IETF Logo Mail Archive

Re: [Trans] AD Review: draft-ietf-trans-gossip-04

Tom Ritter <tom@ritter.vg> Mon, 06 November 2017 05:07 UTC

Return-Path: <tom@ritter.vg>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F81313FC0F for <trans@ietfa.amsl.com>; Sun, 5 Nov 2017 21:07:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ritter.vg
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l13v1hJTZLvG for <trans@ietfa.amsl.com>; Sun, 5 Nov 2017 21:07:51 -0800 (PST)
Received: from mail-qk0-x22c.google.com (mail-qk0-x22c.google.com [IPv6:2607:f8b0:400d:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5681513FAFE for <trans@ietf.org>; Sun, 5 Nov 2017 21:07:51 -0800 (PST)
Received: by mail-qk0-x22c.google.com with SMTP id m189so9554907qke.4 for <trans@ietf.org>; Sun, 05 Nov 2017 21:07:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=A7pdouwaJjqxqdh5f9IF50A7ubnM3LUhgtjEul6pOdM=; b=g6lQYedw5gQ3ePizxd05o6kWj/I2T5Ft3di7fb5gMoxH7zfJAR4oY9q4T2aFor813/ TjS/5Rp8bkaPSpFYFx0+4lqmTPONobAyZhjbGeUzSrMjU2/qOlO/UXJUVlNkf/8/gXKu 95c7EbejL/7In0Dnr7jtSGCllQPf2gTEzUfWM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=A7pdouwaJjqxqdh5f9IF50A7ubnM3LUhgtjEul6pOdM=; b=fcdOtPvvEbaTv/eLCuHxbMJm8UUEGJhIRL2G9JIa4tvENNk6jukrrxOBZvjCddJ+/Y bFoaexVI3UUGElStAoS2FudYo0ze2N7svZFbKL5zs+VaDJj/9lpXYOgAMxUO4s0Gao6i 7D4WXukZjP0Xlnbn3MmlesTU8iObSzvmaCLD94FJEIk9HkycPix2Ywk+LikTDoJgK45J Ao4Aa9fwmhVBjUyqTqJJp1jzghw2UC8FQOTLBuda1+37X0YPTAVwv/oNLEITuy/3yAfU 3SgIP1Hb2okZdTR1CAREaTXkcrwpxBzGZeDQEta/AA9ndrLyaLs3LQl6eDAd9Io6WNYF Ny9A==
X-Gm-Message-State: AMCzsaVQvCJQMMNJ/kiT1b+A4nO1lmuCr6/jIzRu6J9BPtIEHvY+ySQO SdY5jxWLEUV44H34PkaIX30m1NlQe82sGMsgjlBfhQEF
X-Google-Smtp-Source: ABhQp+Sg/2Ox9xghYqT2jQfiT/8qjRlEFCFQC6CLaOkCrMomScloPnFyXHsOqdaws92T7RDsBzryAya1IqGj42/Vwl4=
X-Received: by 10.55.107.3 with SMTP id g3mr20044381qkc.24.1509944869787; Sun, 05 Nov 2017 21:07:49 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.108.53 with HTTP; Sun, 5 Nov 2017 21:07:29 -0800 (PST)
In-Reply-To: <CAL02cgQEYGMgfb3fxt8AniwgjUYMhNtio=Py+iYRSRzbaOztkg@mail.gmail.com>
References: <CABcZeBM6=26ojcoMfkq5205z7UvCSQuhkg0PrR2_bjP-ps7W0g@mail.gmail.com> <CAL02cgSyB4bdjJs=iGsQFmuwPZoQTTjhrwu=ivL5rBB7EWOjNw@mail.gmail.com> <CA+cU71monniqd1H9=gss2ZTJtBNVdBOXXx6=SDqBuFqHGKEEhA@mail.gmail.com> <CAL02cgQEYGMgfb3fxt8AniwgjUYMhNtio=Py+iYRSRzbaOztkg@mail.gmail.com>
From: Tom Ritter <tom@ritter.vg>
Date: Sun, 05 Nov 2017 23:07:29 -0600
Message-ID: <CA+cU71k-njpmxQYkrnRxLUfbM2CeZDtURX1Vi_pjqNK6C9pQjg@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: Eric Rescorla <ekr@rtfm.com>, Trans <trans@ietf.org>, draft-ietf-trans-gossip@tools.ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/UZcNowxVrGrVrPcTmre0ouZ4lWk>
Subject: Re: [Trans] AD Review: draft-ietf-trans-gossip-04
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Nov 2017 05:07:53 -0000

On 5 November 2017 at 21:52, Richard Barnes <rlb@ipv.sx> wrote:
>
>
> On Sun, Nov 5, 2017 at 1:18 AM, Tom Ritter <tom@ritter.vg> wrote:
>>
>> I'm going to cherry pick a single thing to ask about before we try to
>> address everything.
>>
>> On 16 October 2017 at 16:41, Richard Barnes <rlb@ipv.sx> wrote:
>> > As far as SCT feedback, note that the
>> > privacy issues here (around server tracking) are unnecessary to meet the
>> > need here -- only the auditor needs to see the SCTs, not the server.  If
>> > you
>> > had a way for clients to encrypt SCTs to specific auditors, you would no
>> > longer have an issue with server tracking.
>> >
>> > ...
>> >
>> > 2. Add a through-encryption modality for SCT feedback
>>
>> This is an interesting idea. However, I'm worried it's infeasible
>> because of abuse concerns.
>>
>> A client needs to pass the (encrypted) SCT through a third party to
>> prevent the auditor from knowing who visited a particular site. But
>> the third party has no assurance that the payload is a valid SCT and
>> not garbage, so there's DOS concerns. Even if we waved the crypto
>> magic wand (I would be surprised if there wasn't a crypto primitive
>> for this problem, I didn't search), the third party is essentially
>> opening itself to being given every SCT in the log.
>>
>> Attempts at putting a cap on the data received open the doors to
>> flooding attacks that would fill up any cap before the client can
>> provide its data.
>>
>> Am I thinking about the design the same way you were? Do you think
>> this is a problem, and if so, know how you'd work around it?
>
>
> TBH, I don't think I had considered the DoS issues.  Now that you mention
> it, I'm not sure I really buy the premises of the operational model the
> document presumes for servers.  If I were building a server, why would I not
> just ship off a batch to the auditor whenever my storage fills up?

You could do that.

> Assuming
> that's in the realm of plausible server architectures, now you're relying on
> the server's altruism to protect the log from DoS, and altruism rarely
> scales.

The  *log* from DOS? Or the auditor? I confess I hadn't really
considered DOSing auditors. I think when I was actively working on
this doc, auditors hadn't really been implemented yet, and in my mind
internet-scale auditors keep a copy of the tree indexable, and
immediately discard data they have already seen, so it's 'hard' to DOS
them. But that's not how they work today and I don't even know if
that's feasible.

> And even if all the servers are well-behaved, a malefactor can spam
> the auditor's SCT feedback endpoint directly if he wants to.

Yes.

> In other words, the auditor has a DoS problem here regardless of
> through-encryption.  The only question is whether it has to just check
> signatures or also decrypt; one public-key operation or two.

Yes.

My point about DOS was not that one could DOS the auditor (you can
with or without as you note), but that one could DOS the SCT Feedback
server. Without encryption, example.com rejects all cert+SCTs that
aren't for example.com and doesn't store them. With encryption, it
accepts data for any address on the internet. (And if it sets a
storage limit, that's where you run into flooding attacks.)

-tom

v2.23.0 | Report a Bug | By Email