Re: [Trans] Write-up of the "Strict CT" variant
Eran Messeri <eranm@google.com> Tue, 23 May 2017 13:43 UTC
Return-Path: <eranm@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E216B129B31 for <trans@ietfa.amsl.com>; Tue, 23 May 2017 06:43:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KBNUvDUC-nJV for <trans@ietfa.amsl.com>; Tue, 23 May 2017 06:43:41 -0700 (PDT)
Received: from mail-io0-x236.google.com (mail-io0-x236.google.com [IPv6:2607:f8b0:4001:c06::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F168F129AAA for <trans@ietf.org>; Tue, 23 May 2017 06:43:40 -0700 (PDT)
Received: by mail-io0-x236.google.com with SMTP id o12so97602988iod.3 for <trans@ietf.org>; Tue, 23 May 2017 06:43:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=JOcXXIZoovU25BH8TcIb76NZtPAXkZS9oW9GShqvYeE=; b=mnDX3CkrfQhp15KrThikA7RHYfjGoK21qIFGguopp7W72geHgl/aSrAT5XtUXLhIXJ 4pyYLKORfjg+3mMCiHqlVPrmdaVMA6iB6sEwGnpBbuJOPoa60Vf4klN7+CP1M5E85JuS I9DBGIrLvvv9oqiBMs2mGUma5zj735v+Y3w2sRWuZs0ltZt7clDKtxdvRgxf4xYzw3X7 BLB8NrAYq/rb+Lq2TQClEauK3PuN4M0J9MFY/qFagTNyVbOq/5UCXBnrZB0S11kzG5lV OOUOf9+bLs8B+UysZ+ESRrJykln1ptI5rr9vmmVlanwqbP1WbEWkgSC23fJYdsksXK+v 0+kA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=JOcXXIZoovU25BH8TcIb76NZtPAXkZS9oW9GShqvYeE=; b=PzO7TML99yiNh6/dAtLY3EhBb1KVqv6klnA4zf4GEOJ6K54y9PchuoyMcmi7waxjCt Tzm0+JPLHISP+sH01g+5ZujAJOb+P8Xz5DMB0hI3/IpK3lD/2CbtDL+4zp+mzgMyVCsh E/Ks/5umGumaK76mCpw7JOkzLwBaTsRod2OmJm7ZVd3E7a1Vu0uFwVLTAURJUvIizexr t/twsO4dTt2xrebe0vPj2me4C4sqqZTcy2pl5GhhiIGqJT39w73c+Jle3nF11OAkd3su 8XlUqPap4B/ocV80kJUYtcLYy4IVyjZ9D0EJLT0PeOabVBjHpUr2k2yloJmNk+LX+5pR 4aPw==
X-Gm-Message-State: AODbwcBOt/1s9XAgVra9a4BfIhd+ftzbIRZAoXqS7udoUXQbUP1V8xwT zyCuZcmXr7ucql01509U/tfOOM3sDaZKBbo=
X-Received: by 10.107.128.98 with SMTP id b95mr25817422iod.25.1495547019915; Tue, 23 May 2017 06:43:39 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.129.6 with HTTP; Tue, 23 May 2017 06:43:09 -0700 (PDT)
In-Reply-To: <CAErg=HHLVyTS=PxbUWsNQpzkc+S4SS9t5Bz3KHm1oFmJiyf+dg@mail.gmail.com>
References: <CALzYgEeUCmj4BgY7uKdMnsvTcbvfAunquuqHxD7FxuzZxY1=Fg@mail.gmail.com> <CAErg=HHLVyTS=PxbUWsNQpzkc+S4SS9t5Bz3KHm1oFmJiyf+dg@mail.gmail.com>
From: Eran Messeri <eranm@google.com>
Date: Tue, 23 May 2017 14:43:09 +0100
Message-ID: <CALzYgEfkatrhUi_vVkc3P55yd0-82OkaZcv7Sx7RytKvh4G7KA@mail.gmail.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
Cc: "trans@ietf.org" <trans@ietf.org>
Content-Type: multipart/alternative; boundary="001a113dfdaede7b4d0550312c6b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/yCMROBQAf8ClHqFEpeUac2_ybrU>
Subject: Re: [Trans] Write-up of the "Strict CT" variant
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 May 2017 13:43:44 -0000
On Tue, May 23, 2017 at 2:20 PM, Ryan Sleevi <ryan-ietf@sleevi.com> wrote: > > > On Tue, May 23, 2017 at 8:42 AM, Eran Messeri <eranm@google.com> wrote: > >> Below is a write up of the “Strict CT” variant, based on Mozilla’s >> suggestion. >> The goal of this write-up is to serve as a foundation for a document that >> will describe the deployment of CT needed to operate with stronger >> guarantees for TLS clients, as well as the protocol extensions necessary to >> deploy it. >> >> *Goal*: Provide TLS clients with proof of inclusion to a tree state they >> already know (save clients the need to audit logs themselves). >> >> *Overview*: >> >> - UA vendor ("auditor") periodically collects an STH (denoted >> "official" STH [1]) from each log, distributes it to its UAs ("clients"). >> Clients are expected to cache all STHs. >> - CA/Site Owner ("submitter") submits (pre)certificate to the log, >> gets SCT [2]. >> - Submitter waits until the next official STH that includes the >> certificate, gets an inclusion proof to be served alongside the certificate >> + SCT. >> - In the TLS handshake, clients get certificate + SCT + inclusion >> proof to an official STH they know about [5]. >> >> >> The purpose of the UA vendor sending down the official STH is to provide >> third-party verification of the consensus. >> The purpose of the submitter bundling the STH + inclusion proof is to >> avoid the client having to retrieve it via some other protocol >> >> >> Options for dealing with the delayed usability of certificates: >> >> - Submitter waits until an inclusion proof to an “official” STH >> becomes available, only starts serving that certificate then (could take up >> to 2 x MMD - two days, typically). >> - The CA could wait until the proof becomes available and only >> issue the final certificate then - delay issuance by up to MMD. >> - The requester could get the certificate immediately but only >> start using it once it’s able to obtain an inclusion proof to an official >> STH [3]. >> - Certificate is used immediately, only with SCT: Clients accept >> certificates only with SCTs for a limited duration; after that an inclusion >> proof must be accompanied [4]. >> - Opt-in: servers requires presence of proofs via header / X.509 >> extension [6]. >> - Certificate is used after the client can fetch an inclusion proof >> and an STH the log has produced; if it’s an unknown STH the client sends it >> to the auditor for reconciliation. >> >> >> Footnotes: >> >> [1] The "official" STH does not have to be explicitly marked: Assuming >> daily STH push cycle, a log could mint one marked STH every day, to be >> distributed to clients. Alternatively, if STH issuance frequency (which >> 6962-bis requires specifying) is not too high (e.g. hourly) then the >> "official" STH could be the first one issued after midnight UTC >> (synchronizing on the clock). >> > > Note: A 'daily' cycle is a generous assumption. While this captures > publication, it does not measure client update. For example, it presumes > the UA is awake and listening and able to receive such an update, but in > situations of mobile devices, weekend home devices, etc, this doesn't hold. > I agree, this is a major concern and I haven't yet heard a proposal how to address it. > > >> [2] An intermediate improvement is to return, rather than just SCT, the >> SCT + STH issued immediately afterwards (~seconds) + inclusion proof to >> that STH. Effectively, this would rid of SCTs - the STHs issued that way >> will have the same privacy properties of SCTs, but it will simplify the >> system by removing the requirement to deal with inclusion proofs, only >> consistency proofs (clients would still have to know how to check an >> inclusion proof to those intermediate STHs, but not have to fetch them). >> If this variant can be successfully deployed using 6962-bis, in >> 6962-bis-bis we could get rid of SCTs completely. >> >> [3] The web server only has to do this once for each new certificate >> since clients are expected to cache all STHs indefinitely. >> > > Was this part of Mozilla's proposal? I probably misunderstood, but this > would seem to be an effective non-starter. Indefinite, unbounded caching, > on billions of clients of a variety of form factors, doesn't really seem > like a solution at all :) > As far as I understand, it was. Old STHs can be disposed of: if for example, clients knew that the log that issued them only admits certificates that are valid for at most a year, then STHs that are more than a year older are not going to be received anymore. > > >> [4] That requires auditing logs asynchronously, since an attacker with >> persistent access could keep getting new SCTs issued, or some clients may >> not have fresh STHs because they missed some updates. >> >> [5] There will be a time period where a submitter serves an official STH >> that the client doesn’t yet know about because it wasn’t distributed, or >> received, yet. Clients could send these for reconciliation, or the >> submitter required to not serve it yet until it was distributed to clients. >> >> [6] In theory, a new certificate, with the inclusion proof embedded, >> could be issued - but it may run afoul of the restriction on issuing >> different certificates with the same serial number. >> > > Isn't that the whole reason 6962-bis moved to the (terrible) CMS > structure? :) That CAs were concerned that precerts & certs constituted two > logically distinct X.509 certificates? If that was to be introduced, it > would make sense to simply return to the critical extension, since we'd > have lost the main argument for using CMS :) > Yes :( I mention that as an unlikely option. I'd like to return to the critical extension too, the main concern brought against it (AFAIK) is some TLS libraries that would accept precerts as valid X.509 certificates. > > _______________________________________________ > Trans mailing list > Trans@ietf.org > https://www.ietf.org/mailman/listinfo/trans > >
- [Trans] Write-up of the "Strict CT" variant Eran Messeri
- Re: [Trans] Write-up of the "Strict CT" variant Ryan Sleevi
- Re: [Trans] Write-up of the "Strict CT" variant Ryan Sleevi
- Re: [Trans] Write-up of the "Strict CT" variant Eran Messeri
- Re: [Trans] Write-up of the "Strict CT" variant Eran Messeri
- Re: [Trans] Write-up of the "Strict CT" variant Ryan Sleevi
- Re: [Trans] Write-up of the "Strict CT" variant Andrew Ayer
- Re: [Trans] Write-up of the "Strict CT" variant Andrew Ayer
- Re: [Trans] Write-up of the "Strict CT" variant Magnus Ahltorp
- Re: [Trans] Write-up of the "Strict CT" variant Tom Ritter
- Re: [Trans] Write-up of the "Strict CT" variant Filippo Valsorda
- Re: [Trans] Write-up of the "Strict CT" variant Jacob Hoffman-Andrews
- Re: [Trans] Write-up of the "Strict CT" variant Magnus Ahltorp
- Re: [Trans] Write-up of the "Strict CT" variant Ryan Sleevi
- Re: [Trans] Write-up of the "Strict CT" variant Magnus Ahltorp
- Re: [Trans] Write-up of the "Strict CT" variant Ryan Sleevi
- Re: [Trans] Write-up of the "Strict CT" variant Magnus Ahltorp
- Re: [Trans] Write-up of the "Strict CT" variant Ryan Sleevi
- Re: [Trans] Write-up of the "Strict CT" variant Phillip Hallam-Baker
- Re: [Trans] Write-up of the "Strict CT" variant Watson Ladd