IETF Logo Mail Archive

Re: [Trans] Write-up of the "Strict CT" variant

Jacob Hoffman-Andrews <jsha@eff.org> Tue, 06 June 2017 19:28 UTC

Return-Path: <jsha@eff.org>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 942631294B2 for <trans@ietfa.amsl.com>; Tue, 6 Jun 2017 12:28:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.002
X-Spam-Level:
X-Spam-Status: No, score=-7.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=eff.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kwUV3elsUe3t for <trans@ietfa.amsl.com>; Tue, 6 Jun 2017 12:28:20 -0700 (PDT)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64C0F1242EA for <trans@ietf.org>; Tue, 6 Jun 2017 12:28:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=Content-Type:In-Reply-To:MIME-Version:Date:Message-ID:From:References:To:Subject; bh=+i0uLMHX4WwSGPmZeNxwkkUBskS+q+8PaLfcIYon1To=; b=uhOcgnvNnfiBG6SKvX55/l+/1d/b+ri9iSP2FXa2PXze87WOL3zLXnjVtaNE4SYja1Y1Ju6MMoofFk+OsM/4Q66dGL2qidYw4rZhLTcRcxcIYX6KPMlMhA1/XFk0vRL+1Yw+blr/A+JLZAGkPb02tRbNWXxrQljey5JB43ff4tA=;
Received: ; Tue, 06 Jun 2017 12:28:19 -0700
To: Eran Messeri <eranm@google.com>, "trans@ietf.org" <trans@ietf.org>
References: <CALzYgEeUCmj4BgY7uKdMnsvTcbvfAunquuqHxD7FxuzZxY1=Fg@mail.gmail.com>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <0dd84938-9625-c6c8-5f31-d5d0d0683c5c@eff.org>
Date: Tue, 06 Jun 2017 12:28:19 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1
MIME-Version: 1.0
In-Reply-To: <CALzYgEeUCmj4BgY7uKdMnsvTcbvfAunquuqHxD7FxuzZxY1=Fg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------FBE777B7AC7CDBBBC37E87CF"
Content-Language: en-US
Received-SPF: skipped for local relay
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/8HU7ycSzeHDAj4zmPRFcKGRH_Fc>
Subject: Re: [Trans] Write-up of the "Strict CT" variant
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Jun 2017 19:28:23 -0000

I'll echo what Filippo said and say that fast issuance (order of
minutes) is important, and anything that breaks fast issuance for new
sites (or for sites moving between providers) is a problem. In the long
run, getting a certificate will be part of standing up a web site just
as much as getting DNS and hosting are today. Are we willing to ask the
web to accept a delay of 24 hours for any new site? I think that would
be a big step backwards.

On 05/23/2017 05:42 AM, Eran Messeri wrote:
> Options for dealing with the delayed usability of certificates:
>
>   * Opt-in: servers requires presence of proofs via header / X.509
>     extension [6].
>
This seems like the most plausible option, with the same caveats as HSTS
about first visit. However, if Strict CT is only applied for a small
number of sites that opt in, is it worth the extra ecosystem complexity?
It seems like Strict CT on an opt-in basis would not be a meaningful
substitute for gossip.

> Certificate is used immediately, only with SCT: Clients accept
certificates only with SCTs for a limited duration; after that an
inclusion proof must be accompanied [4].
> [4] That requires auditing logs asynchronously, since an attacker with
persistent access could keep getting new SCTs issued, or some clients
may not have fresh STHs because they missed some updates.

This seems potentially promising but I think it has some flaws. Would
this auditing be done by the logs themselves, or by monitors? IIUC, logs
are allowed to produce infinite SCTs for the same cert once they've
logged it, and they don't have to produce the list of SCTs they've
signed. So the only party that could meaningfully audit for excessive
SCT generation would be the log itself, which is the party we're trying
to defend against.

v2.23.0 | Report a Bug | By Email