Re: [Trans] [ct-policy] Re: Certificate Transparency Mirrors (experimental)
Paul Hadfield <hadfieldp@google.com> Mon, 07 November 2016 10:54 UTC
Return-Path: <hadfieldp@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E9BD129682 for <trans@ietfa.amsl.com>; Mon, 7 Nov 2016 02:54:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.497
X-Spam-Level:
X-Spam-Status: No, score=-3.497 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eWyVPYGGZtzV for <trans@ietfa.amsl.com>; Mon, 7 Nov 2016 02:54:29 -0800 (PST)
Received: from mail-lf0-x229.google.com (mail-lf0-x229.google.com [IPv6:2a00:1450:4010:c07::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F759129A6F for <trans@ietf.org>; Mon, 7 Nov 2016 02:54:28 -0800 (PST)
Received: by mail-lf0-x229.google.com with SMTP id o141so37947532lff.1 for <trans@ietf.org>; Mon, 07 Nov 2016 02:54:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=MhMouIkoGIkQp7DIR+QD/gkDLc8W24jIJG5NHPivViE=; b=ZHiR/Q4/UfOUgEwkac6ckVbGqzcdTegVmthWD3k6OYd9/B7ybB4VXcsGdpdwk2TEi0 Lhg1/ZCpQ3lTE6uMfMO051YlOzvWg6lhCrNWQLxrOe6+ayoEGsStveOoyMctm6jVQIgw EfBMXD9KPYBHZyFKf/pVYQDBCmioQs9OdYouDmUmWb+Pfi94XijnyB/m8HY+2br+/akF WeMGwD9M+wiBd3MSU8ltf+1u6gtAUJXNGqAMw7y+BYItCXYcZbUIY0famx232US1a/nq FDRnl1LO16zLD6rcJBWLcMTjOxHXx72s1Ym7dGmiieF+1ycdYz099Q87Lx1Pww8CVeOD ErzQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=MhMouIkoGIkQp7DIR+QD/gkDLc8W24jIJG5NHPivViE=; b=VBjtHipo5Rm82kUIHgMHWezNcvFvFjvs4nhvYiv1Kho2jAC4x9Zgg4QHb0UDzBqWFC B+81c69YmaJw4nXSLfZa2det5VdiR6I7xKEslaVMWa/LcjiHhQq/wxx/4o4C0lfnWX9B kbVCVSWbIthSQUvememwy4yV9kfO7l9lzXjDlYxqJKCln3U5Q++e5ZnUpuh3fffIodII XzjX2sNzfrSmQKA8j3xHTOZiIo4QN7CePujPlaqLnaaw7vDVAwunGis9CwZEOwRP+qOX +ZRlawsmbAYsy+vmqsdItJUacW2+h0wqNIMsm0jCm15j1LmaSSJDpde224bC1IsacqGD 0EkQ==
X-Gm-Message-State: ABUngveCN7sF78e2IpNNOUJXdce780AsXs502lqpHMjNFMkPS/JOQTdz2+bUbIJZa1218WB/qYkvQs+l3qtKoBJo
X-Received: by 10.25.150.210 with SMTP id y201mr3191018lfd.58.1478516066420; Mon, 07 Nov 2016 02:54:26 -0800 (PST)
MIME-Version: 1.0
Received: by 10.25.221.91 with HTTP; Mon, 7 Nov 2016 02:54:25 -0800 (PST)
In-Reply-To: <CAKMP+kdESqbM-DQ-9egZQzM7kgbzV=affU6uwYRHizmTJC_=hg@mail.gmail.com>
References: <CAP9QY5ZYa6_-=5-DOz3O8PJYi-48sqyBvx2XbyV+3euWKjcavQ@mail.gmail.com> <8229e7fa-9763-41b7-b08b-ce1286dcb389@chromium.org> <CAKMqHLg41YkNT=N-kq6Lbtp2A4s6SD040H2cFRvDenZVbgc5_A@mail.gmail.com> <CAKMP+kdESqbM-DQ-9egZQzM7kgbzV=affU6uwYRHizmTJC_=hg@mail.gmail.com>
From: Paul Hadfield <hadfieldp@google.com>
Date: Mon, 07 Nov 2016 10:54:25 +0000
Message-ID: <CAGDCdM4c5V9Csx1x-u5m9gYVOf5o0k1_e5pz3ithCWwSc3+EtQ@mail.gmail.com>
To: Florian MAURY <florian.maury@gmail.com>
Content-Type: multipart/alternative; boundary="001a114017ceef5da60540b3d887"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/o4owsKC7HqSvzbcEUYsk2UniLHg>
Cc: Pierre Phaneuf <pphaneuf@google.com>, trans@ietf.org, Certificate Transparency Policy <ct-policy@chromium.org>, certificate-transparency <certificate-transparency@googlegroups.com>
Subject: Re: [Trans] [ct-policy] Re: Certificate Transparency Mirrors (experimental)
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Nov 2016 10:54:32 -0000
On Sat, Nov 5, 2016 at 8:15 AM, Florian MAURY <florian.maury@gmail.com> wrote: > Hi lists, > > I decided to discuss this in private with Pierre, so that we would not > spam the list. Here is a summary of our conversation. Pierre, please > feel free to comment that report, in case I missed something or if the > report is inaccurate. > > Pierre statement in the previous email is accurate. One could request > a consistency proof between a subtree and the latest tree head to > check if this subtree contains corrupted data or not. This is an > efficient way to detect which entry or set of entries are invalid. > Current Google implementations (and some others) are willing to return > such proofs. It is however noteworthy that this behavior is not > required by RFC6962 and RFC69626-bis current draft. These documents > only require that logs be able to return consistency proofs between > STHs. This requirement is probably to allow precomputation to limit > abusive behavior impacts on log load. Since all subtree roots are not > necessarily STHs, the consistency checks suggested by Pierre are nice > to have but cannot be expected from all logs. > > We both agreed that it would be great to have some way to find out > previous STH. I would suggest adding a tree_size optional parameter to > the v2 get-sth endpoint. If present, the returned STH would be the STH > with the greatest tree_size inferior to the tree_size parameter. I > have not given it much thoughts and this might not be a good idea. > Anyway, this is probably not the right place to discuss this. > Hi Florian, there's been some recent discussion on [trans] about adding a new endpoint for v2 that permits a client to retrieve historic STHs. It sounds like what you are interested in is quite similar. Rob Stradling has taken the proposal for this and created a pull request on the RFC repo: https://github.com/google/certificate-transparency-rfcs/pull/200 Perhaps you could comment there? regards, Paul > > Pierre's suggestion to use inclusion proofs to verify that a specific > entry is consistent is an excellent idea. However, if you don't know > for sure which entry or set of entries are corrupted, then we agreed > that this check method is less efficient than downloading everything > all over again. > > Finally, Pierre suggested that computing the root hash from the > downloaded entries is not sufficient to ensure an entry consistency. > Indeed, downloaded data include an extra_data field that should be > checked too, by verifying the signature chain up to a trust anchor. > This is an excellent idea that I added on my TODO list. Thanks! > > Cheers, > Florian > > On Fri, Nov 4, 2016 at 3:28 PM, Pierre Phaneuf <pphaneuf@google.com> > wrote: > > On Fri, Nov 4, 2016 at 1:42 PM, Florian M. <florian.maury@gmail.com> > wrote: > > > >> if, for whatever reason, a get-entries response is corrupted, the root > hash > >> will be incorrect. If the user has no access to intermediate STH, there > is > >> no way to narrow down and track the corrupted get-entries result. The > user > >> can only start over. > > > > That's not entirely true, there's a strategy you can use to find where > > the corruption occurred. > > > > If the root hash of the whole Merkle tree doesn't compute correctly, > > you can do a binary search for the corrupted entry, by using the > > MerkleTree::RootAtSnapshot method in the C++ implementation (for > > example) to compute the root hash of your tree at half the size, and > > do a get-sth-consistency between that tree size and the full one. If > > the proof applies correctly, then you know the entries below are good, > > and you can repeat the operation, until you isolate the tree size that > > stops validating with the consistency proof. You could then drop all > > the entries from there on and resume from there (simpler), or maybe > > just re-fetch a chunk and recompute the Merkle tree (hoping the > > corruption was localised). > > > > You can also spot check single entries using inclusion proofs. > > -- > You received this message because you are subscribed to the Google Groups > "Certificate Transparency Policy" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ct-policy+unsubscribe@chromium.org. > To post to this group, send email to ct-policy@chromium.org. > To view this discussion on the web visit https://groups.google.com/a/ > chromium.org/d/msgid/ct-policy/CAKMP%2BkdESqbM-DQ-9egZQzM7kgbzV% > 3DaffU6uwYRHizmTJC_%3Dhg%40mail.gmail.com. >
- [Trans] Certificate Transparency Mirrors (experim… Adam Eijdenberg
- Re: [Trans] [ct-policy] Re: Certificate Transpare… Pierre Phaneuf
- Re: [Trans] Certificate Transparency Mirrors (exp… Florian M.
- Re: [Trans] [ct-policy] Re: Certificate Transpare… Florian MAURY
- Re: [Trans] [ct-policy] Re: Certificate Transpare… Paul Hadfield
- Re: [Trans] [ct-policy] Re: Certificate Transpare… Rob Stradling
- Re: [Trans] [ct-policy] Re: Certificate Transpare… Eran Messeri