On Tue, Nov 8, 2016 at 2:05 AM, Gervase Markham <
ge...@mozilla.org> wrote:
> On 07/11/16 17:25, Ryan Sleevi wrote:
>> Yes. An 'evil log' can provide a divided split-view, targeting only
>> an affected number of users. Unless that SCT was observed, and
>> reported (via Gossip or some other means of exfiltration), that split
>> view would not be detected.
>
> So it is therefore important not just that the client which receives the
> SCT checks it against an STH it can observe, but that it is reported
> elsewhere for others to check? Or that a client has a method of fetching
> inclusion proofs that were "observed" from elsewhere?
No, this isn't quite a correct understanding :)
If your goal is to detect a split view, exchanging STHs, not SCTs, is
sufficient. However, if you want to determine what was misissued, you
need the SCTs to show that - the STHs will just show you that there's
some unknown.
However, exchanging STHs by itself doesn't provide any security
guarantees - if you're not checking SCTs to STHs, then a log operator
never has reason to lie about the STH, and can simply omit
certificates without splitting STHs. However, if a client checks SCTs
to STHs, they can't be sure they're not getting a split view, without
also checking others' STHs.
In Chrome's case, it receives a list daily from Google of the STHs
that Google has observed, and then compares its SCTs against those
STHs from the log. As such, the log cannot hide a split view - even if
it lies about the STH to the client, it will still have to prove the
STH it gave to the client against the STH Google saw. However, here
still, the importance is that the client needs to send some signal
indicating it's receiving a split view. This is where Gossip comes in.
> Presumably this is one reason some people are suggesting Mozilla's
> policy have a jurisdictional diversity requirement - to make such
> coercion harder.
Possibly, but I encourage you to review the past CA/Browser Forum
discussions about CT, and the ct-policy list, to understand why Google
intentionally removed it's "diversity" requirement as being ambiguous
and unenforcable, and contributing more harm than good.
For any system of diversity to be relevant, you must be able to
quantify it, and you must be able to quantify it over time. As the
situation with StartCom/WoSign/Qihoo showed, both Mozilla and the
broader ecosystem are not well suited to continuously monitor the
complex legal system of ownership, let alone nexus' of business
operations. And if you can't be certain, and can't measure it, then
are you actually providing value?