[Anima] evaluation of pinned-domain-cert equality in BRSKI
Michael Richardson <mcr+ietf@sandelman.ca> Thu, 25 April 2019 22:16 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30801120343 for <anima@ietfa.amsl.com>; Thu, 25 Apr 2019 15:16:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1CceWSEEhETV for <anima@ietfa.amsl.com>; Thu, 25 Apr 2019 15:16:29 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1222E1200F8 for <anima@ietf.org>; Thu, 25 Apr 2019 15:16:28 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 0F06F3826C for <anima@ietf.org>; Thu, 25 Apr 2019 18:16:08 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id 27F4A922; Thu, 25 Apr 2019 18:16:26 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 259A06D9 for <anima@ietf.org>; Thu, 25 Apr 2019 18:16:26 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: anima@ietf.org
X-Attribution: mcr
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Thu, 25 Apr 2019 18:16:26 -0400
Message-ID: <17916.1556230586@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/uXhz0j7r_HpPDuOURk3kv4FkY4c>
Subject: [Anima] evaluation of pinned-domain-cert equality in BRSKI
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Apr 2019 22:16:31 -0000
Due to a design concern my MASA looks up domain registrars by public key rather than certificate(DN). I think that I did this because of constrained voucher concerns. A test registrar resigned the certificate used for pinning, and used that as part of the BRSKI protocol. The private key was not replaced, so it had the same public key inside the certificate. The resulting voucher was pinned to the original certificate, rather than the certificate that was present. This was then rejected by the pledge because the certificate pinned was not the same as the registrar that was proximal. Before I fix the bug in the MASA such that it always pins with the certificate provided, I thought I'd ask some questions. It could be that my pledge was wrong instead. 1) how should a pledge compare pinned-domain-cert to TLS Server Certificate. a) compare Issuer + DN+subjectAltName. b) compare subjectPublicKeyInfo c) byte-wise comparison of DER encoded form. [I am doing c] 2) how should a MASA audit a voucher-request that comes from a JRC that has the same public key, but a different certificate? a) it is the same owner, if the old certificate is still valid, then keep it. b) it is the same owner, keep the new certificate on file, replacing the previous certificate c) it is the same owner, keep whichever certificate has a later notAfter. d) it is the same owner, only if the issuer+DN are the same. In which case keep the one with ... i) a newer PKIX serial number (no, ramdomized serial numbers) ii) latest notAfter iii) ??? I note that a high-availability multi-node JRC might have: a) different certificates with the same DN, and different public keys b) different certificates with the same DN, and the same public keys, because rewewal times were skewed. (They will become the same at the next sync) c) different certificates with different DNs {I note that doing Issuer+DN comparisons is difficult to get right if the Issuer public key is not easily obtained from a trusted store} Now, you might say that the pledge should never expect the TLS Server Certificate to ever differ, byte-for-byte from the pinned-domain-cert, and that would be reasonable for a completely online situation. But in the case of offline vouchers, it's entirely reasonable that the JRC has rolled it's certificate. In such a situation, either one needs (1a) or (1b) above. If we are doing (1a), then we get back to something we thought we got away from, which was pinning the CA+DN. We have underspecified this. If we go with (1b), then there are some crypto-hygiene operational considerations to consider, but I think they are probably acceptable given that vouchers can be re-issued easily. -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [Anima] evaluation of pinned-domain-cert equality… Michael Richardson
- Re: [Anima] evaluation of pinned-domain-cert equa… Fries, Steffen