On 16 March 2016 at 18:34, Bryan Ford <[email protected]> wrote:
> On Mar 16, 2016, at 9:49 AM, Ben Laurie <[email protected]> wrote:
>> I do agree that these attacks can be mounted, and are in fact already
>> discussed in general in 6962 and 6962-bis (s7.3 for the latter).
>
> I don’t see a section 7.3 in draft-ietf-trans-rfc6962-bis-12, which appears
> to be the latest version; did the section numbers change recently and you’re
> referring to a different version? I would most naturally expect such issues
> to be discussed in section 12 “Security Considerations”, but see no obvious
> mention of this class of attacks anywhere in there.

Sorry, 7.3 is the relevant section in 6962. I meant 12.4!

"(2) by violating its append-only property by presenting two different,
conflicting views of the Merkle Tree at different times and/or to different
parties."

>> I have still not yet had the time to thoroughly review the threat
>> analysis document, so I can't comment on it at this time.
>
> Perhaps the WGLC shouldn’t close until at least the core CT developers such
> as you have had a chance to do that review?

WGLC for a document we don't depend on? Why not?

>> In general, it seems hard to defend against attacks that permanently
>> separate their victims from the rest of the world - and it also seems
>> hard to mount such an attack.
>
> Hard to defend: perhaps, but does that justify ignoring that entire threat
> vector space in a threat analysis document?

I have already said I am not commenting on the threat analysis document at
this time.

> And do you (still) maintain that collective signing is not a workable defence
> against precisely such attacks? If so, I’m still curious why.

This is not really a question for this group, and I have already explained
why I don't think it's a workable solution, as have others.

> Hard to mount: perhaps, but do you disagree that such an attack appears to be
> exactly what the FBI is at the moment quite explicitly threatening to perform
> against Apple (by threatening just to commandeer their signing keys and sign
> their own backdoored software update)? And that the FBI appears to be in a
> perfect position to perform such an attack secretly even against a
> CT-hardened system, if they didn’t happen to want the publicity like they
> seem to this time?

No, I don't agree that - the attack they are proposing is against a single
phone, in their possession, whose user is dead. That seems like a pretty
ideal situation for mounting an isolation attack. I also agree in advance
that CT would not defend against such a strong and narrowly targeted attack.

Since you like this example, I'd love to hear how you think collective
signing would, in detail, for this particular example.

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
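Added example, not part of this thread or of any CT implementation: a minimal RFC 6962 Merkle tree with consistency-proof generation and the client-side verification algorithm, run over constructed sample entries to show the 12.4 attack class under discussion. A log that serves two parties different, internally consistent histories passes every check either party can make alone; the fork is only exposed when STHs are compared across parties, which is exactly why an isolated victim cannot detect it. The verification procedure follows the RFC 9162 description; the entries and the "swapped" view are constructed for illustration.

```python
import hashlib
def leaf_hash(entry):        # RFC 6962: SHA-256(0x00 || entry)
    return hashlib.sha256(b"\x00" + entry).digest()
def node_hash(left, right):  # RFC 6962: SHA-256(0x01 || left || right)
    return hashlib.sha256(b"\x01" + left + right).digest()
def tree_head(leaves):       # MTH(D[n]) for n >= 1, RFC 6962 section 2.1
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = 1 << ((len(leaves) - 1).bit_length() - 1)  # largest power of two below n
    return node_hash(tree_head(leaves[:k]), tree_head(leaves[k:]))
def consistency_proof(m, leaves, full=True):  # PROOF/SUBPROOF, RFC 6962 section 2.1.2
    n = len(leaves)
    if m == n:
        return [] if full else [tree_head(leaves)]
    k = 1 << ((n - 1).bit_length() - 1)
    if m <= k:
        return consistency_proof(m, leaves[:k], full) + [tree_head(leaves[k:])]
    return consistency_proof(m - k, leaves[k:], False) + [tree_head(leaves[:k])]

def verify_consistency(m, n, old_root, new_root, path):  # client check, RFC 9162 section 2.1.4.2
    if m == n or m == 0 or m > n or not path:
        return m == n and not path and old_root == new_root
    if m & (m - 1) == 0:     # old tree is a complete subtree: its root is the first node
        path = [old_root] + path
    fn, sn = m - 1, n - 1
    while fn & 1:
        fn, sn = fn >> 1, sn >> 1
    fr = sr = path[0]
    for c in path[1:]:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            fr, sr = node_hash(c, fr), node_hash(c, sr)
            while fn and not fn & 1:
                fn, sn = fn >> 1, sn >> 1
        else:
            sr = node_hash(sr, c)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and fr == old_root and sr == new_root
def split_view_demo():
    honest = [b"cert-A", b"cert-B", b"cert-C", b"cert-D", b"cert-E"]  # constructed entries
    forked = [b"cert-A", b"cert-B-swapped"] + honest[2:]  # view served to party 2 swaps entry 1
    h3, h5 = tree_head(honest[:3]), tree_head(honest)
    f3, f5 = tree_head(forked[:3]), tree_head(forked)
    return {  # each view verifies on its own; only comparing STHs across parties exposes the fork
        "honest_ok": verify_consistency(3, 5, h3, h5, consistency_proof(3, honest)),
        "forked_ok": verify_consistency(3, 5, f3, f5, consistency_proof(3, forked)),
        "cross_ok": verify_consistency(3, 5, h3, f5, consistency_proof(3, forked)),
    }
```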
