IETF Logo Mail Archive

Re: [Trans] The RFC6979 requirement in RFC6962-bis is bad

Linus Nordberg <linus@sunet.se> Mon, 22 May 2017 14:21 UTC

Return-Path: <linus@sunet.se>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5151A129B4F for <trans@ietfa.amsl.com>; Mon, 22 May 2017 07:21:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.091
X-Spam-Level:
X-Spam-Status: No, score=-4.091 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (bad RSA signature)" header.d=sunet.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k0WWW5Tm4lk1 for <trans@ietfa.amsl.com>; Mon, 22 May 2017 07:21:42 -0700 (PDT)
Received: from e-mailfilter02.sunet.se (e-mailfilter02.sunet.se [IPv6:2001:6b0:8:2::202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05BDB129329 for <trans@ietf.org>; Mon, 22 May 2017 07:21:41 -0700 (PDT)
Received: from smtp1.nordu.net (smtp1.nordu.net [109.105.111.32]) by e-mailfilter02.sunet.se (8.14.4/8.14.4/Debian-4+deb7u1) with ESMTP id v4MELccx016153 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 22 May 2017 16:21:38 +0200
Received: from flogsta (smtp.adb-centralen.se [IPv6:2001:6b0:8:0:0:0:0:129] (may be forged)) (authenticated bits=0) by smtp1.nordu.net (8.15.2/8.14.7) with ESMTPSA id v4MELYHQ027491 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 22 May 2017 14:21:37 GMT
VBR-Info: md=sunet.se; mc=all; mv=swamid.se
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sunet.se; s=default; t=1495462898; bh=OsPxA3L21o91wxYb+kOD+7YxsS+jdPV2JDe/jY5ZOj8=; h=From:To:Cc:Subject:References:Date:In-Reply-To; b=YAeYMMvo8kG4U+eRyE7MI9X+VqPl2hBhKy9MuIvi68Hz9SvVs33USoFbpfuyRAlux kVUGdl7Tu+PtxXMKwWKgV2+tKuTOR3TFZ9SrNiq36pQKk96qBgLxbp9VPi5aKOABGK OGAnM1mknSAhlMWe2XkhiUp9hJIXhAe9F9dEqWsI=
From: Linus Nordberg <linus@sunet.se>
To: Eran Messeri <eranm@google.com>
Cc: "trans@ietf.org" <trans@ietf.org>
Organization: Sunet
References: <CAFewVt5z3sq-Occ1VaHeNeBvt1yyCM_3_nssZSu2f_PBEL4SFQ@mail.gmail.com> <CA+cU71kBmKsxyvsmpuF6UAzP+fict3v62gEq_iKY-O2P07ZRLw@mail.gmail.com> <87pofiif6g.fsf@nordberg.se> <CA+cU71kVV_o30p-+dGdLT9Hpg+iiW5KgG-9xJD9iVCEHwhLg6w@mail.gmail.com> <CALzYgEeHpxRSxpQTSPasdahWXdzV8bGMV_R4HM02oscHrm8TWw@mail.gmail.com> <87inl25r8l.fsf@nordberg.se> <CALzYgEdunZXRmGtStGhfJHdHeytk3etYLNtAvFgf3bN2-6EyXQ@mail.gmail.com> <CALzYgEeCVnWG19F79OSwCC+iPArZbGGaBZYrKP2MWWdEDGVHVg@mail.gmail.com>
Date: Mon, 22 May 2017 16:21:54 +0200
In-Reply-To: <CALzYgEeCVnWG19F79OSwCC+iPArZbGGaBZYrKP2MWWdEDGVHVg@mail.gmail.com> (Eran Messeri's message of "Mon, 22 May 2017 13:23:12 +0100")
Message-ID: <871srhvunx.fsf@nordberg.se>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain
X-Scanned-By: CanIt (www . roaringpenguin . com) on 192.36.171.202
X-Scanned-By: MIMEDefang 2.74
X-p0f-Info: os=unknown unknown, link=Ethernet or modem
X-CanIt-Geo: ip=109.105.111.32; country=SE; latitude=59.3247; longitude=18.0560; http://maps.google.com/maps?q=59.3247,18.0560&z=6
X-CanItPRO-Stream: outbound-nordu-net:outbound (inherits from outbound-nordu-net:default, nordu-net:default, base:default)
X-Canit-Stats-ID: 0aTnqlC7d - 0c0d54b24ca0 - 20170522
X-CanIt-Archive-Cluster: PfMRe/vJWMiXwM2YIH5BVExnUnw
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/XouOOh2qNCcY4EgFvCCzuzjn1Aw>
Subject: Re: [Trans] The RFC6979 requirement in RFC6962-bis is bad
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 May 2017 14:21:45 -0000

Hi,

It should be clear by now that I'd be sad if 6962bis would allow logs to
return a different stream of bytes for the same ingoing parameters, for
SCTs and STHs, but more interesting would be to hear other wg members
views on the balance we're trying to strike.

Regarding current deployment, are there any 6269bis logs deployed yet?

Regarding correctness vs. completeness, what in -24 is incorrect with
this regard?

Regarding added cost of implementation, using RSA is an option.

Regarding gossip unclearity, the suggested change risks making it harder
to get STH gossip going.


Eran Messeri <eranm@google.com> wrote
Mon, 22 May 2017 13:23:12 +0100:

> FYI I'm proposing changes per this discussion in
> https://github.com/google/certificate-transparency-rfcs/pull/261. Comments
> welcome.
>
> Eran
>
> On Mon, May 15, 2017 at 12:35 PM, Eran Messeri <eranm@google.com> wrote:
>
>>
>>
>> On Mon, May 15, 2017 at 11:50 AM, Linus Nordberg <linus@sunet.se> wrote:
>>
>>> Eran Messeri <eranm@google.com> wrote
>>> Fri, 12 May 2017 14:36:04 +0100:
>>>
>>> > Thanks for the feedback. It helped me realize deterministic signatures
>>> > could be achieved not only by using a deterministic signature scheme,
>>> but
>>> > also by logs storing the produced signatures and returning them instead
>>> of
>>> > re-signing SCTs, for example.
>>> >
>>> > That's my understanding of the discussion so far:
>>> > * Requiring the use of RFC6979 is bad, for the reasons Brian has
>>> mentioned.
>>> > * It is not yet clear where deterministic signatures may be more
>>> important
>>> > (SCTs or STHs) because it's not clear what TLS clients will gossip and
>>> how.
>>>
>>> Not to argue against that statement but I think that it's clear that
>>> gossiping about STHs would become more problematic for a client caring
>>> about privacy if logs were allowed to send different strings of bits to
>>> different clients for a given pair of `log_id` and `tree_head` in an
>>> STH.
>>>
>>> I completely agree - it would be more difficult for clients caring about
>> privacy (which should be all TLS clients used by end-users these days,
>> really) to exchange STHs they've obtained themselves, if logs were allowed
>> to use unique signatures.
>> I'm not saying the reasoning is wrong - it is very solid as far as I can
>> tell - but that we don't know if we need it yet, see below.
>>
>>
>>> > * It is not necessary to require the use of a deterministic signature
>>> > scheme - only that the same signature is present in all instances of a
>>> > particular SCT (note that different SCTs for the same submission, with
>>> > different timestamps, which the log may issue, cannot have the same
>>> > signature).
>>>
>>> This sounds like a requirement, i.e. a MUST, which is not reflected in
>>> the reasoning below ("MUST->SHOULD" and "Mention that").
>>>
>>> Also, this talks about SCTs specifically. What do you think the story is
>>> for STHs?
>>>
>> Seems to me like the same reasoning applies to both - sorry, wasn't clear
>> about it.
>>
>>>
>>>
>>> > Also, in 6962-bis, my focus is on correct operation of the log & Merkle
>>> > Tree - and deterministic signatures are not strictly necessary for that.
>>>
>>> While I think it's fair to try to limit the scope I think it would be
>>> bad to make it hard to gossip since that's supposed to protect against
>>> attacks on the ability to audit the correctness of said
>>> operation. Admittedly, one problem here is that "hard to gossip" is far
>>> from well defined.
>>>
>>> Also, does this imply that the limitation on STH issuance frequency
>>> should be removed too?
>>>
>> I'd leave that, as it has several benefits beyond gossip (for example, the
>> ability to cache STHs and their consistency proofs or coordinating
>> selection of an SCT).
>>
>>>
>>>
>>> > To make progress on this issue, I propose the following:
>>> > * Remove references to 6979.
>>> > * Remove the strong requirement to use deterministic signature schemes
>>> > (MUST -> SHOULD), so implementations can use non-deterministic signature
>>> > schemes and still be compliant with the spec.
>>> > * Add reference to EdDSA, which includes a deterministic signature
>>> scheme
>>> > variant.
>>> > * Mention that deterministic signatures can be achieved by storing the
>>> > produced signatures.
>>> >
>>> > Any objections?
>>>
>>> I think that 6962bis should mandate that the same bits are sent over the
>>> wire to every client asking for a given piece of signed data. (This can
>>> be accomplished by either using a deterministic signing scheme or by
>>> storing the data under a unique key for later use.)
>>>
>>> The main reason for this requirement is to make it possible for log
>>> clients to gossip about STHs -- limiting the number of outstanding STHs
>>> that a log can have at any given time is important in order to limit the
>>> ability for a log to fingerprint its clients, as described in
>>> draft-ietf-trans-gossip-04 section 10.5.4. This is done by limiting the
>>> log STH issuance frequency (6962bis-24 section 4.8) _and_ requiring that
>>> the same bits are sent over the wire to everyone asking for a given STH.
>>>
>>> The privacy argument for imposing this same-bits-for-same-data rule for
>>> SCTs too seems weaker since SCTs carry much more privacy sensitive data
>>> but I'm not convinced that this holds for all gossip
>>> scenarios. Fingerprinting of a gossip peer doesn't necessarily relate to
>>> linking an SCT to a user of an HTTPS client. I think this is reason
>>> enough to not separate STHs and SCTs with regard to this requirement.
>>>
>>
>> Overall I agree with the sentiment. However I'm trying to balance the
>> attempt to make SCTs & STHs non-identifying as much as possible with ease
>> of implementation and the current deployment:
>> - As Melinda said on a separate post, 6962-bis has to be correct but it
>> doesn't have to be complete. We could add the stricter requirement of
>> producing consistent signatures for the same data later on.
>> - There's an added cost for implementations: Either more storage (storing
>> produced signatures) or reliance on features that are not widely supported
>> in crypto libraries (deterministic signatures).
>> - Right now, how the gossip is going to take place is unclear: The only
>> thing currently operating (AFAIK) is STH exchange between several monitors.
>> I don't know of any TLS client implementation that intends to fetch STHs
>> directly (we've actually removed this capability
>> <https://chromium.googlesource.com/chromium/src/+/dba25668458c87c4b38c63db710c49c47d0db087>> from Chrome recently). Even if there was such an implementation, because
>> it's not clear who it will be exchanging STHs with, it's unclear what's the
>> threat model - who has to collude to compromise a client's privacy by
>> tracking it.
>>
>> To put it simply, I don't know yet if we'll need it - which is why I
>> suggest we strongly recommend deterministic signatures, but not mandate it.
>>
>> What do you think?
>>
> _______________________________________________
> Trans mailing list
> Trans@ietf.org
> https://www.ietf.org/mailman/listinfo/trans

v2.23.0 | Report a Bug | By Email