Re: [Trans] Gossiping in CT

Linus Nordberg <> Mon, 29 September 2014 12:49 UTC

From: Linus Nordberg <>
To: Tao Effect <>
Organization: NORDUnet A/S
Date: Mon, 29 Sep 2014 14:50:53 +0200

Tao Effect <> wrote
Sat, 27 Sep 2014 16:10:35 -0700:

| Paul Wouters brought up the idea of sharing certs on [metzdowd], and I guess that's the same thing as gossiping SCTs, right?

That's not how I read that. The suggestion seems to be sharing
information about seeing two different certificates with the same CN
within some period of time. That's not what an SCT carries.

| > The more information shared, the better detection we seem to get. But
| > sharing information has privacy implications. It seems to me that
| > sharing STHs is much less problematic than sharing SCTs.
| Why do you think sharing SCTs is problematic, and what privacy implications does it pose?
| If the SCTs are shared over an encrypted connection, only the server, the client, and the potential MITM will know about them.

The fear is that the web server would get a good idea about what sites
the client has visited. If clients would gossip sufficiently about
_other_ clients' SCTs _and_ there would be no way of linking an SCT to a
given client, this might be less of a problem. Can we do this?

| Any time a cert changes, the client would tell the server about that change over the established TLS connection.
| When MITM leaves, the server would find out that a fraudulent cert had been generated for their website, and could then identify the CA responsible.

Here is the cert change again. I'll leave it to others to explain more
about that idea. Sounds interesting.