[Trans] STH Discipline & Security Considerations
Richard Barnes <rlb@ipv.sx> Fri, 03 March 2017 18:24 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D33212996F for <trans@ietfa.amsl.com>; Fri, 3 Mar 2017 10:24:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GAKZ6_o_v4mO for <trans@ietfa.amsl.com>; Fri, 3 Mar 2017 10:24:54 -0800 (PST)
Received: from mail-wr0-x233.google.com (mail-wr0-x233.google.com [IPv6:2a00:1450:400c:c0c::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47DEB129958 for <trans@ietf.org>; Fri, 3 Mar 2017 10:24:54 -0800 (PST)
Received: by mail-wr0-x233.google.com with SMTP id u108so79198858wrb.3 for <trans@ietf.org>; Fri, 03 Mar 2017 10:24:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=whYP2RX/6/H09OQE51TLNtZl/dBFmEuZgg5GOjm8L3w=; b=uQBC9wX1918WFxz2yw2tdbPYBm6fTIhRzbcTD031Joc2v+P3W7MJzBRYqR0RKdYxo2 Q3CcAw73WNbP7DNG6sUj2fl+GQGIzZVr27YHs3zhJFTsZ76LCCuRbM2FDm2j/ZusLOpc jLV6sQtBySIwhtEsQ3k+UHFi56WqvwxhfNmXBj4gNLtBCK5ex4D2e8WPL8QPONaAKY+C ETZ/PH7/l5SDd4oTwOIlxbVO4ieYeekCe/krhpfL4j8Txqw6wbJNw+f5bxuD3KV83Qn4 kBx6EyjVKYM36P7Lrc9+ecITtoHytx4xDLwaXGXbh1NQ6oI3MdmrGYTy8d/oLu034LOC rq6w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=whYP2RX/6/H09OQE51TLNtZl/dBFmEuZgg5GOjm8L3w=; b=A9l+CQcfZeP52iCuTjghx4OPq/Mr+lj4LKQuBU74P2AsqhLhsk5V1OnBzKiiq2TeRJ SE7dtqDmDLlpDcO/IEnbayFMyW8NsuNEUDt4bqMVPRcSpe3FunVx5Xky688BqWfNgdEY 5A2aubMs0wJEYkaXTDLy4dkBdGH7TQ/xCg4QukrY2V2/tnf7G93dWBrg0pO79WU2ASsK twBvZeEMpEefSRHfIRAzjaD1rsBEnFWya0IW8FAgqOrQQl1LAK9w7AaVugqlXnznvSkk ms1IhG3PalwcWukqHNejBKHniDa5YlwO5NLZUihBE6P6q2hD0pkmdYLZJjoTSJnhf+Y2 T7qA==
X-Gm-Message-State: AMke39ndIwDjgyRXiWDnXaQkb1HwvfEplEFoCbRwEGfevkxiA6hVDdL0Fzbqt6NsnbaotSnujgAa2W3UGMTOIA==
X-Received: by 10.223.139.152 with SMTP id o24mr3869101wra.61.1488565491760; Fri, 03 Mar 2017 10:24:51 -0800 (PST)
MIME-Version: 1.0
Received: by 10.28.31.2 with HTTP; Fri, 3 Mar 2017 10:24:51 -0800 (PST)
From: Richard Barnes <rlb@ipv.sx>
Date: Fri, 03 Mar 2017 13:24:51 -0500
Message-ID: <CAL02cgSr_G6HdS7f28cgBE4G_DAhnz6ios2EsTGEx==t6ONOZw@mail.gmail.com>
To: Trans <trans@ietf.org>
Content-Type: multipart/alternative; boundary="f403045e9ace5c98420549d7a9e3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/Zm4NqyRc7LDsOtV56EchBIT9r4c>
Subject: [Trans] STH Discipline & Security Considerations
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Mar 2017 18:24:56 -0000
Hey all, I wanted to follow up on my earlier comments and a bunch of side conversations I've had with people since then with a revised change proposal that I think can get -rfc6962-bis to a point we can live with. tl;dr: 1. We/Mozilla can live with the Merkle tree for now, though we/community might ultimately want something different later 2. At a systemic level, we need to move toward servers providing inclusion proofs, but -rfc6962-bis provides sufficient tools for this 3. We need to better document "STH discipline", and define a "canonical STH" for each element in the log 4. We need to update the security considerations to describe more clearly the implications of various levels of auditing I'm willing to write up a PR for (2); EKR has volunteered for (3). # Auditing Models There are basically two approaches to auditing available to clients: 1. Prospective: Browser does auditing checks at TLS connection time 2. Retrospective: Browser does auditing checks after TLS connection time Prospective checking provides better assurance than retrospective, since it prevents any harm that would come from a mis-issued, improperly-attested certificate. The cost is that the server has to send enough information the cert and the browser has to cache enough information about the log that the two can be married up without further requests. In practice, however, it looks like some degree of retrospective checking will be necessary even in browsers that support the cache enough information for prospective checking. On the one hand, if an inclusion proof can't be embedded in a cert, then we can't count on all server operators providing it (via OCSP / TLS). On the other hand, including proofs in certs imposes issuance delays that will not be acceptable in many circumstances, even if it is O(minutes). And given Eran's SSL proxy proposal, with the amendments I suggested, I'm now pretty well convinced that the fetches you need for retrospective validation can be done privately with something short of Tor (just). The scalability problems are bad, but probably ultimately workable. It should be clear that either of these models work much better if the server provides inclusion proofs. Together with the STH discipline notions below, this would enable prospective auditing for all but very new certificates if a browser is willing to cache STHs. Even in cases where CT information must be fetched, having the server send an inclusion proof would mean that the only fetch would be for consistency, which is a less privacy-sensitive, more cacheable query. # STH Discipline Either style of auditing also works better if logs have a notion of "STH discipline", in the following sense: 1. The official state of the log comprises a sequence of STHs issued at specified intervals. 2. For each certificate in the log, there is a single "canonical STH" to which the log will produce an inclusion proof. Proofs to other STHs are done by adding a consistency proof to the inclusion proof. This property makes things work more smoothly in both auditing models: - If the browser is willing to cache STHs, this tells the browser exactly which STHs it needs to cache in order to validate all inclusion proofs. - Everything is more cacheable, since there's only one inclusion proof per certificate, and a limited set of heads among which consistency needs to be calculated. - Cacheability means that the fetches of inclusion proofs get greater privacy benefit from caching, since they depend only on the certificate, not the STH that the client is using. Likewise for consistency proofs, because of the reduced variety. >From a protocol point of view, I haven't done a thorough evaluation of the document, but there are at least a few things you would want to make this model work: - Prose that articulates the above bounds on logs / inclusion proofs / STHs. Probably a notion of "STH issuance frequency" parallel to MMD. - A field in an SCT that indicates the canonical STH for the certificate in question. Possibly a serial number in STH that SCTs could refer to. - An API endpoint for fetching STHs in the official sequence (in addition to the current one, which is the only option right now). If this line of thinking sounds generally sane to people, I'll take a pass through the document and make some concrete proposals. Thanks, --Richard
- [Trans] STH Discipline & Security Considerations Richard Barnes
- Re: [Trans] STH Discipline & Security Considerati… Andrew Ayer
- Re: [Trans] STH Discipline & Security Considerati… Al Cutter
- Re: [Trans] STH Discipline & Security Considerati… Richard Barnes
- Re: [Trans] STH Discipline & Security Considerati… Ben Laurie
- Re: [Trans] STH Discipline & Security Considerati… Richard Barnes