Re: [Trans] Directory instead of .well-known for URL structure
Eran Messeri <eranm@google.com> Wed, 03 July 2019 16:04 UTC
Return-Path: <eranm@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CA3012068B for <trans@ietfa.amsl.com>; Wed, 3 Jul 2019 09:04:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.499
X-Spam-Level:
X-Spam-Status: No, score=-17.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5QpEE8X3TKif for <trans@ietfa.amsl.com>; Wed, 3 Jul 2019 09:04:32 -0700 (PDT)
Received: from mail-qt1-x831.google.com (mail-qt1-x831.google.com [IPv6:2607:f8b0:4864:20::831]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A318212064F for <trans@ietf.org>; Wed, 3 Jul 2019 09:04:32 -0700 (PDT)
Received: by mail-qt1-x831.google.com with SMTP id a15so4083021qtn.7 for <trans@ietf.org>; Wed, 03 Jul 2019 09:04:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=BCWWq3EIcTy1UhYIEo5bkSyn4HvBTqSw+pj0VmIAvPY=; b=n73zkZnlLO1lSNrRBhfdlPWkhlXFsSBvVGc8iVLWeIYwsA61n4PlV9ieyA7qTWofWA mdidfHD7UomzH7jCbazhalxHT8T9ecMTdldMX6dwFl1Sxnl6CI+acFMgBnYVNvS6jF1y dfMgV17lhWssq3WI3Y/RD3PoPfXEycxA7aoTXDRfqfkmLvMwBInjf6fj9OMhwi6np+zD zwMD0N/AejvqBoKtmR1P+s9SMldtlPuv4RvI6o1o/WthJN2L52oUFhE5IBuzUo13tA4J 1EyzywQyCsgR32yGSzeUluTYjXbNMr8lYML8Ytq6AbrTrSgbm7zVKx+rEb79dL1fv9Ab MJ6w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=BCWWq3EIcTy1UhYIEo5bkSyn4HvBTqSw+pj0VmIAvPY=; b=TOsiV+2F2wC88ZJAOldrxKEmLe0KoTTjw5NaTmfahoTbNIHLHNE/CKmYc36eVLHjWf hBUlzBrnVnUjywPPCIK3ib9EwelP3kLFJ8geH5RnEurSYrfnly+vnNMTMsn+SXkFJ9pN TA3Je3hVY+dfYuyNLpvQBK+/+LsNerJOTZdES0EzOVQDQXAFzpQzPKpGHevVDslDnEVL UzrUkOJk3E2ytGB/HkcLRJUBFVEWR6cScnoN2lmqfWO9A6GiX72gzLvC5hi3QFzD3Dvk vQNhzVIEi6sRk4v+y268CZLbwmxmNUT/0d7B4BG7WFY03vcaudMpyYkfBeUrpEbV/EiM o0Mg==
X-Gm-Message-State: APjAAAXHZ28eeWgmkXIrEliR5+1DqlW59TIudqnmZbLqqKY/tEIUUb4V +5vbgllJw80u2fXTyNQLaH01l1G+HLddQqo93umQ+A==
X-Google-Smtp-Source: APXvYqyeHISkfNkqD4vr6nUOsL+eNKP7DdVKw+sQf7XpAJud1fPRl8/gFLoWhurMgTMfDSbwsZ+7E4q+cn76Dy/j/Dc=
X-Received: by 2002:a25:738a:: with SMTP id o132mr8609651ybc.139.1562169871182; Wed, 03 Jul 2019 09:04:31 -0700 (PDT)
MIME-Version: 1.0
References: <0d5e05fc-8f1e-54b5-536d-231153e7baf7@eff.org> <20190701123701.b3ba6b44ef85a74da6209e64@andrewayer.name> <2cbff182-7c7a-4c55-b2d2-a67f41dd7436@sectigo.com> <CAPbZxJTvk805WtR6FF8xUR0GS=E9gcEMphJR658GuTN8V0h_qg@mail.gmail.com> <047d5a04-4176-6651-b200-6ce7ce8a8266@sectigo.com>
In-Reply-To: <047d5a04-4176-6651-b200-6ce7ce8a8266@sectigo.com>
From: Eran Messeri <eranm@google.com>
Date: Wed, 03 Jul 2019 17:04:04 +0100
Message-ID: <CALzYgEc_aE+pcB-Y59VsG-s9PHyEW=94vUQdWZ7o-PvOra9PmQ@mail.gmail.com>
To: Rob Stradling <rob@sectigo.com>
Cc: Rob Percival <robpercival@google.com>, "trans@ietf.org" <trans@ietf.org>, Andrew Ayer <agwa@andrewayer.name>
Content-Type: multipart/alternative; boundary="00000000000040bf42058cc904d1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/CisWQc2Sxn9Yig9wguommSIMg9s>
Subject: Re: [Trans] Directory instead of .well-known for URL structure
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jul 2019 16:04:41 -0000
I support Andrew Ayer and Rob Stradling's suggestion to " require each endpoint to be specified as a log parameter." The reasons outlined make a lot of sense from an implementation perspective, our experience with RFC6962 suggest that absent caching mechanisms, logs would face significant load if all clients were to audit them. Adding a requirement to fetch a directory would increase the load for (as far as I can tell) no good reason. I think under-specifying it right now is the only option as we have no specification of the log metadata. I don't think it's too big of a deal as when people start implementing 6962-bis I expect the log metadata format will evolve based on the existing schemas and, if necessary, could be standardized. On Wed, Jul 3, 2019 at 2:52 PM Rob Stradling <rob@sectigo.com> wrote: > Thanks Rob. Both the to-be-deprecated and new schemas are of course > focused on CT v1 (RFC6962), so ISTM that neither of them are suitable > candidates for 6962-bis to point at. > > Maybe we should simply remove the "[JSON.Metadata] is an example of a > metadata format which includes the above elements" sentence from 6962-bis. > > On 02/07/2019 18:51, Rob Percival wrote: > > FYI: That JSON schema is planned for deprecation; a new version was > > proposed last year and, following a period for feedback, parties have > > been slowly migrating to the new schema: > > > https://groups.google.com/a/chromium.org/d/topic/ct-policy/26dmpWdaSHM/discussion > > > > That thread would be a good place to propose schema changes. > > > > On Tue, 2 Jul 2019, 16:08 Rob Stradling, <rob@sectigo.com > > <mailto:rob@sectigo.com>> wrote: > > > > Andrew, thanks for your analysis. Comments inline... > > > > On 01/07/2019 20:37, Andrew Ayer wrote: > > > I also think .well-known URLs are a bad idea, for the same reasons > > > as Jacob. > > > > > > I think directories are even worse. Although they've been used > > > successfully in ACME, CT has different needs which make > directories > > > unsuitable. ACME's usage pattern is to make a series of related > > > requests over a short time period to drive a certificate request > to > > > issuance, with the client maintaining state between each request. > > > This makes it natural for a client to fetch the directory once at > the > > > beginning of an issuance "session" and use it for the duration, > since > > > the cost of fetching the directory is amortized over all the > > requests, > > > and the directory is unlikely to become invalid during the > session. > > > > > > However, CT's usage pattern is to make a lot of unrelated one-off > > > requests spread over a long period of time - e.g. submitting a > > > (pre)certificate, fetching an inclusion proof, fetching the > > latest STH > > > to send to auditors. Clients would have to either fetch a new > > directory > > > for every request (doubling the number of requests made to the > > log) or > > > cache directories in long-term state (which requires dealing with > > > cached directories going stale, and requires keeping long-term > state > > > which might not otherwise be necessary). > > > > > > ACME's use of directories is underspecified since it doesn't say > how > > > long a directory remains valid. It's not a big deal for ACME > because > > > ACME servers are presumed to be sane, or people would switch to > > another > > > CA. > > > > It's not been a big deal for ACME...yet. But why leave it to chance? > > > > I just filed this erratum against RFC8555: > > https://www.rfc-editor.org/errata/eid5771 > > > > > However, CT is meant to be an adversarial protocol and has to > > > anticipate logs doing crazy things like constantly changing their > > > directory in an effort to stymie auditing and hide misbehavior. > > > > > > Thus, CT's use of directories would need to be quite well > specified. > > > It is not a change that should be rushed at the last minute > without a > > > chance for people to carefully examine and poke holes in it. > > > > Agreed. > > > > > CT clients already need to be configured with a number of > parameters > > > for each log - MMD, hash algorithm, public key, log ID, and so on. > > > Adding a directory would bifurcate log metadata between the > existing > > > parameter set and the new directory object. > > > > > > I propose satisfying BCP 190 by simply specifying the URL for each > > > endpoint as a separate log parameter. This is a very minimal > > change to > > > the protocol and avoids the problems above. > > > > I agree that it would make sense to require each endpoint to be > > specified as a log parameter. Your point about bifurcation is well > > made. > > > > So then I think the question is: Should 6962-bis specify a > "directory" > > endpoint that returns a JSON structure that contains all of the log's > > parameters (including each of the endpoint URLs)? Or should 6962-bis > > not mandate any particular format by which log operators should > > distribute this information? > > > > Currently, 6962-bis doesn't mandate a format, but it does point to an > > example format: > > "[JSON.Metadata] is an example of a metadata format which > > includes the > > above elements." > > > > Sadly, this claim is not currently true, because [JSON.Metadata] > > (https://www.gstatic.com/ct/log_list/log_list_schema.json) does not > > currently "include the above elements". We should fix this somehow. > > But how? > > > > Also, how often is a CT client expected to refresh log metadata it > has > > obtained from (for example) [JSON.Metadata] ? > > Is it wise to underspecify this? > > > > > Regards, > > > Andrew > > > > -- > > Rob Stradling > > Senior Research & Development Scientist > > Sectigo Limited > > > > _______________________________________________ > > Trans mailing list > > Trans@ietf.org <mailto:Trans@ietf.org> > > https://www.ietf.org/mailman/listinfo/trans > > > > -- > Rob Stradling > Senior Research & Development Scientist > Email: rob@sectigo.com > Bradford, UK > Office: +441274024707 > Sectigo Limited > > This message and any files associated with it may contain legally > privileged, confidential, or proprietary information. If you are not the > intended recipient, you are not permitted to use, copy, or forward it, > in whole or in part without the express consent of the sender. Please > notify the sender by reply email, disregard the foregoing messages, and > delete it immediately. > _______________________________________________ > Trans mailing list > Trans@ietf.org > https://www.ietf.org/mailman/listinfo/trans >
- [Trans] Directory instead of .well-known for URL … Jacob Hoffman-Andrews
- Re: [Trans] Directory instead of .well-known for … Martin Thomson
- Re: [Trans] Directory instead of .well-known for … Melinda Shore
- Re: [Trans] Directory instead of .well-known for … Rob Stradling
- Re: [Trans] Directory instead of .well-known for … Manger, James
- Re: [Trans] Directory instead of .well-known for … Eran Messeri
- Re: [Trans] Directory instead of .well-known for … Manger, James
- Re: [Trans] Directory instead of .well-known for … Rob Stradling
- Re: [Trans] Directory instead of .well-known for … Andrew Ayer
- Re: [Trans] Directory instead of .well-known for … Tomas Gustavsson
- Re: [Trans] Directory instead of .well-known for … Rob Stradling
- Re: [Trans] Directory instead of .well-known for … Rob Percival
- Re: [Trans] Directory instead of .well-known for … Rob Stradling
- Re: [Trans] Directory instead of .well-known for … Eran Messeri
- Re: [Trans] Directory instead of .well-known for … Andrew Ayer
- Re: [Trans] Directory instead of .well-known for … Rob Stradling
- Re: [Trans] Directory instead of .well-known for … Eran Messeri
- Re: [Trans] Directory instead of .well-known for … Rob Stradling
- Re: [Trans] Directory instead of .well-known for … Jacob Hoffman-Andrews
- Re: [Trans] Directory instead of .well-known for … Andrew Ayer
- Re: [Trans] Directory instead of .well-known for … Ryan Sleevi