[Anima] evaluation of pinned-domain-cert equality in BRSKI
Michael Richardson <mcr+ietf@sandelman.ca> Thu, 25 April 2019 22:16 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30801120343 for <anima@ietfa.amsl.com>; Thu, 25 Apr 2019 15:16:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1CceWSEEhETV for <anima@ietfa.amsl.com>; Thu, 25 Apr 2019 15:16:29 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1222E1200F8 for <anima@ietf.org>; Thu, 25 Apr 2019 15:16:28 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 0F06F3826C for <anima@ietf.org>; Thu, 25 Apr 2019 18:16:08 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id 27F4A922; Thu, 25 Apr 2019 18:16:26 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 259A06D9 for <anima@ietf.org>; Thu, 25 Apr 2019 18:16:26 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: anima@ietf.org
X-Attribution: mcr
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Thu, 25 Apr 2019 18:16:26 -0400
Message-ID: <17916.1556230586@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/uXhz0j7r_HpPDuOURk3kv4FkY4c>
Subject: [Anima] evaluation of pinned-domain-cert equality in BRSKI
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Apr 2019 22:16:31 -0000
Due to a design concern my MASA looks up domain registrars by public key rather
than certificate(DN). I think that I did this because of constrained voucher
concerns.
A test registrar resigned the certificate used for pinning, and used that as
part of the BRSKI protocol. The private key was not replaced, so it had the
same public key inside the certificate.
The resulting voucher was pinned to the original certificate, rather than the
certificate that was present. This was then rejected by the pledge because
the certificate pinned was not the same as the registrar that was proximal.
Before I fix the bug in the MASA such that it always pins with the
certificate provided, I thought I'd ask some questions. It could be that my
pledge was wrong instead.
1) how should a pledge compare pinned-domain-cert to TLS Server Certificate.
a) compare Issuer + DN+subjectAltName.
b) compare subjectPublicKeyInfo
c) byte-wise comparison of DER encoded form.
[I am doing c]
2) how should a MASA audit a voucher-request that comes from a JRC that has
the same public key, but a different certificate?
a) it is the same owner, if the old certificate is still valid, then
keep it.
b) it is the same owner, keep the new certificate on file, replacing the
previous certificate
c) it is the same owner, keep whichever certificate has a later notAfter.
d) it is the same owner, only if the issuer+DN are the same. In which
case keep the one with ...
i) a newer PKIX serial number (no, ramdomized serial numbers)
ii) latest notAfter
iii) ???
I note that a high-availability multi-node JRC might have:
a) different certificates with the same DN, and different public keys
b) different certificates with the same DN, and the same public keys,
because rewewal times were skewed. (They will become the same at the
next sync)
c) different certificates with different DNs
{I note that doing Issuer+DN comparisons is difficult to get right if the
Issuer public key is not easily obtained from a trusted store}
Now, you might say that the pledge should never expect the TLS Server
Certificate to ever differ, byte-for-byte from the pinned-domain-cert, and
that would be reasonable for a completely online situation.
But in the case of offline vouchers, it's entirely reasonable that the JRC
has rolled it's certificate. In such a situation, either one needs (1a) or
(1b) above. If we are doing (1a), then we get back to something we thought
we got away from, which was pinning the CA+DN. We have underspecified this.
If we go with (1b), then there are some crypto-hygiene operational
considerations to consider, but I think they are probably acceptable given
that vouchers can be re-issued easily.
--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
-= IPv6 IoT consulting =-
- [Anima] evaluation of pinned-domain-cert equality… Michael Richardson
- Re: [Anima] evaluation of pinned-domain-cert equa… Fries, Steffen