Re: [Trans] Providing the history of STHs a log has issued (in 6962-bis)
Eran Messeri <eranm@google.com> Mon, 15 May 2017 16:22 UTC
Return-Path: <eranm@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0203F12EACF for <trans@ietfa.amsl.com>; Mon, 15 May 2017 09:22:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2e3QE4RVL5zj for <trans@ietfa.amsl.com>; Mon, 15 May 2017 09:22:43 -0700 (PDT)
Received: from mail-it0-x236.google.com (mail-it0-x236.google.com [IPv6:2607:f8b0:4001:c0b::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C002312EA6A for <trans@ietf.org>; Mon, 15 May 2017 09:18:53 -0700 (PDT)
Received: by mail-it0-x236.google.com with SMTP id g126so71787835ith.0 for <trans@ietf.org>; Mon, 15 May 2017 09:18:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=e2fqnmx2qK/JyEVtbKlUPLey0eC0XUrS0/eq/0MrxNM=; b=c8uc8m/G56ZGSeuOsZHKPpRZNxJXxlz9RKBoZHHEdcIcTIzXZKGjKWbZfGSMWgfmVi KiZzF7EjeXngKcJlt5ZOJn1m6WoezhAYxWQ6K1AnJ5Cg1wtJ6Kmcbg+v1uc0kF5OLjZI HjyG/+fQYRMia5KKNK7MRz7pxlBFE9OLRPwQLsAtTNjZLm6lCOS3Kjnm9bK9GtzrSeOQ 9lBnsBncp1Ob8L45zAK+Gg6LPc7+a4hWY1vi/w/BOglnvaOCeyKp7TCR5yimAviYjYSj ThdyfpEAOPdXs7MbKCcasaxKLL7ZINpYAEEOVArn2RY5uckh0QpEcHkhYwYsM990Hp3b Q2Zw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=e2fqnmx2qK/JyEVtbKlUPLey0eC0XUrS0/eq/0MrxNM=; b=tjXjFTZDP+Y8dgX/cunHYFKgLbgLfX+lV2aAWbRNcuY04u3zMh28SKu+9KIumCMoOc 6yivrnPj1/suGvvGeh/JIOqPWEX+1Wa9PN44GxAqnsR4LqpNBFsnF6ZOfTQbFHqUO3uG zPm3wFoJKD70ajxtW6yDt+/JoDblk5hUGc8E2Vcytw0ctL3Qju5h3wDKeuwsPbAtOio9 0k2nYFIGCgyJJQQ/frm5j20gXF78R/68YBD+PtPkCu1QTYUdl7rhhV98eQxIojdqQ23K iZw6bufki7YVSPfg96v4xHtvAugGkgJCLA2oo7PmQoheVd+f8j+Yz4reg8ZefbBvPWOY CWxg==
X-Gm-Message-State: AODbwcDCztt4GRCEgv/XLmFPha1QBGqXDFGQ2/Xi6ScOVfoLl8dd2h+W EHNeVthtPSMuKw/8gR3Uju6JxfFqZlVEKs86jQ==
X-Received: by 10.36.3.13 with SMTP id e13mr6215654ite.112.1494865132892; Mon, 15 May 2017 09:18:52 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.129.6 with HTTP; Mon, 15 May 2017 09:18:22 -0700 (PDT)
In-Reply-To: <87lgq7j6a3.fsf@nordberg.se>
References: <CALzYgEe+PbYJN6Zz4NnPXBnnhYCi8Op-WmSzFKGxRv+uf+b=sA@mail.gmail.com> <20170504082636.dd0212e34e17949eb69b2fed@andrewayer.name> <CAFDDyk93AcRsCTmt+EPO6VFn-Y4D8g1ETTdGuJrtVk3rH7Xnxg@mail.gmail.com> <20170504123447.41d957a88bd65417e714be78@andrewayer.name> <CAFDDyk-DyBObm2W96R1dZPET-CWwTnitmonkHV2oT+_GH4Gyew@mail.gmail.com> <20170505100910.f3da472d9ad71d1d540b8b62@andrewayer.name> <87lgq7j6a3.fsf@nordberg.se>
From: Eran Messeri <eranm@google.com>
Date: Mon, 15 May 2017 17:18:22 +0100
Message-ID: <CALzYgEeXq0iwJTOfcRUQPR49=Xaqvd21nR=Tk5C884xyGehRuQ@mail.gmail.com>
To: Linus Nordberg <linus@sunet.se>
Cc: Andrew Ayer <agwa@andrewayer.name>, "trans@ietf.org" <trans@ietf.org>
Content-Type: multipart/alternative; boundary="001a11419bfa3c12a7054f926927"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/q3aTjtEFJvFZS2Yw5q0rY4rf95Y>
Subject: Re: [Trans] Providing the history of STHs a log has issued (in 6962-bis)
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 May 2017 16:22:46 -0000
As it has been pointed out to me, the STH history API, even with the proposed changes of adding a sequence number to issued STHs, or requiring an STH refers to a previous STH, would not prevent backdating of STHs in a meaningful way - see explanation below. Because of that, I'm not sure it'll add anything to have this API - and if we do add it, it should be an optional one. Note that the threat I’m focusing on is detection of MMD breach: Where the log hasn’t incorporated an entry corresponding to an issued SCT for more than the MMD, _and a monitor could feasibly observe evidence of it_. Here’s why, I think, adding references to past STHs wouldn’t improve the situation: Currently, clients cannot prove that a log has misbehaved, by serving an STH that’s more than an MMD old. A client can claim that at a given time the log has served it an STH that’s MMD + delta hours old, but cannot prove it. Additionally, close monitoring of a log can identify an MMD breach, but only until 2*MMD - (some delta, marked d in the diagram) time has passed: [image: MMD breach detection.png] (Note in this diagram STH1 is on a tree that does not yet contain the SCT; Only STH2 is). Because the RFC requires an incorporation within the MMD, yet allows serving an STH that’s up to MMD old, a log could incorporate an SCT within the MMD but it would only be evident after more than MMD of the submission time has passed - or it could backdate inclusion by backdating issuance of an STH that includes the entry[0]. AFAICT requiring that STHs refers to previous ones does not change that in any way - it does not prevent any backdating that’s now possible, nor does it make it easier for a client to detect backdating: * When a cunning log realises that it will fail to incorporate a pending entry for longer than the MMD, it can immediately generate a back-dated STH that shows it was included within the MMD, and an “innocent looking” STH (timestamped ‘now’), that refers to the back-dated STH. * A failure by the log to provide an STH in the “chain” of STHs (should STHs include reference to previous ones) is equivalent to a failure by the log to provide an STH that proves an inclusion of a particular entry: In both cases the evidence would be STHs surrounding the entry that was not incorporated. * If a monitor has observed an STH that’s more than MMD old and does not include an entry for a particular SCT, this is evidence enough for misbehaviour. So my concrete suggestion is then to not add get-sths entirely or make it an optional API (because a log can only use it to incriminate itself, not prove that it behaved). [0] Note that backdating of selective submissions is not possible either with or without back-references in STHs: A single submission that hasn’t been incorporated cannot be retroactively incorporated, once the MMD has passed, if other entries have been incorporated. On Tue, May 9, 2017 at 12:08 AM, Linus Nordberg <linus@sunet.se> wrote: > Andrew Ayer <agwa@andrewayer.name> wrote > Fri, 5 May 2017 10:09:10 -0700: > > > On Thu, 04 May 2017 20:58:16 +0000 > > Nick Sullivan <nick@cloudflare.com> wrote: > > > >> By consistent I mean that if a sequence of STHs such as (A, B, C) are > >> presented on day 1, that a different sequence is not presented on day > >> 2 (A, C) or (A, D, B, C). > > > > The PR doesn't currently say the log must retain and return all STHs > > it has ever signed. That should be added. Such language, plus the > > existing chronological ordering requirement, plus the requirement that > > STH timestamps be unique ("Each subsequent timestamp MUST be more > > recent than the timestamp of the previous update") should ensure > > consistency, right? > > > >> Rob's language works in term of chronological order. > >> > >> STH pollination could be a way to support auditing this, but I don't > >> think it's sufficiently robust as currently defined. To prevent STHs > >> from going missing, or for new STHs to appear after the fact, STHs > >> should be exchanged along with metadata indicating the previous and > >> (if it exists yet) the next STH in the tree. > > > > To be an effective auditing mechanism, this information needs to be > > signed by the log. Otherwise, a monitor could lie about what it has > > seen. Perhaps the STH could contain the timestamp of the previous > > STH. If it did, I believe that STH pollination would be sufficient for > > detecting STHs that go missing or appear after the fact. > > > > That said, is there a compelling security need for this to be > > auditable? > > I'm probably missing something crucial here but if it's not auditable, > what use does it have? > > It seems to me that you're transcending towards a log of STHs, which I > wouldn't mind thinking about but probably not as an ad-hoc addon to a > new get-sths API. > > For the record, I'd like to express hesitance about adding an STH > history API until I understand the problem better, with apologies for > not being fully up to speed at the moment. > > _______________________________________________ > Trans mailing list > Trans@ietf.org > https://www.ietf.org/mailman/listinfo/trans >
- [Trans] Providing the history of STHs a log has i… Eran Messeri
- Re: [Trans] Providing the history of STHs a log h… Paul Hadfield
- Re: [Trans] Providing the history of STHs a log h… Andrew Ayer
- Re: [Trans] Providing the history of STHs a log h… Nick Sullivan
- Re: [Trans] Providing the history of STHs a log h… Andrew Ayer
- Re: [Trans] Providing the history of STHs a log h… Nick Sullivan
- Re: [Trans] Providing the history of STHs a log h… Andrew Ayer
- Re: [Trans] Providing the history of STHs a log h… Brian Smith
- Re: [Trans] Providing the history of STHs a log h… Linus Nordberg
- Re: [Trans] Providing the history of STHs a log h… Eran Messeri
- Re: [Trans] Providing the history of STHs a log h… Andrew Ayer
- Re: [Trans] Providing the history of STHs a log h… Eran Messeri
- Re: [Trans] Providing the history of STHs a log h… Al Cutter
- Re: [Trans] Providing the history of STHs a log h… Brian Smith
- Re: [Trans] Providing the history of STHs a log h… Nick Sullivan
- Re: [Trans] Providing the history of STHs a log h… Matt Palmer
- Re: [Trans] Providing the history of STHs a log h… Brian Smith
- Re: [Trans] Providing the history of STHs a log h… Linus Nordberg