Re: [Trans] Write-up of the "Strict CT" variant
Filippo Valsorda <filippo@cloudflare.com> Fri, 02 June 2017 01:56 UTC
Return-Path: <filippo@cloudflare.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7D7012949D for <trans@ietfa.amsl.com>; Thu, 1 Jun 2017 18:56:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.102
X-Spam-Level:
X-Spam-Status: No, score=-0.102 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v7AcKmgSooLR for <trans@ietfa.amsl.com>; Thu, 1 Jun 2017 18:56:56 -0700 (PDT)
Received: from mail-qt0-x22d.google.com (mail-qt0-x22d.google.com [IPv6:2607:f8b0:400d:c0d::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F2A5F12948E for <trans@ietf.org>; Thu, 1 Jun 2017 18:56:55 -0700 (PDT)
Received: by mail-qt0-x22d.google.com with SMTP id t26so50054016qtg.0 for <trans@ietf.org>; Thu, 01 Jun 2017 18:56:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:from:date:message-id:subject:to:cc; bh=IN79g7A0V2B2mFjBo6vmIClbgDj+T68bBDwhqTRpHvE=; b=Wk0s8deeVDFo1w+TxOPm56o6v2iyxADqIi1P+2ucNUgcURoypvjU2iVzhM2Ki0oWIs 9BAPb0DZSQhfrp0TK5Zy/feiBj2yd30C+mSMPERJL4EMEK2PFzcbrl5y54IO3a1v9Moy hqGG092Ov2jcvcAIJ84H3Iynb9ViCb3TnTJgw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=IN79g7A0V2B2mFjBo6vmIClbgDj+T68bBDwhqTRpHvE=; b=Le96Q/KDOKTyrKsy+x3fS6MrkR8evpSdBmLPCNlymickK1r27M9bASHQNbt1LyXVj/ V44jNC0kLT4R9zQ55+OaCxbv5aizpfqFhrGiXhJXohZWFTl0xuorYKfNpdIH3Pt2+wAU rvlTsUsWLl4Eo8PPC4M0U6zlZwwXj/c7xD+Xyejz9ysArOu328cHS9Og0Grq7FddGcVG VLxirUBFsRdopvCVF2+3MBOxHWzCWyUC5xW23IkubqVvaGtLgoq6vB34VnMvZINxC4Vt LNxiHnv2wm0Ufd4zSzwWZ7bO2BeRreHveK9ZNUUSMxYq9DYw+3xHqRwEPVObDIeslfd+ jM2Q==
X-Gm-Message-State: AODbwcBYDRwReQM4Vrc57zPoUrvhxOJaZZrBViS7pgcX+4ZuqVwfW70c NqLQYU58NZfw/1xqanbk3pqRJLPVYgtsxA9khQ==
X-Received: by 10.200.34.35 with SMTP id o32mr5698935qto.67.1496368614751; Thu, 01 Jun 2017 18:56:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.88.18 with HTTP; Thu, 1 Jun 2017 18:56:34 -0700 (PDT)
From: Filippo Valsorda <filippo@cloudflare.com>
Date: Thu, 01 Jun 2017 18:56:34 -0700
Message-ID: <CABVsBPagBd2Goi7vH9Cr7ffkW662pnw5zLKY6hoaYO7oFus-Kg@mail.gmail.com>
To: trans@ietf.org
Cc: Nick Sullivan <nick@cloudflare.com>, George Tankersley <gtank@cloudflare.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/ay266NvjlkSlSB4PdRT9xVI9p6Y>
Subject: Re: [Trans] Write-up of the "Strict CT" variant
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Jun 2017 02:09:22 -0000
A couple observations on what we can and can't achieve with strict CT. First, I think that for a scheme to be deployable it has to enable and not rollback the HTTPS automation trend. We can't tell Caddy (which recently affirmed that it rather not start than start with an expired certificate) to just wait a MMD or two at startup. We can't afford 24h delays in signups at Cloudflare. So any scheme that requires linking to out-of-band distributed blessed STHs needs an asynchronous verification fallback, at least for young certificates. I heard suggestions that the requirement might be enforced per-CA. I think that would cause pretty twisted incentives, and eventually die the way of HPKP: * A CA opting into "Strict CT"---which should be incentivized as more secure/privacy-preserving---would be exposing its customers to the 24h delays, a strong dis-incentive. LE would never opt-in, Cloudflare couldn't use such a CA. * For it to be effective against attackers that compromise a non-strict CA, the site would have to pin to the strict CA(s). But then losing the certificate private key means a MMD of downtime, which is effectively the same operational risk of leaf-pinning HPKP. Moreover, as Ryan pointed out, clients can be out of sync for significant periods, for causes indistinguishable from maliciousness, so there's no "safe amount of time" a website can wait, while a UA can't stop working after 24h failing to phone home. A zero-MMD log that immediately produces a STH doesn't help, because you face the exact same problems proving that the STH is not forked. It's hard-fail/soft-fail all over again, except we can meaningfully verify asynchronously---there's a CT log to hold accountable. Once you accept the need for an asynchronous verification method it becomes clear that we can't improve upon it in terms of: * complexity, since we still need to implement an asynchronous verification method * security against a colluding CA-log-MitM, since the attacker will keep generating young certificates * privacy against a malicious log, for the same reason All we can do is limit how often the asynchronous verification method is invoked in normal operation. I think the best possible outcome would be: * codify at which period STHs are issued, so each SCT has a known next STH (-bis basically requires a log to have a full and minimal history of STHs already, respectively because there are "existing and not" STHs, and for privacy; let's go the whole way and expose and codify it) * distribute off-band the whole history of STHs (~150 bytes * 2 STH per day * 365 days * 2 years window * 12 logs = 2.6MB) * optionally staple inclusion proofs to SCTs, which are now unique since they only need to link to the next canonical STH * offer an asynchronous method to fetch inclusion proofs for a SCT, which are now easy to cache in DNS because unique * if the UA does not yet have the STH for the SCT, it will defer verification; if it doesn't have the inclusion proof, it will fetch it; but in most cases it will have the STH and will use the stapled inclusion proof to verify the SCT It's compatible with all three distribution methods, still benefits from mandatory SCT (and if possible inclusion proof) in OCSP, and a CA and website willing to wait can also include the inclusion proof directly in the certificate. It would also have the excellent side-effect of making logs endpoints cacheable, as the number of artifacts would now be O(number of certificates).
- [Trans] Write-up of the "Strict CT" variant Eran Messeri
- Re: [Trans] Write-up of the "Strict CT" variant Ryan Sleevi
- Re: [Trans] Write-up of the "Strict CT" variant Ryan Sleevi
- Re: [Trans] Write-up of the "Strict CT" variant Eran Messeri
- Re: [Trans] Write-up of the "Strict CT" variant Eran Messeri
- Re: [Trans] Write-up of the "Strict CT" variant Ryan Sleevi
- Re: [Trans] Write-up of the "Strict CT" variant Andrew Ayer
- Re: [Trans] Write-up of the "Strict CT" variant Andrew Ayer
- Re: [Trans] Write-up of the "Strict CT" variant Magnus Ahltorp
- Re: [Trans] Write-up of the "Strict CT" variant Tom Ritter
- Re: [Trans] Write-up of the "Strict CT" variant Filippo Valsorda
- Re: [Trans] Write-up of the "Strict CT" variant Jacob Hoffman-Andrews
- Re: [Trans] Write-up of the "Strict CT" variant Magnus Ahltorp
- Re: [Trans] Write-up of the "Strict CT" variant Ryan Sleevi
- Re: [Trans] Write-up of the "Strict CT" variant Magnus Ahltorp
- Re: [Trans] Write-up of the "Strict CT" variant Ryan Sleevi
- Re: [Trans] Write-up of the "Strict CT" variant Magnus Ahltorp
- Re: [Trans] Write-up of the "Strict CT" variant Ryan Sleevi
- Re: [Trans] Write-up of the "Strict CT" variant Phillip Hallam-Baker
- Re: [Trans] Write-up of the "Strict CT" variant Watson Ladd