Re: [Trans] Gossip: Unsticking a client caught with potential evidence of log misbehavior

Ben Laurie <benl@google.com> Fri, 23 October 2015 09:25 UTC

From: Ben Laurie <benl@google.com>
Date: Fri, 23 Oct 2015 09:24:48 +0000
Message-ID: <CABrd9SQT1quq1Rup4onF=+qAcBTcdc7vyyygW__jmXqHr=hqYQ@mail.gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Tom Ritter <tom@ritter.vg>, Linus Nordberg <linus@nordu.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/trans/49Gbg1pbnj0iTeZ_CcdG4VuAgcg>
Cc: Katriel Cohn-Gordon <me@katriel.co.uk>, Robin Wilton <wilton@isoc.org>, Eran Messeri <eranm@google.com>, "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] Gossip: Unsticking a client caught with potential evidence of log misbehavior

On Thu, 22 Oct 2015 at 23:49 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
wrote:

> On Thu 2015-10-22 06:23:35 -0400, Ben Laurie wrote:
> > On Thu, 22 Oct 2015 at 03:16 Tom Ritter <tom@ritter.vg> wrote:
> >> On 21 October 2015 at 08:52, Linus Nordberg <linus@nordu.net> wrote:
> >> > Impractical since the browser would have to know which domain that
> >> > example.com has delegated its SCT Feedback to.
> >>
> >> This is an engineering problem I don't see a neat solution to. So
> >> obviously the solution is a new HTTP header! SCT-Feedback:
> >>
> >> https://uncle-neds-discount-hanggliding-and-sct-feedback-correlator.website/google.com/
> >> ;)
> >
> > Quite so.
>
> I can't tell how much people are kidding around here -- I see Tom's
> winky emoticon, at least.
>
> But which version of the site should get to declare where the delegation
> should happen -- the version that has the bogus cert with SCTs from the
> colluding logs, or the "real" version?
>

If you report every SCT you've seen to whichever site the session with a
new SCT says, then eventually the good guy gets to see the bogus SCTs,
right?

In fact, you probably only need to report the previous SCT to the next
SCT...


>      --dkg
>
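
The reporting rule from the reply above ("report the previous SCT to the next SCT"), as an added simulation that is not part of the original message or of any CT implementation. The session tuples, endpoint URLs and SCT labels are constructed placeholders, and the model assumes each session names its own feedback endpoint.

```python
from collections import defaultdict

# Constructed sample sessions: (domain, SCT label, feedback endpoint the session names).
REAL = ("example.com", "sct-real", "https://feedback.real.example/")
BOGUS = ("example.com", "sct-bogus", "https://feedback.attacker.example/")


class GossipClient:
    """Keeps one SCT per domain and forwards it when a different one shows up."""

    def __init__(self):
        self.last_sct = {}                   # domain -> most recent SCT seen
        self.delivered = defaultdict(list)   # endpoint -> SCTs reported to it

    def on_session(self, domain, sct, feedback_endpoint):
        prev = self.last_sct.get(domain)
        if prev is not None and prev != sct:
            # Report the previous SCT to whichever endpoint the new session names.
            # The client does not need to know which endpoint is the honest one.
            self.delivered[feedback_endpoint].append(prev)
        self.last_sct[domain] = sct


def run(sessions):
    """Replay sessions in order; return endpoint -> list of SCTs reported there."""
    client = GossipClient()
    for domain, sct, endpoint in sessions:
        client.on_session(domain, sct, endpoint)
    return dict(client.delivered)


def good_guy_sees_bogus(sessions):
    """True once the real site's endpoint has received the bogus SCT."""
    return "sct-bogus" in run(sessions).get(REAL[2], [])


if __name__ == "__main__":
    # The bogus SCT reaches the real endpoint only after a later real session.
    for trace in ([REAL, BOGUS], [REAL, BOGUS, REAL], [BOGUS, BOGUS, REAL]):
        print([s[1] for s in trace], "->", good_guy_sees_bogus(trace))
```

In this model the real endpoint learns of the bogus SCT only when a session with the real site follows a bogus one, which is the "eventually" in the reply; a client that only ever sees the bogus site delivers nothing to it.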