[cabfpub] Pre-Ballot - Short-Life Certificates
benl at google.com
Mon Nov 24 06:39:29 MST 2014
On Mon Nov 24 2014 at 1:13:20 PM Sigbjørn Vik <sigbjorn at opera.com> wrote:
> On 19-Nov-14 22:04, Ben Laurie wrote:
> > On Wed Nov 19 2014 at 7:51:18 PM Sigbjørn Vik <sigbjorn at opera.com
> > <mailto:sigbjorn at opera.com>> wrote:
> > Short answer: The client needs to securely download a single recent
> > hash/timestamp combination. Most likely this would be done from a
> > server. All vendors have a lot of servers that the clients routinely
> > connect to anyway, and trust in the client implies trust in those
> > servers. Most likely the client would download the entire list from a
> > trusted server, but a single combination is all that is required.
> > This is no better than saying that the client securely downloads the
> > current time - which would not only solve the original problem, but a
> > whole bunch of others.
> Downloading the current time and a three days old hash, is functionally
> equivalent to downloading a three days old hash along with its
> timestamp, agreed :)
> If you agree that this solves the original problem, then let's just
> conclude problem solved :) This is really a deep corner case of the
> original proposal, but I am glad we could resolve it anyhow. Snipping
> any further discussions about this.
I don't agree its a deep corner case - its the core of the proposal's
Also, I can't agree that this solves the problem - in practice, clients do
not have the correct time, so we can;t conclude that they can have the
correct log head either.
> > But the problem is: suppose I (the attacker) don't care that all your
> > other connections fail?
> > More seriously: if I am the victim of such an attack (not a log fork,
> > but a rollback), how would I prove it?
> If you are given a signed copy of a log by someone, and that signed copy
> doesn't match the actual log, then you have proof to incriminate the
Not really - I show the signed copy and what I claim the actual log sent
me, only I captured that a week ago. How have I proved anything?
I did think of a way (again involving a third party) but I'm not keen on
it, because of load on the server: retrieve a signed timestamp from a third
party, send a hash of it to the log server and ask for current head +
hashed timestamp to be signed.
If the log lies, you can show the signed timestamp and the signed head +
hashed timestamp. Then we get to argue about the honesty of the timestamp
> Sigbjørn Vik
> Opera Software
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public