IETF Logo Mail Archive

Re: [Trans] The RFC6979 requirement in RFC6962-bis is bad

Al Cutter <al@google.com> Thu, 25 May 2017 15:29 UTC

Return-Path: <alcutter@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16B841294C8 for <trans@ietfa.amsl.com>; Thu, 25 May 2017 08:29:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E1twt4rIh8xB for <trans@ietfa.amsl.com>; Thu, 25 May 2017 08:29:51 -0700 (PDT)
Received: from mail-pf0-x22c.google.com (mail-pf0-x22c.google.com [IPv6:2607:f8b0:400e:c00::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 067CF127873 for <trans@ietf.org>; Thu, 25 May 2017 08:29:50 -0700 (PDT)
Received: by mail-pf0-x22c.google.com with SMTP id e193so170571729pfh.0 for <trans@ietf.org>; Thu, 25 May 2017 08:29:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=74yzqQvDnBSFnMXJMIZr7XKxed/nddMz60I7bNnDjcs=; b=g4WUHj33vLtKt6oNbtl89C2fjB5PXo5ArIEskr1BjNsLjwUEnZjlEItJiOlJN7mKOz Je8Jquwq68+Y3rBHyLsD4HLVMGCPrcx8lbtJlCdTJ6YesYlBdEJlPNDtBazbzmySYaGA /TBatkOFegZmSJSLHiIrMGXkmIiscbHETp9UIDkbePezJugRLhbAu9r8/bBTw3LGgAwi ek39D6g19bTPZklYmTpWNUw6U+oaLke26LkGgUxs333NtDF2Zu71TQXpB+S9uFyITvJO SC1zeTUWkN1pOxvDiDOw7uEqnDT3hLWlnBn4eEaHOa48cTRfe7tgU7MyxMF6iFi5E2GL tSSw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=74yzqQvDnBSFnMXJMIZr7XKxed/nddMz60I7bNnDjcs=; b=K+oEoXCU4j7oTtf7YLwYbO5RGBmSSSGodg9qDCqEp9UhIAhtGVzv+79pOcYrjeSKqT DbP+2yq2j7iZTDMBUCIdyD1PA4mXeTL8E5iAVztccqzgCLCyEXixdfrXDZMZ/1xre6lm aqt9DlB5/lNeWLnCHhJzg1rSLo9E+0sYTb2vQhA76swMc41PwKV3F56NVpGsWTsLBGso ORoyJbQ+4rGpL8lBQSOTyScPZTE8sL7brkSHEmrq8T173EbsxNL28OxaoKyfHcwamy4o QhHFQ7mfXrtXSEBJBY+CkHf25/ZmRSD22Gg5kViQE8BfZ8OPbiaIukwL/8XNmzuCCukt +c4w==
X-Gm-Message-State: AODbwcApVps0tf3Sgx3n9YxRhe7hLU1i8sKu9coqEukWhwjr8KZl5pVi nZEKG6nTwu9E1iemZlB2Q9iZy8JYSHjy
X-Received: by 10.84.173.195 with SMTP id p61mr51246632plb.83.1495726190368; Thu, 25 May 2017 08:29:50 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.170.133 with HTTP; Thu, 25 May 2017 08:29:49 -0700 (PDT)
In-Reply-To: <20170524123347.a149b03ded187d3188906713@andrewayer.name>
References: <CAFewVt5z3sq-Occ1VaHeNeBvt1yyCM_3_nssZSu2f_PBEL4SFQ@mail.gmail.com> <CA+cU71kBmKsxyvsmpuF6UAzP+fict3v62gEq_iKY-O2P07ZRLw@mail.gmail.com> <87pofiif6g.fsf@nordberg.se> <CA+cU71kVV_o30p-+dGdLT9Hpg+iiW5KgG-9xJD9iVCEHwhLg6w@mail.gmail.com> <CALzYgEeHpxRSxpQTSPasdahWXdzV8bGMV_R4HM02oscHrm8TWw@mail.gmail.com> <87inl25r8l.fsf@nordberg.se> <CALzYgEdunZXRmGtStGhfJHdHeytk3etYLNtAvFgf3bN2-6EyXQ@mail.gmail.com> <CALzYgEeCVnWG19F79OSwCC+iPArZbGGaBZYrKP2MWWdEDGVHVg@mail.gmail.com> <871srhvunx.fsf@nordberg.se> <20170524123347.a149b03ded187d3188906713@andrewayer.name>
From: Al Cutter <al@google.com>
Date: Thu, 25 May 2017 16:29:49 +0100
Message-ID: <CACM=_Ocwi0NNO8xvUqjvOAgqQOzJtvrWmvEetwkDEONS2UmARw@mail.gmail.com>
To: Andrew Ayer <agwa@andrewayer.name>
Cc: Linus Nordberg <linus@sunet.se>, Eran Messeri <eranm@google.com>, "trans@ietf.org" <trans@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c11959c42aae805505ae434"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/7d9Rom3pUr3T9YsDR8TB0nDFzPk>
Subject: Re: [Trans] The RFC6979 requirement in RFC6962-bis is bad
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 May 2017 15:29:53 -0000

On 24 May 2017 8:33 pm, "Andrew Ayer" <agwa@andrewayer.name> wrote:

On Mon, 22 May 2017 16:21:54 +0200
Linus Nordberg <linus@sunet.se> wrote:

> Hi,
>
> It should be clear by now that I'd be sad if 6962bis would allow logs to
> return a different stream of bytes for the same ingoing parameters, for
> SCTs and STHs, but more interesting would be to hear other wg members
> views on the balance we're trying to strike.

I would also be sad - particularly in the case of STHs.  I may be
willing to give up mandatory consistent SCT signatures, since
privacy with SCTs might be a lost cause anyways, and because it's
hard for logs to ensure consistent SCT signatures without using
deterministic signatures (due to the need to issue SCTs from many
different frontends).  However, it doesn't seem hard for logs to have
consistent STH signatures.

> Regarding current deployment, are there any 6269bis logs deployed yet?

I don't know of any.  However, it may be interesting to note that of
the 31 publicly-known RFC6962 logs[1], all but two (Clicky and Behind
the Sofa) return the same signature for repeated get-sth requests, which
suggests that this is not a difficult requirement for STHs.  The two
logs which return a new signature for each get-sth request are running
Trillian. It would be interesting to hear from the Trillian developers
why Trillian behaves this way and whether it would be difficult to
persist STH signatures as other implementations do.


The short answer is because we've not built any support for doing that yet
:)

The slightly longer answer is that Trillian is a General Transparency
implementation, rather than a CT implementation, and there are some
divisions of responsibility in there:
  - Trillian maintains the trees of opaque blobs, updating them with
batches of new entries, and creates Trillian Tree Heads (signed with
Trillian tenant keys) for each update.
 - Then there's a CT 'personality' layer in front which uses Trillian APIs
to build a CT log, and that, currently, has no distributed state, so each
instance of this personality creates a CT STH from the data in the latest
Trillian Tree Head, and signs that with the CT log's key.

The CT personality layer could certainly be extended to somehow select and
"bless" STHs in some fashion.  This idea of logging STHs would also provide
a nice mechanism for doing that, as it happens :)


> Regarding correctness vs. completeness, what in -24 is incorrect with
> this regard?
>
> Regarding added cost of implementation, using RSA is an option.
>
> Regarding gossip unclearity, the suggested change risks making it harder
> to get STH gossip going.

Agreed.  We may never know how necessary consistent STH signatures are
if attempts to experiment with STH gossip are stillborn due to privacy
concerns.  It would make more sense to start out with a strong
requirement, and loosen it later if it turns out to be unnecessary.

Regards,
Andrew

[1] https://sslmate.com/labs/ct_ecosystem/ecosystem.html

_______________________________________________
Trans mailing list
Trans@ietf.org
https://www.ietf.org/mailman/listinfo/trans

v2.23.0 | Report a Bug | By Email