IETF Logo Mail Archive

Re: [Trans] Write-up of the "Strict CT" variant

Phillip Hallam-Baker <ietf@hallambaker.com> Wed, 07 June 2017 15:45 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7235812ECA5 for <trans@ietfa.amsl.com>; Wed, 7 Jun 2017 08:45:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.398
X-Spam-Level:
X-Spam-Status: No, score=-2.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2GHa4n_u1dk1 for <trans@ietfa.amsl.com>; Wed, 7 Jun 2017 08:44:56 -0700 (PDT)
Received: from mail-oi0-x22f.google.com (mail-oi0-x22f.google.com [IPv6:2607:f8b0:4003:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5351A1294BF for <trans@ietf.org>; Wed, 7 Jun 2017 08:44:56 -0700 (PDT)
Received: by mail-oi0-x22f.google.com with SMTP id h4so7291075oib.3 for <trans@ietf.org>; Wed, 07 Jun 2017 08:44:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=oGWMMg2Xavlg72fMVxcaLFVxvP3fgOy8nsfiYoEgCAs=; b=HqvTQFIEflZ4ccZVc+7nuYIMFlGr0tZkqUtBrK8EohHpPHsBfDkT/reAwUYiFgDjO1 v6afua/Mfh7158iNF2xuPLD4aUUEgW33/L+MSsse81Mb22XnlrkPiozBQ7AzMo7u8KXO hHyAZo/XKWRU24mVAq/WfJa8PaTujFzAIOAreif/cS0NOGnYrDYv0IPXypBZfi7VRrrj pQW/TqTerY+UilNCQ7+TfIWsjVOu/31mcrHPxXl2+RJv0g0sMDsQylEoHtMn8YtTiuBT VPsuUpgeKJ9VF1g0YiUugZhHHhxebK812UIfxv2SR8qwEBMSWRK0x3tpkTxEuHwGQku3 XtrQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=oGWMMg2Xavlg72fMVxcaLFVxvP3fgOy8nsfiYoEgCAs=; b=jWQKI5hnHmATGOvvdbcjt/9CAI9cUnwqlwRNHeY0T2UxVWj+ps6sfBIeE7X5+4fTan qdw2qezIm1hR/hOh3DGE/HrPXTEhcbfnGuYsjs2LKLyTSUC2kiZcb4IRG2a1VmC/AujA vrs62gIuNO8NCzNGqv2SlzS1rXDsn/qsM2NrkPL0FHpY+Iu6V1f6DBPdQnoExNAKkVqc vWmH0X4lf0RyfSQqwdwnKAhq3+DcLsUpai+SFWutKrMv25/BYpGQlrI02xc3pMJ3rCS6 HOK3dq/tTSutP+vS7MOWgy43107h1kSoh5gosbeqZlpKDlNrM5WIVpIjwZA/cN2YI1Id v1Kg==
X-Gm-Message-State: AODbwcAHxJRLh+/Cno1JY6cwNzOHyVWKSIja8w15APufbz/UCLWnULFg S/duAAgkC2JCxBue9EQyeE+gy8M0gg==
X-Received: by 10.202.192.67 with SMTP id q64mr19195813oif.65.1496850295618; Wed, 07 Jun 2017 08:44:55 -0700 (PDT)
MIME-Version: 1.0
Sender: hallam@gmail.com
Received: by 10.157.23.5 with HTTP; Wed, 7 Jun 2017 08:44:54 -0700 (PDT)
In-Reply-To: <CAErg=HGxU7dnd1kifeCph8jTR6eLJn2GZ9=KehiyLpLgwTne=g@mail.gmail.com>
References: <CALzYgEeUCmj4BgY7uKdMnsvTcbvfAunquuqHxD7FxuzZxY1=Fg@mail.gmail.com> <0dd84938-9625-c6c8-5f31-d5d0d0683c5c@eff.org> <D1C7ADE2-DA28-4F29-A0AB-482435CD2B15@kth.se> <CAErg=HGxU7dnd1kifeCph8jTR6eLJn2GZ9=KehiyLpLgwTne=g@mail.gmail.com>
From: Phillip Hallam-Baker <ietf@hallambaker.com>
Date: Wed, 07 Jun 2017 11:44:54 -0400
X-Google-Sender-Auth: hzUKyfbKoqMNzYpJyJ90KTy-f5E
Message-ID: <CAMm+Lwi8gq7pUyvrX5BDndwcZDPYc+PDX9dQfeCWa2dvLyqbEQ@mail.gmail.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
Cc: Magnus Ahltorp <map@kth.se>, Eran Messeri <eranm@google.com>, "trans@ietf.org" <trans@ietf.org>, Jacob Hoffman-Andrews <jsha@eff.org>
Content-Type: multipart/alternative; boundary="001a1135b6c827031b0551609e44"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/BTMACzgfZdtnwnerExEe0R7Asrc>
Subject: Re: [Trans] Write-up of the "Strict CT" variant
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jun 2017 15:45:05 -0000

On Wed, Jun 7, 2017 at 9:08 AM, Ryan Sleevi <ryan-ietf@sleevi.com> wrote:

>
>
> On Wed, Jun 7, 2017 at 8:51 AM, Magnus Ahltorp <map@kth.se> wrote:
>
>> Well, that depends on the assurance level, doesn't it? For
>> domain-validated certificates, sure, but those are next to worthless
>> anyway. It would be hard to hold a CA responsible for issuing them, so the
>> need for logging them is really small.
>>
>
> Let's not introduce CAs' marketing distinction into the technical
> discussion.
>

​Marketing is sometimes based on facts. In this case inconvenient facts for
people proposing to trash the WebPKI trust model. If you want to spread
disinformation, then I am going to respond to correct.

https://www.scmagazineuk.com/updated-97-of-malicious-mobile-malware-targets-android/article/535410/

The press have stopped writing articles about 97% of malware targeting
Android because it is no longer news. Apple do have some advantages in
their structure besides enforcing what amounts to EV validation of
developers. But it is the validation of every developer before they get
developer credentials that makes the rest of their model feasible.




> Domain validated certificates - the basis for the Web PKI - are the only
> security level that matter. The holder of such a certificate can
> impersonate any site named in the certificate - whether from example.com
> to google.com.
>

​Domain Validation is not the 'basis' for the WebPKI. It did not even exist
until late in the dotCom boom. The WebPKI was originally designed to
establish accountability. It is the bridge between the online and offline
accountability infrastructure.

What was not anticipated in the original design was that there would be a
demand for certificates that only provided encryption and a minimal level
of authentication. And in our defense, I will point out that even the banks
were not encrypting their entire sites until quite late in the game. Back
in 1997, RSA was a serious resource hog even at 1024 bits and SSL
accelerators were only just starting to exist in usable form (you could buy
'em, taking delivery was another matter).



The other forms of certificates, "Organizationally Validated" or "Extended
> Validation", or, in the EU, Qualified Website Authentication Certificates,
> while nominally trying to provide higher assurance, do not meaningfully do
> so in the security model of the Web (which is the Origin).
>

​I suggest that stating that the Web has a single security model is
obviously wrong.

The JavaScript security model is origin but even that is a retrofit and it
is not the Web security model.​



> To that end, the past decade of CA misissuance responses have come down,
> in part, to the misissuance of certificates that attest to a websites
> identity, and CAs have been held responsible.
>

Issuance ​of phishing certificates with Paypal in the name is exploding.
But if you aren't actually bothered about phishing fraud, I guess you can
claim an improvement.

One of the facts that the industry is going to have to face is that there
is a choice, only one of the following can be true:

* Every site is encrypted.
* Certificates are not issued to criminals.

​Now the WebPKI model for EV and DV is very much that the second is true
and always has been in the 25 years I have been involved in its
development. And no, I do not need an adventure in 'alternative history'. I
was there. I was part of the original design discussions.

What I am getting at though is something different. There are in fact
multiple security concerns for a system as large as the Web and one size
fits all security is not going to work. The problem with equating enabling
encryption with 'security' is that it just is not so. Encryption is a
starting point for security but it is a weak one. That was how I broke
SSL/1.0, Marc had only considered confidentiality as a security concern.


The way to address the conflict raised above is to observer that while it
is true that every communication should be encrypted, it is not true that
every communication should be represented to the user as providing
security.

What we need to do is to bifurcate the DV level and distinguish between
certificates that only enable confidentiality and those that provide
authentication. The first would become a new category 'minimal validation'
and would not be required to prevent issue of paypal certificates etc, or
provide for revocation or any other controls. The second would be an
enhanced DV providing full revocation and lifecycle management.


> I can totally appreciate a perspective that believes that CAs' human
> processes are far more secure than their automated processes, even if that
> perspective is not supported by the data.
>

​Actually it is.

The work factor for obtaining an EV cert as a criminal is markedly higher
than for DV which is in turn markedly higher than that for those who don't
do any lifecycle controls.
​

​PHB​

v2.23.0 | Report a Bug | By Email