Re: [Trans] Providing the history of STHs a log has issued (in 6962-bis)

Paul Hadfield <> Thu, 04 May 2017 13:01 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 87BED126E01 for <>; Thu, 4 May 2017 06:01:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id lUc_nn94aT5e for <>; Thu, 4 May 2017 06:01:52 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400e:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A5479127BA3 for <>; Thu, 4 May 2017 06:01:50 -0700 (PDT)
Received: by with SMTP id o3so8213792pgn.2 for <>; Thu, 04 May 2017 06:01:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=3Cb6GUTxmlAikbyGef/xfRDHM/dBmFyLCfVGT1h4WrQ=; b=MzVEzZ5HDjBk/VicTflWim8ZfkzgI9Vpl6IELMsCgspboa9qvGiHkzwmkvtbLjrhVS Pub+XTQrpJ/48PtR9jNyU0WcLyzh4F+UBxc7XuLQBGHk/qvecV6OKb9ScVXnrU8bTTTp MHH7TclTUvrEBNPcIgk5Ub7EHltrkGOlgG2YmtbO94D/2HmV/hh9yDMefR1p4vAx+MaY luF2jESy+RLOhwVqHhNlndw2RSEtCvnanUp5Z+q4UVjt2f4zcg6QVoA8zUvA9CPTLw/I zkEKsSupb8XAiVx/03xd6icUpVUN4ca8YihhpX/nMFLIj9d6u4tcmIhItt3IESMtbwlW 6RUw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=3Cb6GUTxmlAikbyGef/xfRDHM/dBmFyLCfVGT1h4WrQ=; b=AOkJL0xC5KD2arimdlouMkg1anIifU7OyCQMu5+SfgxI/SUf5hsOP3nbcxzO0OBepw NlXvV+S7Y8wmQZJq1CNMwW8+/HW921GJeuHW+Tig5aEiEPxz7OPbZouF7xfCeB7aSIYF XYIz6uN5sP6NuJy/TY8r0UIvEB5glPS3tVT0m2VgkTjEeXOh8xOBn0NWDEkQ4am20kSx IVt5HFvQVxxZMm9fj3C+5as94OKV/+ffUxn6iY83mo8vIzjmgd+M6aUl+eFieE18DMQB fIkomEZ5mRq8Wakz2N22F92yCfusZjgXssqZW2CF7har4DjcGLpCrryGokThFmwISlPd QvCg==
X-Gm-Message-State: AN3rC/6PpICzhNonrZz+iAw0fdb6nWdYttY4pEKXJK6vUl93BBIgfpga NBgFkbiMRH2WPW17DvfkiJyzcOaDTu8fh4Q=
X-Received: by with SMTP id i185mr10856205pfb.234.1493902910088; Thu, 04 May 2017 06:01:50 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Thu, 4 May 2017 06:01:49 -0700 (PDT)
In-Reply-To: <>
References: <>
From: Paul Hadfield <>
Date: Thu, 04 May 2017 14:01:49 +0100
Message-ID: <>
To: Eran Messeri <>
Cc: "" <>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="94eb2c0ce1d24e9c28054eb260d5"
Archived-At: <>
Subject: Re: [Trans] Providing the history of STHs a log has issued (in 6962-bis)
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 04 May 2017 13:01:53 -0000

I support the addition of this API; Rob's PR
<> was
created in response to my original proposal
for this made Oct, 25 2016.

As the operator of a CT Monitor, I could use the STH history API to perform
historic analysis of the logs my monitor visits. This includes
determination of whether MMD violations occurred in the past.

Without this API, CT Monitors that ingest a log's entries from STHm to STHn
(n>m) could incorrectly identify an MMD violation, as it is possible for
them to have missed an STH that sits between m and n.

With this API, a log operator that is incorrectly called out for a MMD
violation has the ability to demonstrate that the monitor drew an incorrect
conclusion as a consequence of not observing the log's complete STH


On Thu, May 4, 2017 at 1:41 PM, Eran Messeri <> wrote:

> I'm looking for feedback on the proposal to add an API endpoint which
> would provide access to historical STHs issued by the log (
> I personally think it's a good idea to have such an API since it'd allow
> auditing a log for past compliance with the MMD requirement.
> Rob Stradling has sent a PR
> <> for
> this.
> Eran