Re: [Trans] [EXT] CT Log Costs and Incentives
Devon O'Brien <devon.obrien@apple.com> Fri, 24 March 2017 00:52 UTC
Return-Path: <devon.obrien@apple.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33504129BAD for <trans@ietfa.amsl.com>; Thu, 23 Mar 2017 17:52:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AfTOSyaw5Pov for <trans@ietfa.amsl.com>; Thu, 23 Mar 2017 17:52:29 -0700 (PDT)
Received: from mail-in4.apple.com (mail-out4.apple.com [17.151.62.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C42C124B0A for <trans@ietf.org>; Thu, 23 Mar 2017 17:52:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1490316749; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=Mfa2kic2IAuba3UNnzS95xLnfEncF7shKDE5h/YBPOs=; b=gFmzt9UPpApDVuu+gtA1GDYo/zxqabnz6n47cdFYwcL2/OFG2jHlW3w+ftzR8TFA sa+JHoFvbeWgaRX1TreDu+9c7K9z7jJALud7L+C5MzGeIKuIytB8S4fNRX03Oq3q 8H5ESU/A662FOCOpY5TdsCKjG3X6erKjVUYgE/TgVePX2tBoSlLKeskL3QvjNlDX hf5GUccmP2ScvkQfm0kLxaU5frZVQwUQ8CYeBU90RycOe+k9B+pmTqMxjg3VKBIw mIsHeKjYEpZj2+2WLZ6XrWRoDhyzGJwsNOnyNOpk9PLy48mwyfcZDMlf+nAyVYB8 lQfNY8QgBTU/44tuufGiGg==;
Received: from relay4.apple.com (relay4.apple.com [17.128.113.87]) by mail-in4.apple.com (Apple Secure Mail Relay) with SMTP id 3B.72.25383.CCD64D85; Thu, 23 Mar 2017 17:52:29 -0700 (PDT)
X-AuditID: 11973e12-003389a000006327-fa-58d46dcd76bc
Received: from nwk-mmpp-sz10.apple.com (nwk-mmpp-sz10.apple.com [17.128.115.122]) by relay4.apple.com (Apple SCV relay) with SMTP id 2F.4F.03007.CCD64D85; Thu, 23 Mar 2017 17:52:28 -0700 (PDT)
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_phaH/owmZA+Fqzde7QOuCw)"
Received: from [17.153.46.23] (unknown [17.153.46.23]) by nwk-mmpp-sz10.apple.com (Oracle Communications Messaging Server 8.0.1.2.20170210 64bit (built Feb 10 2017)) with ESMTPSA id <0ONA00F7ENRG3W60@nwk-mmpp-sz10.apple.com>; Thu, 23 Mar 2017 17:52:28 -0700 (PDT)
Sender: devon.obrien@apple.com
From: Devon O'Brien <devon.obrien@apple.com>
Message-id: <CD2FEE7F-8C3F-480A-AF61-ACFEFCCA19A9@apple.com>
Date: Thu, 23 Mar 2017 17:52:27 -0700
In-reply-to: <D4F97678.502E%tarah_wheeler@symantec.com>
Cc: Steve Matsumoto <steve@stevematsumoto.net>, "trans@ietf.org" <trans@ietf.org>
To: Tarah Wheeler <Tarah_Wheeler@symantec.com>
References: <ca34d76c-305b-3064-46c0-08163b59b46d@stevematsumoto.net> <D4F97678.502E%tarah_wheeler@symantec.com>
X-Mailer: Apple Mail (2.3271)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrFLMWRmVeSWpSXmKPExsUi2FAYrns290qEwb7/rBYXDzUyWrzed5/N Yu3jiywOzB5Llvxk8vg5eyWzx47zU5gDmKO4bFJSczLLUov07RK4Mras/s1asOsrY8WKKeeY GhjfXmfsYuTgkBAwkdi/pb6LkYtDSGAvo8TtSXOZuxg5weIb5zWygthCAocYJY6/TAOxeQUE JX5MvscCYjMLhEnca/zJAtHczySxpXc5WEJYQE5i1dmHYDabgI7Ejdvz2SGabSQ6n/9khKgx l/j0ZTGYzSKgKjF17ns2kIM4geJPT3CBmMwCwRL352SDVIgI6ElcW3KRHSQsJFAk8eeXKcSV shLb781ghLBPsEn0dIpMYBSaheTQWUgOnQU2VF1iypRciLC2xJN3F1ghbDWJhb8XMSGLL2Bk W8UolJuYmaObmWeil1hQkJOql5yfu4kRFBnT7YR2MJ5aZXWIUYCDUYmHN6LmUoQQa2JZcWXu IUZpDhYlcV5tkcsRQgLpiSWp2ampBalF8UWlOanFhxiZODilGhgNdZdrb9c6UZna5+JbKn5O s/3IJ/up718mXp27WXKl88ltT5aEFRh1nOLgXrfif6xwYtmhvO1hij1eCxo5t8/zDJo5w7O1 XSE7rjHCxdHDW3z9qVNTnf1Ns6/PfPVB+ebnCBsDJgHeMGnxVV3yyVuPeSzzSbJc7LFR4iFz TvLH/Z/3z/ifYKnEUpyRaKjFXFScCAAdtxrNbQIAAA==
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrGIsWRmVeSWpSXmKPExsUi2FBcpXsm90qEwbV7FhYXDzUyWrzed5/N Yu3jiywOzB5Llvxk8vg5eyWzx47zU5gDmKO4bFJSczLLUov07RK4Mras/s1asOsrY8WKKeeY GhjfXmfsYuTkkBAwkdg4r5EVxBYSOMQocfxlGojNKyAo8WPyPRYQm1kgTOJe408gmwuopp9J YkvvcrCEsICcxKqzD8FsNgEdiRu357NDNNtIdD7/yQhRYy7x6ctiMJtFQFVi6tz3bF2MHByc QPGnJ7hATGaBYIn7c7JBKkQE9CSuLbnIDhIWEiiS+PPLFOJKWYnt92YwTmDkn4XkuFlIjpsF NkhdYsqUXIiwtsSTdxdYIWw1iYW/FzEhiy9gZFvFKFCUmpNYaaKXWFCQk6qXnJ+7iREczIXh Oxj/LbM6xCjAwajEwxtRcylCiDWxrLgyFxhAHMxKIrw3sq5ECPGmJFZWpRblxxeV5qQWH2Kc yAj04URmKdHkfGCs5ZXEG5qYGJgYG5sZG5ubmNNSWEmct+sL0JEC6YklqdmpqQWpRTBHMXFw SjUw2i3uWOjMs+7JBpufe44JiK/s8LKf3L1pwRKvna7XMn2iDTY+cWywVPOq+7fzmfbSNyd6 Le92/D8+a6vBrtRqvYsS4au4znOek/Y5fKD32rcV+/viPGfsMNI9US037fDfyc+MOcOu1cu9 yms6tnrVS7eFX9aL/YhRmuNUZhQmIFRZkX765aZbU5RYijMSDbWYi4oTAZko9/zZAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/pYvs704oNh8UeOf1uxTT2fBHI8Q>
Subject: Re: [Trans] [EXT] CT Log Costs and Incentives
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Mar 2017 00:52:32 -0000
While there might or might not be a direct financial incentive for log operation, there are stakeholders in the CT ecosystem with very compelling indirect incentives. As Chrome has demonstrated, User Agents have the strongest incentive. They represent their users’ interest in a secure browsing experience, and detecting and responding to mis-issuances within the WebPKI solidifies that promise to their users. In most, but not all cases, User Agents tend to also have the financial and infrastructural resources in place to operate a high assurance log. Similarly, entities like certain government agencies could also step up in this area since they operate on a similar mandate. To a lesser extent, large PKIs have an incentive to run logs as well. Given certificate logging requirements, it makes sense that a massive PKI would rather deploy and depend upon their own CT log rather than depend on what’s turned out to be a more tumultuous log ecosystem than expected. As Steve pointed out, relying on the altruism of a log operator can be a hard business case to make. Beyond either of these two cases, log operators can charge back infrastructure costs to CAs submitting to the log. These can be volume-based fees designed to allow scalability or allow for periodic renegotiation. Personally, I like this model the least since it offers the weakest commitment to CAs and UAs for continued operation. As has been discussed on a few occasions over the past few years, many players in the CT ecosystem don’t see the need for more than 10-20 logs to exist in total. This threshold can feasibly be met by the above cases without requiring logs to operate as a token of goodwill. - Devon > On Mar 23, 2017, at 09:57, Tarah Wheeler <Tarah_Wheeler@symantec.com> wrote: > > What are the financial incentives of the non-opaque log operators? I > mistrust altruism as regards incentive for long-term stability. Is log > operation a loss leader for orgs that provide other, more profitable > services? > > > -- > Tarah M. Wheeler > > > > > > On 3/23/17, 10:07 AM, "Trans on behalf of Steve Matsumoto" > <trans-bounces@ietf.org <mailto:trans-bounces@ietf.org> on behalf of steve@stevematsumoto.net <mailto:steve@stevematsumoto.net>> wrote: > >> Hi everyone, >> >> I've been thinking lately about the incentives that certificate logs >> have for operating, and would like to start a discussion centered around >> the costs and incentives for certificate log operators. >> >> It seems to me that CT relies on the altruism of log operators. As far >> as I know, logs don't receive any sort of compensation for operating, >> and of the current known and included logs listed on the CT site [1], 4 >> are run by Google and 5 are run by CAs (Symantec, WoSign/StartSSL, and >> CNNIC) that had some sort of security incident in the past and had to >> implement CT as a result [2-4]. So besides the fact that CT will be >> required in October, what incentives are there to run a certificate log? >> Are there any plans to add incentives for logs to operate? >> >> Complementary to the above question is whether or not the incentives >> that log operators have outweigh the cost of running a log. I estimate >> that the storage cost of the certificate entries for the largest log >> (Google Pilot) is on the order of several hundred gigabytes, and that >> the cost of reliability, staff, etc. is quite expensive. But if there >> are any log operators who can comment more on this, that would be great. >> >> Moreover, as far as I know, CT also relies on the altruism of log >> monitors. Logs currently don't offer a way to retrieve entries by domain >> name, so it's difficult for a domain to query the logs for its own >> certificates (some of which may be rogue). Moreover, proving that a >> certificate is not in a log requires checking the entire tree. >> Therefore, CT needs monitors who periodically retrieve all newly-logged >> certificates and check for suspicious certificates, and it's not >> entirely clear how monitors decide whether a certificate is suspicious. >> What are the incentives for these monitors? >> >> Given that the number of logs is small and will probably be limited by >> Google (partially because monitoring becomes difficult otherwise), are >> there any plans to incentivize the "best" logs, i.e., those that keep >> the most certificates or have the highest uptime? Is incentivizing logs >> in this way something that we should do? >> >> I'd be very interested in getting feedback from everyone, particularly >> log operators and monitors, about this. >> >> -Steve >> >> [1] >> https://clicktime.symantec.com/a/1/59oePpKbG62hyNDvpJjPTDfulpqyjTGck38AfdP <https://clicktime.symantec.com/a/1/59oePpKbG62hyNDvpJjPTDfulpqyjTGck38AfdP> >> V-S4=?d=CAG1JfK0a4CVoHF5eYIXWtRfPfhblXEujp476xHAieYvJKc-xm9IvfgPMVtpK-UKNt >> Ayuo_LQxDM_vZcwOM-XKD68Mr1VKghAGdrKdDLhRDyqeE7Wdv2QMaqfZLzptPpJ5xLjGfHLMj6 >> LmTMLEt2KSnv0aACLYGg6CTfkhgYCRANSHKsKfy_yaf0IyK7qidqN_oYO6CYyEai3x8ytUDPBy >> dnl9HmlLO86sl5AUXAs_XfYG3reUGYOKzzL_jKBkUV25kTgwNnvNsKsgBwHRo5MqM5ZYk3EqhP >> XTOgwbFp9icvYN76ahOcI0UmsGJVELJpI2A3CIsZ-In3uc-QQVfU92AOSlCf9RtcflWCpFBjX8 >> p_VgXXyvCywwg9cmXjr_8YzTRM6Tc%3D&u=https%3A%2F%2Fwww.certificate-transpare >> ncy.org <http://ncy.org/>%2Fknown-logs >> [2] >> https://clicktime.symantec.com/a/1/mw81gxILG0yv90ZXFS1qixOhC68j21cVWOlygtZ <https://clicktime.symantec.com/a/1/mw81gxILG0yv90ZXFS1qixOhC68j21cVWOlygtZ> >> HNc8=?d=CAG1JfK0a4CVoHF5eYIXWtRfPfhblXEujp476xHAieYvJKc-xm9IvfgPMVtpK-UKNt >> Ayuo_LQxDM_vZcwOM-XKD68Mr1VKghAGdrKdDLhRDyqeE7Wdv2QMaqfZLzptPpJ5xLjGfHLMj6 >> LmTMLEt2KSnv0aACLYGg6CTfkhgYCRANSHKsKfy_yaf0IyK7qidqN_oYO6CYyEai3x8ytUDPBy >> dnl9HmlLO86sl5AUXAs_XfYG3reUGYOKzzL_jKBkUV25kTgwNnvNsKsgBwHRo5MqM5ZYk3EqhP >> XTOgwbFp9icvYN76ahOcI0UmsGJVELJpI2A3CIsZ-In3uc-QQVfU92AOSlCf9RtcflWCpFBjX8 >> p_VgXXyvCywwg9cmXjr_8YzTRM6Tc%3D&u=https%3A%2F%2Fsecurity.googleblog.com <http://2fsecurity.googleblog.com/>%2 >> F2015%2F03%2Fmaintaining-digital-certificate-security.html >> [3] >> https://clicktime.symantec.com/a/1/L7ETjKNjE6aJIg2kJxMA-ySmW4-RcYG3BFCECcQ <https://clicktime.symantec.com/a/1/L7ETjKNjE6aJIg2kJxMA-ySmW4-RcYG3BFCECcQ> >> T--k=?d=CAG1JfK0a4CVoHF5eYIXWtRfPfhblXEujp476xHAieYvJKc-xm9IvfgPMVtpK-UKNt >> Ayuo_LQxDM_vZcwOM-XKD68Mr1VKghAGdrKdDLhRDyqeE7Wdv2QMaqfZLzptPpJ5xLjGfHLMj6 >> LmTMLEt2KSnv0aACLYGg6CTfkhgYCRANSHKsKfy_yaf0IyK7qidqN_oYO6CYyEai3x8ytUDPBy >> dnl9HmlLO86sl5AUXAs_XfYG3reUGYOKzzL_jKBkUV25kTgwNnvNsKsgBwHRo5MqM5ZYk3EqhP >> XTOgwbFp9icvYN76ahOcI0UmsGJVELJpI2A3CIsZ-In3uc-QQVfU92AOSlCf9RtcflWCpFBjX8 >> p_VgXXyvCywwg9cmXjr_8YzTRM6Tc%3D&u=https%3A%2F%2Fsecurity.googleblog.com <http://2fsecurity.googleblog.com/>%2 >> F2015%2F10%2Fsustaining-digital-certificate-security.html >> [4] >> https://clicktime.symantec.com/a/1/TgVn9TlunMWDKiq9pWSvDsi2V-ip6xtqx8yPiWe <https://clicktime.symantec.com/a/1/TgVn9TlunMWDKiq9pWSvDsi2V-ip6xtqx8yPiWe> >> 0ZuM=?d=CAG1JfK0a4CVoHF5eYIXWtRfPfhblXEujp476xHAieYvJKc-xm9IvfgPMVtpK-UKNt >> Ayuo_LQxDM_vZcwOM-XKD68Mr1VKghAGdrKdDLhRDyqeE7Wdv2QMaqfZLzptPpJ5xLjGfHLMj6 >> LmTMLEt2KSnv0aACLYGg6CTfkhgYCRANSHKsKfy_yaf0IyK7qidqN_oYO6CYyEai3x8ytUDPBy >> dnl9HmlLO86sl5AUXAs_XfYG3reUGYOKzzL_jKBkUV25kTgwNnvNsKsgBwHRo5MqM5ZYk3EqhP >> XTOgwbFp9icvYN76ahOcI0UmsGJVELJpI2A3CIsZ-In3uc-QQVfU92AOSlCf9RtcflWCpFBjX8 >> p_VgXXyvCywwg9cmXjr_8YzTRM6Tc%3D&u=https%3A%2F%2Fsecurity.googleblog.com <http://2fsecurity.googleblog.com/>%2 >> F2016%2F10%2Fdistrusting-wosign-and-startcom.html >> >> _______________________________________________ >> Trans mailing list >> Trans@ietf.org <mailto:Trans@ietf.org> >> https://www.ietf.org/mailman/listinfo/trans <https://www.ietf.org/mailman/listinfo/trans> > > _______________________________________________ > Trans mailing list > Trans@ietf.org <mailto:Trans@ietf.org> > https://www.ietf.org/mailman/listinfo/trans <https://www.ietf.org/mailman/listinfo/trans>
- [Trans] CT Log Costs and Incentives Steve Matsumoto
- Re: [Trans] [EXT] CT Log Costs and Incentives Tarah Wheeler
- Re: [Trans] [EXT] CT Log Costs and Incentives Devon O'Brien