IETF Logo Mail Archive

[Trans] WGLC comments on draft-ietf-trans-6962-bis-24

Richard Barnes <rlb@ipv.sx> Mon, 16 January 2017 22:23 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F22ED1296FB for <trans@ietfa.amsl.com>; Mon, 16 Jan 2017 14:23:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.176
X-Spam-Level:
X-Spam-Status: No, score=-0.176 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_SBL=1.623, URIBL_SBL_A=0.1] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OX-kibKDu767 for <trans@ietfa.amsl.com>; Mon, 16 Jan 2017 14:23:30 -0800 (PST)
Received: from mail-ua0-x235.google.com (mail-ua0-x235.google.com [IPv6:2607:f8b0:400c:c08::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5FAF1296E8 for <trans@ietf.org>; Mon, 16 Jan 2017 14:23:29 -0800 (PST)
Received: by mail-ua0-x235.google.com with SMTP id y9so91139676uae.2 for <trans@ietf.org>; Mon, 16 Jan 2017 14:23:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to:cc; bh=15EHcqs90Kcn/KD5NJHIgp2H/NBXHu3nNZnaYLf+jn4=; b=HEExJabaj/aCqTvopHBjIr38Vv2yiuiDLjT5gxFSLp0hkdWDPT8pMxjoT5oC883Z8S 3jpok2z6qWcbtNxQC+aCDzEFsOQOHb6IqAWdwcj0C84rRhhMjvSf9ja2+gYx/TEcOJWk NkMc2vM3Aa9mg7NJNhNSRvgfdK1tbKdv0NDTp7tuPYLTT1S94kK8S0MmKT6JWQVX5PCP Wvy8W7vgjz7zD0Jttgsn+bNmv330ffnt+wzcGJRWP+Ukr/iRZancr0IkzjfTuBXgbDgU ylJqOnXlxWRXFLfCBl9SdIvEpo6VYBI/f+JDiAEmGbWzYYhkJXp4XTGUuio9Ek9zSBzv tMLA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=15EHcqs90Kcn/KD5NJHIgp2H/NBXHu3nNZnaYLf+jn4=; b=L25MXcxvhN1O8b+kydLOJu8KWxks+X1gRXTMiUG6K99K0kaEELhYOORNzGNjV/9p1P AuOa0QCKQYaMzpGimG+f1/RT7409mZCIxyy9+Oo6qoXFhtS0A75l5pJGsGAz++eSFZBu 8U/b9uAYJEcYQbfp33ydNhTZRALgDIHAEQweOuKrVHFrcsyDQYqZxY/TDg/vZ+cv6TOX cTtFdu+5Lgij5avYYPf0MbHDlBggGgqk4FojZGYmJOz6bLl1FhuJHP8yqjjHlmjByN/w rTl2CvaQQxAAYuCCrlPt+rCiNAV7JsZkRA13RU+41mOY8XxM6m0G9knIquOEqVkCr35u EILQ==
X-Gm-Message-State: AIkVDXKLtRuZIxZYLwK5A54HXfiMMyud4QH7TPa71sbPJ4QYGQGgXNqWMFUWYyLpRLdYm6oviF85fpo3QXZZ5g==
X-Received: by 10.159.48.131 with SMTP id j3mr7524469uab.42.1484605408326; Mon, 16 Jan 2017 14:23:28 -0800 (PST)
MIME-Version: 1.0
Received: by 10.31.106.71 with HTTP; Mon, 16 Jan 2017 14:23:27 -0800 (PST)
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 16 Jan 2017 17:23:27 -0500
Message-ID: <CAL02cgQ-dYT3o7NWc8JZw7Knuv2ssRAvkhmbLiyMYT8dWX9MfA@mail.gmail.com>
To: trans@ietf.org
Content-Type: multipart/alternative; boundary="f403045e3510fee8c205463da1f4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/gO_DFW3v9FmBCOek_hifZ6KL368>
Cc: Eric Rescorla <ekr@rtfm.com>
Subject: [Trans] WGLC comments on draft-ietf-trans-6962-bis-24
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Jan 2017 22:23:32 -0000

Hey all,

Sorry I’ve missed the WGLC deadline.  I wanted to summarize for this list
some discussions that have been going on within the Firefox team.
Basically, we’ve started to look at what it would take to deploy CT inside
of Firefox (including code, policy, etc), and come away with some concerns
that the system as currently specified can’t be deployed in a way that
actually provides the desired guarantees, in particular protection against
equivocation by logs.  For what it’s worth, these comments apply roughly
equally to RFC 6962 and 6962bis.

tl;dr:

- It is not practical to build a publicly verifiable log system that
incorporates SCTs
- The existing tools for public verifiability need to be made more
efficient in order to work on the scale envisioned

I recognize that it’s very late in the day to be raising these issues, but
we believe they go to the heart of the value proposition of CT and so it’s
important they be addressed before 6962bis goes to RFC. I speak for both
myself and my colleagues here at Mozilla in saying that we are more than
willing to put in the time to help get to consensus on these topics.

Details below.

Thanks,
--Richard


===

Fundamentally, CT is a public ledger system: every certificate is supposed
to be entered into a log and RPs only accept certificates which are logged.
In order for this to work properly, RPs need to be able to verify that
there is public consensus about the state of the log. Otherwise, logs can
“equivocate”: represent to the RP that a given certificate was published
when it in fact was not. Unfortunately, in practice RPs are not doing this
verification (for reasons discussed below), and so CT reduces to a
countersignature scheme in which the RP trusts the log not to equivocate.
There are two primary challenges here, as detailed below.


# SCTs, and thus immediate issuance, are incompatible with public
verifiability

It has been known for quite some time that the public verifiability piece
of CT introduces latency in certificate issuance. In order to allow for
immediate certificate issuance, logs instead issue SCTs, which are just
promises to incorporate the certificate into the log; effectively the SCT
is a countersignature on the certificate. However, if an RP accepts a
certificate + SCT, then it is vulnerable to collusion between a CA which
issues a bogus cert and a log which issues a bogus SCT but never
incorporates the cert into the log.

We are unaware of any way to efficiently address this issue without
introducing either privacy problems or latency. In order to validate
inclusion in the log, the RP needs to validate that other entities (e.g.,
the software manufacturer) have the same view of the log. Either the RP
downloads the whole log (which is inefficient), queries for the specific
certificate in question (which has privacy problems) or retrieves a
checkpoint which vouches for some batch of certificates (which introduces
batch latency).

There seem to be two major ways to address this issue:

1. Accept issuance latency: An RP will only accept a cert as valid when
accompanied by proof that it has been incorporated into the public record

2. Accept some window of vulnerability to equivocation during which SCTs
are accepted and then retrospectively checked. The RP would provisionally
accept a certificate that claimed to have been very recently issued and
then check for log presence a few minutes later (once an inclusion proof
should be available)

Unfortunately, there’s not really an effective way to accomplish the latter
with high reliability and without bad privacy problems.  Going back to the
server and asking for an inclusion proof is safe from a privacy
perspective, but there’s a significant risk of failure given how often
servers are multi-homed.  And asking anyone but the server leaks browsing
history.  It’s theoretically possible that some private information
retrieval scheme could save us, but that would be a big new chunk of work,
and unlikely to deploy in the near term.

Note that it is not possible to just not require public verifiability for
certificates which claim to be recently issued; because this attack depends
on the log and the CA colluding, they can just issue certificates with
recent timestamps.


# CT’s public verifiability mechanisms are too inefficient to be deployed
at scale

If this WG is going to meet its charter goals, CT needs to have a working
public verifiability system. What that means in practice is that it’s
efficient for the RP to acquire whatever information it needs to validate
that a certificate is in the public record. In the current system, this
basically means:

  - Acquire an inclusion proof [hopefully provided by the site the RP is
connecting to].
  - Acquire the STH that the inclusion proof chains back to and validate
that the STH was publicly logged.

Clearly in order to be efficient, multiple certs must chain back up to the
same STH; this is also a privacy requirement because otherwise retrieving a
given STH leaks which certificate you are verifying.  For similar privacy
reasons, clients need to proactively download and validate every STH they
might encounter, to avoid making queries for STHs (which leak browsing
history).  So, what this means is that the RP needs to periodically
retrieve:

  - All the STHs that any certificate might chain to
  - The consistency proofs between those STHs

The good news is that if the RP does this, then it will be in a position to
verify that any certificate with an inclusion proof has been publicly
logged; it will be protected from equivocation.  The bad news is that this
scheme generates so much data it cannot be deployed.

To get an idea of scale here, I looked all of the submissions to the Google
Pilot log over December 2016.  Let’s assume that the log creates a new STH
for every 2048 certificates it receives, in order to minimize issuance
latency; it takes around 8 minutes for Pilot to get 2048 certificates, on
average.  At this rate, Pilot produces around 6000 STHs per month.  The
good news is that at this rate, an RP can easily store all of the STHs it
needs, around ~192kB of hashes per month, ~2.3MB per year.

The bad news is that the RP has to download an inordinate amount of
information to verify these STHs. In addition to the STHs themselves, it
will need to download around 6000 consistency proofs over the course of a
month.  Each proof is around 20 hashes, so at the end of the day this is
~125k hashes (4MB of data) that an RP has to download every month, 48MB for
the year. That’s a pretty big chunk of data.

There are no doubt several plausible alternative data structures, but just
to give a sense of what’s possible, consider the following design:  Replace
the global Merkle tree with a series of time-windowed trees, one for each
batch.  Then glue these together with a conventional Haber-Stornetta hash
chain.  (See my cartoon at <https://ipv.sx/tmp/ct-hs.pdf>)  This has the
same number of STHs as the design above but because the consistency proofs
are trivial (you just validate that STH_n includes the hash of STH_{n-1}),
the total download size for the month is just ~6k hashes (192kB of data).
This scheme also saves you a few bytes on inclusion proofs, since you only
have to go to the batch level.

There are also intermediate designs that preserve the overall Merkle tree
structure at the cost of a bit more data, and probably a lot of other
designs we haven’t thought of (such as the “segmented” scheme that was in
the pre-I-D versions of CT).

In any case, if we claim that CT represent a system that is actually
publicly verifiable, then we need to get rid of SCTs and come up with a way
to push log state to RPs more efficiently.

v2.23.0 | Report a Bug | By Email