Opened 7 years ago

Closed 7 years ago

#58 closed defect (fixed)

Limit the number of STH's allowed to be published per time unit

Reported by: linus@… Owned by: draft-ietf-trans-rfc6962-bis@…
Priority: major Milestone: review
Component: rfc6962-bis Version:
Severity: - Keywords:
Cc:

Description

Logs can mount a fingerprinting attack against clients by issuing separate STH's for clients they wish to track.

This could be thwarted by the standard stipulating a maximum number of STH's that a log is allowed to issue per time unit before it is considered bad. Monitors should be able to detect if a log ignores this limitation.

A fair figure might be max one STH per hour, unless someone sees a need for a higher frequency.

Implementation-wise, you might want this to be configurable for debugging purposes.
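A sketch of the monitor-side check the description asks for, as an added example that is not part of the original ticket or of any CT implementation. The `STH` tuple, the function name, the sample values and the reading of "one per hour" as "no two distinct STHs with timestamps less than one hour apart" are assumptions made for illustration.

```python
from collections import namedtuple

# Minimal view of a Signed Tree Head as a monitor might record it.
# timestamp_ms is the STH's own timestamp, in milliseconds since the epoch.
STH = namedtuple("STH", "timestamp_ms tree_size root_hash")

HOUR_MS = 60 * 60 * 1000


def find_rate_violations(sths, max_per_window=1, window_ms=HOUR_MS):
    """Return (sth, count) for every STH that brings the number of distinct
    STHs within one window above max_per_window.

    Assumption: two STHs count against the same window when their
    timestamps are less than window_ms apart.
    """
    # The same STH served to many clients is one STH, so deduplicate first.
    # Sorting namedtuples orders them by timestamp_ms.
    distinct = sorted(set(sths))
    violations = []
    start = 0
    for end, sth in enumerate(distinct):
        # Slide the window start forward until it is within window_ms.
        while sth.timestamp_ms - distinct[start].timestamp_ms >= window_ms:
            start += 1
        count = end - start + 1
        if count > max_per_window:
            violations.append((sth, count))
    return violations


# Constructed sample observations gathered from several vantage points.
T0 = 1_400_000_000_000
SAMPLE_STHS = [
    STH(T0, 100, "aa" * 32),
    STH(T0, 100, "aa" * 32),                          # same STH seen twice
    STH(T0 + HOUR_MS, 120, "bb" * 32),
    STH(T0 + 2 * HOUR_MS, 130, "cc" * 32),
    STH(T0 + 2 * HOUR_MS + 5 * 60_000, 131, "dd" * 32),   # extra STH
    STH(T0 + 2 * HOUR_MS + 10 * 60_000, 132, "ee" * 32),  # extra STH
]

if __name__ == "__main__":
    for sth, count in find_rate_violations(SAMPLE_STHS):
        print(f"{count} distinct STHs within one hour, latest at "
              f"{sth.timestamp_ms} (tree_size={sth.tree_size})")
```

The check only sees STHs the monitor has collected, so its coverage depends on how many independent vantage points feed it.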

Change History (4)

comment:1 Changed 7 years ago by linus@…

  • Summary changed from Maximise number of STH's published per time unit to Stipulate a maximum number of STH's published per time unit

A comment from the room (Kent I believe) made it obvious that the title of this ticket was far from good. I agree. Changing it.

comment:2 Changed 7 years ago by linus@…

  • Summary changed from Stipulate a maximum number of STH's published per time unit to Limit the number of STH's allowed to be published per time unit

comment:4 Changed 7 years ago by melinda.shore@…

  • Resolution set to fixed
  • Status changed from new to closed