IETF Logo Mail Archive

Re: [Trans] comments on draft-linus-trans-gossip-ct-01

Benjamin Kaduk <kaduk@MIT.EDU> Mon, 23 March 2015 15:50 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E08471A92B1 for <trans@ietfa.amsl.com>; Mon, 23 Mar 2015 08:50:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jRKxV2-sORYm for <trans@ietfa.amsl.com>; Mon, 23 Mar 2015 08:50:34 -0700 (PDT)
Received: from dmz-mailsec-scanner-5.mit.edu (dmz-mailsec-scanner-5.mit.edu [18.7.68.34]) by ietfa.amsl.com (Postfix) with ESMTP id 6D3AF1A92B7 for <trans@ietf.org>; Mon, 23 Mar 2015 08:50:30 -0700 (PDT)
X-AuditID: 12074422-f79cb6d000000d7b-22-551036457005
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-5.mit.edu (Symantec Messaging Gateway) with SMTP id 1D.3F.03451.54630155; Mon, 23 Mar 2015 11:50:29 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id t2NFoSG8005016; Mon, 23 Mar 2015 11:50:29 -0400
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t2NFoQoY016021 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 23 Mar 2015 11:50:28 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id t2NFoQe5022125; Mon, 23 Mar 2015 11:50:26 -0400 (EDT)
Date: Mon, 23 Mar 2015 11:50:26 -0400
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Linus Nordberg <linus@nordu.net>
In-Reply-To: <87fv8wge7h.fsf@nordberg.se>
Message-ID: <alpine.GSO.1.10.1503231043340.22210@multics.mit.edu>
References: <alpine.GSO.1.10.1503222238550.22210@multics.mit.edu> <CA+cU71nN3f7TSoda_DOUzt5YVDzOmyLVhu8f9bR9hg42QNCLkw@mail.gmail.com> <87fv8wge7h.fsf@nordberg.se>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrGIsWRmVeSWpSXmKPExsUixCmqrOtqJhBq0HnD1GL7vPdMFuuOHWe0 WPv4IosDs8eSJT+ZPLovzmH0ePmyhS2AOYrLJiU1J7MstUjfLoEro/1YaMEzzYojL04zNjDO Uuxi5OSQEDCROH5mGiOELSZx4d56ti5GLg4hgcVMEiuvXWOCcDYySnT+X8IM4Rxiktgx5T0b SIuQQAOjxOM3ll2MHBwsAtoSjct8QcJsAioSM99sBCsRAbLXbZ3NBGIzC+hJrDyzjgXEFhaw l5jW9hgszimgKfH71iZ2EJtXwFHi75KZULsWM0q8f/IG7DxRAR2J1funsEAUCUqcnPmEBWKo lsTy6dtYJjAKzkKSmoUktYCRaRWjbEpulW5uYmZOcWqybnFyYl5eapGuqV5uZoleakrpJkZQ 8LK7KO1g/HlQ6RCjAAejEg/vhSD+UCHWxLLiytxDjJIcTEqivBvUBEKF+JLyUyozEosz4otK c1KLDzFKcDArifDWg+R4UxIrq1KL8mFS0hwsSuK8m37whQgJpCeWpGanphakFsFkZTg4lCR4 f5sANQoWpaanVqRl5pQgpJk4OEGG8wANvw1Sw1tckJhbnJkOkT/FqCglznsfJCEAksgozYPr hSWXV4ziQK8I83KYAlXxABMTXPcroMFMQIPP5fOBDC5JREhJNTDqr7v344zWVdf/4etd3gmx pX6e++LH1aC5chKPRR0SAqfGxV/4Gjf1jOzDp+fiOhhmmrB/ul+c8OhsYoP/BI9/p++l7mdR eXZXp9bntcDpprymvd0q+eZbtSYV3Z9ptXP7xefauoW/XNZsZTmpF8W16f6uzUcnM1hnme/k fLbyfHOh9qbjK9lPK7EUZyQaajEXFScCAMFAbHkJAwAA
Archived-At: <http://mailarchive.ietf.org/arch/msg/trans/8bfOBfUU3v-GyYBvDt6oh2ETfQI>
Cc: trans@ietf.org, Tom Ritter <tom@ritter.vg>
Subject: Re: [Trans] comments on draft-linus-trans-gossip-ct-01
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Mar 2015 15:50:40 -0000

On Mon, 23 Mar 2015, Linus Nordberg wrote:

> Tom Ritter <tom@ritter.vg> wrote
> Sun, 22 Mar 2015 22:38:48 -0500:
>
> | > I'm not
> | > sure that the client wants to always trust the server, given that the
> | > scheme is positing a universe where some clients will sometimes
> | > successfully connect to hostile servers supplied with fraudulent
> | > certificates (that validate) by the attacker.
> |
> | The client is trusting that it will eventually connect to a behaving
> | server and that a server is interested in detecting mis-issuance for
> | itself. Another way to phrase it is that a client is not cordoned off
> | for a given server once and forever, with no way to ever connect to
> | the valid server again

I know that, and you know that, but we want to make sure that the document
says that as well.  Linus's suggestion below is a good start.

But this is still not really addressing the issue I was trying to raise.
Yes, the goal of this protocol is to enable a client and server to
cooperate to detect misbehavior by third parties.  But that does not
absolve us of a responsibility to analyze the situation where one of the
client and/or server misbehaves, and document the security and privacy
considerations in that case.

> | If it's not clear that the client does not empty it's SCT cache into a
> | server and say "Okay, I'm all set" -then it should be made so. The
> | client doesn't do that. It retains SCTs and reports them according to
> | some unspecified UA algorithm. (exponential backoff plus
> | randomization?)
>
> Branch sct-feedback of https://github.com/ln5/internet-drafts.git makes
> an initial attempt at explaining this [1]. Improved wording is welcome!
>
> [1] https://github.com/ln5/internet-drafts/commit/6310b87e826d0a6f650fa39532932d24176b7cbe

That is helpful.

Could we also add a paragraph to the end of the introduction motivating
clients sending SCTs to servers due to it not presenting an additional
privacy leak?  Perhaps something like:

"""
However, there is no loss in privacy if a client sends SCTs for a given
site to the site named in the SCT, since the site's access logs would
already indicate that the client is accessing that site.  In this way a
site can accumulate records of SCTs that have been issued by various logs
for that site, providing a consolidated repository of SCTs which can be
queried by an auditor interested in that site (such as the site's owner
itself).
"""


> | > In a related vein, in 3.1.2, should the server be allowed to exclude SCTs
> | > that it considers legitimate?
> |
> | This is an optimization: if a server sends you SCTs A,B,C and then you
> | as a client report back to it "I know about SCTs A, B, and C - it
> | doesn't make a whole lot of sense for a server to report those to the
> | auditor.
> |
> | I suppose; however, that an attacker may feed a server invalid SCTs
> | somehow to 'load it's cache' such that it never reports them. So
> | perhaps yes, it should report the SCTs it knows about to an auditor.
>
> I'm thinking of SCT's being legitimate as a "policy decision" made by
> the operator and not something a piece of software decides. Does this
> make sense? Should we add text to explain this?

I guess I'm coming at this from the assumption that an auditor will want
to know about all SCTs for a given site, including the "legitimate" ones.
On the other hand, it could be useful for the site to have a way to
indicate to an external auditor which SCTs it believes are legitimate.
But it's not clear that omitting them from the results is the best way to
make that indication, since it is not distinguishable from the site not
knowing about those SCTs.  In short, is the extra complexity of making
this optional justified?

> | > I'm also a little confused by the last paragraph of 3.1.2, "the selection
> | > MUST NOT be influenced by potential HTTPS clients connecting directly to
> | > the auditor".  It seems like the only risk of allowing a client to request
> | > monitoring for a given site is additional resource usage by the server
> | > (assuming the client is aware of the privacy considerations of making such
> | > a request).  I suspect that there is a valid concern here, but the text as
> | > written may be overly broad.
> |
> | It's designed to prevent the following traffic analysis:
> |
> | - Adversary is watching traffic of the auditor and client, and wants
> | to learn historical client behavior
> | - Client connects to an auditor and sends a bunch of SCTs over HTTPS
> | - Auditor immediately goes and queries all the domains the client sent for
> | - Adversary learns which domains the client sent in SCTs for
>
> Should we add text explaining this? Should explanations like this go
> into "Security considerations", refering to appropriate sections (like
> 3.1.2. in this particular case)?

I think it would be fine to mention this in 4.1.2 (near "SCTs [are]
sensitive data").

I still think it is possible for a properly-written auditor to add sites
to monitor in a way which does not expose client information via traffic
analysis (i.e., probabilistic/staggered/delayed queries), but I am willing
to conced that getting it right is sufficiently hard that we should not be
recommending it.

-Ben

v2.23.0 | Report a Bug | By Email