Re: [Trans] Mutability of Certificate Signatures
Eran Messeri <eranm@google.com> Tue, 18 July 2017 16:58 UTC
Return-Path: <eranm@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91724131B6C for <trans@ietfa.amsl.com>; Tue, 18 Jul 2017 09:58:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IUq_w5PylZ2b for <trans@ietfa.amsl.com>; Tue, 18 Jul 2017 09:58:05 -0700 (PDT)
Received: from mail-io0-x235.google.com (mail-io0-x235.google.com [IPv6:2607:f8b0:4001:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 730AB131B51 for <trans@ietf.org>; Tue, 18 Jul 2017 09:58:05 -0700 (PDT)
Received: by mail-io0-x235.google.com with SMTP id 5so16472217iow.0 for <trans@ietf.org>; Tue, 18 Jul 2017 09:58:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=9Os629ImPEZ0lzXOvrK7x0LNJfTSCrkYORifRHdxy7E=; b=BiY59nb/KsOXC88GbYrICJsp2UrVqmf8i4LLh5pBuk7Ca9u+HnoQHtS5Y9jEHn8mmF DGHtI6TEbf0okdLNNG9aUCybSCrKxVQ54j2LeMsL9p6gR1QcQOYFPWmtJDA+KevYPyT0 xZy+mABDgewYGomeIDvAj3vPlg14Pzsy0GDO50cZaT2A95/rORCzX3WtfSw5wNCb8Mje EbLkbShf6+7UQJpB1zG0Pwf5vq+32Wyl39Cnl3rvXp54fVc2XD3Ef7XEvixCT61ZqnR4 2U1olqGp00oJZta2S2x2jbVmfWYw5jbC3vcN3F6XRRs9m9HQNjL27gcm/AY/aO5Xr+4D IKyA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=9Os629ImPEZ0lzXOvrK7x0LNJfTSCrkYORifRHdxy7E=; b=L9BdKoikNcC1A6AlJhXhuOySXsn0XpnyKgsRaUpACakVMfnS1VGWuETqgLvVjDdT/w vL25LmiQuwf5seE5n0Vwe7/yp58XOiMu3t0SHP0ToOY4PP1ohckPhOBCJwZpmalEtSYx l5tvvVrYKy7pF4asQWo/b1sXjIJBlbz9rQLC1d7t9sOgnyXhhQIw/uNQMo4IvgdbHZq+ F7Q0qBo9NML8Vf7qplJfn5BKGrT3mAdDuLHuJsSFGwn0KiifRngzTMmuvJCoV1OwWpD/ h81TR6VAd3oQUJeWTV52SxmoB8pVTk/RUCGkcZ2uTnLIxnoxu2XTa1s6lmSZDUc5vx+c wXJg==
X-Gm-Message-State: AIVw112vg9pW+pm8RZjJt0D9dBtB+6+kgPHfuRCNvtUFzf4JwYq51I7w LEWrG2BK8AqOZJbkIsfi5WSV0pbN0lkwEQk=
X-Received: by 10.107.7.222 with SMTP id g91mr2557737ioi.218.1500397084452; Tue, 18 Jul 2017 09:58:04 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.10.88 with HTTP; Tue, 18 Jul 2017 09:57:33 -0700 (PDT)
In-Reply-To: <20170703100241.9dd63b867d0181bae69a3999@andrewayer.name>
References: <20170528191028.20f285073eea33a3f23b6b5a@andrewayer.name> <20170703100241.9dd63b867d0181bae69a3999@andrewayer.name>
From: Eran Messeri <eranm@google.com>
Date: Tue, 18 Jul 2017 17:57:33 +0100
Message-ID: <CALzYgEf5TnSSrkk0rP=OckLN_cgim2-M4fmnd70FavW8mG0yZA@mail.gmail.com>
To: Andrew Ayer <agwa@andrewayer.name>
Cc: "trans@ietf.org" <trans@ietf.org>
Content-Type: multipart/alternative; boundary="001a113f93ea3e38a605549a6b86"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/k91hx5HMdnsGvwqVi6ypMCndmeM>
Subject: Re: [Trans] Mutability of Certificate Signatures
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jul 2017 16:58:07 -0000
Going back to the original email, I support the proposal to fix the issue by adding language to the document saying that a failure to produce a full, valid chain with the (immediate) issuer's key hash identical to the key hash covered by the SCT signature. I do not think the full key should be present in the SCT - even though it would be convenient for monitors, the full chain *is* present in the get-entries response, and requiring that the chain returned includes the intermediate with the same key whose hash is covered by the SCT signature is enough to guarantee monitors have the key. While a CT log can present different, valid chains, leading to different trust anchors, for a particular entry (as long as the same key was used for signing the submission) - but that is true when certificates are used in TLS connections, and in the context of CT this is more of a spam/log credibility problem than a security problem: The log could present chains that seem "uninteresting" to the general public (because they terminate in a trust anchor unrecognized by any major UA) while, in fact, there is a valid path from the submitted entry to a trust anchor recognized by UAs. This could be detected by identifying which intermediates have the key that was used to sign the submission. Regardless, this is not an attack on the protocol or log implementation - but an ecosystem issue: Logs that accept a mix of credible and unvetted trust anchors could always be spammed, and so may not have the same utility as logs that accept TAs. Signing the entire chain in the submission won't be useful to TLS clients (because TLS certificates can be served with different, valid chains), so I think that from a correctness perspective 6962-bis should just require the log to serve a valid chain for each entry (which monitors can verify), and if it can't, then it misbehaved. Would that resolve the concern? IMHO such an addition to 6962-bis would not require restarting WGLC as this is already implied by the protocol. Eran On Mon, Jul 3, 2017 at 6:02 PM, Andrew Ayer <agwa@andrewayer.name> wrote: > To get the ball rolling again on fixing this issue, I've submitted a PR > which: > > 1. Changes issuer_key_hash to issuer_key. > > 2. Adds language to the Monitor section describing what checks a > monitor should do to detect signature mutation. > > https://github.com/google/certificate-transparency-rfcs/pull/270 > > Regards, > Andrew > > _______________________________________________ > Trans mailing list > Trans@ietf.org > https://www.ietf.org/mailman/listinfo/trans >
- [Trans] Mutability of Certificate Signatures Andrew Ayer
- Re: [Trans] Mutability of Certificate Signatures Eran Messeri
- Re: [Trans] Mutability of Certificate Signatures Andrew Ayer
- Re: [Trans] Mutability of Certificate Signatures Eran Messeri
- Re: [Trans] Mutability of Certificate Signatures Andrew Ayer
- Re: [Trans] Mutability of Certificate Signatures Rob Stradling
- Re: [Trans] Mutability of Certificate Signatures Andrew Ayer
- Re: [Trans] Mutability of Certificate Signatures Eran Messeri
- Re: [Trans] Mutability of Certificate Signatures Andrew Ayer
- Re: [Trans] Mutability of Certificate Signatures Rob Stradling