Oak, a Free and Open Certificate Transparency Log


143 points | by dankohn1 97 days ago


  • ccjnsn 97 days ago

    Interesting model having a firm sponsor a specific part of the infrastructure. Don't think I've seen this before, reminds me of sports style sponsorships.

    Great that lets encrypt gets funding, long may it continue!

    • schoen 96 days ago

      The existing CT logs are (almost all) each run by individual companies.


      But this might be the first time that a company has sponsored a CT log without operating that log itself.

    • move-on-by 96 days ago

      Awesome! I love CT logs and use a service called Cert Spotter [0] to notify me every time a new cert is generated for one of my domains. This knocks out their Q1 goal [1], I'm very excited about their Q2 goal of Multi-Perspective Validation [2]. It will make getting a cert issued to a malicious actor via BGP hijacking much more difficult. I'm also excited about them getting a ECDSA root certificate and was bummed out when it de-prioritized from being a 2018 feature, but Multi-Perspective Validation is certainly a better priority. All this provided for free, lets encrypt is certainly one of my favorite non-profits [3].

      [0] https://sslmate.com/certspotter/

      [1] https://letsencrypt.org/upcoming-features/

      [2] https://letsencrypt.org/2018/12/31/looking-forward-to-2019.h...

      [3] https://letsencrypt.org/donate/

      • toppy 97 days ago

        Great use case for blockchain technology

        • theamk 97 days ago

          I'd say "great replacement for blockchain technology" (in some applications)

          • LeonM 97 days ago

            CT logs are already chained

            • westurner 97 days ago

              > Great use case for blockchain technology

              >> CT logs are already chained

              Trillian is a centralized Merkle tree: it doesn't support native replication (AFAIU?) and there is a still a password that can delete or recreate the chain (though we can track for any such inappropriate or errant modifications (due to e.g. solar flares) by manually replicating and verifying every entry in the chain, or trusting that everything before whatever we consider to be a known hash (that could be colliding) is unmodified (since the last time we never verified those entries)).

              According to the trillian README, trillian depends upon MySQL/MariaDB and thus internal/private replication is as good as the SQL replication model (which doesn't have a distributed consensus algorithm like e.g. paxos).

              A Merkle tree alone is not a blockchain; though it provides more assurance of data integrity than a regular tree, verifying that the whole chain of hashes actually is good and distributed replication without configuring e.g. SSL certs are primary features of blockchains.

              • skybrian 97 days ago

                There are multiple certificate issuers, multiple logs, and multiple log verifiers. With no single point of failure, that doesn't sound centralized to me?

                • westurner 97 days ago

                  Which components of the system are we discussing?

                  PKI is necessarily centralized: certs depend upon CA certs which can depend upon CA certs. If any CA is compromised (e.g. by theft or brute force (which is inestimably infeasible given current ASIC resources' preference for legit income)) that CA can sign any CRL. A CT log and a CT log verifier can help us discover that a redundant and so possibly unauthorized cert has been issued for a given domain listed in an x.509 cert CN/SAN.

                  The CT log itself - trillian, for Google and now LetsEncrypt, too - though, runs on MySQL; which has one root password.

                  The system of multiple independent, redundant CT logs is built upon databases that depend upon presumably manually configured replication keys.

                  Does my browser call a remote log verifier API over (hopefully pinned with a better fingerprint than MD5) HTTPS?

                  • skybrian 97 days ago

                    There are multiple issuers, so from an availability point of view, if one is down, you could choose another. They submit to at least two logs, so if one log is unavailable you could read the other one. This is a form of decentralization.

                    Now, from a security point of view, it only takes breaking into one issuer to issue bad certificates. But maybe classifying everything as either centralized or decentralized is too simple?

                    • westurner 97 days ago

                      Centralized and decentralized are overloaded terms. We could argue that every system that depends upon DNS is a centralized (and thus has a single point of failure).

                      We could describe replication models as centralized or decentralized. Master/master SQL replication is still not decentralized (regardless of whether there are multiple A records or multiple static IPs configured in the client).

                      With PKI, we choose the convenience of trusting a CA bundle over having to manually check every cert fingerprint.

                      Whether a particular chain is centralized or decentralized is often bandied about. When there are a few mining pools that effectively choose which changes are accepted, that's not decentralized either.

                      That there are multiple redundant independent CT logs is a good thing.

                      How do I, as a concerned user, securely download (and securely mirror?) one or all of the CT logs and verify that none of the record hashes don't depend upon the previous hash? If the browser relies upon a centralized API for checking hash fingerprints, how is that decentralized?

            • Ajedi32 97 days ago

              I'd say it's more of a tree than a chain, but yes. https://www.certificate-transparency.org/log-proofs-work

              • icebraining 97 days ago

                Blockchain is also a tree, it's just that every branch except one is (usually) abandoned rapidly.

                That said, that's just because both use Merkle trees. CT isn't a blockchain.

                • village-idiot 97 days ago

                  Its creators also make it very clear that it is not a blockchain. It’s centralized and lacks the consensus mechanism that’s a hallmark of blockchains (PoW or PoS).