On 2016-11-08 11:05, Gervase Markham wrote:
> On 07/11/16 17:25, Ryan Sleevi wrote:
>> Yes. An 'evil log' can provide a divided split-view, targeting only
>> an affected number of users. Unless that SCT was observed, and
>> reported (via Gossip or some other means of exfiltration), that split
>> view would not be detected.
>
> So it is therefore important not just that the client which receives the
> SCT checks it against an STH it can observe, but that it is reported
> elsewhere for others to check? Or that a client has a method of fetching
> inclusion proofs that were "observed" from elsewhere?

From what I understand, if the clients verify the SCTs to be included
in some STHs, we want to be sure that other people also see those STHs
to be able to detect a split view. If the clients don't verify the
SCTs to be included in an STH, we want to be able to get the SCTs it
sees to see that they end up in an STH within the merge delay.
Kurt
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy