On Wed, Jan 18, 2017 at 12:00 PM, Salz, Rich <[email protected]> wrote:
> > One can compare three logs and if they differ you know who and where the
> > rogue is, right?
>
> Hmm.... Not unless all logs are required to have every certificate (at
> least within a given scope).
>
> Otherwise, the fact that a certificate is in log A but not log B doesn't
> tell you anything about log B.
>
> So far the Chrome policies require two or more, and the draft Moz policy
> is three or more IIRC.
>
> So for a given CA, a disagreement identifies that *one* of the logs is
> wrong, right?

It's quite sensitive to what the precise requirement is. So consider a
requirement that a site provide an SCT from N logs out of a set of M.
Without loss of generality, the site gets SCTs from L_1, L_2, ... L_N but
not L_N+1, ... L_M. The fact that the site's cert appears in L_1 but not
L_M is normal and doesn't tell you that either one of them is wrong. (This
is just the basic non-adversarial case.)

Now, consider the adversarial case, where an attacker has corrupted a CA
and N logs out of M. Similarly, they will get N SCTs from those corrupt
logs (which might not be the ones that the actual legitimate site used for
their SCTs, but the client doesn't know that [0]). And again, the lack of
an SCT from the non-corrupt log doesn't tell you anything.

Now, in the special case where N==M, then inconsistencies are meaningful,
and this is the case with Chrome's "one of the logs must be Google" policy,
but as far as I can tell that's not something that's true in the general
case.

-Ekr

[0] Modulo some sort of log pinning.
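The N-of-M reasoning above, as an added example that is not part of the thread: a small model of which logs a client can actually incriminate from what it observes, with the `mandatory` policy knob, the log names and the inclusion-audit rule (a log that signed an SCT but never included the certificate) being assumptions of the example rather than anything stated in the message.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    logs: frozenset        # the M logs the client trusts (constructed names below)
    n_required: int        # SCTs needed from N distinct trusted logs
    # Logs obliged to hold every in-scope certificate (hypothetical policy knob;
    # empty means no log is obliged, which is the plain N-of-M case).
    mandatory: frozenset = frozenset()


def compliant(policy: Policy, sct_logs: frozenset) -> bool:
    """Do the logs that signed the served SCTs satisfy the N-of-M policy?"""
    trusted = sct_logs & policy.logs
    if len(trusted) < policy.n_required:
        return False
    return not policy.mandatory or bool(trusted & policy.mandatory)


def implicated_logs(policy: Policy, sct_logs: frozenset,
                    included_in: frozenset) -> frozenset:
    """Logs a client can prove misbehaved from what it can observe.

    sct_logs:    logs whose SCTs the site served for the certificate.
    included_in: logs whose published tree actually contains the certificate.
    """
    # A log that signed an SCT but never included the certificate broke its
    # promise (standard SCT inclusion auditing, assumed here; the message
    # itself only argues about presence in one log versus another).
    broke_promise = (sct_logs & policy.logs) - included_in
    # Absence alone only incriminates a log that was obliged to hold the cert:
    # every log when N == M, otherwise only the policy-mandated logs.
    if policy.n_required == len(policy.logs):
        obliged = policy.logs
    else:
        obliged = policy.mandatory
    return frozenset(broke_promise | (obliged - included_in))


LOGS = frozenset({"L1", "L2", "L3", "L4"})   # constructed example log set, M = 4
TWO_OF_FOUR = Policy(LOGS, 2)                 # N < M: absence proves nothing
ALL_FOUR = Policy(LOGS, 4)                    # N == M: absence is meaningful
ONE_MUST_BE_L1 = Policy(LOGS, 2, frozenset({"L1"}))  # "one of the logs must be X"
```

With `TWO_OF_FOUR`, an honest site logged only in L1 and L2 and an attacker who corrupted L3 and L4 produce exactly the same observable picture, which is the point of the message; only `ALL_FOUR` or a mandated log turns a missing certificate into evidence.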
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
