[Trans] Benjamin Kaduk's Discuss on draft-ietf-trans-rfc6962-bis-31: (with DISCUSS and COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Thu, 14 March 2019 14:09 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: trans@ietf.org
Delivered-To: trans@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 5617A130E5B; Thu, 14 Mar 2019 07:09:27 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-trans-rfc6962-bis@ietf.org, Paul Wouters <paul@nohats.ca>, trans-chairs@ietf.org, paul@nohats.ca, trans@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.94.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <155257256734.2691.16242192957909565560.idtracker@ietfa.amsl.com>
Date: Thu, 14 Mar 2019 07:09:27 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/2Sc26GMFwQnTRl5DEEk_-51ABFU>
Subject: [Trans] Benjamin Kaduk's Discuss on draft-ietf-trans-rfc6962-bis-31: (with DISCUSS and COMMENT)
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2019 14:09:28 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-trans-rfc6962-bis-31: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-trans-rfc6962-bis/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- First off, thanks for this well-written document! I intend to ballot Yes, but there are a few issues that need to be resolved first. Sections 4.11 and 4.12 have arrays of NodeHash to carry consistency and inclusion proofs, respectively, with minimum array size of 1. However, Sections 2.1.4.1 and 2.1.3.1 (respectively) seem to admit the possibility of zero-length proofs in degenerate cases, which the aforementioned protocol description language forbids the conveyance of. (Section 5.3 explicitly requires the use of an empty consistency proof.) Do those minimum array sizes need to be (implicit) zero? (If they do not, it seems that a minimum size of 32 would have the same effect as that of one, since a NodeHash has minimum size 32.) I support Alexey's Discuss regarding the registration of a "urn:ietf:params:trans:error" URN namespace. In Section 6: o An Online Certificate Status Protocol (OCSP) [RFC6960] response extension (see Section 7.1.1), where the OCSP response is provided in the "CertificateStatus" message, provided that the TLS client included the "status_request" extension in the (extended) "ClientHello" (Section 8 of [RFC6066]). [...] This is not quite a TLS 1.3-compliant formulation -- TLS 1.3 does not use the "CertificateStatus message", but rather uses the encoding of that structure in a status_request extension in the CertificateEntry. I also think we need greater clarity on the (non-)usage of CT for TLS client certificates; see COMMENT I also support Alissa's Discuss. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Since the 64-bit timestamp format (milliseconds since epoch) is used in multiple places, there is perhaps room for consolidation into a single definition. Section 1 Do we need to provide a definition or reference for "public certification authority"? It is necessary to treat each log as a trusted third party, because the log auditing mechanisms described in this document can be circumvented by a misbehaving log that shows different, inconsistent views of itself to different clients. Whilst it is anticipated that additional mechanisms could be developed to address these shortcomings and thereby avoid the need to blindly trust logs, such mechanisms are outside the scope of this document. Doesn't Section 11.3 discuss/link to some (partial) mechanisms to detect misbehaving logs? It's not clear that "anticipated" is quite the right terminology to use here, then... Section 2.1.1 We have established a registry of acceptable hash algorithms (see Section 10.2). [...] It's not clear that we need to use the first person here. Section 2.1.2 When a client has a complete list of n input "entries" from "0" up to "tree_size - 1" and wishes to verify this list against a tree head "root_hash" returned by the log for the same "tree_size", the following algorithm may be used: This seems to imply that n equals "tree_size"; do we want to normalize to one name or the other? 3. If there is more than one element in the "stack", repeat the same merge procedure (Step 2.3 above) until only a single element remains. nit: we just want the sub-sub-bullets of 2.3, and not the "repeat merge_count times" part, since "merge_count" is not defined in this scope? Section 2.1.3.2 IMPORTANT: We need to define/specify what "leaf_index" is. Section 2.1.4.1 SUBPROOF(m, D[m], true) = {} I don't remember seeing the "D[m]" notation defined; is this a typo for something else? If m <= k, the right subtree entries D[k:n] only exist in the current tree. We prove that the left subtree entries D[0:k] are consistent and add a commitment to D[k:n]: SUBPROOF(m, D_n, b) = SUBPROOF(m, D[0:k], b) : MTH(D[k:n]) This 'b' is always 'false', right? Section 2.2 Various data structures Section 1.2 are signed. A log MUST use one of the signature algorithms defined in Section 10.3. A literal reading of this forbids any algorithms registered in the future but not listed in this document; we probably want to say "listed in the registry defined in". Section 3.2 o "SignedData.digestAlgorithms" MUST only include the "SignerInfo.digestAlgorithm" OID value (see below). nit: this could be misread as saying that there is a single distinguished OID that has symbolic name "SingerInfo.digestAlgorithm"; we just want this one to match the one in the SignerInfo in the SignedData.signerInfos, so maybe something about "same as" would avoid the ambiguity. Section 4.1 Maximum Chain Length: The longest chain submission the log is willing to accept, if the log imposes any limit. Is the absence of a limit indicated by the absence of the parameter or a distinguished sentinel value? Final STH: If a log has been closed down (i.e., no longer accepts new entries), existing entries may still be valid. In this case, the client should know the final valid STH in the log to ensure no new entries can be added without detection. The final STH should be provided in the form of a TransItem of type "signed_tree_head_v2". Is this a lowercase "should" or a "SHOULD" or a "MUST"? (How else would it be provided?) Do we need to say that the Final STH is not provided for a log that is still accepting submissions? Section 4.4 Note that the ASN.1 length and the opaque vector length are identical in size (1 byte) and value, so the DER encoding of the OID can be reproduced simply by prepending an OBJECT IDENTIFIER tag (0x06) to the opaque vector length and contents. nit: maybe "full DER encoding (including tag and length)" to contrast with the previous paragraph? OIDs used to identify logs are limited such that the DER encoding of their value is less than or equal to 127 octets. This seems to be a new requirement to this spec, in which case RFC 2119 language would be appropriate? Section 4.7 "sct_extensions" matches the SCT extensions of the corresponding SCT. Is this supposed to imply the ordering and non-duplication requirements? (If it does not, then recreating the log entry from the SCT for signature validation could prove difficult.) Sections 4.9, 4.10 Do we really want to allow for zero-length signatures in the structure definition? Section 4.11 "consistency_path" is a vector of Merkle Tree nodes proving the consistency of two STHs. A backreference to Section 2.1.4 might be helpful. Section 4.12 "inclusion_path" is a vector of Merkle Tree nodes proving the inclusion of the chosen certificate or precertificate. A backreference to Section 2.1.3 might be helpful. Section 5 Sometimes documents using base64 note explicitly that the padding characters are (or aren't) included; 4648 is fairly clear that the default is to include the padding characters, so there isn't necessarily any change needed here. Section 5.1 chain: An array of zero or more base64 encoded CA certificates. The first element is the certifier of the "submission"; the second certifies the first; etc. The last element of "chain" (or, if "chain" is an empty array, the "submission") is certified by an accepted trust anchor. I'm reading this to be a JSON array of strings; is that correct, and do we want to be more explicit about it ("no" may well be fine)? If "submission" is an accepted trust anchor whose certifier is neither an accepted trust anchor nor the first element of "chain", then the log MUST return the "unknown anchor" error. A log cannot generate an SCT for a submission if it does not have access to the issuer's public key. Is this a descriptive "cannot" or a normative "MUST NOT"? If the returned "sct" is intended to be provided to TLS clients, then "sth" and "inclusion" (if returned) SHOULD also be provided to TLS clients (e.g., if "type" was 2 (for "precert_sct_v2") then all three "TransItem"s could be embedded in the certificate). nit: the grammar is a bit weird around the second "then", maybe ", so that" is easier to read? Section 5.4 IMPORTANT: The input to get-proof-by-hash has a "tree_size" but the processing discussion refers to a single "requested STH". It does not seem like the one uniquely determines the other, since there could be multiple valid STHs for a given tree size (e.g., if there are no submissions for more than the MMD). Is the intent to supply an STH as input, or is there otherwise need for further clarity here? inclusion: A base64 encoded "TransItem" of type "inclusion_proof_v2" whose "inclusion_path" array of Merkle Tree nodes proves the inclusion of the chosen certificate in the selected STH. We don't seem to define "chosen certificate"; do we just want to refer to the (input) leaf hash? Section 5.5 [similar note about tree_size/STH mapping] Similarly, we talk about "index of requested hash", which is at least unambiguous (IIUC), but we don't give a description of how the server could/should determine. [same comment about "chosen certificate"] Section 5.6 submitted_entry: JSON object representing the inputs that were submitted to "submit-entry", with the addition of the trust What does "representing" mean? (In particular, does it use the same JSON structure?) Section 5.7 There is not a note here about how no signature is required on the results, and in fact this data does seem to only be authenticated by the surrounding TLS connection. Perhaps it's worth making a note of that. Section 6 CT-using TLS servers MUST use at least one of the three mechanisms listed below to present one or more SCTs from one or more logs to each TLS client during full TLS handshakes, where each SCT This MUST may need some caveats, given that the server can't use TLS extensions not offered first by the client. So maybe it has to be "each CT-using TLS client". Section 6.1 o One or more logs may not have become acceptable to all CT-using TLS clients. nit: are we concerned about (new?) logs potentially becoming acceptable to clients, or logs acceptable to clients becoming no longer accepted (or both)? Section 6.3 In each "TransItemList" that is sent to a client during a TLS nit: I don't know that "to a client" is needed; the server can just as well use CT for client certificates, right? o The TLS server MUST construct a "TransItemList" of relevant "TransItem"s (see Section 6.3), which SHOULD omit any "TransItem"s that are already embedded in the server certificate or the stapled OCSP response (see Section 7.1). If the constructed "TransItemList" is not empty, then the TLS server MUST include the "transparency_info" extension with the "extension_data" set to this "TransItemList". Am I allowed to send an empty "transparency_info" extension if the TransItemList is empty? TLS servers MUST only include this extension in the following messages: o the ServerHello message (for TLS 1.2 or earlier). o the Certificate or CertificateRequest message (for TLS 1.3). Servers sending it in CR implies that clients can send it in Certificate (heh, the normal "CT" abbreviation is not really usable in this context), but we don't explicitly say that. Section 10.3 I'm confused by this registry. Is the SignatureScheme value required to come from/match the TLS SignatureScheme registry? Is anything going to key off that value or otherwise use the value in a protocol data structure? (Why are there two entries for 0x0403?) Section 10.5 All OIDs in the range from 1.3.101.8192 to 1.3.101.16383 have been reserved. This is a limited resource of 8,192 OIDs, each of which has an encoded length of 4 octets. The table says "Unassigned"; which is it? Section 11.1 This seems to be making some unstated assumptions, including perhaps that someone has actually submitted the misissued certificate in question to a log (in order to support the claim that the maximum time it can be used without audit is twice the MMD). Section 11.3 We may want to note the potential privacy concerns relating to gossip and similar mechanisms, at least in passing. I do see Section 11.4, though there's not a terribly tight linkage in the text, and 11.4 may not have comprehensive coverage of all privacy considerations. Section 13.2 I think that RFCs 6234 and 6979 may need to be normative, since they're needed for the signature/hash algorithms that are specified for use.
- [Trans] Benjamin Kaduk's Discuss on draft-ietf-tr… Benjamin Kaduk via Datatracker