[cabfpub] Pre-Ballot - Short-Life Certificates

Ben Laurie benl at google.com
Mon Nov 24 06:39:29 MST 2014 

On Mon Nov 24 2014 at 1:13:20 PM Sigbjørn Vik <sigbjorn at opera.com> wrote:

> On 19-Nov-14 22:04, Ben Laurie wrote:
> >
> > On Wed Nov 19 2014 at 7:51:18 PM Sigbjørn Vik <sigbjorn at opera.com
> > <mailto:sigbjorn at opera.com>> wrote:
> >
> >     Short answer: The client needs to securely download a single recent
> >     hash/timestamp combination. Most likely this would be done from a
> vendor
> >     server. All vendors have a lot of servers that the clients routinely
> >     connect to anyway, and trust in the client implies trust in those
> >     servers. Most likely the client would download the entire list from a
> >     trusted server, but a single combination is all that is required.
> >
> > This is no better than saying that the client securely downloads the
> > current time - which would not only solve the original problem, but a
> > whole bunch of others.
>
> Downloading the current time and a three days old hash, is functionally
> equivalent to downloading a three days old hash along with its
> timestamp, agreed :)
>
> If you agree that this solves the original problem, then let's just
> conclude problem solved :) This is really a deep corner case of the
> original proposal, but I am glad we could resolve it anyhow. Snipping
> any further discussions about this.
>

I don't agree its a deep corner case - its the core of the proposal's
security.

Also, I can't agree that this solves the problem - in practice, clients do
not have the correct time, so we can;t conclude that they can have the
correct log head either.


>
> [snip]
>
> > But the problem is: suppose I (the attacker) don't care that all your
> > other connections fail?
> >
> > More seriously: if I am the victim of such an attack (not a log fork,
> > but a rollback), how would I prove it?
>
> If you are given a signed copy of a log by someone, and that signed copy
> doesn't match the actual log, then you have proof to incriminate the
> signer.
>

Not really - I show the signed copy and what I claim the actual log sent
me, only I captured that a week ago. How have I proved anything?

I did think of a way (again involving a third party) but I'm not keen on
it, because of load on the server: retrieve a signed timestamp from a third
party, send a hash of it to the log server and ask for current head +
hashed timestamp to be signed.

If the log lies, you can show the signed timestamp and the signed head +
hashed timestamp. Then we get to argue about the honesty of the timestamp
provider(s). :-)


> --
> Sigbjørn Vik
> Opera Software
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20141124/257dee09/attachment.html

More information about the Public mailing list