Re: [Trans] How to redact an entry
Peter Bowen <pzbowen@gmail.com> Fri, 24 February 2017 20:00 UTC
Return-Path: <pzbowen@gmail.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 988C1129508 for <trans@ietfa.amsl.com>; Fri, 24 Feb 2017 12:00:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C6A3JfqlFS6o for <trans@ietfa.amsl.com>; Fri, 24 Feb 2017 12:00:02 -0800 (PST)
Received: from mail-ot0-x22b.google.com (mail-ot0-x22b.google.com [IPv6:2607:f8b0:4003:c0f::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 101181294EE for <trans@ietf.org>; Fri, 24 Feb 2017 12:00:02 -0800 (PST)
Received: by mail-ot0-x22b.google.com with SMTP id k4so21154100otc.0 for <trans@ietf.org>; Fri, 24 Feb 2017 12:00:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Vu06i5WxdCZ3+cY2+L9dA7IsNC/A+Nwwb68cwknSI0w=; b=Vt6mZ0Si9KZQbcFiNQXal6KAUioxwHnEsfR7Kk3LPtLDAGETyBgHfNpAGUyM2Fhe0w RlkeEKwum31KP+nV5LqszyhDcIBfHv4Kxzee5+1/Vb8hYBIZTna3NS5Ibnq2cIYke7Ps pUx37qMTjJZFpPjhZqUdpEdU8F4ntwT5Z9Ihmf+lgp2xCtwD45Ep47DMT+VeOBNyOWf5 CoVUrY7gIfHm3AL1PLVHGArUFA9447LY+QXASdDncdRtPWd/QvQrZw8dVo7DfKvlKyDc dkNGV/TyzcHEVJUrkQAsCOaqrXN1sDq39Ls6+Ldy1sUIze9ruWnwERmowGG5kpuZttS1 InnA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Vu06i5WxdCZ3+cY2+L9dA7IsNC/A+Nwwb68cwknSI0w=; b=FCnrkiDNXWE8+Ee8G+ve4uunVmxB8JZDu0VmHSZqgFsnNASQg+YnZ+2+EssOQ18PjQ oY7VjS7Jabm83Flht72hsaCwkI46AGRvrfGTDsPkquhQXZI8tm8a+OioN0eKzoIBaDcZ oCenY2uebAgVxoTZBwCVcozmMFcRtwiKOXfBzOqClAwv+wwOZuCNrIs39mouUDKTzcYw FNS0NHY8pFphdp+Un2pAuDfhLElgCN8kei5FUikCrPI0JobnrsTV75sZlMpLwAuVGjsi WEGmBc48drFAbOy601LT4zNOrTOv0m8qqhgHetZwbYqrwugOJvHWggNTam4Vb/hP6SgQ Vwxg==
X-Gm-Message-State: AMke39nhiqh8MVdVlnzcWVATj32jXjCN/ZwYIWaFrwK9lXgEKmlIIgmoCzyxQJQK0+x4uMVLFEETRcGeTEYreA==
X-Received: by 10.157.25.14 with SMTP id j14mr2096564ota.178.1487966401370; Fri, 24 Feb 2017 12:00:01 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.1.228 with HTTP; Fri, 24 Feb 2017 12:00:00 -0800 (PST)
In-Reply-To: <CALzYgEcQZb-Yc_b2Mp+dd9hFKAAj5o4Wg9suH6Nq5J03EMz-=A@mail.gmail.com>
References: <CABrd9SSeePrsNq8ERjxpbEvUAdyb=yQOGAom0qh9SZMoP=nsMw@mail.gmail.com> <CAMm+LwiZUw+JpEanY5vkxGBOtdrs9HfYzp34cBtwDv34uJCjKw@mail.gmail.com> <4E665C5B-BC28-428E-9BFB-626D3364E05B@nohats.ca> <CABrd9STPBWt=p-eAW5t=QSw2oexuSeW5tbtcbczagA0jx77gQA@mail.gmail.com> <alpine.LRH.2.20.1611160636020.4488@bofh.nohats.ca> <CABrd9SQjMkWCOv1jPky+DiOE61qCTXej2Ovy9nRVAKs66OtEGA@mail.gmail.com> <CAMm+Lwim3NDovHGp62UBKhGc4ewYQQkq2=qH9ssAOFk=JTF=Cw@mail.gmail.com> <CALzYgEcQZb-Yc_b2Mp+dd9hFKAAj5o4Wg9suH6Nq5J03EMz-=A@mail.gmail.com>
From: Peter Bowen <pzbowen@gmail.com>
Date: Fri, 24 Feb 2017 12:00:00 -0800
Message-ID: <CAK6vND8sSDtsgvsrtD7L2zCo2SCxZ8sTQz0+QEkXp5UU8+Nenw@mail.gmail.com>
To: Eran Messeri <eranm@google.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/IUrBKfUKifYTFETFsBKpw5026X0>
Cc: Ben Laurie <benl@google.com>, Paul Wouters <paul@nohats.ca>, Phillip Hallam-Baker <ietf@hallambaker.com>, "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] How to redact an entry
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Feb 2017 20:00:05 -0000
On Fri, Feb 24, 2017 at 11:21 AM, Eran Messeri <eranm@google.com> wrote: > Following up on this thread, after a few discussions about it in online & > offline forums: > - It is necessary to have the "Redaction reason" entry in the log to commit > the log to the redaction of a particular entry and avoid allowing the log to > present redacted/unredacted view at will. > - A few have echoed Phillip's sentiment that once an entry is suppressed > then the suppression reason can't be effectively audited for correctness. > - There was a strong push-back against this mechanism on the basis that it > weakens the basic properties we get from the Merkle tree right now. > Potential problems: What if the "Redaction reason" entry itself was > redacted? > - A suggestion by Peter Bowen was to simply not serve the redacted entry: > The only API method by which a suppressed entry can be obtain is > 'get-entries', it's possible to return an error when the range specified > includes a suppressed entry. That suffers from the same drawback of the log > being able to selectively presenting redacted/unredacted view. Another option would be to return something other than "leaf_input" and "extra_data" in the object. For example the log could return the hash of the MerkleTreeLeaf that was there along with a reference to the leaf that has the redaction reason entry. > - An approach many see as superior is to reduce the chances of having > entries with undesirable content in the log by restricting the certificates > that may be logged (e.g. forbidding certificates with embedded images). > > Eran > > On Wed, Nov 16, 2016 at 6:20 AM, Phillip Hallam-Baker <ietf@hallambaker.com> > wrote: >> >> Lets break this down. >> >> In what way is suppression of a previously enrolled certificate different >> to not enrolling the certificate at all? >> >> The only ones I can see is that it means that 1) the CA is off the hook, >> they fulfilled their duties and 2) the fact that suppression has occurred is >> visible. >> >> >> CT relies on there being some feedback mechanism to detect unenrolled >> certs, the same would apply to suppressed certs. >> >> So let us imagine that a government coerces a CA to issue a bogus cert and >> then coerces a notary to suppress it. What next? >> >> Well first off anyone who has a copy of that cert taken from the >> repository before the suppression is going to hard look at it. So the chance >> of people being aware of the suppression and working out the reason for it >> is essentially 99%. >> >> >> A person formerly very senior in NSA told me that the governing paradigm >> post Snowden was 'NOBUS': Nobody but us. Sure they might want to perform >> this type of attack if they think they can get away with it but they won't >> do things that are liable to get caught. >> >> >> >> >> On Wed, Nov 16, 2016 at 6:48 AM, Ben Laurie <benl@google.com> wrote: >>> >>> On 16 November 2016 at 11:39, Paul Wouters <paul@nohats.ca> wrote: >>> > On Wed, 16 Nov 2016, Ben Laurie wrote: >>> > >>> > (no hats on) >>> > >>> >> On 16 November 2016 at 03:46, Paul Wouters <paul@nohats.ca> wrote: >>> >>> >>> >>> How can I as log consumer detect the difference between the log >>> >>> removing >>> >>> illegal content and the log being compelled by a government to hide a >>> >>> rogue >>> >>> certificate? >>> >> >>> >> >>> >> Court orders are court orders. That issue is not in the log's domain. >>> > >>> > >>> > It was an example. the core isuse is, how can a consumer determine the >>> > log censored itself with a valid reason, versus an attack, compromise, >>> > having been compelled, or for financial gain or any other invalid >>> > reason? >>> > >>> > Using a hash of a removed cert won't allow anyone to verify the reason >>> > for removal. And clearly the content cannot remain their either. It's >>> > a catch22. >>> >>> This is why the redaction reason entry exists, so that there _is_ >>> something to reason about. If you (a consumer) are unconvinced by the >>> reason, well, there are public fora where you can voice your concerns. >> >> >> >> _______________________________________________ >> Trans mailing list >> Trans@ietf.org >> https://www.ietf.org/mailman/listinfo/trans >> > > > _______________________________________________ > Trans mailing list > Trans@ietf.org > https://www.ietf.org/mailman/listinfo/trans >
- [Trans] How to redact an entry Ben Laurie
- Re: [Trans] How to redact an entry Phillip Hallam-Baker
- Re: [Trans] How to redact an entry Paul Wouters
- Re: [Trans] How to redact an entry Phillip Hallam-Baker
- Re: [Trans] How to redact an entry Paul Wouters
- Re: [Trans] How to redact an entry Phillip Hallam-Baker
- Re: [Trans] How to redact an entry Ben Laurie
- Re: [Trans] How to redact an entry Ben Laurie
- Re: [Trans] How to redact an entry Paul Wouters
- Re: [Trans] How to redact an entry Ben Laurie
- Re: [Trans] How to redact an entry Phillip Hallam-Baker
- Re: [Trans] How to redact an entry Eran Messeri
- Re: [Trans] How to redact an entry Peter Bowen