[Acme] S/MIME and ACME: concerns about dual certificates (maybe pull the S/MIME draft back to ACME WG)
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 19 November 2020 08:51 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 053DF3A1203 for <acme@ietfa.amsl.com>; Thu, 19 Nov 2020 00:51:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.306
X-Spam-Level:
X-Spam-Status: No, score=-1.306 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=dJjzPV8T; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=d0zwWJUY
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yu18OxsYRMMG for <acme@ietfa.amsl.com>; Thu, 19 Nov 2020 00:51:55 -0800 (PST)
Received: from che.mayfirst.org (unknown [162.247.75.117]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 607733A1201 for <acme@ietf.org>; Thu, 19 Nov 2020 00:51:55 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1605775914; h=from : to : subject : date : message-id : mime-version : content-type : from; bh=PW5fTtWxZfcXFzk2rs1F9VSelR0MXOg/268tHvN2uOA=; b=dJjzPV8T1iQfMDzh2DyeK7WBBaKAqPMsbkIXynEeXflKL1Fq+7pBRHw3iRh9oKFaegsDo VPbKxR6j35VdJRTCQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1605775914; h=from : to : subject : date : message-id : mime-version : content-type : from; bh=PW5fTtWxZfcXFzk2rs1F9VSelR0MXOg/268tHvN2uOA=; b=d0zwWJUYhMLhvU5YYI2ZJ0y/qya6enidkXRDF9vAdP/nvdxQMxOC0f0IVMZR8Zlphs8Vq YCwsHUPy5geUnVlbDZX1lTTnNdyAATRXS5RX1/1JcUf5ACew541/oSfilHJRaP9P04c6UYG tnNUjmvvKaU4V3axEtZhDSaNAGzZKdvAiaJnovH7ctmY9bjPqx3F9YEOCqUDdrG71rl5O0L FxUBaBO6I8B+6NjEJsqA4NKdu4x3Y9eFBNSv2s1OM9FnavvcrHgWqzsGx/DksGc2e5sTL4J /hQWlBG+mjEDo/IhPceHODB23ok9tJOn3kHHqc4GFyBmOImPv27Dc+YYYxEA==
Received: from fifthhorseman.net (unknown [IPv6:2001:470:1f07:60d:f2de:f1ff:fec3:d109]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 3CC35F9A5 for <acme@ietf.org>; Thu, 19 Nov 2020 03:51:54 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id B69CF202FA; Thu, 19 Nov 2020 03:51:50 -0500 (EST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: acme@ietf.org
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEXEK/AhYJKwYBBAHaRw8BAQdAr/gSROcn+6m8ijTN0DV9AahoHGafy52RRkhCZVwxhEe0K0Rh bmllbCBLYWhuIEdpbGxtb3IgPGRrZ0BmaWZ0aGhvcnNlbWFuLm5ldD6ImQQTFggAQQIbAQULCQgH AgYVCgkICwIEFgIDAQIeAQIXgAIZARYhBMS8Lds4zOlkhevpwvIGkReQOOXGBQJd5Hw3BQkFpJWB AAoJEPIGkReQOOXGDYEA/j0ERjPxDleKMZ2LDcWc/3o5cLFwAVzBKQHppu0Be5IWAP0aeTnyEqlp RTE7M8zugwkhYeUYfYu0BjecDUMnYz6iDLgzBF3kewUWCSsGAQQB2kcPAQEHQK1IuW0GZmcrs2mx CYMl8IHse0tMF8cP7eBNXevrlx2ZiPUEGBYIACYCGwIWIQTEvC3bOMzpZIXr6cLyBpEXkDjlxgUC XeR7TwUJAiGl/gCBdiAEGRYIAB0WIQQsv6x2UaqQJzY+dXHEDyVUMvKBDwUCXeR7BQAKCRDEDyVU MvKBD7KmAQCHs+7588C4jto6fMje0Nu97zzoppjJM7lrGF2rVnbHvwD+MgmGUbHzPSUrTWnZBQDi /QM595bxNrBA4N1CiXhs2AMJEPIGkReQOOXGpp0BAM7YeBnt/UNvxJAGm4DidSfHU7RDMWe6Tgux HrH21cDkAQC9leNFXJsQ7F2ZniRPHa8CkictcQEKPL8VCWpfe8LbArg4BF3ke5wSCisGAQQBl1UB BQEBB0Cf+EiAXtntQMf51xpqb6uZ5O0eCLAZtkg0SXHjA1JlEwMBCAeIfgQYFggAJhYhBMS8Lds4 zOlkhevpwvIGkReQOOXGBQJd5HucAhsMBQkCIaVkAAoJEPIGkReQOOXGdYcBANYnW7VyL2CncKH1 iO4Zr0IwfdIv6rai1PUHL98pVi3cAP9tMh85CKGDa0Xi/fptQH41meollLW5tLb/bEWMuUNuBQ==
Date: Thu, 19 Nov 2020 03:51:49 -0500
Message-ID: <87y2ixafve.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/F-AeJSugbvL1Drrzh96I2lHX2HE>
Subject: [Acme] S/MIME and ACME: concerns about dual certificates (maybe pull the S/MIME draft back to ACME WG)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2020 08:51:57 -0000
Over in LAMPS, we've been discussing how a given S/MIME certificate
probably shouldn't expect the same cryptographic key material to be used
for both signing and encryption. [0]
In particular, public keys of type "EC Public Key" can be used for
digital signatures or key agreement. And a public key of type "RSA" can
be used for digital signatures or key encapsulation. ("ECDSA" and
"ECDH" key types can only be used for signing or encryption,
respectively, so maybe they aren't affected by this)
So, an S/MIME MUA probably wants to control two distinct certificates
per e-mail account it manages: one for signing, and one for encryption.
It's not clear to me how a MUA is expected to deal with this.
- should the MUA run the ACME process twice, once per certificate? if
so, how does it specify which certificate is for signing and which is
for encryption?
- If so, are we expecting the users of non-ACME MUAs to jump through
these hoops twice as well, responding to two different e-mail
prompts?
- If not, how does the client communicate both certificate requests to
the server at the same time? If there's a way to do that, can the
user indicate that they want different issuance parameters for the
different key usages?
For example, maybe a sensible MUA with an automated workflow might
want to rotate their signing certificate every month (it's cheap and
easy to get a new one, and a validity period of a month on each
certificate limits the window of any particular compromise). But it
might want to request a new encryption certificate every 6 months
(and it might want the validity window for the encryption certificate
to last for a year, so that any acquaintance that receives mail from
the user will be able to reply encrypted up to a year later without
having to rediscover the user's certificate). Can/should the MUA
just indicate those preferences in the generated CSRs? if it's
embedded in the CSR, do we have rules for how a CA ought to verify
the semantics of such a request?
- alternately, are we comfortable with just saying that the ACME S/MIME
work doesn't actually support this dual-certificate model, and just
have the same key used for both signing and encryption? that seems
to go against NIST guidance at least, and risks introducing some kind
of cross-protocol attack.
sorry to bring this up when the draft is already so far into the
editorial review process!
--dkg
[0] in Message-ID CALhKWgj=W-Yo_t=K0fCL+vsFA3ace2LfYgeTiThJqpW-UPFoPA@mail.gmail.com,
Jonathan Hammell writes:
> Section 5.2 of NIST SP 800-57-1 rev 5 forbids using a key for both
> signing and encryption and gives several reasons.
- [Acme] S/MIME and ACME: concerns about dual certi… Daniel Kahn Gillmor
- Re: [Acme] S/MIME and ACME: concerns about dual c… Michael Richardson
- Re: [Acme] S/MIME and ACME: concerns about dual c… Alexey Melnikov
- Re: [Acme] S/MIME and ACME: concerns about dual c… Sebastian Nielsen
- Re: [Acme] S/MIME and ACME: concerns about dual c… Benjamin Kaduk