IETF Logo Mail Archive

Re: [certid] Bad certificate handling

Martin Rex <mrex@sap.com> Mon, 27 September 2010 13:47 UTC

Return-Path: <mrex@sap.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3B41E3A6BAE for <certid@core3.amsl.com>; Mon, 27 Sep 2010 06:47:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.531
X-Spam-Level:
X-Spam-Status: No, score=-8.531 tagged_above=-999 required=5 tests=[AWL=-0.882, BAYES_50=0.001, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XL33h4zTyCNb for <certid@core3.amsl.com>; Mon, 27 Sep 2010 06:47:51 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by core3.amsl.com (Postfix) with ESMTP id 7FF8A3A6AFF for <certid@ietf.org>; Mon, 27 Sep 2010 06:47:49 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id o8RDmR0n021653 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 27 Sep 2010 15:48:27 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201009271348.o8RDmQSj010536@fs4113.wdf.sap.corp>
To: matt@mattmccutchen.net (Matt McCutchen)
Date: Mon, 27 Sep 2010 15:48:26 +0200 (MEST)
In-Reply-To: <1285514468.2673.8.camel@mattlaptop2.local> from "Matt McCutchen" at Sep 26, 10 11:21:08 am
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal07
X-SAP: out
Cc: certid@ietf.org
Subject: Re: [certid] Bad certificate handling
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Sep 2010 13:47:52 -0000

Matt McCutchen wrote:
> 
> On Sat, 2010-09-25 at 02:22 +0200, Martin Rex wrote:
> > Section 5.1.4 here:
> > 
> >     http://www.w3.org/TR/wsc-ui/#selfsignedcerts
> > 
> > is much closer what I this would be useful and sensible.
> > 
> > "Pinning" of certs is useful for both, certs that validate fine
> > and certs that do not validate for the two reasons "not trusted"
> > and "server-id-mismatch".
> 
> Once again
> (http://www.ietf.org/mail-archive/web/certid/current/msg00338.html), the
> purpose of pinning is to make it possible to connect to servers with
> unverifiable certificates, not to replace the public-CA trust model,
> which is much more difficult to do properly.  The definition of
> "strongly TLS-protected" (http://www.w3.org/TR/wsc-ui/#def-strong-tls)
> includes validated certificates regardless of whether there is a pinned
> certificate.

"Pinning" Certs is extremely sensible, especially for TOR exit nodes.
Getting a server cert issued from any one of the ~100 pre-trusted CAs
without being rightful owner of a domain is an effort to which you
can likely attach an average price tag.  Find out the procedures
of the CA and determine which is the most cost effective mix of
deceiving about real owner ship and bribe that will achieve the
objective.  Governmental agencies might have additional means of
persuaions to get server certs issued for domains that they do not
own.  Think about wikileaks.


Therefore having server-id-check unconditionally and silently override
"pinned" server certs with server-certs that chain to one of the ~100
trust anchors preconfigured by the software supplier is a significant
security problem.

-Martin

v2.8.7 | Report a Bug | By Email