Re: [Acme] Signature misuse vulnerability in draft-barnes-acme-04

Phillip Hallam-Baker <phill@hallambaker.com> Thu, 13 August 2015 22:11 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8D981B3B7A for <acme@ietfa.amsl.com>; Thu, 13 Aug 2015 15:11:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c2zIGReIzBOD for <acme@ietfa.amsl.com>; Thu, 13 Aug 2015 15:11:31 -0700 (PDT)
Received: from mail-la0-x243.google.com (mail-la0-x243.google.com [IPv6:2a00:1450:4010:c03::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01F811B3B79 for <acme@ietf.org>; Thu, 13 Aug 2015 15:11:31 -0700 (PDT)
Received: by labd1 with SMTP id d1so3206725lab.3 for <acme@ietf.org>; Thu, 13 Aug 2015 15:11:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=3CexQESOUtYozTcFkXJO1zoj1Q1qjXvhQqaRfpsJzsA=; b=YitJoIQdY5bOUHklxsQlX4+Hh3T4HqUXWP2wazsbnkDJvamzYBtHQXeoH+hWkkn3rv iT3/g7UXe206sYMX7YXExrjUHO9hkZ+AfhkFRIGQkIvfsTMrGvHYwQ3p0KjeOg9cezWx Dm+vvId1oPUN/81naTPVWt9yXpqgf1p2UAEBU7y/s1V97lqET5MsAyMzeXor+VQWLdNs F6pyRkMN/C6sc5RMhdkwLYwGbgwlQ7a7JrACaiqgDWOMlCo1/0Sfyrvrr+bq9CDxp0L2 Qk22JuFo3vC+NPXoRI0zlORj12bHnxzLlyS/2P1KJy2ggiy38Z44MAtlB5cp+1FqWMmE 5fFg==
MIME-Version: 1.0
X-Received: by 10.112.24.195 with SMTP id w3mr39663547lbf.58.1439503889431; Thu, 13 Aug 2015 15:11:29 -0700 (PDT)
Sender: hallam@gmail.com
Received: by 10.112.203.163 with HTTP; Thu, 13 Aug 2015 15:11:29 -0700 (PDT)
In-Reply-To: <CAHOTMVJiySnM1_st0vW2RE9XJ+Ejn0KNDD0o8BFJwJfhamU3JA@mail.gmail.com>
References: <20150811085205.bbcd37b3b0bb0482f6522b1a@andrewayer.name> <CAL02cgRf2M0Gkqymif-=rmNG0v9hhaMC2SBiXf-n5aYiRKBnmQ@mail.gmail.com> <20150812160405.b824b673ad9b139a4fd9446f@andrewayer.name> <CAL02cgReCTMZ+ECiZVtv2=sNDng3mvEmGv4w6V_REbZ6xf75dw@mail.gmail.com> <55CC6BEC.6050706@cs.tcd.ie> <CAMm+Lwi4Y5J2w2TB=n78KQnRvS7f171k8rUjcD3RRu5PMNPPMQ@mail.gmail.com> <20150813145155.GA7501@LK-Perkele-VII> <CAMm+LwgfD6bJYsNOKgwAG368zHU3b2_WLej0--5QCfCjW6NVAw@mail.gmail.com> <87si7n8abu.fsf@latte.josefsson.org> <CAHOTMVJiySnM1_st0vW2RE9XJ+Ejn0KNDD0o8BFJwJfhamU3JA@mail.gmail.com>
Date: Thu, 13 Aug 2015 18:11:29 -0400
X-Google-Sender-Auth: I909N-R-lDzzcyxde1xkpVt97qk
Message-ID: <CAMm+LwhF8odJ77Jh9WXAfffcYBDAwrx8jr5Y5TQ9-P=ZKeRk9g@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Tony Arcieri <bascule@gmail.com>
Content-Type: multipart/alternative; boundary=001a11c391a4fb82f0051d389d8e
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/NfpSj0yzD3rPnxtL0Fg2P-Ms0Gw>
Cc: Simon Josefsson <simon@josefsson.org>, Richard Barnes <rlb@ipv.sx>, "acme@ietf.org" <acme@ietf.org>, Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, Andrew Ayer <agwa@andrewayer.name>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [Acme] Signature misuse vulnerability in draft-barnes-acme-04
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Aug 2015 22:11:33 -0000

On Thu, Aug 13, 2015 at 3:17 PM, Tony Arcieri <bascule@gmail.com>; wrote:

> On Thu, Aug 13, 2015 at 8:41 AM, Simon Josefsson <simon@josefsson.org>;
> wrote:
>
>> This is not a good discriminator of the CFRG options -- this problem is
>> a weakness in this protocol, and should be addressed here.
>
>
> I'd agree, this is a conceptual misuse of digital signatures. While
> creating a signature algorithm resistant to this is a "neat trick" much
> like nonce reuse resistant AEAD schemes, you shouldn't design protocols
> that rely on that resistance in either case.
>

Old style crypto was to choose between a belt and braces.

New style is to take the belt and the braces and sew the pants to the
bottom of the shirt.

People need to change their attitudes. We are designing building blocks
that are going to be used by pin heads as well as geniuses. And on occasion
the genius is going to build something on a bad day. The harder it is to
screw up, the better.