Re: [Acme] S/MIME and ACME: concerns about dual certificates (maybe pull the S/MIME draft back to AC
Sebastian Nielsen <sebastian@sebbe.eu> Fri, 20 November 2020 18:05 UTC
Return-Path: <sebastian@sebbe.eu>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A469E3A0D7E for <acme@ietfa.amsl.com>; Fri, 20 Nov 2020 10:05:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sebbe.eu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z4jEtzj4YA7B for <acme@ietfa.amsl.com>; Fri, 20 Nov 2020 10:05:12 -0800 (PST)
Received: from dns2.sebbe.eu (dns2.sebbe.eu [IPv6:2001:470:dff1:1:10::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 531753A0C5D for <acme@ietf.org>; Fri, 20 Nov 2020 10:05:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sebbe.eu; s=root; h=Date:To:From:cc; bh=eDxI0YJsrWf8/oPJa3Ejp1IuyqLVEcqjdyjK9TUY1jI=; b=ezkWJxrK/FnOmf4n9Y9JXEK3W81at7Ho/jRzgaRwidAadCPt/VPLUhtWNjVklbkFHEUZQt4e7y FyDolzZiF9uhWmCbPmZkEuLH6ZjrIZ7C2uqnnO4tr3r6qJpAoP/BtmjuzYJ9BhxXIkGuI/QJKGpU+ wfbbk1jCA8vp/RSVmHwI=;
Received: from localhost ([127.0.0.1] helo=sebastian-desktop) by sebbe.eu with esmtp (Exim 4_94_RC0-31-83e8da8c0-XX) (envelope-from <sebastian@sebbe.eu>) id 1kgAmS-004Kaw-Hh for acme@ietf.org; Fri, 20 Nov 2020 19:05:08 +0100
Received: from [192.168.4.100] (helo=DESKTOPVB5MBIV) by sebbe.eu with esmtpa (Exim 4_94_RC0-31-83e8da8c0-XX) (envelope-from <sebastian@sebbe.eu>) id 1kgAmS-004Kat-6J for acme@ietf.org; Fri, 20 Nov 2020 19:05:08 +0100
From: Sebastian Nielsen <sebastian@sebbe.eu>
To: 'Mailing List' <acme@ietf.org>
Message-ID: <000201d6bf67$aea56560$0bf03020$@sebbe.eu>
In-Reply-To: <af04860b-9773-c695-6244-d2651b780df1@isode.com>
References: <87y2ixafve.fsf@fifthhorseman.net> <af04860b-9773-c695-6244-d2651b780df1@isode.com>
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="----=_Part_575_1468337385.1605895508507"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQLQjxfX+U5aP6fD5zO22qOqHztpRQHWpML/p875PkA=
X-Encryption-Target: external
Date: Fri, 20 Nov 2020 19:05:08 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/p0PDZhrX_58yQoa-hhCOB1HmqTI>
Subject: Re: [Acme] S/MIME and ACME: concerns about dual certificates (maybe pull the S/MIME draft back to AC
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Nov 2020 18:05:16 -0000
The certificates can have different extended key usages, either digital signature or encryption - and thus an email client will automatically pick the right certificate. However, the reason the same key shouldn't be used for both signing and encryption, is that in textbook RSA, it exist sheninigans, where a attacker could send an snooped encrypted message, to the receiver, but blinded with a random number. (multiplied). If the receiver accidentially signs this, or if the receiver has an automated responder or holiday message, which signs messages - including the quoted message, you can run in the trick that signing the encrypted message, will decrypt it - but with the blinded random number, it will not be apparent to the receiver that he just decrypted a message. The attacker, which receives the now encrypted--blinded--siigned message, could now de-blind it and get the received message in the clear. BUT!!! This is ONLY for textbook RSA - where you sign the message raw in directly. In current SMIME protocol, you NEVER do that!!!! Normally, you sign a HASH of the message, meaning theres NO danger in having the same key for encryption and signing UNLESS an attacker could compose a message M such as hash(M) == E, where E is an encrypted message that the attacker snooped (either unblinded or blinded). But that would require some serious bruteforcing. Thus not a viable attack. Thus no danger in using the same RSA key for both signing and encryption. -----Ursprungligt meddelande----- Från: acme-bounces@ietf.org <acme-bounces@ietf.org> För Alexey Melnikov Skickat: den 20 november 2020 18:53 Till: Daniel Kahn Gillmor <dkg@fifthhorseman.net>; acme@ietf.org Ämne: Re: [Acme] S/MIME and ACME: concerns about dual certificates (maybe pull the S/MIME draft back to AC Hi DKG, On 19/11/2020 08:51, Daniel Kahn Gillmor wrote: > Over in LAMPS, we've been discussing how a given S/MIME certificate > probably shouldn't expect the same cryptographic key material to be > used for both signing and encryption. [0] > > In particular, public keys of type "EC Public Key" can be used for > digital signatures or key agreement. And a public key of type "RSA" > can be used for digital signatures or key encapsulation. ("ECDSA" and > "ECDH" key types can only be used for signing or encryption, > respectively, so maybe they aren't affected by this) > > So, an S/MIME MUA probably wants to control two distinct certificates > per e-mail account it manages: one for signing, and one for encryption. > > It's not clear to me how a MUA is expected to deal with this. > > - should the MUA run the ACME process twice, once per certificate? Yes. > if > so, how does it specify which certificate is for signing and which is > for encryption? How does the change in https://www.ietf.org/rfcdiff?url2=draft-ietf-acme-email-smime-13 look? > - If so, are we expecting the users of non-ACME MUAs to jump through > these hoops twice as well, responding to two different e-mail > prompts? I am open to suggestions, but for simplicity of implementation, I think this is acceptable. > > - If not, how does the client communicate both certificate requests to > the server at the same time? If there's a way to do that, can the > user indicate that they want different issuance parameters for the > different key usages? If you really want different parameters for different key usages, I think you are basically reenforicing my comment above that this would require 2 separate requests. > For example, maybe a sensible MUA with an automated workflow might > want to rotate their signing certificate every month (it's cheap and > easy to get a new one, and a validity period of a month on each > certificate limits the window of any particular compromise). But it > might want to request a new encryption certificate every 6 months > (and it might want the validity window for the encryption certificate > to last for a year, so that any acquaintance that receives mail from > the user will be able to reply encrypted up to a year later without > having to rediscover the user's certificate). Can/should the MUA > just indicate those preferences in the generated CSRs? if it's > embedded in the CSR, do we have rules for how a CA ought to verify > the semantics of such a request? I think in the base ACME this is already indicated in the "notAfter" field in the newOrder request. This is not conveyed in the CSR itself. > - alternately, are we comfortable with just saying that the ACME S/MIME > work doesn't actually support this dual-certificate model, and just > have the same key used for both signing and encryption? that seems > to go against NIST guidance at least, and risks introducing some kind > of cross-protocol attack. > > sorry to bring this up when the draft is already so far into the > editorial review process! > > --dkg > > [0] in Message-ID CALhKWgj=W-Yo_t=K0fCL+vsFA3ace2LfYgeTiThJqpW-UPFoPA@mail.gmail.com, > Jonathan Hammell writes: > > Section 5.2 of NIST SP 800-57-1 rev 5 forbids using a key for both > > signing and encryption and gives several reasons. Best Regards, Alexey _______________________________________________ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
- [Acme] S/MIME and ACME: concerns about dual certi… Daniel Kahn Gillmor
- Re: [Acme] S/MIME and ACME: concerns about dual c… Michael Richardson
- Re: [Acme] S/MIME and ACME: concerns about dual c… Alexey Melnikov
- Re: [Acme] S/MIME and ACME: concerns about dual c… Sebastian Nielsen
- Re: [Acme] S/MIME and ACME: concerns about dual c… Benjamin Kaduk