Log diversity requirements group at the CT policy days - session notes

Eran Messeri

Feb 23, 2017, 10:15:21 PM
to ct-p...@chromium.org

Reasons for having a log diversity requirement:

  • Who watches the watchmen?

  • Availability over time / robustness.

  • (Prevent) single point of failure.

  • Risk of poor security of operator.

  • User affinity (distribution of logs means auditing is easier)


Axes of diversity of a log:

  • Corporate operating

  • Geopolitical influence on the operator.

  • Implementation used for the log.

  • Infrastructure (including Ops people that have access to underlying infrastructure).


Options for SCT diversity (number of SCTs):

  • N: Always N SCTs.

  • Y + 1 (tied to lifetime).

  • Traffic based (Alexa top 1M sites need extra SCTs so their certs don’t stop working).

  • Geo-based (logging to logs outside an area with restricted connectivity)


Additional dimensions that can affect SCT diversity:

  • Time Of Issuance (TOI) vs. Time Of Check (TOC)

  • SCT delivery mechanism: Certs vs. TLS handshake vs. stapled OCSP response.


There was consensus that we need SCTs from diverse logs, otherwise we’ll end up with single-points-of-failure in the ecosystem.


Axes of diversity: How can you meaningfully fulfill them?


Infrastructure (Risks: compulsion, outage):

  • Quiz log operators about the infrastructure used.

  • Make judgement call about what is “similar”.

  • There’s some ability to independently verify.


Implementation (Risks: bug, exploit):

  • Quiz log operators about the software underlying the log.

    • Issue with hybrid implementations sharing some code.

  • There’s little ability to independently verify (log API has to be mostly uniform, can fingerprint to an extent).


Corporate (Risks: compulsion, incompetence):

  • UA-favouring (me + N) - doesn’t scale or kills ecosystem.

  • UA-favouring: A bucket of logs accepted/operated-by UAs, where certificates must be logged, plus some more.

    • Alternative: Small subset of operators that are extremely vetted (voluntarily disclose documents to prove they are independent of other operators).

  • General model (N): Accept claim of independence at face value, be angry if claim is proven incorrect.


Geopolitical (Risk: compulsion):

  • Corporate HQ: Independently verifiable.

  • Infrastructure location: Require operator to specify set of jurisdictions/countries.

    • Hard to completely hide.

    • There’s an incentive to hide/reduce the set of jurisdictions.

  • Which governments can compel the operator (combination of Corporate HQ + Infrastructure)


The output: a matrix of log diversity constraints.


Risks to consider in determining Axes

  • What to do about changes to any diversity axis?

  • How to detect lying and what to do when it’s uncovered?

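To show how the "matrix of log diversity constraints" and the Time Of Issuance vs. Time Of Check dimension from the notes above turn into a concrete check, here is an added example; it is not part of the session notes and not any user agent's real policy. The lifetime-to-SCT-count schedule, the "at least two distinct values per axis" rule, and the log profiles, operators and dates are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class LogProfile:
    """What a UA would record about a log along each diversity axis."""
    log_id: str
    implementation: str
    jurisdictions: frozenset   # governments able to compel this log's operator
    operator_history: tuple    # ((effective_from, operator), ...) in ascending date order

    def operator_at(self, when):
        """Operator on a given date, or None if the log did not exist yet."""
        current = None
        for effective_from, operator in self.operator_history:
            if effective_from <= when:
                current = operator
        return current


def required_sct_count(not_before, not_after):
    """Hypothetical 'Y + 1' schedule: longer-lived certs need more SCTs.
    The step values are assumptions; the notes give no numbers."""
    lifetime_days = (not_after - not_before).days
    if lifetime_days <= 180:
        return 2
    if lifetime_days <= 450:
        return 3
    return 4


def evaluate(sct_log_ids, logs, not_before, not_after, check_time, min_distinct=2):
    """Judge one certificate's SCT set against the diversity matrix at check_time.

    Returns {"ok": bool, "required": int, "findings": [str, ...]}.
    """
    findings = []
    required = required_sct_count(not_before, not_after)
    if len(sct_log_ids) < required:
        findings.append(f"lifetime needs {required} SCTs, got {len(sct_log_ids)}")

    profiles = []
    for log_id in sct_log_ids:
        if log_id not in logs:
            findings.append(f"SCT from unknown log {log_id}")
        else:
            profiles.append(logs[log_id])

    # Corporate axis, evaluated at check_time so a change of ownership shows up
    # (this is where TOI and TOC can disagree for the same SCT set).
    operators = {p.operator_at(check_time) for p in profiles} - {None}
    if len(operators) < min_distinct:
        findings.append(f"corporate axis: only {sorted(operators)} operate these logs at {check_time}")

    # Implementation axis: shared code means a shared bug.
    implementations = {p.implementation for p in profiles}
    if len(implementations) < min_distinct:
        findings.append(f"implementation axis: all SCTs come from {sorted(implementations)}")

    # Geopolitical axis: a government that can compel every log is a single point of failure.
    if profiles:
        common = frozenset.intersection(*(p.jurisdictions for p in profiles))
        if common:
            findings.append(f"geopolitical axis: {sorted(common)} can compel every log")

    return {"ok": not findings, "required": required, "findings": findings}


# Constructed sample data (not real logs, operators or transactions).
SAMPLE_LOGS = {
    "log-a": LogProfile("log-a", "trillian", frozenset({"US"}),
                        ((date(2015, 1, 1), "Alpha Corp"),)),
    # log-b changed hands on 2017-06-01: Beta GmbH handed it to Alpha Corp.
    "log-b": LogProfile("log-b", "custom-go", frozenset({"DE"}),
                        ((date(2016, 1, 1), "Beta GmbH"), (date(2017, 6, 1), "Alpha Corp"))),
}

NOT_BEFORE, NOT_AFTER = date(2017, 3, 1), date(2017, 8, 28)   # a 180-day certificate
TIME_OF_ISSUANCE = date(2017, 3, 1)
TIME_OF_CHECK = date(2017, 8, 1)


def demo():
    """The same two SCTs judged at TOI (passes) and at TOC (operator axis collapses)."""
    at_toi = evaluate(["log-a", "log-b"], SAMPLE_LOGS, NOT_BEFORE, NOT_AFTER, TIME_OF_ISSUANCE)
    at_toc = evaluate(["log-a", "log-b"], SAMPLE_LOGS, NOT_BEFORE, NOT_AFTER, TIME_OF_CHECK)
    return at_toi, at_toc


if __name__ == "__main__":
    for label, result in zip(("TOI", "TOC"), demo()):
        print(label, result)
```

The point of the two-date run is the open question at the end of the notes: a certificate that satisfied the corporate axis when it was issued stops satisfying it once one operator acquires the other's log, so a policy has to say whether diversity is judged at issuance, at check time, or both, and what to do with already-issued certificates when an axis changes.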