Re: [Trans] Gossip draft CFA closed
Bryan Ford <brynosaurus@gmail.com> Thu, 22 October 2015 09:36 UTC
Return-Path: <brynosaurus@gmail.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA2341B3577 for <trans@ietfa.amsl.com>; Thu, 22 Oct 2015 02:36:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MUr3COg2oJV2 for <trans@ietfa.amsl.com>; Thu, 22 Oct 2015 02:36:02 -0700 (PDT)
Received: from mail-wi0-x235.google.com (mail-wi0-x235.google.com [IPv6:2a00:1450:400c:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA17F1B3568 for <trans@ietf.org>; Thu, 22 Oct 2015 02:36:01 -0700 (PDT)
Received: by wijp11 with SMTP id p11so22830351wij.0 for <trans@ietf.org>; Thu, 22 Oct 2015 02:36:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=/NB8BtFbOrzoBxAayRbJTFrS0tSPntMJVy9NN5wsySU=; b=XlwOEt4vauiMP8el+7iILRE/qzFFXUe/23sWuE77JtdgiwiTUC6P5NWWo/B11xnvsr 2vfdV0l4Is4/hifjajbCz6VcedbcTanxXiJbEJefQjUz94yccFbtWo65chhqilPVe20D +WCzpKOB0qouN7/6Oaq6dZUkQk3V5YvmVTw2n9pNracXOYEPlnO1nuMea+UzGLCpvya4 PvHgXyEIVufoN+ijRvPnG/VXmyBX0CWlOkXgu2xg0szQwRhpl2UXyz8Kb1tvyCL+BJFX CCooNJacpQkT5qSxn5bzy3kMq00eZRewVGV6YsjJIxOZwbkDr8hU6hnE/+r7pPzbZAyL waiw==
X-Received: by 10.194.171.199 with SMTP id aw7mr18306697wjc.32.1445506560528; Thu, 22 Oct 2015 02:36:00 -0700 (PDT)
Received: from icsil1noteb193.epfl.ch (icsil1noteb193.epfl.ch. [128.178.151.41]) by smtp.gmail.com with ESMTPSA id q8sm10871855wiz.23.2015.10.22.02.35.59 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 22 Oct 2015 02:35:59 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.0 \(3094\))
From: Bryan Ford <brynosaurus@gmail.com>
In-Reply-To: <CA+cU71=Kk8QEiU__E63z_w2JDBfrYa3hAb=oE_iYu=c9Yn8uWA@mail.gmail.com>
Date: Thu, 22 Oct 2015 11:35:58 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <B200FAD3-26A6-4A07-B7CB-43102EBDB2D3@gmail.com>
References: <mailman.1457.1439053021.3844.trans@ietf.org> <30A8C7DD-B87D-4095-AAFF-FB63EA01D292@gmail.com> <CA+cU71=Kk8QEiU__E63z_w2JDBfrYa3hAb=oE_iYu=c9Yn8uWA@mail.gmail.com>
To: Tom Ritter <tom@ritter.vg>
X-Mailer: Apple Mail (2.3094)
Archived-At: <http://mailarchive.ietf.org/arch/msg/trans/Yt7rx5C1s-YBeoYY-1dj1TXE9wY>
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] Gossip draft CFA closed
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Oct 2015 09:36:04 -0000
Hi Tom, finally following up on your E-mail long-ago: On 13 Aug 2015, at 02:44, Tom Ritter <tom@ritter.vg> wrote: > I think that even if every log had a 51 of 100 signers threshold > scheme, we would still want some form of verification that logs are > operating non-maliciously. While the bar for collusion or compromise > is higher (at 51 instead of 1), the minimum and average technical > operating level for the signers of 3 such multi-signer logs will be > much lower than that of 3 single-signer logs. While each signer can > act as an auditor _for the data it sees_, there is no guarantee that a > signer might not be presented with a split-view of the log and never > be able to catch the other signers acting on the other side of the > merkle tree. So I still think verification is needed. And that > verification would probably look something like gossip…. The intent of my proposal is that the log-server operator (or anyone operating a public authority service with a cloud of co-signing witnesses) choose witness/co-signing servers from reputable (but independent) organisations competent enough to keep their witness servers up and available almost all the time. (Surely there must be 100 organisations out there who can keep a server running, especially one that’s trivial to replicate…) Thus, in the intended operating mode I would hope and expect it to be rare for even one co-signer to be missing. If many co-signers are missing it should mean either (a) the Internet is in the midst of a major connectivity meltdown and might have more urgent problems than issuing new certificates or STHs; or (b) the primary signer (e.g., log server) itself is disconnected from the rest of the world, in which case no one is going to hear about any new STHs it signs promptly anyway until it reconnects, so maybe it would actually be better if it just waits until it reconnects to the world. If a co-signing witness is persistently unreliable, it should be kicked out of the group at the next opportunity. > Whenever I've seen someone propose something to the effect of "And a > different organization will be responsible for the uptime of your > organization!" it tends not to get traction. So I'm skeptical that a > multi-signer approach can be practically deployed. But I would love to > be proven wrong. Agreed, that’s an important issue, but as mentioned in my immediately prior E-mail to Ben that’s not a problem here. The primary signer (log server) can forge ahead using any threshold it wants, including a threshold of 0 if it wants no risk at all of its progress being blocked by co-signers - but the precise set of co-signers that were or weren’t present in a round are precisely documented in the collective signature (and in the current mechanism, must be available to clients for signature verification.) If many (e.g., O(N)) co-signers are missing from a given round, then the collective signature grows and its verification cost likewise grows to be comparable to the simple case of simply collecting O(N) individual signatures. But again the intended operating principle is that missing co-signers should be rare - or booted from the group if not - and in that case the collective signatures should “almost always” be small and quick to verify. B > > -tom
- [Trans] Gossip draft CFA closed Melinda Shore
- Re: [Trans] Gossip draft CFA closed Bryan Ford
- Re: [Trans] Gossip draft CFA closed Tom Ritter
- Re: [Trans] Gossip draft CFA closed Bryan Ford