On Tue, Nov 8, 2016 at 2:05 AM, Gervase Markham <[email protected]> wrote: > On 07/11/16 17:25, Ryan Sleevi wrote: >> Yes. An 'evil log' can provide a divided split-view, targeting only >> an affected number of users. Unless that SCT was observed, and >> reported (via Gossip or some other means of exfiltration), that split >> view would not be detected. > > So it is therefore important not just that the client which receives the > SCT checks it against an STH it can observe, but that it is reported > elsewhere for others to check? Or that a client has a method of fetching > inclusion proofs that were "observed" from elsewhere?
No, this isn't quite a correct understanding :) If your goal is to detect a split view, exchanging STHs, not SCTs, is sufficient. However, if you want to determine what was misissued, you need the SCTs to show that - the STHs will just show you that there's some unknown. However, exchanging STHs by itself doesn't provide any security guarantees - if you're not checking SCTs to STHs, then a log operator never has reason to lie about the STH, and can simply omit certificates without splitting STHs. However, if a client checks SCTs to STHs, they can't be sure they're not getting a split view, without also checking others' STHs. In Chrome's case, it receives a list daily from Google of the STHs that Google has observed, and then compares its SCTs against those STHs from the log. As such, the log cannot hide a split view - even if it lies about the STH to the client, it will still have to prove the STH it gave to the client against the STH Google saw. However, here still, the importance is that the client needs to send some signal indicating it's receiving a split view. This is where Gossip comes in. > Presumably this is one reason some people are suggesting Mozilla's > policy have a jurisdictional diversity requirement - to make such > coercion harder. Possibly, but I encourage you to review the past CA/Browser Forum discussions about CT, and the ct-policy list, to understand why Google intentionally removed it's "diversity" requirement as being ambiguous and unenforcable, and contributing more harm than good. For any system of diversity to be relevant, you must be able to quantify it, and you must be able to quantify it over time. As the situation with StartCom/WoSign/Qihoo showed, both Mozilla and the broader ecosystem are not well suited to continuously monitor the complex legal system of ownership, let alone nexus' of business operations. And if you can't be certain, and can't measure it, then are you actually providing value? _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
