[Trans] CT Log Costs and Incentives
Steve Matsumoto <steve@stevematsumoto.net> Thu, 23 March 2017 14:07 UTC
Hi everyone,

I've been thinking lately about the incentives that certificate logs have for operating, and would like to start a discussion centered around the costs and incentives for certificate log operators.

It seems to me that CT relies on the altruism of log operators. As far as I know, logs don't receive any sort of compensation for operating, and of the current known and included logs listed on the CT site [1], 4 are run by Google and 5 are run by CAs (Symantec, WoSign/StartSSL, and CNNIC) that had some sort of security incident in the past and had to implement CT as a result [2-4]. So besides the fact that CT will be required in October, what incentives are there to run a certificate log? Are there any plans to add incentives for logs to operate?

Complementary to the above question is whether or not the incentives that log operators have outweigh the cost of running a log. I estimate that the storage cost of the certificate entries for the largest log (Google Pilot) is on the order of several hundred gigabytes, and that the cost of reliability, staff, etc. is quite expensive. But if there are any log operators who can comment more on this, that would be great.

Moreover, as far as I know, CT also relies on the altruism of log monitors. Logs currently don't offer a way to retrieve entries by domain name, so it's difficult for a domain to query the logs for its own certificates (some of which may be rogue). Moreover, proving that a certificate is not in a log requires checking the entire tree. Therefore, CT needs monitors who periodically retrieve all newly-logged certificates and check for suspicious certificates, and it's not entirely clear how monitors decide whether a certificate is suspicious. What are the incentives for these monitors?

Given that the number of logs is small and will probably be limited by Google (partially because monitoring becomes difficult otherwise), are there any plans to incentivize the "best" logs, i.e., those that keep the most certificates or have the highest uptime? Is incentivizing logs in this way something that we should do?

I'd be very interested in getting feedback from everyone, particularly log operators and monitors, about this.

-Steve

[1] https://www.certificate-transparency.org/known-logs
[2] https://security.googleblog.com/2015/03/maintaining-digital-certificate-security.html
[3] https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html
[4] https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
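The monitoring asymmetry raised in the message, as an added example that is not code from the original post: an RFC 6962 Merkle tree where proving that a logged certificate is present takes O(log n) hashes, while finding (or ruling out) a certificate for a domain takes a scan of every entry, because the log offers no by-domain index and no absence proof. The log entries are constructed stand-ins for the X.509 data a real log carries.

```python
import hashlib

# Added example (not from the original post): RFC 6962 tree hash and inclusion
# proofs, plus the full scan a monitor needs: no by-domain index, no absence proof.

def leaf_hash(entry):
    return hashlib.sha256(b"\x00" + entry).digest()  # RFC 6962 s2.1: SHA-256(0x00 || entry)

def mth(hashes):
    # Merkle Tree Hash over already-hashed leaves (RFC 6962 s2.1)
    if not hashes:
        return hashlib.sha256(b"").digest()
    if len(hashes) == 1:
        return hashes[0]
    k = 1 << ((len(hashes) - 1).bit_length() - 1)  # largest power of 2 below n
    return hashlib.sha256(b"\x01" + mth(hashes[:k]) + mth(hashes[k:])).digest()

def inclusion_path(m, hashes):
    # audit path for leaf m (RFC 6962 s2.1.1): O(log n) sibling hashes
    if len(hashes) == 1:
        return []
    k = 1 << ((len(hashes) - 1).bit_length() - 1)
    if m < k:
        return inclusion_path(m, hashes[:k]) + [mth(hashes[k:])]
    return inclusion_path(m - k, hashes[k:]) + [mth(hashes[:k])]

def verify_inclusion(leaf, index, size, path, root):
    # recompute the root from a leaf hash and its path (RFC 9162 s2.1.3.2)
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = hashlib.sha256(b"\x01" + p + r).digest()
            while fn and not fn & 1:  # even fn == sn: node had no sibling here
                fn, sn = fn >> 1, sn >> 1
        else:
            r = hashlib.sha256(b"\x01" + r + p).digest()
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

def entries_for_domain(entries, domain):
    # a monitor's only option: scan every entry; "absent" means found nowhere
    return [i for i, e in enumerate(entries) if domain in e]

# constructed stand-ins for logged certificates (real entries carry X.509 data)
ENTRIES = [b"cert:example.com:serial=%d" % i for i in range(5)] + [b"cert:example.org:serial=9"]
```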