IETF Logo Mail Archive

Re: [certid] section 4.6 rewrite (aka: Bad certificate handling)

"Jim Schaad" <ietf@augustcellars.com> Fri, 01 October 2010 01:40 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4B7FD3A6A59 for <certid@core3.amsl.com>; Thu, 30 Sep 2010 18:40:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PvwCCnHARtxT for <certid@core3.amsl.com>; Thu, 30 Sep 2010 18:40:46 -0700 (PDT)
Received: from smtp2.pacifier.net (smtp2.pacifier.net [64.255.237.172]) by core3.amsl.com (Postfix) with ESMTP id 3BB2F3A6A76 for <certid@ietf.org>; Thu, 30 Sep 2010 18:40:46 -0700 (PDT)
Received: from TITUS (unknown [207.202.179.27]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp2.pacifier.net (Postfix) with ESMTP id 9699A6A463; Thu, 30 Sep 2010 18:41:32 -0700 (PDT)
From: "Jim Schaad" <ietf@augustcellars.com>
To: <mrex@sap.com>
References: <006b01cb605f$e2a7f9d0$a7f7ed70$@augustcellars.com> from "Jim Schaad" at Sep 29, 10 10:25:24 pm <201009302114.o8ULEqQd013861@fs4113.wdf.sap.corp>
In-Reply-To: <201009302114.o8ULEqQd013861@fs4113.wdf.sap.corp>
Date: Thu, 30 Sep 2010 18:49:16 -0700
Message-ID: <00a601cb610a$dc119c60$9434d520$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJHpX5v4DItlrruLr6jcOadSCXOmpIyxvhQ
Content-Language: en-us
Cc: certid@ietf.org
Subject: Re: [certid] section 4.6 rewrite (aka: Bad certificate handling)
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Oct 2010 01:40:49 -0000

> -----Original Message-----
> From: Martin Rex [mailto:mrex@sap.com]
> Sent: Thursday, September 30, 2010 2:15 PM
> To: Jim Schaad
> Cc: matt@mattmccutchen.net; stpeter@stpeter.im; certid@ietf.org
> Subject: Re: [certid] section 4.6 rewrite (aka: Bad certificate handling)
> 
> Jim Schaad wrote:
> >
> > If there is only one possible certification path then there is no
> > difference between caching just the EE certificate and caching the
> > entire chain.  However in the event that multiple certificate paths
> > are possible there may be a difference in behavior.
> 
> Nope, not for what is specified in server-id-check.
> 
> At most, the client would have to memorize along with the server cert
whether
> regular certificate path validation worked for this cached cert.
> Any changes to the path (above the server cert) will either make the cert
path
> validation fail or be security-irrelevant--entirely without caching and
> comparing chain certs above the cached/pinned server cert.

There is no need to remember that path validation has passed or failed - by
definition it has passed or you would never even get here.  The document
does not "permit" the case of using a certificate if path validation has
failed.

> 
> When the caching/pinning of the server certs is done for untrusted server
certs,
> then the trust relationship is defined only based on the server cert and
> certificate path validation can not be performed due to a lack of trust,
so the
> chain certs above the server cert are again irrelevant.

This document makes absolutely no statements about ever doing anything
positive with untrusted certificates.  If the certificate is untrusted -
i.e. fails path validation -- then all bets are off and the document does
not apply in any way.  After all if you don't trust the certificate why
would you believe anything that the certificate says about the identity that
is associated with the certificate.  This is a complete non-issue for the
document.

> 
> >
> > It is possible that you would trust a specific trust anchor (or
> > intermediate CA) to be more specific about getting things correct
> > (sooner or later).
> 
> There may be a slight difference for advanced users, but only at the point
> where they visualize and confirm the exception, not when doing further
> connects to the same target and have the server cert cached/pinned.

And the reason for having this is exactly because the advance user may be
looking at the chain of certificates when doing the conformation of the
exception.   They may make a different decision if a different path is
provided for making the decision.

> 
> 
> >
> > There may be differences in extensions which exist in the intermediate
> > certificates which might lead to slightly different behavior in how
> > the EE certificates are treated.
> 
> The existing server-id-check does _not_ specify any matching on chain
certs.
> As described above, changes that affect the outcome of the certificate
path
> validation, the difference in behaviour of the existing code in "fails
path
> validation", "passes path validation"
> is perfectly sufficient -- as long as the app client memorizes that the
> cached/pinned server cert originally passed certificate path validation
and
> repeats certificate path validation on future connects.
> 
> If the client app wants to _entirely_ skip certificate path validation on
the
> pinned/cached server cert, then a changed cert path would not be detected
> when only the server cert is compared.  But I have two observations about
this:
> (a) a malicious server in posession of the original server cert and
matching
> private key can easily send the original cert chain and pass your app
clients
> test, so security-wise, the client does _NOT_ get any security benefit
from
> caching and comparing the entire chain.  By not performing a certificate
path
> validation, the client misses cert revocations, and some folks might not
like this.

This behavior is not covered in the document.  The document assumes in all
locations that a successful path validation has been completed on the
certificate.

> 
> Pinning server certs protects you from attackers that manage to get a cert
> issued from any of the CAs operating under any of your (pre-)trusted
roots.
> Performing certificate path validation even for "pinned" certs protects
you
> from missing revocations.

Remember this only discussing the case of being unable to complete the logic
dealing with comparing the reference and the presented names.  This is not
dealing any cases where path validation either fails or is not performed.
Thus the idea of pinning a certificate that passes (or does not pass
validation) is not part of the concepts we are discussing here.

> 
> 
> 
> -Martin

v2.8.7 | Report a Bug | By Email