Re: [Acme] ACME or EST?
Nico Williams <nico@cryptonector.com> Wed, 26 November 2014 02:59 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA2001A86FE for <acme@ietfa.amsl.com>; Tue, 25 Nov 2014 18:59:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.034
X-Spam-Level: *
X-Spam-Status: No, score=1.034 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mFK_e-8ZTnBM for <acme@ietfa.amsl.com>; Tue, 25 Nov 2014 18:59:48 -0800 (PST)
Received: from homiemail-a86.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 563D21A1EE8 for <acme@ietf.org>; Tue, 25 Nov 2014 18:59:48 -0800 (PST)
Received: from homiemail-a86.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a86.g.dreamhost.com (Postfix) with ESMTP id 116F0360072; Tue, 25 Nov 2014 18:59:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=Ol354cPqdYzLuC W+oIQHGgMUDAk=; b=hONvJ+04vzqT/GcZYmVGv+yMHnuAcHROMhYDNxOUP4LWQJ H9rcGPrxCZfO8Ex4XHsT4DQ6ETFCogKbZAxp8aXoaF3RFxDwTco0ECabO6Gk92sV 1Yh26ppp04Dn8DM/DJaFW+ocurgcM/djtsA6pBsG27xJzYUgLSWY12oUgTbGw=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a86.g.dreamhost.com (Postfix) with ESMTPA id BC98436006D; Tue, 25 Nov 2014 18:59:47 -0800 (PST)
Date: Tue, 25 Nov 2014 20:59:47 -0600
From: Nico Williams <nico@cryptonector.com>
To: Tony Arcieri <bascule@gmail.com>
Message-ID: <20141126025945.GY3200@localhost>
References: <AD5940AA-6F01-4D0E-A4E0-19AEA56BBED3@vpnc.org> <CAL02cgTgpjQffow2XuaNuT7BtqYVttXdVUgyqBFbsAbN4g0VzQ@mail.gmail.com> <F5761985-AD8C-4CA3-9E55-D1AC33BB55E6@vpnc.org> <CAHOTMVKtbasxAMo4qrx+HkJ14+z0vyAGOJMnFvdEhyMH=nLkCQ@mail.gmail.com> <4DF92BBD-82A3-4155-A23C-44C9EF851035@vpnc.org> <CAHOTMVLJFQsKUVaZueeqx4NRtzM+a4asU14YnQPC+2LHQCtcEQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAHOTMVLJFQsKUVaZueeqx4NRtzM+a4asU14YnQPC+2LHQCtcEQ@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/Z3LPEAPKYHlrFVVT3BI1fetrjpo
Cc: acme@ietf.org
Subject: Re: [Acme] ACME or EST?
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Nov 2014 02:59:51 -0000
[Apologies for the noise.] On Tue, Nov 25, 2014 at 04:08:21PM -0800, Tony Arcieri wrote: > On Tue, Nov 25, 2014 at 4:03 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote: > > > There you go. :-) Folks who have fought with ASN.1 longer than JOSE find > > CMS's "handful of problems" already solved > > More generally, there were two severe vulnerabilities discovered this year > related to ASN.1: > > https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/meyer I don't see where that refers to anything to do with ASN.1 or BER/DER. > http://www.intelsecurity.com/resources/wp-berserk-analysis-part-1.pdf > > ASN.1 is *not* "LANGSEC-friendly". JOSE comes a lot closer. For that reason > alone, ASN.1 is inferior. ASN.1 is just syntax. *BER* is the horror, as are all tag-length-value encodings (Protocol Buffers, I'm looking at you too). ASN.1 types can be encoded by XML, and there's even JSON encoding rules proposals floating about for ASN.1. If you like XDR/NDR/... (or TLS' ad-hoc encoding) you might like ASN.1's OER. XDR and OER are siblings; XDR is the bigger brother. (I hope some of you get that awful joke.) The *nice* thing about ASN.1 is the availability of tooling -- yes, decades late, to be sure, at least for decent open source tooling, but still, it exists now. That's not nothing. Tooling is the answer to hand-coded encoder/decoder accidents. I'm curious as to what type(s) of _encoding rules_ you think is good for security. Assuming (wrongly?) a need for bags-of-bags-of- bags-of-...-of-scalars generality, I see these kinds of encodings, historically: - tag length value: BER and sisters DER and CER, Protocol Buffers, ... - with definite lengths: DER, Protocol Buffers - with indefinite lengths: CER) - textual friends of TLV: XML, JSON - fixed-sized fields everywhere possible: XDR, NDR, OER, PER, and FlatBuffers [I think]) - ad-hoc fixed-sized fields everywhere possible: IP, UDP, TCP, TLS, SSHv2, ... All of these are equivalent to each other in some way. E.g., FastInfoSet is a compact encoding of XML using OER. What types of encoding am I missing? BER/DER, XML, XDR, NDR -- all of these have had notable security vulnerabilities in decoding. I'm not sure if JSON has had any though... ...oh, wait, no, JSON _has_. Yes, even if you exclude 'Ruby', 'Rails', and 'YAML' from your search, you'll find JSON parser security bugs. Even Protocol Buffers implementations have had decoder security bugs (a brief search turns up at least one, but I bet there's been more than one). My question should really be: what types of encoding am I missing that fit the bill (bags of bags of ... stuff) and are inherently safe(r) to parse? My take is that TLV is worse for security than any other encoding because there's too much redundancy: - the 'T', which is redundant relative to the schema that generally one must know anyways), and - the lengths ('L'), which are all too easy to use without proper bounds checking. All encodings that can encode arbitrary-size data (i.e., all useful ones) will have to encode lengths internally, but TLV encodings tend to encode many more lengths than are needed. IMO, this makes a good encoding: - a schema is needed to decode/parse because tags are not used - fixed sized fields are be used wherever possible, even if it's somewhat wastful - in particular fixed-sized integer fields (in powers of two bit widths) - fixed sized lengths are used wherever lengths are needed - adjacent booleans are packed in obvious ways - optional/defaulted field absence/presence encoded as booleans early on in each struct/whatever - no sets (on the wire there's always an order in which things appear) - good docs (the ITU-T x.68x and x.69x docs are actually quite good _references_ once one gets familiar with them...) ASN.1 has a good such encoding: OER. A good syntax is one that's easy to write parsers for. A *good* reference implementation is always needed for both, the syntax and the encoding rules, because programmers always screw up (which brings us to verifiable implementations...). And that's needed in multiple programming languages, with extremely liberal licenses, they must be free in all senses, preferably verifiable, and definitely portable. No wonder these bugs keep happening... Nico PS: I'm not a fan of ASN.1 as a syntax. It works well enough as long as one sticks to base x.680, but add in the Object Information System syntax and it gets messy fast (the tiny bit of ASN.1 in RFC7030 shows this clearly). But I am a fan of its expressiveness and generality, and I prefer it over ad-hoc syntax and encodings. Also, syntax is not that important: one can always create a better equivalent. Encoding rules are forever.
- [Acme] ACME or EST? Paul Hoffman
- Re: [Acme] ACME or EST? Richard Barnes
- Re: [Acme] ACME or EST? Joe Hildebrand (jhildebr)
- Re: [Acme] ACME or EST? Richard Barnes
- Re: [Acme] ACME or EST? Nico Williams
- Re: [Acme] ACME or EST? Paul Hoffman
- Re: [Acme] ACME or EST? Tony Arcieri
- Re: [Acme] ACME or EST? Paul Hoffman
- Re: [Acme] ACME or EST? Tony Arcieri
- Re: [Acme] ACME or EST? Phillip Hallam-Baker
- Re: [Acme] ACME or EST? Michael Jenkins
- Re: [Acme] ACME or EST? Stephen Farrell
- [Acme] first order requirement - suitable as an o… Stephen Farrell
- Re: [Acme] ACME or EST? Salz, Rich
- Re: [Acme] ACME or EST? Nico Williams
- Re: [Acme] ACME or EST? Nico Williams
- Re: [Acme] ACME or EST? Randy Bush
- Re: [Acme] ACME or EST? Joe Hildebrand (jhildebr)
- Re: [Acme] ACME or EST? Stephen Farrell
- Re: [Acme] ACME or EST? Phillip Hallam-Baker
- Re: [Acme] ACME or EST? Viktor Dukhovni
- Re: [Acme] ACME or EST? Christian Huitema
- [Acme] ACME or EST? Tony Arcieri
- Re: [Acme] ACME or EST? Phillip Hallam-Baker
- Re: [Acme] ACME or EST? Christian Huitema
- [Acme] kinds of proof (was: Re: ACME or EST?) Stephen Farrell
- Re: [Acme] kinds of proof (was: Re: ACME or EST?) Phillip Hallam-Baker
- Re: [Acme] kinds of proof Stephen Farrell
- Re: [Acme] kinds of proof Salz, Rich
- Re: [Acme] kinds of proof Paul Hoffman
- Re: [Acme] kinds of proof Eric Rescorla
- Re: [Acme] ACME or EST? Eliot Lear
- Re: [Acme] kinds of proof (was: Re: ACME or EST?) Viktor Dukhovni
- Re: [Acme] kinds of proof Phillip Hallam-Baker
- Re: [Acme] kinds of proof Paul Hoffman
- Re: [Acme] kinds of proof Paul Hoffman
- Re: [Acme] ACME or EST? Nico Williams
- Re: [Acme] kinds of proof Viktor Dukhovni
- Re: [Acme] kinds of proof Paul Hoffman
- Re: [Acme] kinds of proof Nico Williams
- Re: [Acme] kinds of proof Paul Hoffman
- Re: [Acme] ACME or EST? Randy Bush
- Re: [Acme] kinds of proof Randy Bush
- Re: [Acme] ACME or EST? Richard Barnes
- Re: [Acme] ACME or EST? Randy Bush
- Re: [Acme] kinds of proof Viktor Dukhovni
- Re: [Acme] kinds of proof Paul Hoffman
- Re: [Acme] kinds of proof Viktor Dukhovni
- Re: [Acme] kinds of proof Paul Hoffman
- Re: [Acme] kinds of proof Tony Arcieri
- Re: [Acme] kinds of proof Eric Mill
- Re: [Acme] kinds of proof Randy Bush
- Re: [Acme] kinds of proof Peter Bowen
- Re: [Acme] kinds of proof Christian Huitema
- Re: [Acme] kinds of proof Viktor Dukhovni
- Re: [Acme] kinds of proof Peter Bowen
- Re: [Acme] kinds of proof Paul Hoffman
- Re: [Acme] kinds of proof Peter Bowen
- Re: [Acme] kinds of proof Paul Hoffman
- Re: [Acme] kinds of proof Phillip Hallam-Baker
- Re: [Acme] kinds of proof Trevor Freeman
- Re: [Acme] kinds of proof Randy Bush
- Re: [Acme] kinds of proof Martin Thomson