IETF Logo Mail Archive

Re: [Trans] Gossip: Unsticking a client caught with potential evidence of log misbehavior

Robin Wilton <wilton@isoc.org> Tue, 20 October 2015 12:54 UTC

Return-Path: <wilton@isoc.org>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EFC51A00C2 for <trans@ietfa.amsl.com>; Tue, 20 Oct 2015 05:54:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R87Vke94b26m for <trans@ietfa.amsl.com>; Tue, 20 Oct 2015 05:54:18 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0670.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::670]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4617C1A0143 for <trans@ietf.org>; Tue, 20 Oct 2015 05:54:18 -0700 (PDT)
Received: from SN1PR06MB1839.namprd06.prod.outlook.com (10.162.133.18) by SN1PR06MB1838.namprd06.prod.outlook.com (10.162.133.16) with Microsoft SMTP Server (TLS) id 15.1.300.14; Tue, 20 Oct 2015 12:53:55 +0000
Received: from SN1PR06MB1839.namprd06.prod.outlook.com ([10.162.133.18]) by SN1PR06MB1839.namprd06.prod.outlook.com ([10.162.133.18]) with mapi id 15.01.0300.010; Tue, 20 Oct 2015 12:53:55 +0000
From: Robin Wilton <wilton@isoc.org>
To: Ben Laurie <benl@google.com>
Thread-Topic: [Trans] Gossip: Unsticking a client caught with potential evidence of log misbehavior
Thread-Index: AQHRCsWY3lORl9SSD0qUovTlUnEIPZ50FV6AgABBXQA=
Date: Tue, 20 Oct 2015 12:53:54 +0000
Message-ID: <E1812BE0-BD94-4050-95DB-C0483303AFF2@isoc.org>
References: <CA+cU71m0wpnD1ZYOTtr=oW+1BjquFxyagtMt+wgCgC_PD0PE-g@mail.gmail.com> <CABrd9SQd2RETKQWe9-_KCHufAWjBhs2k008vEz-5cyM_gbY4Qw@mail.gmail.com>
In-Reply-To: <CABrd9SQd2RETKQWe9-_KCHufAWjBhs2k008vEz-5cyM_gbY4Qw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=wilton@isoc.org;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [94.174.34.240]
x-microsoft-exchange-diagnostics: 1; SN1PR06MB1838; 5:Uh68+qNGUp/i16k7K0edaUf0h6kUXSYOeqWFltL7IJw3wlprRfYiOf4ODSSt3P/Cp2aams6sEWT5jqt4m0iqtma9r9wckxNWPU18sJuwATr/wzMDgOhRgZCOTaUyd1VBHfGqaUMxnABOBoUgwZH5pQ==; 24:/nrBpFd9uMfNYxIakHfb4Xlmfk5wKOGVDjFNbPIzd13EtKWAUugxsvUKbt/WPP1Nhq0KUFj2CGQBxWa1QFuLXl9wTLWhXkv6D93j9NAaBZA=; 20:G6YqN2sSdgq/ZzHOgoyjFNX3saH6TYdmyItTTyCP0NOlbr59JGNEBDrH0fKu2UqWgUjRqyu+YnLZe8pYH1mkGQ==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:SN1PR06MB1838;
x-microsoft-antispam-prvs: <SN1PR06MB1838E961DF5CDD6B482414A7BF390@SN1PR06MB1838.namprd06.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(8121501046)(520078)(5005006)(3002001); SRVR:SN1PR06MB1838; BCL:0; PCL:0; RULEID:; SRVR:SN1PR06MB1838;
x-forefront-prvs: 073515755F
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(199003)(24454002)(53754006)(189002)(16236675004)(76176999)(5008740100001)(5002640100001)(5001920100001)(82746002)(105586002)(97736004)(92566002)(87936001)(86362001)(101416001)(106116001)(81156007)(50986999)(106356001)(5001960100002)(10400500002)(2900100001)(11100500001)(102836002)(19580405001)(19580395003)(64706001)(77096005)(54356999)(2950100001)(19617315012)(83716003)(99286002)(5007970100001)(5004730100002)(46102003)(15975445007)(99936001)(36756003)(33656002)(66066001)(122556002)(189998001)(40100003)(110136002)(104396002); DIR:OUT; SFP:1101; SCL:1; SRVR:SN1PR06MB1838; H:SN1PR06MB1839.namprd06.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: isoc.org does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/signed; boundary="Apple-Mail=_A2AC24B0-C906-4C6A-81D7-FAAF96A058DA"; protocol="application/pgp-signature"; micalg="pgp-sha256"
MIME-Version: 1.0
X-OriginatorOrg: isoc.org
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Oct 2015 12:53:54.9994 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 89f84dfb-7285-4810-bc4d-8b9b5794554f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1PR06MB1838
Archived-At: <http://mailarchive.ietf.org/arch/msg/trans/ZXFk-cdd8YLg_xtwBAUQXZy3O-8>
Cc: "trans@ietf.org" <trans@ietf.org>, Tom Ritter <tom@ritter.vg>
Subject: Re: [Trans] Gossip: Unsticking a client caught with potential evidence of log misbehavior
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Oct 2015 12:54:22 -0000

A couple of thoughts in line...

On 20 Oct 2015, at 09:58, Ben Laurie <benl@google.com> wrote:

> 
> 
> On Tue, 20 Oct 2015 at 00:26 Tom Ritter <tom@ritter.vg> wrote:
> Hi all,
> 
> So as we're working through the Gossip draft we ran into a problem we're
> not really sure how to solve. The gist of it is that a client can wind
> up in a state where it has a piece of data that it is pretty suspicious
> of, and it might be evidence of log misbehavior - but it's also private
> data and it has no way to share it with the world.
> 
> We have not addressed this in the -01 draft, it's an open question with no
> text currently.
> 
> Here are some ways that situation can arise (not exhaustive, but the
> draft will have an exhaustive list):
> 
> A client has a Cert+SCT and wants an inclusion proof. Every time it
> sends it up to the log (via an appropriately privacy-preserving
> mechanism, such as a DNS proxy), it gets the equivalent of a 500 error,
> even through other inclusion proof requests succeed.
> 
> A client has an older STH and it wants a consistency proof to a newer
> STH that it can pollinate. But it gets an error on every request, even
> though other consistency proof requests succeed.
> 
> A client knows a log has shut down, and it has the 'final STH'. It has
> an older STH and wants to resolve it to the final STH, but again - errors.
> 
> 
> We've been working off the assumption that some data would get out to
> auditors and the auditors would detect the misbehavior - but here the
> client has a piece of data that is privacy-sensitive, so it can't just
> broadcast it widely. But it also could be evidence of log misbehavior -
> and the fact that it gets other successful responses from the log makes
> it even more suspicious.
> 
> What should it do?
> 
> I've been talking about the possibility of an 'escape valve' where a
> client would release private information to an auditor-of-last-resort of
> its choosing (well, chosen by the developer of the client probably)
> after a sufficiently rigorous attempt to resolve it in a private
> manner... but that's not very satisfying. And it's even less satisfying
> to wave our hand and leave the criteria for releasing it undefined
> (because it ties so much into the algorithm for how to release data in
> any circumstance.)
> 
> We even talked about UI/UX.  This is such a crazy and rare situation
> that there's no hope of explaining it to users.  It's also something
> disconnected from any browsing session, so it's not possible to put a
> link on an intersitial as Chrome has done. The closest analogy is
> bug/crash reporting, either active (Windows/Apple sometimes asks if you
> want to submit queued error reports) or general browser opt-in (I
> believe Chrome/Firefox have some mechanism where you 'share data with
> the company to make the experience better').
> 
> How about reporting it to the alleged origin? Presumably there's no privacy issue there (the user visited the site already) ... the origin would then have to do something with that report - I can imagine that browser vendors would operate public endpoints for them to be forwarded to, for example.

This seems like an appropriate and privacy-preserving first step. The question then would be how to act on the various possible responses from the origin.

For instance, if the origin appears to take no action, and the symptom persists, that might be a suitable trigger for the “escape valve” Tom describes - i.e. reporting to a pre-specified auditor.

I think we need to bear in mind that the ultimate goal here is better behaviour through transparency. If it’s not appropriate, under these circumstances, to forfeit some degree of origin privacy by invoking at least one auditor, then I think we need to consider how to mitigate the risk that the origin is a bad actor.

> 
> Seems like the same kind of issue as HPKP reporting (see https://tools.ietf.org/html/rfc7469#section-2.1.4).
> 
> _______________________________________________
> Trans mailing list
> Trans@ietf.org
> https://www.ietf.org/mailman/listinfo/trans

v2.23.0 | Report a Bug | By Email