Re: [Bimi] Problematic cert activities

Wei Chuang <weihaw@google.com> Mon, 01 April 2019 16:24 UTC

From: Wei Chuang <weihaw@google.com>
Date: Mon, 01 Apr 2019 09:23:40 -0700
Message-ID: <CAAFsWK3YS=dS-O-baBBkgh0Uww99XZ1+fg=1WmV-cJXmMBKdyQ@mail.gmail.com>
To: Dave Crocker <dcrocker@bbiw.net>
Cc: bimi@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/L2FH_uPup5XljJD7DCs5elku_TQ>
Subject: Re: [Bimi] Problematic cert activities

*From: *Dave Crocker <dcrocker@bbiw.net>
*Date: *Sun, Mar 31, 2019 at 4:33 PM
*To: *Wei Chuang

On 3/31/2019 4:18 PM, Wei Chuang wrote:
> > With regards to VMC, in theory there's a face-to-face validation step that
> > could mitigate this though that is only done on the initial request.
> > I'll have to check if subsequent certificate requests are vulnerable or
> > if other measures protect against this type of attack.
>
>
> In an unrelated, and relatively random conversation today, I had a bit
> of insight that is no doubt obvious to serious security folk but hadn't
> occurred to me:  We have the concept of 2FA, with two independent
> channels that provide validation of the requestor. But we ought to add
> the idea of two-factor confirmation.  So rather than just sending an
> email to confirm that the owner of the cited email address agrees with
> whatever the transaction is, do a second, separate confirmation -- e.g.,
> via the phone number.
>

FWIW Bill mentions registrar lock which provides a call back process 2FA
mechanism though unfortunately at extra cost.

Some CA issued certificates have a similar call back/secondary verification
mechanism.  The current CABF Web EV guidelines 11.10 calls for the CA to
verify that the certificate request was authorized.  That verification may
use phone, fax, or postal but also may involve email which in this scenario
is problematic.  As currently specced, VMC is an extension of web EV, and
is supposed to use this secondary verification process.

-Wei


>
> The set of attack behaviors described by Bill are such that I doubt this
> would have made a difference -- there were more basic holes being
> exploited -- but I suspect there is value to be had with it.
>
> The broader point is that we seem not to take a holistic approach to
> protection of infrastructure services...
>
>
> > PS Sorry for the delay in getting back to this as I was in transit.
>
> Delay?  There was a delay? ...
>
>
> d/
>
> --
> Dave Crocker
> Brandenburg InternetWorking
> bbiw.net
>