IETF Logo Mail Archive

Re: [Trans] The RFC6979 requirement in RFC6962-bis is bad

Andrew Ayer <agwa@andrewayer.name> Wed, 24 May 2017 19:33 UTC

Return-Path: <agwa@andrewayer.name>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 649D61293F5 for <trans@ietfa.amsl.com>; Wed, 24 May 2017 12:33:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.699
X-Spam-Level:
X-Spam-Status: No, score=0.699 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andrewayer.name
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qjm6mYlvUnoC for <trans@ietfa.amsl.com>; Wed, 24 May 2017 12:33:50 -0700 (PDT)
Received: from alcazar.beanwood.com (alcazar.beanwood.com [70.85.129.230]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3C3F12422F for <trans@ietf.org>; Wed, 24 May 2017 12:33:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=andrewayer.name; s=beanwood20160511; t=1495654429; bh=1BeHlC7yB7j/pnCOZbBLgRs/EvtTjYouZ8gi9N9uogY=; h=Date:From:To:Cc:Subject:In-Reply-To:References; b=OA//EfTDRK0/DjdosSWT7mObt+GKNnzNRbBaIn2QoNz/w4jybmwUZ4cHp86cf8mh1 mlSRe7Bicm36qrYMv5Ts2co3UMbOJDQ0STFH+81Ek6i6UoFJXlgLinFnzKo99GNqw/ 1bYU1QehSGkIA8VkJlYqOJwGnfWRYAcogp2dHNYCx+ILmUGvlOBxnvcd7VzrFj3UI7 EoK2y0eZGgPJ6YE2Nwkegj4JtQcacq7k+0PFU+ckkvZZGgrWotNEPZyuYryFIVJlKf eiGkt1kp5U+DSJwC85jUlswG8EjTXHTU33nvuFMP97YgnBnqzx2ePlw5MGDd7vbHBn mljjHeA6Xo8KA==
Date: Wed, 24 May 2017 12:33:47 -0700
From: Andrew Ayer <agwa@andrewayer.name>
To: Linus Nordberg <linus@sunet.se>
Cc: Eran Messeri <eranm@google.com>, "trans@ietf.org" <trans@ietf.org>
Message-Id: <20170524123347.a149b03ded187d3188906713@andrewayer.name>
In-Reply-To: <871srhvunx.fsf@nordberg.se>
References: <CAFewVt5z3sq-Occ1VaHeNeBvt1yyCM_3_nssZSu2f_PBEL4SFQ@mail.gmail.com> <CA+cU71kBmKsxyvsmpuF6UAzP+fict3v62gEq_iKY-O2P07ZRLw@mail.gmail.com> <87pofiif6g.fsf@nordberg.se> <CA+cU71kVV_o30p-+dGdLT9Hpg+iiW5KgG-9xJD9iVCEHwhLg6w@mail.gmail.com> <CALzYgEeHpxRSxpQTSPasdahWXdzV8bGMV_R4HM02oscHrm8TWw@mail.gmail.com> <87inl25r8l.fsf@nordberg.se> <CALzYgEdunZXRmGtStGhfJHdHeytk3etYLNtAvFgf3bN2-6EyXQ@mail.gmail.com> <CALzYgEeCVnWG19F79OSwCC+iPArZbGGaBZYrKP2MWWdEDGVHVg@mail.gmail.com> <871srhvunx.fsf@nordberg.se>
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/f6XJQAqTs4jtPw6DqpHvfDgJfEA>
Subject: Re: [Trans] The RFC6979 requirement in RFC6962-bis is bad
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 May 2017 19:33:51 -0000

On Mon, 22 May 2017 16:21:54 +0200
Linus Nordberg <linus@sunet.se> wrote:

> Hi,
> 
> It should be clear by now that I'd be sad if 6962bis would allow logs to
> return a different stream of bytes for the same ingoing parameters, for
> SCTs and STHs, but more interesting would be to hear other wg members
> views on the balance we're trying to strike.

I would also be sad - particularly in the case of STHs.  I may be
willing to give up mandatory consistent SCT signatures, since
privacy with SCTs might be a lost cause anyways, and because it's
hard for logs to ensure consistent SCT signatures without using
deterministic signatures (due to the need to issue SCTs from many
different frontends).  However, it doesn't seem hard for logs to have
consistent STH signatures.

> Regarding current deployment, are there any 6269bis logs deployed yet?

I don't know of any.  However, it may be interesting to note that of
the 31 publicly-known RFC6962 logs[1], all but two (Clicky and Behind
the Sofa) return the same signature for repeated get-sth requests, which
suggests that this is not a difficult requirement for STHs.  The two
logs which return a new signature for each get-sth request are running
Trillian. It would be interesting to hear from the Trillian developers
why Trillian behaves this way and whether it would be difficult to
persist STH signatures as other implementations do.

> Regarding correctness vs. completeness, what in -24 is incorrect with
> this regard?
> 
> Regarding added cost of implementation, using RSA is an option.
> 
> Regarding gossip unclearity, the suggested change risks making it harder
> to get STH gossip going.

Agreed.  We may never know how necessary consistent STH signatures are
if attempts to experiment with STH gossip are stillborn due to privacy
concerns.  It would make more sense to start out with a strong
requirement, and loosen it later if it turns out to be unnecessary.

Regards,
Andrew

[1] https://sslmate.com/labs/ct_ecosystem/ecosystem.html

v2.23.0 | Report a Bug | By Email