IETF Logo Mail Archive

Re: [Trans] Write-up of the "Strict CT" variant

Magnus Ahltorp <map@kth.se> Wed, 07 June 2017 12:51 UTC

Return-Path: <map@kth.se>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2007112EC10 for <trans@ietfa.amsl.com>; Wed, 7 Jun 2017 05:51:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N0DPFBaQICJR for <trans@ietfa.amsl.com>; Wed, 7 Jun 2017 05:51:48 -0700 (PDT)
Received: from smtp-4.sys.kth.se (smtp-4.sys.kth.se [IPv6:2001:6b0:1:1300:250:56ff:fea6:2de3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61ABF129459 for <trans@ietf.org>; Wed, 7 Jun 2017 05:51:48 -0700 (PDT)
Received: from smtp-4.sys.kth.se (localhost.localdomain [127.0.0.1]) by smtp-4.sys.kth.se (Postfix) with ESMTP id 3A388182; Wed, 7 Jun 2017 14:51:46 +0200 (CEST)
X-Virus-Scanned: by amavisd-new at kth.se
Received: from smtp-4.sys.kth.se ([127.0.0.1]) by smtp-4.sys.kth.se (smtp-4.sys.kth.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id dVy91Qnc39Dh; Wed, 7 Jun 2017 14:51:45 +0200 (CEST)
Received: from [IPv6:::1] (s17.lan.kth.se [IPv6:2001:6b0:1:1d20:214:c2ff:fe3a:5eec]) by smtp-4.sys.kth.se (Postfix) with ESMTPS id DAE4BCB3; Wed, 7 Jun 2017 14:51:41 +0200 (CEST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Magnus Ahltorp <map@kth.se>
In-Reply-To: <0dd84938-9625-c6c8-5f31-d5d0d0683c5c@eff.org>
Date: Wed, 07 Jun 2017 14:51:39 +0200
Cc: Eran Messeri <eranm@google.com>, "trans@ietf.org" <trans@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <D1C7ADE2-DA28-4F29-A0AB-482435CD2B15@kth.se>
References: <CALzYgEeUCmj4BgY7uKdMnsvTcbvfAunquuqHxD7FxuzZxY1=Fg@mail.gmail.com> <0dd84938-9625-c6c8-5f31-d5d0d0683c5c@eff.org>
To: Jacob Hoffman-Andrews <jsha@eff.org>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/_ck7sGAgiiYk5jU4-MexhvK2pRY>
Subject: Re: [Trans] Write-up of the "Strict CT" variant
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jun 2017 12:51:52 -0000

6 June 2017 21:28 Jacob Hoffman-Andrews <jsha@eff.org> wrote:

> I'll echo what Filippo said and say that fast issuance (order of minutes) is important, and anything that breaks fast issuance for new sites (or for sites moving between providers) is a problem. In the long run, getting a certificate will be part of standing up a web site just as much as getting DNS and hosting are today. Are we willing to ask the web to accept a delay of 24 hours for any new site? I think that would be a big step backwards.

Well, that depends on the assurance level, doesn't it? For domain-validated certificates, sure, but those are next to worthless anyway. It would be hard to hold a CA responsible for issuing them, so the need for logging them is really small.

> > Certificate is used immediately, only with SCT: Clients accept certificates only with SCTs for a limited duration; after that an inclusion proof must be accompanied [4].
> > [4] That requires auditing logs asynchronously, since an attacker with persistent access could keep getting new SCTs issued, or some clients may not have fresh STHs because they missed some updates.
> 
> This seems potentially promising but I think it has some flaws. Would this auditing be done by the logs themselves, or by monitors? IIUC, logs are allowed to produce infinite SCTs for the same cert once they've logged it, and they don't have to produce the list of SCTs they've signed. So the only party that could meaningfully audit for excessive SCT generation would be the log itself, which is the party we're trying to defend against.

If we are talking about "limited duration" of SCTs, we are talking about the age of the timestamp in the SCT. Each timestamp that is used to generate an SCT is required to be logged in the log. That is what the log is logging, cert+timestamp.

/Magnus

v2.23.0 | Report a Bug | By Email