Re: [Trans] Ticket 170

Linus Nordberg <> Wed, 10 May 2017 12:51 UTC

From: Linus Nordberg <>
To: Eran Messeri <>
Organization: Sunet
Date: Wed, 10 May 2017 14:51:05 +0200
In-Reply-To: <> (Eran Messeri's message of "Wed, 10 May 2017 11:44:14 +0100")
Subject: Re: [Trans] Ticket 170
List-Id: Public Notary Transparency working group discussion list <>

Eran Messeri <> wrote
Wed, 10 May 2017 11:44:14 +0100:

> However, compromise of any of those security domains (either in the form of
> stealing key material or compelling signing of arbitrary SCTs / STHs) would
> create a breach of compliance with the Merkle Tree properties required in
> 6962-bis:
> * If a rogue SCT is issued, it will fail auditing - the log will not be
> able to produce an inclusion proof to any STH.
> * If a rogue STH is issued, it will fail consistency checking - the log
> will not be able to produce a consistency proof to other STHs.
> * If a rogue SCT and STH are issued, then the rogue STH will fail
> consistency checking.
> Both kinds of failure are equally bad as far as 6962-bis is concerned:
> Because of the tight coupling between SCT and STH signatures, I don't see
> the value of using a separate key for each.

I've so far been thinking of a misissued SCT as a less severe breach of
log compliance. SCTs are silly creatures anyway and we'll have to
dispose of them ASAP, aight? That's probably not correct.

An adversary who can continuously produce SCTs wouldn't even have
trouble fooling TLS clients which refused to accept an SCT with a
timestamp older than now() - MMD. Which leaves us with an even smaller
class of attacks.

I withdraw my support for separate keys for signing SCTs and STHs and
will update #170 to reflect this. Thanks for your patience.
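The auditing and consistency checks the quoted message relies on, written out as an added example (not code from the thread, nor from any CT log or client implementation): an in-memory RFC 6962 Merkle tree over constructed sample entries, with the RFC 6962-bis inclusion- and consistency-proof verification algorithms. It shows that an SCT for an entry the log never incorporated cannot be made to verify against any STH, and that an STH over a tree that rewrites an earlier entry fails consistency checking against the earlier STH whichever tree the path is computed from. Function names and sample entries are this example's own.

```python
# Added example: RFC 6962 Merkle tree hashing with inclusion/consistency
# proofs, used to illustrate why a rogue SCT or STH fails the checks the
# thread describes. Entries are constructed placeholders, not real certs.
import hashlib
from typing import List, Tuple


def hash_leaf(entry: bytes) -> bytes:
    """RFC 6962 leaf hash: SHA-256(0x00 || entry)."""
    return hashlib.sha256(b"\x00" + entry).digest()


def hash_node(left: bytes, right: bytes) -> bytes:
    """RFC 6962 interior node hash: SHA-256(0x01 || left || right)."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def split_point(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_tree_hash(entries: List[bytes]) -> bytes:
    """MTH(D[n]), RFC 6962 section 2.1."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return hash_leaf(entries[0])
    k = split_point(n)
    return hash_node(merkle_tree_hash(entries[:k]), merkle_tree_hash(entries[k:]))


def inclusion_path(m: int, entries: List[bytes]) -> List[bytes]:
    """PATH(m, D[n]): audit path for leaf m, RFC 6962 section 2.1.1."""
    n = len(entries)
    if n == 1:
        return []
    k = split_point(n)
    if m < k:
        return inclusion_path(m, entries[:k]) + [merkle_tree_hash(entries[k:])]
    return inclusion_path(m - k, entries[k:]) + [merkle_tree_hash(entries[:k])]


def consistency_path(m: int, entries: List[bytes]) -> List[bytes]:
    """PROOF(m, D[n]): consistency proof from size m to n, RFC 6962 section 2.1.2."""
    def subproof(m: int, d: List[bytes], b: bool) -> List[bytes]:
        if m == len(d):
            return [] if b else [merkle_tree_hash(d)]
        k = split_point(len(d))
        if m <= k:
            return subproof(m, d[:k], b) + [merkle_tree_hash(d[k:])]
        return subproof(m - k, d[k:], False) + [merkle_tree_hash(d[:k])]
    return subproof(m, entries, True)


def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     path: List[bytes], root: bytes) -> bool:
    """Inclusion-proof verification as specified in RFC 6962-bis."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = hash_leaf(entry)
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = hash_node(p, r)
            while not (fn & 1) and fn != 0:  # skip levels where we are a lone right sibling
                fn >>= 1
                sn >>= 1
        else:
            r = hash_node(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def verify_consistency(first: int, second: int, path: List[bytes],
                       first_root: bytes, second_root: bytes) -> bool:
    """Consistency-proof verification as specified in RFC 6962-bis."""
    if first < 1 or first > second:
        return False
    if first == second:               # trivial case: same tree, no path needed
        return not path and first_root == second_root
    if not path:
        return False
    path = list(path)
    if first & (first - 1) == 0:      # first is an exact power of two
        path = [first_root] + path
    fn, sn = first - 1, second - 1
    while fn & 1:
        fn >>= 1
        sn >>= 1
    fr = sr = path[0]
    for c in path[1:]:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            fr = hash_node(c, fr)
            sr = hash_node(c, sr)
            while not (fn & 1) and fn != 0:
                fn >>= 1
                sn >>= 1
        else:
            sr = hash_node(sr, c)
        fn >>= 1
        sn >>= 1
    return fr == first_root and sr == second_root and sn == 0


def demo() -> Tuple[bool, bool, bool, bool]:
    """Honest proofs verify; a rogue SCT and a rogue STH do not."""
    entries = [f"cert-{i}".encode() for i in range(5)]   # constructed sample log
    sth3, sth5 = merkle_tree_hash(entries[:3]), merkle_tree_hash(entries)
    honest = verify_inclusion(entries[1], 1, 5, inclusion_path(1, entries), sth5)
    consistent = verify_consistency(3, 5, consistency_path(3, entries), sth3, sth5)
    # Rogue SCT: a promise for an entry never incorporated. No audit path the
    # log can hand out verifies it against the honest STH.
    rogue_entry = b"cert-never-logged"
    rogue_sct_fails = not any(
        verify_inclusion(rogue_entry, i, 5, inclusion_path(i, entries), sth5)
        for i in range(5))
    # Rogue STH: root of a tree that rewrote entry 1. Neither the honest path
    # nor a path computed from the forked tree links it to the size-3 STH.
    forked = entries[:1] + [b"cert-substituted"] + entries[2:]
    rogue_sth = merkle_tree_hash(forked)
    rogue_sth_fails = (
        not verify_consistency(3, 5, consistency_path(3, entries), sth3, rogue_sth)
        and not verify_consistency(3, 5, consistency_path(3, forked), sth3, rogue_sth))
    return honest, consistent, rogue_sct_fails, rogue_sth_fails


if __name__ == "__main__":
    print(demo())
```

The point the example makes concrete is the one the thread settles on: the SCT and STH signatures are coupled through the tree, so a rogue SCT is caught by inclusion verification and a rogue STH by consistency verification, regardless of which key signed them. What this does not catch is an STH over a tree that honestly extends the old one with different entries (a split view); that is the case gossip between clients and auditors exists for.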