Re: [Trans] Threat model outline, attack model

Katriel Cohn-Gordon <me@katriel.co.uk> Thu, 11 September 2014 19:44 UTC

Return-Path: <katrielalex@gmail.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C1501A00F2 for <trans@ietfa.amsl.com>; Thu, 11 Sep 2014 12:44:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QJkPYonr97U1 for <trans@ietfa.amsl.com>; Thu, 11 Sep 2014 12:44:28 -0700 (PDT)
Received: from mail-wg0-x229.google.com (mail-wg0-x229.google.com [IPv6:2a00:1450:400c:c00::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F7DF1A0100 for <trans@ietf.org>; Thu, 11 Sep 2014 12:43:47 -0700 (PDT)
Received: by mail-wg0-f41.google.com with SMTP id k14so5785799wgh.24 for <trans@ietf.org>; Thu, 11 Sep 2014 12:43:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:date:from:to:cc:message-id:in-reply-to:references:subject :mime-version:content-type:content-transfer-encoding :content-disposition; bh=mlBGIw5s0BFwqjkXjPQWC3OJeqjYkh7OJasSSYMEqr4=; b=IZWwA3us9uNVtwk6UhlOvfYRE+2rkwfCGaiBUOOsqGLBW2l13nJCIFcfjZ6Dx4dT2e vvQcbISAEVGm5oWnh4jPgZ9+EbYYaouTDXflriiNdV49fO5lrO6OhOKVmQ//dHoRzPVo suPYY8j8przqPBkIWzmptdNnexEZnmi0z6N7dpFGjTecLkbAmR1AK9DdfLOv/NNBfoc8 9RcZjBfUF6BVmmDixJIkOZaPnhVz5ArBrfxu9GRd0y+SPflnr4qGdNxfCqQcWAyFAaOS FGMhRdMcxDOIpoHOXxK2ukH5bgRnzRk4gLGHIQcEpAx49lBTjsGpTS3LP+886HRy0mj1 2XwA==
X-Received: by 10.194.59.201 with SMTP id b9mr4513731wjr.43.1410464621649; Thu, 11 Sep 2014 12:43:41 -0700 (PDT)
Received: from [10.16.19.229] (client0979.vpn.ox.ac.uk. [129.67.119.211]) by mx.google.com with ESMTPSA id wx3sm2215819wjc.19.2014.09.11.12.43.38 for <multiple recipients> (version=TLSv1 cipher=RC4-SHA bits=128/128); Thu, 11 Sep 2014 12:43:38 -0700 (PDT)
Sender: Katriel Cohn-Gordon <katrielalex@gmail.com>
Date: Thu, 11 Sep 2014 20:43:34 +0100
From: Katriel Cohn-Gordon <me@katriel.co.uk>
To: Stephen Kent <kent@bbn.com>
Message-ID: <BEAB70F21EC44221A49E95FC448603FC@gmail.com>
In-Reply-To: <5411E511.1040605@bbn.com>
References: <5411E511.1040605@bbn.com>
X-Mailer: sparrow 1.6.4 (build 1178)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/ptH1KGsOYRydSwG8sK45FNl9IE0
X-Mailman-Approved-At: Thu, 11 Sep 2014 13:47:05 -0700
Cc: "=?utf-8?Q?trans=40ietf.org?=" <trans@ietf.org>
Subject: Re: [Trans] Threat model outline, attack model
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Sep 2014 19:53:10 -0000

I’ve also been thinking about a threat model, though your writing is much clearer than mine!

tl;dr: (a) There’s a lot of text about the details of revocation that I thought was out of scope for CT. (b) A client specification may answer many of the questions you raise about Monitors.

--
Katriel Cohn-Gordon
Student, Cyber Security
Merton College, Oxford



On Thursday, 11 September 2014 at 19:08, Stephen Kent wrote:  
> Certificate Transparency (CT) is intended to detect and mitigate...

Is it intended to mitigate problems? (-04) says so but immediately follows it with “the logs do not themselves prevent misissue, but they ensure that interested parties (particularly those named in certificates) can detect such misissuance”

A fairer introduction might be “CT is intended to allow subjects to detect…"
> A certificate is characterized as mis-issued if the certificate is issued to an entity that is not authorized to represent the host (web server) named in the certificate Subject field or Subject Alternative Name extension.

Or doesn’t follow certain regulations, or some other definition (e.g. comes from a root that the CA can but does not use to issue certificates). I think it should be up to individual Monitors to define what they consider to be mis-issued, though it makes sense to give a minimal criterion, and hence that the text should say something like “In the following, a certificate is characterised as mis-issued if… but any Monitor may choose to use an alternative definition, since CT is definition-agnostic."
>  
>  
> Certificate mis-issuance may arise in one of several ways. The ways that CT helps detect and remedy mis-issuance depends on the context of the mis-issuance.

I think the key distinction to be made is between contexts that cause the certificate to be submitted to a non-malicious Log Server, and those that do not. As you say, in the former case a Monitor tracking the targeted Subject will detect the mis-issued certificate and set off the out-of-scope revocation process. In the latter, TLS clients which are not backwards compatible will refuse to accept the certificate, while TLS clients which do not yet enforce CT will act as they do today.

Once the certificate is detected, is the revocation process (e.g. what data the CA requires) in scope for this document?
>  
> 1. If a CA submits the bogus certificate to logs, but these logs are not watched by a Monitor that is tracking the targeted Subject, CT will not mitigate a mis-issuance attack. It is not clear whether every Monitor MUST offer to track every Subject that requests its certificates be monitored. Absent such a guarantee, how do TLS clients and CAs know which set of Monitors will provide “sufficient” coverage. Unless these details are addressed, use of CT does not mitigation mis-issuance even when certificates are logged.

I understood Monitors to be run by Subjects (or paid by Subjects to do their tracking for them), so I see no reason why they MUST offer to track anybody. It’s log servers for which you need sufficient coverage, though, not Monitors: one of the latter will suffice as long as it watches all the former. I don’t know what the current definition of “the set of all log servers” is (*); for the moment I assume it is defined by Google’s list for Chrome.

I agree it’s important to specify how Monitors can find out the set of log servers. (e.g. it’s Very Bad if I run my own monitor but don’t update its list, since then a mis-issued certificate submitted to a new log server will pass me by.)
>  
> 3. If a TLS client is to reject a certificate that lacks an embedded SCT, or is not accompanied by a post-issuance SCT, this behavior needs to be defined in a way that is compatible with incremental deployment. Issuing a warning to a (human) user is probably insufficient, based on experience with warnings displayed for expired certificates, lack of certificate revocation status information, and similar errors that violate RFC 5280 path validation rules.

What’s the precedent for defining incremental deployment in this type of document? I suppose the wording would be something like “TLS clients wishing to respect incremental deployment MAY choose to accept certificates without embedded SCTs, but…"
>  
> 4. The targeted Subject might request the parent or the offending CA to revoke the certificate of the non-cooperative CA. However, a request of this sort may be rejected, e.g., because of the potential for significant collateral damage.

Again, is this in scope for CT? This issue exists in today’s infrastructure just as much (c.f. when people removed DigiNotar from trust lists).
>  
>  
>  
> Absent a protocol (a so-called “gossip” protocol) that enables Monitors to verify that data from logs are consistent, CT does not provide protection against logs that may conspire with, or be victims of, attackers effecting certificate mis-issuance. Even when a gossip protocol is deployed, it is necessary to describe how the CT system will deal with a mis-behaving or compromised log. For example, will there be a mechanism to alert all TLS clients to reject SCTs issued by such a log.

I believe this is the same question as at (*): who controls the list of trusted logs? One assumes that anybody doing so (e.g. Chrome) would also run a Monitor, and thus detect misissuances and remove said logs from their list the same way they would have removed DigiNotar.

I think a section specifying the actions of TLS clients should answer a lot of these questions. Such a section would say in part that clients must keep lists of CAs and log servers, maintained either by themselves or by a trusted third party, and that the signatures on the cert and the SCT should be from entities in the respective lists. Whoever maintains the list undertakes to remove both bad CAs and bad log servers if they are detected.
>  
> Monitors also play a critical role in detecting certificate mis-issuance, for Subjects that have requested monitoring of their certificates. Thus Monitors represent another target for adversaries who wish to effect certificate mis-issuance. If a Monitor is compromised by, or is complicit with, an attacker, it will fail to alert a Subject to a mis-issued certificate targeting the Subject. This raises the question of whether a Subject needs to request certificate monitoring from multiple sources to guard against such failures.

Subjects must choose a trusted Monitor because the Monitor is by definition the thing that watches the logs; they can do this themselves or they can delegate to a third party, in which case they rely on that party not to be compromised. This doesn’t seem particular to CT: if I install a burglar alarm either I have to monitor it, or I have to pay someone else to monitor it and trust them to respond if it goes off, or I have to accept that the alarm might be ignored.
>