Emails crossed paths – I meant 6pm for the last signed head, but I’m double checking as I’m not 100% sure on that time. And you are right – since a compromised SCT can have any time it wants, only a real time check on the last known good log would be proof of a valid CT. That real time check doesn’t exist. However, there is still the multiple log requirement.
From: Alex Cohn <a...@alexcohn.com> Sent: Sunday, May 3, 2020 5:35 PM To: Jeremy Rowley <jeremy.row...@digicert.com> Cc: Mozilla <mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: CT2 log signing key compromise Thank you for the clarification. This would appear to introduce a new requirement for clients verifying SCTs from CT2: a get-proof-by-hash call to the log server (or a mirror) is now required to know if a SCT from before May 2 is valid. Do CT-enforcing clients do this in practice today? (I suspect the answer is "no" but don't know off the top of my head) Alex On Sun, May 3, 2020 at 6:27 PM Jeremy Rowley <jeremy.row...@digicert.com<mailto:jeremy.row...@digicert.com>> wrote: They would already appear in a previous tree where the head was signed by us. From: Alex Cohn <a...@alexcohn.com<mailto:a...@alexcohn.com>> Sent: Sunday, May 3, 2020 5:22 PM To: Jeremy Rowley <jeremy.row...@digicert.com<mailto:jeremy.row...@digicert.com>> Cc: Mozilla <mozilla-dev-security-pol...@lists.mozilla.org<mailto:mozilla-dev-security-pol...@lists.mozilla.org>> Subject: Re: CT2 log signing key compromise The timestamp on a SCT is fully controlled by the signer, so why should SCTs bearing a timestamp before May 2 still be considered trusted? Alex On Sun, May 3, 2020 at 6:19 PM Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org>> wrote: Hey all, The key used to sign SCTs for the CT2 log was compromised yesterday at 7pm through the Salt root bug. The remaining logs remain uncompromised and run on separate infrastructure. We discovered the compromise today and are working to turn that log into read only mode so that no new SCTs are issued. We doubt the key was used to sign anything as you'd need to know the CT build to do so. However, as a precaution, we ask that you consider all SCTs invalid if the SCT was issued from CT2 after 7pm MST on May 2nd . Please let me know what questions you have. Jeremy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org> https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
