Re: [Trans] Threat model outline, attack model

Ralph Holz <> Sun, 28 September 2014 12:17 UTC

To: Tao Effect <>, Matt Palmer <>
List-Id: Public Notary Transparency working group discussion list <>


> And using Jacob's numbers from here:

It is interesting that this rumour, which was started with the EFF's
talk at DEFCON years ago, is still perpetuated. It has been disputed
numerous times and is most likely inflated by at least a factor of 2.

* DFN is not a collection of many CAs, but of one CA whose RAs are
identified in intermediate certificates - they do not hold the private
keys corresponding to the latter, however. They even document this fact

* The number of organisations in the Mozilla root store holding CA
certificates is below 100, although about 60 are waiting for inclusion.
The number of root certificates is higher, but that is because many
organisations operate under several brand names and use different root
certs for different purposes (most notably EV).

* That leaves us with an undisclosed number of intermediate certificates
issued by CAs. Some of these may indicate subordinate CAs. This is a
problem as browsers often cache such certs for later use (once trusted,
always trusted). Mozilla has thus made it an obligation for CAs to
disclose their subordinate CAs if they are not identical to the "mother

The latter factor gives huge leeway in the number of certs accepted by
browsers as root certs. But however you look at it, the number of such
certs will be comfortably below 1000 - anything from the 150+ root certs
in the Mozilla store up to a few hundred.

Applied to CT, these numbers matter even less if gossiping, monitoring
and auditing can be used. First, logs only accept a limited number of
CAs, as an anti-flooding protection. I'd love to hear what CAs plan here
- if their subordinates are eligible for acceptance by a log or not. And
second, the gossiping between logs and between clients has an important
effect: an attacker would have to compromise quite a few logs to make
sure his MITM is effective. Just requiring, say, 3 SCTs in a handshake
would already result in considerable work for the attacker (I know the
current number is 2, though). There is no need for clients to cooperate
with 1000 logs.

That's my understanding at least - happy to hear comments.


Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
Phone +
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF
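
The "3 SCTs in a handshake" idea from the message above, as an added example that is not part of the original message or of any CT implementation: a client-side check that parses an RFC 6962 `SignedCertificateTimestampList` and counts distinct accepted logs rather than raw SCTs. Assumptions: the threshold of 3 is the message's illustrative figure, the log IDs and signatures are constructed dummy data, and signature verification against each log's public key (which a real client must do) is left out.

```python
import struct

class SCTParseError(ValueError):
    """Raised when the SCT list is truncated or internally inconsistent."""

def _take(buf, off, n):
    if off + n > len(buf):
        raise SCTParseError("truncated SCT list")
    return buf[off:off + n], off + n

def parse_sct_list(blob):
    """Return the log ID of every v1 SCT in an RFC 6962 SignedCertificateTimestampList."""
    head, off = _take(blob, 0, 2)
    if struct.unpack(">H", head)[0] != len(blob) - 2:
        raise SCTParseError("outer length does not match data")
    log_ids = []
    while off < len(blob):
        head, off = _take(blob, off, 2)
        sct, off = _take(blob, off, struct.unpack(">H", head)[0])
        # version(1) | log id(32) | timestamp(8) | extensions length(2)
        fixed, p = _take(sct, 0, 43)
        version, log_id, _ts, ext_len = struct.unpack(">B32sQH", fixed)
        if version != 0:
            continue  # not v1: skipped, so it cannot count towards the policy
        _, p = _take(sct, p, ext_len)
        sig_head, p = _take(sct, p, 4)  # hash alg(1) | sig alg(1) | sig length(2)
        _, p = _take(sct, p, struct.unpack(">BBH", sig_head)[2])
        if p != len(sct):
            raise SCTParseError("trailing bytes inside SCT")
        log_ids.append(log_id)
    return log_ids

def meets_policy(blob, accepted_logs, min_logs=3):
    """True if the SCTs come from at least min_logs distinct logs the client accepts."""
    return len(set(parse_sct_list(blob)) & set(accepted_logs)) >= min_logs

# Constructed sample data: fake 32-byte log IDs and dummy signatures.
LOG_A, LOG_B, LOG_C, LOG_X = (bytes([c]) * 32 for c in b"ABCX")

def make_sct_list(*log_ids):
    scts = b""
    for log_id in log_ids:
        body = struct.pack(">B32sQH", 0, log_id, 1411906658000, 0)
        body += struct.pack(">BBH", 4, 3, 4) + b"\x00" * 4
        scts += struct.pack(">H", len(body)) + body
    return struct.pack(">H", len(scts)) + scts

if __name__ == "__main__":
    accepted = {LOG_A, LOG_B, LOG_C}
    print(meets_policy(make_sct_list(LOG_A, LOG_B, LOG_C), accepted))
    print(meets_policy(make_sct_list(LOG_A, LOG_A, LOG_B), accepted))
```

Counting distinct log IDs matters because two SCTs from the same log add nothing if that one log is compromised.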