Re: [Trans] What logs are storing (was: The RFC6979 requirement in RFC6962-bis is bad)

Andrew Ayer <agwa@andrewayer.name> Mon, 08 May 2017 23:14 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/WJDaxNQS_CghnIyHjpDVpYjSOoY>

On Tue, 09 May 2017 00:54:38 +0200
Linus Nordberg <linus@sunet.se> wrote:

> Andrew Ayer <agwa@andrewayer.name> wrote
> Mon, 8 May 2017 11:11:41 -0700:
> 
> > 3. When producing a new STH or SCT, sign it, store the signature,
> > and serve the stored signature instead of re-signing on-the-fly
> > every time the log needs to serve the STH or SCT.  Since the log
> > already needs to store information about STHs and SCTs, also
> > storing the signature should not be burdensome.
> 
> Why do logs already need to store information about SCTs?

Technically it's not required, but practically speaking logs need to
return an SCT for an existing entry when someone submits an
already-logged certificate (otherwise the log could be spammed into
oblivion).  To construct that SCT, the log needs to know the timestamp
of the existing entry.  A logical place to store the signature would be
alongside the timestamp.

> Do logs already need to store information about STHs because of the
> proposed get-sths API [0][1][2] or something else?

Even without the get-sths API, the log needs to store the timestamp of
the current STH.  That would be a logical place to store the signature.

Regards,
Andrew
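
Added example, not part of the original message and not code from any real log implementation: a toy log that stores each SCT's signature alongside its timestamp and serves the stored pair when an already-logged certificate is resubmitted, next to a variant that keeps only the timestamp and re-signs on the fly. The class and method names, the sample certificate bytes and timestamps are constructed, and the signer is an HMAC with a random nonce standing in for a randomized signature scheme.

```python
import hashlib
import hmac
import os


class ToyLog:
    """Constructed model of a log that stores each SCT signature with its timestamp."""

    def __init__(self, key: bytes):
        self._key = key
        self._entries = {}   # SHA-256(cert) -> (timestamp_ms, signature)
        self.sign_calls = 0

    def _sign(self, message: bytes) -> bytes:
        # Stand-in for a randomized signature scheme: a fresh nonce per call
        # means signing the same message twice yields different bytes.
        self.sign_calls += 1
        nonce = os.urandom(16)
        return nonce + hmac.new(self._key, nonce + message, hashlib.sha256).digest()

    def add_chain(self, cert: bytes, now_ms: int):
        """Return (timestamp, signature); sign only on first submission."""
        leaf = hashlib.sha256(cert).digest()
        if leaf not in self._entries:
            sig = self._sign(now_ms.to_bytes(8, "big") + leaf)
            self._entries[leaf] = (now_ms, sig)
        return self._entries[leaf]

    def add_chain_resigning(self, cert: bytes):
        """Alternative: reuse only the stored timestamp and re-sign per request."""
        leaf = hashlib.sha256(cert).digest()
        ts, _ = self._entries[leaf]
        return ts, self._sign(ts.to_bytes(8, "big") + leaf)


def demo():
    log = ToyLog(os.urandom(32))
    cert = b"constructed sample certificate bytes"
    first = log.add_chain(cert, now_ms=1494000000000)
    again = log.add_chain(cert, now_ms=1494000999000)   # resubmitted later
    resigned = log.add_chain_resigning(cert)
    return first, again, resigned, log.sign_calls


if __name__ == "__main__":
    first, again, resigned, calls = demo()
    print("resubmission returns stored SCT:", first == again)
    print("re-signing changes signature bytes:", resigned[1] != first[1])
    print("signing operations:", calls)
```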