Eran Messeri <[email protected]> wrote Wed, 10 May 2017 11:44:14 +0100:
> However, compromise of any of those security domains (either in the form of
> stealing key material or compelling signing of arbitrary SCTs / STHs) would
> create a breach of compliance with the Merkle Tree properties required in
> 6962-bis:
> * If a rogue SCT is issued, it will fail auditing - the log will not be
> able to produce an inclusion proof to any STH.
> * If a rogue STH is issued, it will fail consistency checking - the log
> will not be able to produce a consistency proof to other STHs.
> * If a rogue SCT and STH are issued, then the rogue STH will fail
> consistency checking.
>
> Both kinds of failure are equally bad as far as 6962-bis is concerned:
> Because of the tight coupling between SCT and STH signatures, I don't see
> the value of using a separate key for each.

I've so far been thinking of a misissued SCT as a less severe breach of log compliance. SCT's are silly creatures anyway and we'll have to dispose of them ASAP, aight?

That's probably not correct. An adversary who can continuously produce SCT's wouldn't even have trouble fooling TLS clients which refused to accept an SCT with a timestamp older than now() - MMD. Which leaves us with an even smaller class of attacks.

I withdraw my support for separate keys for signing SCT's and STH's and will update #170 to reflect this.

Thanks for your patience.
