Re: [Trans] Precertificate format

Ben Laurie <benl@google.com> Thu, 11 September 2014 15:53 UTC

Return-Path: <benl@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 098731A0410 for <trans@ietfa.amsl.com>; Thu, 11 Sep 2014 08:53:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.031
X-Spam-Level:
X-Spam-Status: No, score=-3.031 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-1.652, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B8SH5VLAOzsW for <trans@ietfa.amsl.com>; Thu, 11 Sep 2014 08:53:08 -0700 (PDT)
Received: from mail-qc0-x22a.google.com (mail-qc0-x22a.google.com [IPv6:2607:f8b0:400d:c01::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63EF81A02F5 for <trans@ietf.org>; Thu, 11 Sep 2014 08:53:08 -0700 (PDT)
Received: by mail-qc0-f170.google.com with SMTP id l6so3104457qcy.15 for <trans@ietf.org>; Thu, 11 Sep 2014 08:53:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=nxlFw0MLp4ccD4+W8rUV01dCYdPGlbPVZbSbqqtogbI=; b=Wx9Q91TfaR26SLK5M0HRkjpCOHxuals9xZcbMJdGBUpvy7q6mp4GkOPLvb6RFyC5oA lKRCvO/EuUHYcwsuKYkLMmertYfp2G+JXoe8u+PMCZ5aEutLACu20dsYeqTPkn0PKBuq ZGQbH/FcHyUyazieiAfHuCcKqZ6mdyEwGStQETxlRJRvCT9ExyEXfTurBb7o78I7QNf3 vY54AVNgXHzo45I8D+Dd0sHx6VXL6HBkKU9dCnTXJ9UbvSMB/JptjgWyHtPvclVzEGpN uqP2VtaX26OL6GREYQVTa1Oc8rfmDx6DNsLCcou+c4Qr2h7k/8K5awrMYbo8f2QaSwPo WjNg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=nxlFw0MLp4ccD4+W8rUV01dCYdPGlbPVZbSbqqtogbI=; b=Ql42U+zv5ShIPbYehB99USF1MAvriI2h60Tgiz1S2p3j+Oa4AdI8doXlU0UTTFafDL koNaXhG2gm7PTRlQ+ZZ2JfcMZgtnlYS2YvmGI+ZpE1VjK21GL8cdTt7tcMMgxoR4Ckxo z5Qgrn/LynDVfPRhBwLdL4DR+f3HLsI0vO3badPu45yrDXC6CPbLJ7DCdCkS2sXAkDFn RyxG9qzqIS14W/L95Eu3ydKU2GNAUdZ/1QZanvvlAdQpyWZBtIT0UHYtlwCBZyQ5WYlC NqT86rd5XlzIUJGoQc/+rWPPgoGsLACl+RvcngNI1E5lelZbSfb1CdhvYmY1TuvvUZEt KUqw==
X-Gm-Message-State: ALoCoQkl4Z9quqKqEug4pgwfMu3gE5Ohyik3zrHwidoO4PzHMSwkm44nySZwh7KZvhlo6AHU8vsO
MIME-Version: 1.0
X-Received: by 10.224.69.195 with SMTP id a3mr2755048qaj.59.1410450787199; Thu, 11 Sep 2014 08:53:07 -0700 (PDT)
Received: by 10.229.247.198 with HTTP; Thu, 11 Sep 2014 08:53:06 -0700 (PDT)
In-Reply-To: <5411BDE4.1060508@bbn.com>
References: <540DFA75.2040000@gmail.com> <540E0E90.1070208@bbn.com> <540E28FD.7050809@gmail.com> <540ECD3A.4040704@primekey.se> <540F4598.5010505@bbn.com> <CABrd9SSg5=wuierLoqAU00pMHxgGx+=ai5mHv4u5t6zm43yDWg@mail.gmail.com> <5410779A.20209@bbn.com> <CABrd9STnjqDBF4-5ABJ86M_d0bwRyjRNjRW6Hnj9UpeYC7Xz9A@mail.gmail.com> <5411BDE4.1060508@bbn.com>
Date: Thu, 11 Sep 2014 16:53:06 +0100
Message-ID: <CABrd9STAHzg_KJi=nA7hsvz+k0SMS+bg6c3hcBtUwfOUm=hqTQ@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/deqQJdLLoe0pRJ0oKpf0R3xGvlc
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] Precertificate format
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Sep 2014 15:53:10 -0000

On 11 September 2014 16:21, Stephen Kent <kent@bbn.com> wrote:
> Ben,
>>
>> Until there is such a mechanism, omitting serial numbers makes it hard
>> (or impossible?) for anyone to take effective action on violations
>> discovered via CT. So, CT has to require serial numbers until then.
>> This language allows that to happen.
>
> I think we're in agreement, which I why I proposed an alternative
> mechanism to log serial numbers, without requiring a CA to have
> to assign them prior to final cert issuance.

I managed to miss that proposal. I've found it now.

There seems to be a flaw: if I'm an evil CA wishing to issue an evil
certificate, I simply log a precert, minus serial, get an SCT*, log a
certificate containing that SCT*, which I then revoke when requested
to do so,

In order to attack a user with the evil certificate, I simply issue a
second copy with a different serial, containing the original SCT*, and
the certificate works. Yes, the discrepancy should be discovered in
audit, but that is a significantly weaker protection than we get if
the serial is included in the pre-certificate.

Also this adds quite a lot of complexity in order to allow what
appears to be, so far, an entirely theoretical use case.