IETF Logo Mail Archive

[Trans] Review of draft-linus-trans-gossip-ct-02

Ben Laurie <benl@google.com> Mon, 20 July 2015 12:53 UTC

Return-Path: <benl@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D05A81A8770 for <trans@ietfa.amsl.com>; Mon, 20 Jul 2015 05:53:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.111
X-Spam-Level: *
X-Spam-Status: No, score=1.111 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_62=0.6, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O3VtcSCNygTW for <trans@ietfa.amsl.com>; Mon, 20 Jul 2015 05:53:21 -0700 (PDT)
Received: from mail-yk0-x236.google.com (mail-yk0-x236.google.com [IPv6:2607:f8b0:4002:c07::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 184661A87B0 for <trans@ietf.org>; Mon, 20 Jul 2015 05:51:34 -0700 (PDT)
Received: by ykax123 with SMTP id x123so137893839yka.1 for <trans@ietf.org>; Mon, 20 Jul 2015 05:51:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=HH28oDGxi7qcSRSh9FhiILOkZcTMypOE9eu9xD2MBqo=; b=RQAGEbXR90DsN55UaTGf+W+Nu9K+1IsnKZjyrIXDNtxS14zyiUPfX7pG+R3oL9eqrX fBaaXIUq05yiMXXI/8BtDkKuecNbgyxDP7gxnKN4hhfBR7VmhveFldzr1ghurP6+y6mx z7A6Nl4ZHQ3+mas6+JI49Js44T+/UiHpk0H+pDPg6udVAOhVm1NcZFpyf/liJd+6JR7S 2nJzvIXshKJs0V+P3vSMsPb8jSLldFlV/Wd2efLPMSJCaf2GQa8mv9rspxh6x9gcQ2Yn PxYXNvLopQUCdEYb+t5GWblkLi9OOiwAegGcDCm3p+Ch0yKX9267vfXn+yUa+qMu4nho gDaA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type; bh=HH28oDGxi7qcSRSh9FhiILOkZcTMypOE9eu9xD2MBqo=; b=FBlzKekZR7idpvRL8o+Z6JkX4egR8bel4e8Aesx8aJVYLqMrF8h+n5Hv16rcADOZ9B 71Rq5liAd5+qJDJf0TghSb73SQUbEoh2uCP4MFBrKrNkM0aRoEjnKzL44E8VG/GK6w+p T0NLlLKqsl4ARumP4XTRMvRPnDJEvmml/kFYKBBRE59OiLJECNbmTFaPtLo4TA6wNPw6 Cg94ViR8toFXLHNRnJ0L25H7a/32rIO11JkP36h0sKzZxBMl0dfi6Q+s4VuP0Qeoh+03 7H92T+eotu+bmfo5fr8NiKd5X1Y/sgQwyKlbCT0pLa2SXpL+v9dhMAtJwkMwIlKWCMk0 7x/g==
X-Gm-Message-State: ALoCoQmlrh7dl+hkpL3rv+0h/wrh8EVsshtGzKxtlrct8Tj/bAXLXA94yo8GH4i9uOtyLtXx71Xh
MIME-Version: 1.0
X-Received: by 10.170.91.3 with SMTP id i3mr8466975yka.25.1437396693306; Mon, 20 Jul 2015 05:51:33 -0700 (PDT)
Received: by 10.37.8.201 with HTTP; Mon, 20 Jul 2015 05:51:33 -0700 (PDT)
Date: Mon, 20 Jul 2015 13:51:33 +0100
Message-ID: <CABrd9SQQWpqiku1xKYRzJj5p_G4bE63x6LAzQpFTNObwiZegxQ@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: draft-linus-trans-gossip-ct@tools.ietf.org, "trans@ietf.org" <trans@ietf.org>
Content-Type: multipart/alternative; boundary="001a113a05e84eae8e051b4dff3f"
Archived-At: <http://mailarchive.ietf.org/arch/msg/trans/RnW_zE3MW03uinBhjo_Ziwp-odo>
Subject: [Trans] Review of draft-linus-trans-gossip-ct-02
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2015 12:53:24 -0000

Comments in {} when in quoted sections.

"2.  Overview

   Public append-only untrusted {verifiable is perhaps a better word} logs "


Diagram in section 3 appears to omit SCTs delivered over OCSP.

Also, the line from CA to Website is labelled "Cert and SCT" but the SCT
may be omitted.


Section 5

"Trusted Auditor Stream, HTTPS clients communicating directly with
      trusted CT auditors/monitors sharing SCTs, certificate chains and
      STHs. {Slightly confused: section 4 mentions auditors and monitors
using this channel between themselves?}"

5.1

" Note that clients
   send the same SCTs and chains to servers multiple times with the
   assumption that a potential man-in-the-middle attack eventually will
   cease so that an honest server will receive collected malicious SCTs
   and certificate chains. {note that if an SCT is sent over a channel that
used an SCT from the same log, then that new SCT can replace the existing
one for reporting - bad behaviour is still detected - i.e. an SCT can be
considered "sent" if it is sent over a channel validated by the same log}"

5.1.1

" The client MUST
   send to the server the ones in the store that are for that server and
   were not received from that server. {comment about "sent SCTs" applies}"

"An SCT MUST NOT be sent to any other HTTPS server than one serving
   the domain that the certificate signed by the SCT refers to.{Not all TLS
clients care about privacy: e.g. crawlers, so this MUST NOT is too strong}"

"First, the server
   recieving the SCT would learn about other sites visited by the HTTPS
   client{if SCTs are gossipped then this is clearly untrue: however, I
agree that it is hard to avoid some kind of privacy leak}. "

"Secondly, auditors or monitors recieving SCTs from the HTTPS
   server would learn information about the other HTTPS servers visited
   by its clients.{ditto}"

"If the HTTPS client has configuration options for not sending cookies
   to third parties, SCTs MUST be treated as cookies with respect to
   this setting.{don't understand - you already banned sending to third
parties}"

"The data sent in the POST is defined in Section 5.1.3.{what if the POST
fails, as it obviously will for most servers initially?}"

"   3.  if the leaf cert is not for a domain that the server is
       authoritative for, the SCT MUST be discarded {only true if you ban
SCT gossip}"

" It's important to note
   that the check must be on pairs of SCT and chain in order to catch
   different chains accompanied by the same SCT.  [XXX why is this
   important?]{given that logs do _not_ have to log multiple chains, I
suspect this is actually not important}"

" Note that an HTTPS server MAY perform a certificate chain validation
   on a submitted certificate chain, and if it matches a trust root
   configured on the server (but is otherwise unknown to the server),
   the HTTPS server MAY store the certificate chain and MAY choose to
   store any submitted SCTs even if they are unable to be verified.  The
   risk of spamming and denial of service can be mitigated by
   configuring the server with all known acceptable certificates (or
   certificate hashes). {Confused by this, surely the point is to find
certs/SCTs the server does not expect?}"

5.1.3

"      *  sct_data: An array of objects consisting of the base64
         representation of the binary SCT data as defined in [RFC6962]
         Section 3.2. {SCTs may be in the certs, so should they be
replicated here or not?}"

"   The 'x509_chain' element MUST contain at{typo} the leaf certificate and
the
   full chain to a known root."

5.2

"   o  Logs cannot issue STHs too frequently.  This is restricted to 1
      per hour. {probably should refer to 6962-bis for this restriction}"

Also in 5.2, note that servers could function as their own auditors.

5.2.2

"After retrieving the consistency proof to the most recent STH, they
   SHOULD pollinate this new STH among participating HTTPS Servers {and may
safely discard the older STH}. "

5.2.3

"  o  sths - an array of 0 or more fresh STH objects [XXX recently
      collected] from the log associated with log_id.  Each of these
      objects consists of {note that we've moved to binary format for SCTs
in 6962-bis}"

6.1.1

" Therefore, a
   client with an SCT for a given server should transmit that
   information in only two channels: to a server associated with the SCT
   itself; and to a trusted CT auditor, if one exists.{only if the client
cares about privacy}"

6.1.4

"This is similar to
   the fingerprinting attack described in Section 6.1.2, but it is
   mitigated by the following factors: {mention rate limit?}"

6.1.6

"The log's inability to
      provide either proof will not be externally cryptographically-
      verifiable, as it may be indistinguishable from a network error.
{note that anyone who sees the whole log can independently prove
inconsistency/non-inclusion}"

v2.23.0 | Report a Bug | By Email