Re: [Trans] Extensibility and algorithm agility
Eran Messeri <eranm@google.com> Fri, 14 March 2014 10:18 UTC
Return-Path: <eranm@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92C181A0118 for <trans@ietfa.amsl.com>; Fri, 14 Mar 2014 03:18:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.925
X-Spam-Level:
X-Spam-Status: No, score=-1.925 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1ep8wdU4FZLr for <trans@ietfa.amsl.com>; Fri, 14 Mar 2014 03:18:02 -0700 (PDT)
Received: from mail-oa0-x22e.google.com (mail-oa0-x22e.google.com [IPv6:2607:f8b0:4003:c02::22e]) by ietfa.amsl.com (Postfix) with ESMTP id B9E501A0107 for <trans@ietf.org>; Fri, 14 Mar 2014 03:17:57 -0700 (PDT)
Received: by mail-oa0-f46.google.com with SMTP id i7so2378115oag.33 for <trans@ietf.org>; Fri, 14 Mar 2014 03:17:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=jYOknnKdAvNOiD051X4yrJiNSkj5hE43LlszFBwf5Do=; b=ds0dT5xF9iMfbSxEc/H4UOfpA9nnESs8yvX/CpjtDOEUuSxkhE6oHg8lcjVOoJaKI5 73q79p28iJtK1yYf7rrgDpCKEg8oCKhXLb61bpLbbsIHi33aCkEuu1+7SMZA9EnGSU3I UwLfaMHNhiJ75pUocxofoUwrw4PeoH9IouySpOPR4SjmbWHQP8man+ji27d6dBrtc4Je YpgoXyudvT//3COHb3j99S5KC0WyXtQuLc2IQwL45WudjC/+frQgN9ZnwB5LDU0q4+oj Jgo3sNgk+VclnM9z3uOD0nEx04HogZGb1sl7GwqrkXynLWYRtYZei9bjsICg39QSzWRO 9T3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=jYOknnKdAvNOiD051X4yrJiNSkj5hE43LlszFBwf5Do=; b=kfcgMHEWTpxpB4TH/Os51+zy9DaIhQwRkXbqKZNn6vY05JwYEawmPPUAqCHbs/NXbO n00aE8Kmlv+HdMolm97+XnBohsbp7zeWgUWbB21iZj4+fMUWeVXGOPxfkDvuN99XrtdS QyeVXlcKrKamjbxnOVSaaCB7hRcJTddZu3MP+5Jr5AykzBDGlA+KyaNHv3UJViKvi5q6 nlmbMp0uPdpNgVBkBqguvfQipvW9H6/67bBiUFSjQY5mE5pkVO/9sZD/DpDJnueWr9SF nPo42p5Urc4/ioFhXtP7dNVbezrOtEftRRFkPO+L/NJZw2+6AQJDdH4v/kDbaHjhUW8G QXkQ==
X-Gm-Message-State: ALoCoQnErEc7CVSTzQw5ahYgeNspQmHv/I+CkhMxz/R6ZY+I0O7vU2P2Z1F3JiXeR91NItqHGplex8YXsFDtBl1H8Eb6Hb9p8y+XQloMKiZ5z2bHoL3SzEthdiVvLN8ytVOuDO9RPnLo+NOAPzvrO51TUejrxnqkYtoO+fwLCTyE2CZtSpOqaxqqjd+rvMvkGDUGsQfxDJcV
MIME-Version: 1.0
X-Received: by 10.182.233.106 with SMTP id tv10mr1237894obc.59.1394792270913; Fri, 14 Mar 2014 03:17:50 -0700 (PDT)
Received: by 10.182.142.198 with HTTP; Fri, 14 Mar 2014 03:17:50 -0700 (PDT)
In-Reply-To: <CABrd9SQ1vbg6fEfrTFYd8knJt2EVtQS8GgPFFQ7uPACbvHvLnw@mail.gmail.com>
References: <CAMm+LwjpCGA4Hc-cjMWZsgLQWkxHc-j3Z9fyqALCJVqXpSpzNg@mail.gmail.com> <CABrd9SQ1vbg6fEfrTFYd8knJt2EVtQS8GgPFFQ7uPACbvHvLnw@mail.gmail.com>
Date: Fri, 14 Mar 2014 10:17:50 +0000
Message-ID: <CALzYgEd+T7MtMaz+btPCZFjQWDd+e7iPVDzAYXG_h5YCPusJPQ@mail.gmail.com>
From: Eran Messeri <eranm@google.com>
To: Ben Laurie <benl@google.com>
Content-Type: multipart/alternative; boundary="f46d0445191fd7fac604f48e6107"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/iSNLfbACViQTp942taLZkDMjAao
Cc: "trans@ietf.org" <trans@ietf.org>, Phillip Hallam-Baker <hallam@gmail.com>
Subject: Re: [Trans] Extensibility and algorithm agility
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Mar 2014 10:18:06 -0000
On Thu, Mar 13, 2014 at 6:08 PM, Ben Laurie <benl@google.com> wrote: > On 12 March 2014 12:57, Phillip Hallam-Baker <hallam@gmail.com> wrote: > > One of the areas that we have to address to go to proposed standard is > > algorithm agility. Another area we can skip but probably should not is > > strategy for extensibility so as to be able to apply TRANS to other > areas. > > > > On algorithm agility we have to consider questions like: > > > > * Using algorithms other than SHA-2-256 for the tree. > > * How does a client discover which algorithm is being used. > > * What sort of algorithm substitution attacks become possible. > > > > * How does a client make a selection where a choice of signing algorithm > is > > offered for the SCT heads? > > Because SCTs can be embedded in certificates, there's no hope of being > agile. All certs would have to be re-issued and the re-issued certs > would have to be deployed. Realistically, this is not going to happen. > > Thus, you change algorithms by creating new logs with different metadata. > > > Questions we don't have to answer but should probably consider include: > > > > * How would alternative log topologies be identified, for example skip > > lists? > > See above. > > > * Do we want to permit the size of the tree to be bounded by periodically > > rolling to a new log? If so we probably want to have a mechanism for > > incorporating the old log as the stating point of the new. > > This one may be worth addressing. But again, it can also be addressed > by simply starting a new log. > > > Extensibility is an area where we can and quite probably should punt. > But we > > do need to describe a punting strategy. > > > > The TLS data encoding used in TRANS is a placed based encoding that can > only > > be decoded by reference to the corresponding schema. That makes it very > hard > > to use it in an application where extensibility is being used. The > > extensions end up being encoded in opaque extension blobs. This is one of > > the many parts of ASN.1 that don't work either and is one of the reasons > > that JSON has become much more interesting. JSON is after all simply > RFC822 > > headers with braces added to allow recursive structures to be > represented... > > > > > > When I started looking at this, I had thought that the TRANS data > structures > > are fixed because any changes would be reflected deep in the Merkle tree. > > However looking at the situation again, it seems to me that just as a > tree > > head could be signed with a different algorithm, a different encoding for > > the SCT data structure could be communicated in the same way. > > I agree that different encodings are possible, and somewhat > straightforward, but there are a bunch of other moving parts - for > example, should you have SCTs or just go straight to > proof-of-inclusion. What about including proof-of-STH-linkage. And so > forth. > > None of these are possible with TLS certs for various reasons, but > clearly are for other scenarios, particularly where there is no > legacy. > > > Another, rather more minor issue is version numbering. At the moment > there > > is (or appears to be) one version number for the SCT structures and the > > protocol. But there is no reason why these should be linked or even that > > every data structure should need to be changed if there is a rev. When we > > talk about X.509v3 we are actually talking about v2 of the CRL structure. > > > > This matters because the v1 protocol does not have a mechanism for > > specifying what the version of the data structure being requested is. > > Yes it does: its in the URL. But I agree that the STH and the leaves > should have separate versions. I thought there was a ticket for this > already. > There is now: http://trac.tools.ietf.org/wg/trans/trac/ticket/12 > > _______________________________________________ > Trans mailing list > Trans@ietf.org > https://www.ietf.org/mailman/listinfo/trans >
- [Trans] Extensibility and algorithm agility Phillip Hallam-Baker
- Re: [Trans] Extensibility and algorithm agility Ben Laurie
- Re: [Trans] Extensibility and algorithm agility Eran Messeri