Questions about log consistency


Yi Shen

Mar 30, 2021, 6:25:52 AM
to certificate-transparency
Hi,

Can anyone help me with a question regarding log consistency? (just out of academic curiosity):

Background:
  • There are multiple log servers, and the different CT logs are likely to be different.
  • For every new certificate, the CA typically inserts each new certificate in multiple logs (e.g. 5).
Question:
When the website sends the certificate information to the browser, it includes the identities of the log servers that have the new certificate. What if none of the 5 new log servers is the server the browser has previously talked to, in other words, they don't have the same old STH as the browser has? In a case like this, the server seems unlikely to provide the browser a Merkle consistency proof, or otherwise?

Sorry in advance... if my question sounds stupid 🤦

BR,
Kate

Mohammadamin Karbasforushan (Amin Karbas)

Mar 30, 2021, 10:27:50 AM
to certificate-...@googlegroups.com
Hi Kate,

The certificates served by web servers contain SCTs, each of which is from a CT log. Anyhow, as RFC6962 (section 5.2) states, TLS Clients (in this case the browser) are not direct clients of the log. As long as they see a “valid” number of “valid” SCTs in the cert (or through other means like OCSP stapling), they’ll be happy with the certificate.


Does this cover your question?

Best,
Amin


Yi Shen

Mar 30, 2021, 11:31:13 PM
to certificate-transparency
Hi Amin,

Thanks for your help. I believe you're explaining the inclusion proof, i.e. the certificate sent from the domain proves that it's in the log (that it is a valid certificate), not the Merkle consistency proof, a proof the log server sends to the browser.

Every time a log server tells a browser here's a new STH (signed tree head) for a longer log (for example, by adding new certificates as my original question describes), the browser will not accept the new STH until the log server has proved the new STH describes a suffix of the old STH, which the browser has already cached and used.

So my question is that, if the log server that contains the new certificate inserted by the CA is not the server the browser has previously talked to, in other words, they don't share the same old STH, in a case like this, the server seems unlikely to provide the browser a Merkle consistency proof, and will it be rejected by the browser?

Please see: https://research.swtch.com/tlog (Section "Verifying a Log") and https://www.youtube.com/watch?v=UKdLJ7-0iFM&list=PLrw6a1wE39_tb2fErI4-WkMbsvGQk9_UB&index=18 (second half).

Please point out if I don't make myself clear.

BR,
Kate

Mohammadamin Karbasforushan (Amin Karbas)

Mar 31, 2021, 4:00:29 AM
to certificate-...@googlegroups.com
Sure.

Browsers do not contact the logs directly. It is correct that Google verifies the correctness of the logs (i.e. they are append-only, etc. See the bit about Monitors here), but this isn’t done by client-side browsers. The “Monitors” (including Google) verify the compliance of the logs, and compliant logs are “accepted”. Then, each certificate that a Chrome browser sees is checked to see whether it contains at least a certain number of SCTs from accepted logs.

See also:
* Apple’s accepted logs — This should help.

Best,
Amin


Yi Shen

Mar 31, 2021, 4:44:59 AM
to certificate-transparency
Hi Amin,

The doc you've provided seems useful. 😊 Thanks.

I also found another article, talking about the difference between Direct Proof Fetching and “Proxied Auditing”, and I find it is relevant to what we were discussing. You may read it if it interests you: https://www.agwa.name/blog/post/how_will_certificate_transparency_logs_be_audited_in_practice

BR,
Kate
