[Trans] Write-up of the "Strict CT" variant
Eran Messeri <eranm@google.com> Tue, 23 May 2017 12:43 UTC
Return-Path: <eranm@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3024D129B2C for <trans@ietfa.amsl.com>; Tue, 23 May 2017 05:43:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.802
X-Spam-Level:
X-Spam-Status: No, score=-0.802 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZEXVpwh6OBQq for <trans@ietfa.amsl.com>; Tue, 23 May 2017 05:43:10 -0700 (PDT)
Received: from mail-it0-x235.google.com (mail-it0-x235.google.com [IPv6:2607:f8b0:4001:c0b::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20D12129B2B for <trans@ietf.org>; Tue, 23 May 2017 05:43:10 -0700 (PDT)
Received: by mail-it0-x235.google.com with SMTP id g126so18660461ith.0 for <trans@ietf.org>; Tue, 23 May 2017 05:43:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=3vH3v5gVYrSwP9rbQEjJgR8TYS4TSY3cUfBMwvvzK1E=; b=gIbDRtYEg6C3fT7PCJPGI/MpKoRJ8yvucdrVRHs90fLRWUcKoOH/LunxXYHZ8fOVCZ QITCVQAWIppiGI+cGBr4ywUW0cfD8P20cSR3cdsKTVtH6RJjTux0nwe9pMoqra0mWTIr bNvORSpRtMKbTQ5RTDvPqjdW/A+fyOdsiD7/NWmCSesGYkQbQudEjhzfO5r7q3NwaC58 12IvfgVUOlv3glsTQ9jdzTIWsnRtq7U4dsYm6SYM4/KotG+Z83fx3yoTR15OSmFuCDOa oN4jedCeiZxJSEiKyZR9XJ6yXaQm6Zaxf/b7BO3Q9xSxrmMvlckHxRazlzzCfo8zi1X/ 0bBg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=3vH3v5gVYrSwP9rbQEjJgR8TYS4TSY3cUfBMwvvzK1E=; b=j1HMipPqwTCWU73CQ+fknXmjmPMUf4N0XutNKbqR1tr8utS6Sy9+4Op1ikOXcNrDjM 3usdMQ21foUQaWnGLOaf/zengmZaevIKOpkfxU4ouwZkBPQQ069xMlF4yV+AbuylYdIs Ill+1Ya35bQQuI94kwtKYdbGVUtcD29ND2FIfUfUb/6ti/c3qlzec1DryKB3jDGMT3cr R0X4HnWo9SCU1uuRPDUsbK5/vIQDSnTp8xDbMWFri2hJqbxSRd75J6/b+NEYyyKyukR8 PUH1i5mgL4lHx/US+abdTNKiWVGcq3tV+ydq0b+9e+rvZIyCyBvFD4k+epRea2cG4xCJ 8nqQ==
X-Gm-Message-State: AODbwcAM1kySxKLA97q0KtvIz21MGD/OLyzOQPt/qcm1nOXag1MCGAPD AYr21FDXe5kyiQA+ZNEQRiGKKPuOkYWcYiB5YA==
X-Received: by 10.36.29.204 with SMTP id 195mr2482027itj.112.1495543389020; Tue, 23 May 2017 05:43:09 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.129.6 with HTTP; Tue, 23 May 2017 05:42:38 -0700 (PDT)
From: Eran Messeri <eranm@google.com>
Date: Tue, 23 May 2017 13:42:38 +0100
Message-ID: <CALzYgEeUCmj4BgY7uKdMnsvTcbvfAunquuqHxD7FxuzZxY1=Fg@mail.gmail.com>
To: "trans@ietf.org" <trans@ietf.org>
Content-Type: multipart/alternative; boundary="001a1135b76473b9a10550305459"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/tCm13jGLlwlb9oP5bB9hXc_7t7s>
Subject: [Trans] Write-up of the "Strict CT" variant
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 May 2017 12:43:12 -0000
Below is a write up of the “Strict CT” variant, based on Mozilla’s suggestion. The goal of this write-up is to serve as a foundation for a document that will describe the deployment of CT needed to operate with stronger guarantees for TLS clients, as well as the protocol extensions necessary to deploy it. *Goal*: Provide TLS clients with proof of inclusion to a tree state they already know (save clients the need to audit logs themselves). *Overview*: - UA vendor ("auditor") periodically collects an STH (denoted "official" STH [1]) from each log, distributes it to its UAs ("clients"). Clients are expected to cache all STHs. - CA/Site Owner ("submitter") submits (pre)certificate to the log, gets SCT [2]. - Submitter waits until the next official STH that includes the certificate, gets an inclusion proof to be served alongside the certificate + SCT. - In the TLS handshake, clients get certificate + SCT + inclusion proof to an official STH they know about [5]. The purpose of the UA vendor sending down the official STH is to provide third-party verification of the consensus. The purpose of the submitter bundling the STH + inclusion proof is to avoid the client having to retrieve it via some other protocol Options for dealing with the delayed usability of certificates: - Submitter waits until an inclusion proof to an “official” STH becomes available, only starts serving that certificate then (could take up to 2 x MMD - two days, typically). - The CA could wait until the proof becomes available and only issue the final certificate then - delay issuance by up to MMD. - The requester could get the certificate immediately but only start using it once it’s able to obtain an inclusion proof to an official STH [3]. - Certificate is used immediately, only with SCT: Clients accept certificates only with SCTs for a limited duration; after that an inclusion proof must be accompanied [4]. - Opt-in: servers requires presence of proofs via header / X.509 extension [6]. - Certificate is used after the client can fetch an inclusion proof and an STH the log has produced; if it’s an unknown STH the client sends it to the auditor for reconciliation. Footnotes: [1] The "official" STH does not have to be explicitly marked: Assuming daily STH push cycle, a log could mint one marked STH every day, to be distributed to clients. Alternatively, if STH issuance frequency (which 6962-bis requires specifying) is not too high (e.g. hourly) then the "official" STH could be the first one issued after midnight UTC (synchronizing on the clock). [2] An intermediate improvement is to return, rather than just SCT, the SCT + STH issued immediately afterwards (~seconds) + inclusion proof to that STH. Effectively, this would rid of SCTs - the STHs issued that way will have the same privacy properties of SCTs, but it will simplify the system by removing the requirement to deal with inclusion proofs, only consistency proofs (clients would still have to know how to check an inclusion proof to those intermediate STHs, but not have to fetch them). If this variant can be successfully deployed using 6962-bis, in 6962-bis-bis we could get rid of SCTs completely. [3] The web server only has to do this once for each new certificate since clients are expected to cache all STHs indefinitely. [4] That requires auditing logs asynchronously, since an attacker with persistent access could keep getting new SCTs issued, or some clients may not have fresh STHs because they missed some updates. [5] There will be a time period where a submitter serves an official STH that the client doesn’t yet know about because it wasn’t distributed, or received, yet. Clients could send these for reconciliation, or the submitter required to not serve it yet until it was distributed to clients. [6] In theory, a new certificate, with the inclusion proof embedded, could be issued - but it may run afoul of the restriction on issuing different certificates with the same serial number. Eran
- [Trans] Write-up of the "Strict CT" variant Eran Messeri
- Re: [Trans] Write-up of the "Strict CT" variant Ryan Sleevi
- Re: [Trans] Write-up of the "Strict CT" variant Ryan Sleevi
- Re: [Trans] Write-up of the "Strict CT" variant Eran Messeri
- Re: [Trans] Write-up of the "Strict CT" variant Eran Messeri
- Re: [Trans] Write-up of the "Strict CT" variant Ryan Sleevi
- Re: [Trans] Write-up of the "Strict CT" variant Andrew Ayer
- Re: [Trans] Write-up of the "Strict CT" variant Andrew Ayer
- Re: [Trans] Write-up of the "Strict CT" variant Magnus Ahltorp
- Re: [Trans] Write-up of the "Strict CT" variant Tom Ritter
- Re: [Trans] Write-up of the "Strict CT" variant Filippo Valsorda
- Re: [Trans] Write-up of the "Strict CT" variant Jacob Hoffman-Andrews
- Re: [Trans] Write-up of the "Strict CT" variant Magnus Ahltorp
- Re: [Trans] Write-up of the "Strict CT" variant Ryan Sleevi
- Re: [Trans] Write-up of the "Strict CT" variant Magnus Ahltorp
- Re: [Trans] Write-up of the "Strict CT" variant Ryan Sleevi
- Re: [Trans] Write-up of the "Strict CT" variant Magnus Ahltorp
- Re: [Trans] Write-up of the "Strict CT" variant Ryan Sleevi
- Re: [Trans] Write-up of the "Strict CT" variant Phillip Hallam-Baker
- Re: [Trans] Write-up of the "Strict CT" variant Watson Ladd