IETF Logo Mail Archive

Re: [Trans] AD Review: draft-ietf-trans-gossip-04

Linus Nordberg <linus@sunet.se> Thu, 11 January 2018 23:59 UTC

Return-Path: <linus@sunet.se>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACDB41243F6 for <trans@ietfa.amsl.com>; Thu, 11 Jan 2018 15:59:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.31
X-Spam-Level:
X-Spam-Status: No, score=-4.31 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sunet.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M1jIjkxSL8tM for <trans@ietfa.amsl.com>; Thu, 11 Jan 2018 15:59:53 -0800 (PST)
Received: from e-mailfilter01.sunet.se (e-mailfilter01.sunet.se [IPv6:2001:6b0:8:2::201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33A1412EC69 for <trans@ietf.org>; Thu, 11 Jan 2018 15:59:52 -0800 (PST)
Received: from smtp1.sunet.se (smtp1.sunet.se [192.36.171.214]) by e-mailfilter01.sunet.se (8.14.4/8.14.4/Debian-8+deb8u2) with ESMTP id w0BNxm6j038807 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Fri, 12 Jan 2018 00:59:48 +0100
Received: from datan ([185.65.135.179]) (authenticated bits=0) by smtp1.sunet.se (8.15.2/8.14.9) with ESMTPSA id w0BNxiUw004007 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 11 Jan 2018 23:59:47 GMT
VBR-Info: md=sunet.se; mc=all; mv=swamid.se
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sunet.se; s=default; t=1515715187; bh=2KC9au/LQcyRNnoc/xQmsVr76h+yy/InwPSByHWhkhM=; h=From:To:Subject:References:Date:In-Reply-To; b=ROmrORf9/ZHyjrQWvBvxcFE2jegfEs9gF5Mkp4w40TLDnPAIfwKDGNVJ2JtGJpxhQ QESyw/AVoAD/vKHj568td6TjlsirVxgByhaFG6o5/5npNRUwEAgcaKWwKMSijTzDzN udLssZm5ZCsfBUbfeBABnP/oU90b2D2ZzxqT9vDI=
From: Linus Nordberg <linus@sunet.se>
To: Eric Rescorla <ekr@rtfm.com>, trans@ietf.org
Organization: Sunet
References: <CABcZeBM6=26ojcoMfkq5205z7UvCSQuhkg0PrR2_bjP-ps7W0g@mail.gmail.com>
Date: Fri, 12 Jan 2018 00:59:40 +0100
In-Reply-To: <CABcZeBM6=26ojcoMfkq5205z7UvCSQuhkg0PrR2_bjP-ps7W0g@mail.gmail.com> (Eric Rescorla's message of "Sat, 14 Oct 2017 17:03:36 -0700")
Message-ID: <87inc8osk3.fsf@nordberg.se>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain
X-Bayes-Prob: 0.5 (Score 0, tokens from: outbound, outbound-sunet-se:default, sunet-se:default, base:default, @@RPTN)
X-CanIt-Geo: ip=185.65.135.179; country=SE; latitude=59.3247; longitude=18.0560; http://maps.google.com/maps?q=59.3247,18.0560&z=6
X-CanItPRO-Stream: outbound-sunet-se:outbound (inherits from outbound-sunet-se:default, sunet-se:default, base:default)
X-Canit-Stats-ID: 09UVbXM9O - d69d99b81655 - 20180112
X-CanIt-Archive-Cluster: PfMRe/vJWMiXwM2YIH5BVExnUnw
Received-SPF: neutral (e-mailfilter01.sunet.se: 185.65.135.179 is neither permitted nor denied by domain linus@sunet.se) receiver=e-mailfilter01.sunet.se; client-ip=185.65.135.179; envelope-from=<linus@sunet.se>; helo=smtp1.sunet.se; identity=mailfrom
X-Scanned-By: CanIt (www . roaringpenguin . com)
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/Me6gDd9njBBFB3zVRh17YcnnjFQ>
Subject: Re: [Trans] AD Review: draft-ietf-trans-gossip-04
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jan 2018 23:59:58 -0000

Hi Ekr, hi group,

Most of the issues in the AD review have been addressed in upcoming -05
(see [0] for the current status of the document). Apart from a couple of
clarifying questions to Ekr, there are two particular questions we'd
like to ask the working group -- please see "WG:" below.

[0] https://github.com/ln5/draft-ietf-trans-gossip/

Eric Rescorla <ekr@rtfm.com> wrote
Sat, 14 Oct 2017 17:03:36 -0700:

> View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D14#inline-390>draft-ietf-trans-gossip.txt:434
> The data sent in the POST is defined in Section 8.1.1. This data
> SHOULD be sent in an already-established TLS session. This makes it
> hard for an attacker to disrupt SCT Feedback without also disturbing
>
> See above about the privacy implications of creating a new connection.

Ekr: What privacy implications are you refering to here?


> View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D14#inline-396>draft-ietf-trans-gossip.txt:673
> validity window not to be personally identifiable data, and STHs
> outside this window to be personally identifiable.
>
> 14 just seems like a random number here. There's nothing that makes these
> STHs personally identifiable other than that you told everyone else not to
> save after 14, right?

The choice of 14 days _was_ arbitrary. However, you can't substitue any
number in there for the same result. The other component, besides
everyone using the same configuration, is that the timeframe must be
_short_ enough that seeing a STH on the tail end of it is not rare.

If we had chosen a 720 day window, it would be very rare for a client to
have a particular STH on the tail of the window. A client could be fed a
719-day-old STH on a.com, and when they pollinate it on b.com, they can
be recognized cross-domain with a much greater chance.

We guessed that 14 days was an appropriate number.

WG: Should we perform real-world measurements before picking a number
for STH freshness or will our guess be good enough for an experimental
RFC if we add text along the lines of the above explanation?


> View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D14#inline-400>draft-ietf-trans-gossip.txt:804
> proofs from that third party could be considered reasonable from a
> privacy perspective. The HTTPS client may also do its own auditing
> and might additionally share SCTs and STHs with the trusted party to
>
> Why would this be the case?

Ekr: Are you questioning why it could be considered reasonable to share
gossip data with any of the suggested types of third party
organisations? Or why an HTTPS client might do auditing?


> View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D14#inline-401>draft-ietf-trans-gossip.txt:932
> Unlike SCT Feedback, the STH Pollination mechanism is not hampered if
> only a minority of HTTPS servers deploy it. However, it makes an
> assumption that an HTTPS client performs Proof Fetching (such as the
>
> I'm not sure that this is true. Say that only one server deploys it. Maybe
> you meant that there is still ecosystem value.

Yes. "Ecosystem value" is the only value provided by STH Pollination.


> View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D14#inline-405>draft-ietf-trans-gossip.txt:996
> HTTPS clients are afforded the greatest chance of detecting an attack
> when they either participate in both SCT Feedback and STH Pollination
>
> "greatest chance" isn't that encouraging. Please actually quantify this in
> some way.

Ekr: Do you think that the document is lacking text on _why_ a client
has the greatest chance of detecting an attack when $foo? Or are you
asking for reasoning about how large the chance of detecting an attack
might be?


> View Inline <https://mozphab-ietf.devsvcdev.mozaws.net/D14#inline-413>draft-ietf-trans-gossip.txt:1283
> from a CT log that it doesn't accept SCTs from. An HTTPS client
> SHOULD regularly request an STH from all logs it is willing to
> accept, even if it has seen no SCTs from that log.
>
> Is any HTTPS client actually planning to do this?

We have no idea.

WG: Do you know of any HTTPS client planning on implementing _any_ of
the methods described in this document?

v2.23.0 | Report a Bug | By Email