IETF Logo Mail Archive

Re: [Trans] Directory instead of .well-known for URL structure

Rob Percival <robpercival@google.com> Tue, 02 July 2019 17:52 UTC

Return-Path: <robpercival@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 703EC1206C8 for <trans@ietfa.amsl.com>; Tue, 2 Jul 2019 10:52:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.499
X-Spam-Level:
X-Spam-Status: No, score=-17.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HVwYw0v8rYGj for <trans@ietfa.amsl.com>; Tue, 2 Jul 2019 10:52:07 -0700 (PDT)
Received: from mail-ot1-x32b.google.com (mail-ot1-x32b.google.com [IPv6:2607:f8b0:4864:20::32b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9DF1F1206B8 for <trans@ietf.org>; Tue, 2 Jul 2019 10:52:07 -0700 (PDT)
Received: by mail-ot1-x32b.google.com with SMTP id s20so18091963otp.4 for <trans@ietf.org>; Tue, 02 Jul 2019 10:52:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=MhPc162XPaSGHQcdX0W+ObBwe12/7lM7MNB9jF0P3vM=; b=veow4O9c4t3DPvze+5Rn2IoVfPRvYibPb1z3YeB836LYWZ3qrA/tjhlQQ43iXBGX/q awg4EA5fG/4+Z3zZM7jpHNL865Odzqk3JgXW1ObitEdxSWkvWMKPV9fM3yjV0foe2afH oiQKPkQcJb2SNdo+fmSroPrAN1IkAyyxkUQV45q/epD3WkMerO5tPJ5G89+RcWmaSZKx BbFuJGprDrODeXwR8yD2qybPpRG1hk966q7CSRiKjM0I6V+Wqbb8rNmfOTUhzdQKSBx1 3pPP+J8jE7VMB6COWlLoPgMablsDXX5osDRM7y0wQKlNfNANvz+mN/IqsbhWb04h1Wp3 xZxA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=MhPc162XPaSGHQcdX0W+ObBwe12/7lM7MNB9jF0P3vM=; b=FWeZtywiahRvWLeVXyR2tEuDfFdiFljLJBDCeQJVDw6QyDmT6+Xoj3PMVyFPB4lvR0 /RBhtJwpCyfQ03+YSZHz7aC8aBHSbAmDhEzGUkBjVPPE2oUH7iRbf0NsD51XsU15wSNJ LN+vm/68Qge5cDdJHMHob28+yTlNVilnKZXGQvOfwwM32b4Dn0iqXIBMi1zAkeOma3SZ 5jCjzlcKpUTfo9Arx045I80EIJBGQOnTtxQmLytF8lkxf9AserupDJI++jmPJVD3cSJs n/3sAD6ZkA90O6XcK/OTUpbFlJYXD30R9moQN2FrPNfOiGRatokAWB1aa2VKDpkm4lXp AYvA==
X-Gm-Message-State: APjAAAWuGDuooMkASHLimscEJehCEfwcnBiCpYIjRiOtfIpHwiU1fnG/ yawqbRkADqxqNfdnAxeIvG82bVCVRYZbnnf0Sf6adg==
X-Google-Smtp-Source: APXvYqzLJX4JVQgrmIQmLD+IwU1Da7h8Mnqctzgtn5ikAJ1IxiQkxSkLXgNB29et5p+HK+wwkCIJYO36EiIMwBS0dac=
X-Received: by 2002:a9d:774a:: with SMTP id t10mr23350962otl.228.1562089926400; Tue, 02 Jul 2019 10:52:06 -0700 (PDT)
MIME-Version: 1.0
References: <0d5e05fc-8f1e-54b5-536d-231153e7baf7@eff.org> <20190701123701.b3ba6b44ef85a74da6209e64@andrewayer.name> <2cbff182-7c7a-4c55-b2d2-a67f41dd7436@sectigo.com>
In-Reply-To: <2cbff182-7c7a-4c55-b2d2-a67f41dd7436@sectigo.com>
From: Rob Percival <robpercival@google.com>
Date: Tue, 02 Jul 2019 18:51:53 +0100
Message-ID: <CAPbZxJTvk805WtR6FF8xUR0GS=E9gcEMphJR658GuTN8V0h_qg@mail.gmail.com>
To: Rob Stradling <rob@sectigo.com>
Cc: Andrew Ayer <agwa@andrewayer.name>, "trans@ietf.org" <trans@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002c3ff1058cb6672e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/hrDjGfuVSERsZK35DZbS1CyV9ko>
Subject: Re: [Trans] Directory instead of .well-known for URL structure
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jul 2019 17:52:11 -0000

FYI: That JSON schema is planned for deprecation; a new version was
proposed last year and, following a period for feedback, parties have been
slowly migrating to the new schema:
https://groups.google.com/a/chromium.org/d/topic/ct-policy/26dmpWdaSHM/discussion

That thread would be a good place to propose schema changes.

On Tue, 2 Jul 2019, 16:08 Rob Stradling, <rob@sectigo.com> wrote:

> Andrew, thanks for your analysis.  Comments inline...
>
> On 01/07/2019 20:37, Andrew Ayer wrote:
> > I also think .well-known URLs are a bad idea, for the same reasons
> > as Jacob.
> >
> > I think directories are even worse.  Although they've been used
> > successfully in ACME, CT has different needs which make directories
> > unsuitable.  ACME's usage pattern is to make a series of related
> > requests over a short time period to drive a certificate request to
> > issuance, with the client maintaining state between each request.
> > This makes it natural for a client to fetch the directory once at the
> > beginning of an issuance "session" and use it for the duration, since
> > the cost of fetching the directory is amortized over all the requests,
> > and the directory is unlikely to become invalid during the session.
> >
> > However, CT's usage pattern is to make a lot of unrelated one-off
> > requests spread over a long period of time - e.g. submitting a
> > (pre)certificate, fetching an inclusion proof, fetching the latest STH
> > to send to auditors. Clients would have to either fetch a new directory
> > for every request (doubling the number of requests made to the log) or
> > cache directories in long-term state (which requires dealing with
> > cached directories going stale, and requires keeping long-term state
> > which might not otherwise be necessary).
> >
> > ACME's use of directories is underspecified since it doesn't say how
> > long a directory remains valid.  It's not a big deal for ACME because
> > ACME servers are presumed to be sane, or people would switch to another
> > CA.
>
> It's not been a big deal for ACME...yet.  But why leave it to chance?
>
> I just filed this erratum against RFC8555:
> https://www.rfc-editor.org/errata/eid5771
>
> > However, CT is meant to be an adversarial protocol and has to
> > anticipate logs doing crazy things like constantly changing their
> > directory in an effort to stymie auditing and hide misbehavior.
> >
> > Thus, CT's use of directories would need to be quite well specified.
> > It is not a change that should be rushed at the last minute without a
> > chance for people to carefully examine and poke holes in it.
>
> Agreed.
>
> > CT clients already need to be configured with a number of parameters
> > for each log - MMD, hash algorithm, public key, log ID, and so on.
> > Adding a directory would bifurcate log metadata between the existing
> > parameter set and the new directory object.
> >
> > I propose satisfying BCP 190 by simply specifying the URL for each
> > endpoint as a separate log parameter.  This is a very minimal change to
> > the protocol and avoids the problems above.
>
> I agree that it would make sense to require each endpoint to be
> specified as a log parameter.  Your point about bifurcation is well made.
>
> So then I think the question is: Should 6962-bis specify a "directory"
> endpoint that returns a JSON structure that contains all of the log's
> parameters (including each of the endpoint URLs)?  Or should 6962-bis
> not mandate any particular format by which log operators should
> distribute this information?
>
> Currently, 6962-bis doesn't mandate a format, but it does point to an
> example format:
>    "[JSON.Metadata] is an example of a metadata format which includes the
>     above elements."
>
> Sadly, this claim is not currently true, because [JSON.Metadata]
> (https://www.gstatic.com/ct/log_list/log_list_schema.json) does not
> currently "include the above elements".  We should fix this somehow.
> But how?
>
> Also, how often is a CT client expected to refresh log metadata it has
> obtained from (for example) [JSON.Metadata] ?
> Is it wise to underspecify this?
>
> > Regards,
> > Andrew
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> Sectigo Limited
>
> _______________________________________________
> Trans mailing list
> Trans@ietf.org
> https://www.ietf.org/mailman/listinfo/trans
>

v2.23.0 | Report a Bug | By Email