ietf
[Top] [All Lists]

Re: [therightkey] LC comments on draft-laurie-pki-sunlight-05

2013-02-16 12:23:16
Sorry for the delay but I have been thinking of CT and in particular the
issues of

* Latency for the CA waiting for a notary server to respond
* Business models for notary servers

As a rule open source software works really well as the marginal cost of
production is zero. Open source services tend to sux because even though
the marginal cost of a service is negligible, large numbers times
negligible adds up to big numbers. Running a DNS server for a university
department costs very little, running it for the whole university starts to
cost real money and running a registry like .com with 99.9999% reliability
ends up with $100 million hardware costs.

So the idea that I plug my business into a network of notary servers being
run by amateurs or as a community service is a non-starter for me. We have
to align the responsibility for running any server that the CA has a
critical dependency on with a business model.

Looking at the CT proposal, it seems to me that we could fix the business
model issue and remove a lot of the CA operational issues as follows:

1) Each browser provider that is interested in enforcing a CT requirement
stands up a meta-notary server.

2) Each CA runs their own notary server and this is the only resource that
needs to have a check in at certificate issue.

3) Each CA notary server checkpoints to one or more meta-notary servers
every 60 minutes. As part of the check in process it uploads the whole
information for all the certificates issued in that time interval.

4) Meta-Notaries deliver tokens that assert that the CA notaries are
current every 60 minutes. Note here that 'current' is according to the
criteria set by the meta notary. This is an intentional piece of 'slop' in
the system.

5) The OCSP tokens delivered by the CA contain the information necessary to
checkpoint the certificate to the Meta-Notaries.

6) A browser enforcing CT disclosure pulls a list of anchor points from its
chosen meta-notary every 60 minutes and uses them to validate the CT
assertions delivered in certs.


The 'slop' introduced at the meta-notary can of course be removed if we
want to ensure that the system is robust even if there is a collusion
between the CA and the meta-notary. But since the whole point of the scheme
is transparency, the meta-notary operation can be audited by third parties
in any event.
<Prev in Thread] Current Thread [Next in Thread>