IETF Logo Mail Archive

Re: [Trans] [ct-policy] Re: Certificate Transparency Mirrors (experimental)

Florian MAURY <florian.maury@gmail.com> Sat, 05 November 2016 08:15 UTC

Return-Path: <florian.maury@gmail.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 166FB129566 for <trans@ietfa.amsl.com>; Sat, 5 Nov 2016 01:15:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gJmw90uA6AyB for <trans@ietfa.amsl.com>; Sat, 5 Nov 2016 01:15:23 -0700 (PDT)
Received: from mail-qk0-x22b.google.com (mail-qk0-x22b.google.com [IPv6:2607:f8b0:400d:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B81D1293E8 for <trans@ietf.org>; Sat, 5 Nov 2016 01:15:23 -0700 (PDT)
Received: by mail-qk0-x22b.google.com with SMTP id n204so113966408qke.2 for <trans@ietf.org>; Sat, 05 Nov 2016 01:15:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ouZqpVgW2pK3Y61XMcApWf87EiLlS1f1iyvubZ2tvyc=; b=lTXolnLEsEfGJD4C2araNt0LGKxORloUWt7jeT/hBpY7RsSbW545NkPWoxGbcejitP Bx7Z58r3SQ+GAciw4YwQ2vxftfFb5zpg8Y8QKjAP6KLtj8kkeokcieMs8jBt3Ky3jwE+ FTOB8Q81VTrIQx+rIUdqIO8EEwv3Z3cCpQz3gbYLZD3jOEk7G5s+raMZyDlIzzDDYY5s NiOlE2IQhJu6DSBmzGkSQ3wc5uGnW/bNgi69W5Pf6aiXHsMgqvPIUe7O/yi0H7jOIyr8 TOxzE0/tsvlA2XWO7scqcJvcaFqIRfiVwQwOcJH8y2pwPcIcKHTFukX09SxH4gaNLmHM xoIw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ouZqpVgW2pK3Y61XMcApWf87EiLlS1f1iyvubZ2tvyc=; b=YzA+XDjKFlB49yYeAM+UfT6qWj17ttMiK+XEwg3QNiea/K0EiOnFpOC6ONpYHiCudh xyD2yACMpKSFgXCTShg+JhywW+AzNz/0Dq5BEWUWLGQ0B4v+Ub3DKYVX6Yky3sbGq8qD zsBka9VZk9QFol5PTecGwUKgigJwRrUtjDEWm2o4okLmFeFhvV04kBb9Np4tTLoKyIwO R52U2LGktfIkXcvZfG/IRS5Kz3CCIRuxh0aV9Y5ssZ54D8tJB9Vk5Nh9yUXaCGuUyd9Q yzoQI6SMmT/5xb9t0MBDwattNXx2t3ZLMCt92BMOZmEcpFCIBH2fGPfetk6wzqaio8ji GTQA==
X-Gm-Message-State: ABUngveEKoBak7P00+8bbQP5EVbX2gSEGj8O6fJRelO9BwLwjH52MEuFodBtO1zmNIK5HqC3eSK/Ru0z+72GZg==
X-Received: by 10.55.16.147 with SMTP id 19mr16654355qkq.255.1478333722355; Sat, 05 Nov 2016 01:15:22 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.200.36.15 with HTTP; Sat, 5 Nov 2016 01:15:01 -0700 (PDT)
In-Reply-To: <CAKMqHLg41YkNT=N-kq6Lbtp2A4s6SD040H2cFRvDenZVbgc5_A@mail.gmail.com>
References: <CAP9QY5ZYa6_-=5-DOz3O8PJYi-48sqyBvx2XbyV+3euWKjcavQ@mail.gmail.com> <8229e7fa-9763-41b7-b08b-ce1286dcb389@chromium.org> <CAKMqHLg41YkNT=N-kq6Lbtp2A4s6SD040H2cFRvDenZVbgc5_A@mail.gmail.com>
From: Florian MAURY <florian.maury@gmail.com>
Date: Sat, 05 Nov 2016 09:15:01 +0100
Message-ID: <CAKMP+kdESqbM-DQ-9egZQzM7kgbzV=affU6uwYRHizmTJC_=hg@mail.gmail.com>
To: Pierre Phaneuf <pphaneuf@google.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/rHI5956CYTyvqfRbDBAVgUIdS5g>
X-Mailman-Approved-At: Sat, 05 Nov 2016 10:25:34 -0700
Cc: Certificate Transparency Policy <ct-policy@chromium.org>, trans@ietf.org, certificate-transparency <certificate-transparency@googlegroups.com>
Subject: Re: [Trans] [ct-policy] Re: Certificate Transparency Mirrors (experimental)
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Nov 2016 08:15:25 -0000

Hi lists,

I decided to discuss this in private with Pierre, so that we would not
spam the list. Here is a summary of our conversation. Pierre, please
feel free to comment that report, in case I missed something or if the
report is inaccurate.

Pierre statement in the previous email is accurate. One could request
a consistency proof between a subtree and the latest tree head to
check if this subtree contains corrupted data or not. This is an
efficient way to detect which entry or set of entries are invalid.
Current Google implementations (and some others) are willing to return
such proofs. It is however noteworthy that this behavior is not
required by RFC6962 and RFC69626-bis current draft. These documents
only require that logs be able to return consistency proofs between
STHs. This requirement is probably to allow precomputation to limit
abusive behavior impacts on log load. Since all subtree roots are not
necessarily STHs, the consistency checks suggested by Pierre are nice
to have but cannot be expected from all logs.

We both agreed that it would be great to have some way to find out
previous STH. I would suggest adding a tree_size optional parameter to
the v2 get-sth endpoint. If present, the returned STH would be the STH
with the greatest tree_size inferior to the tree_size parameter. I
have not given it much thoughts and this might not be a good idea.
Anyway, this is probably not the right place to discuss this.

Pierre's suggestion to use inclusion proofs to verify that a specific
entry is consistent is an excellent idea. However, if you don't know
for sure which entry or set of entries are corrupted, then we agreed
that this check method is less efficient than downloading everything
all over again.

Finally, Pierre suggested that computing the root hash from the
downloaded entries is not sufficient to ensure an entry consistency.
Indeed, downloaded data include an extra_data field that should be
checked too, by verifying the signature chain up to a trust anchor.
This is an excellent idea that I added on my TODO list. Thanks!

Cheers,
Florian

On Fri, Nov 4, 2016 at 3:28 PM, Pierre Phaneuf <pphaneuf@google.com> wrote:
> On Fri, Nov 4, 2016 at 1:42 PM, Florian M. <florian.maury@gmail.com> wrote:
>
>> if, for whatever reason, a get-entries response is corrupted, the root hash
>> will be incorrect. If the user has no access to intermediate STH, there is
>> no way to narrow down and track the corrupted get-entries result. The user
>> can only start over.
>
> That's not entirely true, there's a strategy you can use to find where
> the corruption occurred.
>
> If the root hash of the whole Merkle tree doesn't compute correctly,
> you can do a binary search for the corrupted entry, by using the
> MerkleTree::RootAtSnapshot method in the C++ implementation (for
> example) to compute the root hash of your tree at half the size, and
> do a get-sth-consistency between that tree size and the full one. If
> the proof applies correctly, then you know the entries below are good,
> and you can repeat the operation, until you isolate the tree size that
> stops validating with the consistency proof. You could then drop all
> the entries from there on and resume from there (simpler), or maybe
> just re-fetch a chunk and recompute the Merkle tree (hoping the
> corruption was localised).
>
> You can also spot check single entries using inclusion proofs.

v2.37.1 | Report a Bug | By Email | System Status