[Trans] Review of draft-linus-trans-gossip-ct-02
Ben Laurie <benl@google.com> Mon, 20 July 2015 12:53 UTC
Return-Path: <benl@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D05A81A8770 for <trans@ietfa.amsl.com>; Mon, 20 Jul 2015 05:53:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.111
X-Spam-Level: *
X-Spam-Status: No, score=1.111 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_62=0.6, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O3VtcSCNygTW for <trans@ietfa.amsl.com>; Mon, 20 Jul 2015 05:53:21 -0700 (PDT)
Received: from mail-yk0-x236.google.com (mail-yk0-x236.google.com [IPv6:2607:f8b0:4002:c07::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 184661A87B0 for <trans@ietf.org>; Mon, 20 Jul 2015 05:51:34 -0700 (PDT)
Received: by ykax123 with SMTP id x123so137893839yka.1 for <trans@ietf.org>; Mon, 20 Jul 2015 05:51:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=HH28oDGxi7qcSRSh9FhiILOkZcTMypOE9eu9xD2MBqo=; b=RQAGEbXR90DsN55UaTGf+W+Nu9K+1IsnKZjyrIXDNtxS14zyiUPfX7pG+R3oL9eqrX fBaaXIUq05yiMXXI/8BtDkKuecNbgyxDP7gxnKN4hhfBR7VmhveFldzr1ghurP6+y6mx z7A6Nl4ZHQ3+mas6+JI49Js44T+/UiHpk0H+pDPg6udVAOhVm1NcZFpyf/liJd+6JR7S 2nJzvIXshKJs0V+P3vSMsPb8jSLldFlV/Wd2efLPMSJCaf2GQa8mv9rspxh6x9gcQ2Yn PxYXNvLopQUCdEYb+t5GWblkLi9OOiwAegGcDCm3p+Ch0yKX9267vfXn+yUa+qMu4nho gDaA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type; bh=HH28oDGxi7qcSRSh9FhiILOkZcTMypOE9eu9xD2MBqo=; b=FBlzKekZR7idpvRL8o+Z6JkX4egR8bel4e8Aesx8aJVYLqMrF8h+n5Hv16rcADOZ9B 71Rq5liAd5+qJDJf0TghSb73SQUbEoh2uCP4MFBrKrNkM0aRoEjnKzL44E8VG/GK6w+p T0NLlLKqsl4ARumP4XTRMvRPnDJEvmml/kFYKBBRE59OiLJECNbmTFaPtLo4TA6wNPw6 Cg94ViR8toFXLHNRnJ0L25H7a/32rIO11JkP36h0sKzZxBMl0dfi6Q+s4VuP0Qeoh+03 7H92T+eotu+bmfo5fr8NiKd5X1Y/sgQwyKlbCT0pLa2SXpL+v9dhMAtJwkMwIlKWCMk0 7x/g==
X-Gm-Message-State: ALoCoQmlrh7dl+hkpL3rv+0h/wrh8EVsshtGzKxtlrct8Tj/bAXLXA94yo8GH4i9uOtyLtXx71Xh
MIME-Version: 1.0
X-Received: by 10.170.91.3 with SMTP id i3mr8466975yka.25.1437396693306; Mon, 20 Jul 2015 05:51:33 -0700 (PDT)
Received: by 10.37.8.201 with HTTP; Mon, 20 Jul 2015 05:51:33 -0700 (PDT)
Date: Mon, 20 Jul 2015 13:51:33 +0100
Message-ID: <CABrd9SQQWpqiku1xKYRzJj5p_G4bE63x6LAzQpFTNObwiZegxQ@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: draft-linus-trans-gossip-ct@tools.ietf.org, "trans@ietf.org" <trans@ietf.org>
Content-Type: multipart/alternative; boundary="001a113a05e84eae8e051b4dff3f"
Archived-At: <http://mailarchive.ietf.org/arch/msg/trans/RnW_zE3MW03uinBhjo_Ziwp-odo>
Subject: [Trans] Review of draft-linus-trans-gossip-ct-02
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2015 12:53:24 -0000
Comments in {} when in quoted sections. "2. Overview Public append-only untrusted {verifiable is perhaps a better word} logs " Diagram in section 3 appears to omit SCTs delivered over OCSP. Also, the line from CA to Website is labelled "Cert and SCT" but the SCT may be omitted. Section 5 "Trusted Auditor Stream, HTTPS clients communicating directly with trusted CT auditors/monitors sharing SCTs, certificate chains and STHs. {Slightly confused: section 4 mentions auditors and monitors using this channel between themselves?}" 5.1 " Note that clients send the same SCTs and chains to servers multiple times with the assumption that a potential man-in-the-middle attack eventually will cease so that an honest server will receive collected malicious SCTs and certificate chains. {note that if an SCT is sent over a channel that used an SCT from the same log, then that new SCT can replace the existing one for reporting - bad behaviour is still detected - i.e. an SCT can be considered "sent" if it is sent over a channel validated by the same log}" 5.1.1 " The client MUST send to the server the ones in the store that are for that server and were not received from that server. {comment about "sent SCTs" applies}" "An SCT MUST NOT be sent to any other HTTPS server than one serving the domain that the certificate signed by the SCT refers to.{Not all TLS clients care about privacy: e.g. crawlers, so this MUST NOT is too strong}" "First, the server recieving the SCT would learn about other sites visited by the HTTPS client{if SCTs are gossipped then this is clearly untrue: however, I agree that it is hard to avoid some kind of privacy leak}. " "Secondly, auditors or monitors recieving SCTs from the HTTPS server would learn information about the other HTTPS servers visited by its clients.{ditto}" "If the HTTPS client has configuration options for not sending cookies to third parties, SCTs MUST be treated as cookies with respect to this setting.{don't understand - you already banned sending to third parties}" "The data sent in the POST is defined in Section 5.1.3.{what if the POST fails, as it obviously will for most servers initially?}" " 3. if the leaf cert is not for a domain that the server is authoritative for, the SCT MUST be discarded {only true if you ban SCT gossip}" " It's important to note that the check must be on pairs of SCT and chain in order to catch different chains accompanied by the same SCT. [XXX why is this important?]{given that logs do _not_ have to log multiple chains, I suspect this is actually not important}" " Note that an HTTPS server MAY perform a certificate chain validation on a submitted certificate chain, and if it matches a trust root configured on the server (but is otherwise unknown to the server), the HTTPS server MAY store the certificate chain and MAY choose to store any submitted SCTs even if they are unable to be verified. The risk of spamming and denial of service can be mitigated by configuring the server with all known acceptable certificates (or certificate hashes). {Confused by this, surely the point is to find certs/SCTs the server does not expect?}" 5.1.3 " * sct_data: An array of objects consisting of the base64 representation of the binary SCT data as defined in [RFC6962] Section 3.2. {SCTs may be in the certs, so should they be replicated here or not?}" " The 'x509_chain' element MUST contain at{typo} the leaf certificate and the full chain to a known root." 5.2 " o Logs cannot issue STHs too frequently. This is restricted to 1 per hour. {probably should refer to 6962-bis for this restriction}" Also in 5.2, note that servers could function as their own auditors. 5.2.2 "After retrieving the consistency proof to the most recent STH, they SHOULD pollinate this new STH among participating HTTPS Servers {and may safely discard the older STH}. " 5.2.3 " o sths - an array of 0 or more fresh STH objects [XXX recently collected] from the log associated with log_id. Each of these objects consists of {note that we've moved to binary format for SCTs in 6962-bis}" 6.1.1 " Therefore, a client with an SCT for a given server should transmit that information in only two channels: to a server associated with the SCT itself; and to a trusted CT auditor, if one exists.{only if the client cares about privacy}" 6.1.4 "This is similar to the fingerprinting attack described in Section 6.1.2, but it is mitigated by the following factors: {mention rate limit?}" 6.1.6 "The log's inability to provide either proof will not be externally cryptographically- verifiable, as it may be indistinguishable from a network error. {note that anyone who sees the whole log can independently prove inconsistency/non-inclusion}"
- [Trans] Review of draft-linus-trans-gossip-ct-02 Ben Laurie
- Re: [Trans] Review of draft-linus-trans-gossip-ct… Linus Nordberg
- Re: [Trans] Review of draft-linus-trans-gossip-ct… Ben Laurie
- Re: [Trans] Review of draft-linus-trans-gossip-ct… Tom Ritter
- Re: [Trans] Review of draft-linus-trans-gossip-ct… Ben Laurie
- Re: [Trans] Review of draft-linus-trans-gossip-ct… Tom Ritter