Re: [Trans] What logs are storing (was: The RFC6979 requirement in RFC6962-bis is bad)
Andrew Ayer <agwa@andrewayer.name> Mon, 08 May 2017 23:14 UTC
On Tue, 09 May 2017 00:54:38 +0200
Linus Nordberg <linus@sunet.se> wrote:

> Andrew Ayer <agwa@andrewayer.name> wrote
> Mon, 8 May 2017 11:11:41 -0700:
>
> > 3. When producing a new STH or SCT, sign it, store the signature,
> > and serve the stored signature instead of re-signing on-the-fly
> > every time the log needs to serve the STH or SCT. Since the log
> > already needs to store information about STHs and SCTs, also
> > storing the signature should not be burdensome.
>
> Why do logs already need to store information about SCTs?

Technically it's not required, but practically speaking logs need to
return an SCT for an existing entry when someone submits an
already-logged certificate (otherwise the log could be spammed into
oblivion). To construct that SCT, the log needs to know the timestamp
of the existing entry. A logical place to store the signature would be
alongside the timestamp.

> Do logs already need to store information about STHs because of the
> proposed get-sths API [0][1][2] or something else?

Even without the get-sths API, the log needs to store the timestamp of
the current STH. That would be a logical place to store the signature.

Regards,
Andrew
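The storage arrangement Andrew describes, as an added example that is not part of the original message or of any log implementation: a constructed Go model that keeps the SCT signature next to the entry timestamp and serves the stored bytes unchanged when an already-logged chain is submitted again. Randomized ECDSA over P-256 from Go's standard library stands in for the log's signing key, and the to-be-signed structure is simplified to timestamp || leaf hash rather than the RFC 6962 encoding; the entry store is an in-memory map keyed by the SHA-256 of the submitted chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)

// SCT is what the log persists per entry: committed timestamp (ms) and the DER ECDSA signature produced once over it.
type SCT struct {
	Timestamp uint64
	Signature []byte
}
// Log is a constructed minimal model (not the RFC 6962 wire format) keeping the SCT signature next to the timestamp.
type Log struct {
	key     *ecdsa.PrivateKey
	entries map[[32]byte]SCT // keyed by SHA-256 of the submitted chain
	now     func() uint64    // injectable clock
}
func NewLog(now func() uint64) (*Log, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Log{key: key, entries: map[[32]byte]SCT{}, now: now}, nil
}
// Sign is randomized ECDSA over a simplified TBS (timestamp || leaf hash):
// two calls over identical input give different bytes, hence storing the result.
func (l *Log) Sign(ts uint64, leaf [32]byte) ([]byte, error) {
	buf := make([]byte, 8, 40)
	binary.BigEndian.PutUint64(buf, ts)
	d := sha256.Sum256(append(buf, leaf[:]...))
	return ecdsa.SignASN1(rand.Reader, l.key, d[:])
}
// AddChain serves the stored SCT for an already-logged chain (existed=true);
// only a new chain gets a timestamp, one signature, and a stored entry.
func (l *Log) AddChain(chain []byte) (sct SCT, existed bool, err error) {
	leaf := sha256.Sum256(chain)
	if stored, ok := l.entries[leaf]; ok {
		return stored, true, nil
	}
	sct.Timestamp = l.now()
	if sct.Signature, err = l.Sign(sct.Timestamp, leaf); err != nil {
		return SCT{}, false, err
	}
	l.entries[leaf] = sct
	return sct, false, nil
}
```

A resubmission never touches the signing key, so a client that compares two SCTs for the same entry sees identical bytes without the log needing deterministic (RFC 6979) signatures.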