-mailfilter02.sunet.se (8.14.4/8.14.4/Debian-4) with ESMTP id t2P5wFp4029409 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 25 Mar 2015 06:58:15 +0100
Received: from kerio.nordu.net (kerio.nordu.net [109.105.110.42]) by smtp1.nordu.net (8.14.7/8.14.7) with ESMTP id t2P5wBbO025118 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 25 Mar 2015 05:58:14 GMT
VBR-Info: md=nordu.net; mc=all; mv=swamid.se
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nordu.net; s=default; t=1427263094; bh=hPlb1VnpmDVD7Th2/fpIfLNE74bo+PqBluBlrmEPnpU=; h=From:To:Cc:Subject:References:Date:In-Reply-To; b=HqVYXJ1KYSMctwaO1n6ZnznAu3F5kcVdbRmoDQVZOBfH3Gw3Z9eO0OX/4RmdE7Dvs V7llnqbWUWx4Gv+rE6FRx3yTKyvPtbHE5dpgaR0jlLzirXr8t0VfOL8FhwphdRnUJi N3pHmaX9ieTy3J5rN7w8X83meeVeM7OuQ/rlM9NM=
X-Footer: bm9yZHUubmV0
Received: from flogsta ([193.10.5.129]) (authenticated user linus@nordu.net) by kerio.nordu.net (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)); Wed, 25 Mar 2015 07:00:30 +0100
From: Linus Nordberg <linus@nordu.net>
To: Benjamin Kaduk <kaduk@MIT.EDU>
Organization: NORDUnet A/S
References: <alpine.GSO.1.10.1503222238550.22210@multics.mit.edu> <87h9tcge8a.fsf@nordberg.se> <alpine.GSO.1.10.1503231032585.22210@multics.mit.edu> <877fu6c0d2.fsf@nordberg.se> <alpine.GSO.1.10.1503241735030.22210@multics.mit.edu>
Date: Wed, 25 Mar 2015 06:58:08 +0100
In-Reply-To: <alpine.GSO.1.10.1503241735030.22210@multics.mit.edu> (Benjamin Kaduk's message of "Tue, 24 Mar 2015 17:37:25 -0400 (EDT)")
Message-ID: <87y4ml39fz.fsf@nordberg.se>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain
X-Scanned-By: CanIt (www . roaringpenguin . com)
X-Scanned-By: MIMEDefang 2.74 on 109.105.111.32
X-p0f-Info: os=unknown unknown, link=Ethernet or modem
X-CanIt-Geo: ip=109.105.110.42; country=SE; latitude=59.3294; longitude=18.0686; http://maps.google.com/maps?q=59.3294,18.0686&z=6
X-CanItPRO-Stream: outbound-nordu-net:outbound (inherits from outbound-nordu-net:default, nordu-net:default, base:default)
X-Canit-Stats-ID: 0aO7FWfRn - f7f16a4edd9b - 20150325
X-CanIt-Archive-Cluster: PfMRe/vJWMiXwM2YIH5BVExnUnw
Received-SPF: neutral (e-mailfilter02.sunet.se: 109.105.110.42 is neither permitted nor denied by domain linus@nordu.net) receiver=e-mailfilter02.sunet.se; client-ip=109.105.110.42; envelope-from=<linus@nordu.net>; helo=smtp1.nordu.net; identity=mailfrom
Archived-At: <http://mailarchive.ietf.org/arch/msg/trans/0FFthVtM6TbBXbUfTJ6dDMtgwqA>
Cc: trans@ietf.org
Subject: Re: [Trans] comments on draft-linus-trans-gossip-ct-01
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Mar 2015 05:58:25 -0000

Benjamin Kaduk <kaduk@MIT.EDU> wrote
Tue, 24 Mar 2015 17:37:25 -0400 (EDT):

| Ah, looking at the diff makes what is going on more clear.  7c9801f is
| probably not helping very much; there seems to be some issue with the
| conversion process from markdown.  If you look at
| https://tools.ietf.org/html/draft-linus-trans-gossip-ct-01#section-4.1.3 ,
| the bulleted list from the markdown ... isn't.  I have no experience with
| writing I-Ds in markdown, but I am sure there are some experts who can be
| consulted.

Oh! Fixed in e261141.


Benjamin Kaduk <kaduk@MIT.EDU> wrote
Tue, 24 Mar 2015 18:16:06 -0400 (EDT):

| In section 3.1.1, """When the client later reconnects to any HTTPS server
| for the same domain it again receives a set of SCTs.  The client [...]
| MUST send to the server the ones in its store that were not received from
| that server."""  This precludes the client from doing any sort of MITM
| detection and refusing to send SCTs to a (presumed) attacker.  Admittedly,
| the scope of exposure here is pretty small; it seems like the only privacy
| loss would be that attacker A who has MITM'd the client then can learn
| whether the client has *also* been MITM'd by attacker B at some point in
| the past (since presumably the attackers know which SCTs are legitimate).
| But, it is not too much of a stretch to think that three-letter
| organizations might want to know if their target is being attacked by
| someone else.

That's an interesting attack. The best thing I can come up with right
now would be to s/MUST/SHOULD/1 and leave it at that.

I have very little clue about how that would change implementors minds
about the whole thing though. Guidance welcome.


| > | > | > In a related vein, in 3.1.2, should the server be allowed to exclude SCTs
| > | > | > that it considers legitimate?
| > | > |
| > | > | This is an optimization: if a server sends you SCTs A,B,C and then you
| > | > | as a client report back to it "I know about SCTs A, B, and C - it
| > | > | doesn't make a whole lot of sense for a server to report those to the
| > | > | auditor.
| > | > |
| > | > | I suppose; however, that an attacker may feed a server invalid SCTs
| > | > | somehow to 'load it's cache' such that it never reports them. So
| > | > | perhaps yes, it should report the SCTs it knows about to an auditor.
| > | >
| > | > I'm thinking of SCT's being legitimate as a "policy decision" made by
| > | > the operator and not something a piece of software decides. Does this
| > | > make sense? Should we add text to explain this?
| > |
| > | I guess I'm coming at this from the assumption that an auditor will want
| > | to know about all SCTs for a given site, including the "legitimate" ones.
| > | On the other hand, it could be useful for the site to have a way to
| > | indicate to an external auditor which SCTs it believes are legitimate.
| > | But it's not clear that omitting them from the results is the best way to
| > | make that indication, since it is not distinguishable from the site not
| > | knowing about those SCTs.  In short, is the extra complexity of making
| > | this optional justified?
| >
| > Backing up a bit, the question can be posed as whether the optimisation
| > of not sending them all is justified. This is somewhat related to the
| > open question of how (push vs. pull) and how often and much auditors and
| > web servers gossip. Getting an idea about the quantity of data would
| > help. I don't have any numbers at the moment.
| 
| 
| Waiting for data seems like a fine plan for now.
| 
| I do wonder if there should be an explicit way for an auditor to query
| which SCTs are considered "legitimate".

I've been thinking about some "score" mechanism too. My gut feeling is
that it complicates an already complicated matter. Open to suggestions
though.


| Hmm, re-reading the document just now I noticed a new issue -- in section
| 3.1.1 ("HTTPS client to server"), the first enumerated action is not
| required for interoperability, so I don't think MUST is appropriate.  (It
| is explicitly disclaimed as "a pure optimization".)

Right. I think I fixed that in d07126a.


Benjamin Kaduk <kaduk@MIT.EDU> wrote
Wed, 25 Mar 2015 00:17:26 -0400 (EDT):

| It looks like the other one was in 3.1.2, "HTTPS servers MUST NOT share
| any other data that they may learn from the submission of SCTs by HTTP
| clients".  My immediate response to that statement was "what goes wrong if
| a server misbehaves?"  Thinking about it now, it seems like the answer is
| "not very much, compared to a misbehaving server which does not implement
| CT", but confirmation would be nice.  Maybe my response to this line of
| thought would be to remove the RFC 2119 language and just ensure it's in
| the security/privacy considerations, but it's probably not a big deal
| either way.

We are giving server implementors a new vehicle to hurt the privacy of
their clients. It seems proper to make sure it's not being used for
that.

That said, I'm not well versed in 2119 language. I'll wait for more
comments on this.

Thanks!

v2.23.0 | Report a Bug | By Email