Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 10 January 2019 05:04 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B532B131138; Wed, 9 Jan 2019 21:04:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.19
X-Spam-Level:
X-Spam-Status: No, score=-4.19 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PJFBE6-rdTTc; Wed, 9 Jan 2019 21:04:47 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43B0A131137; Wed, 9 Jan 2019 21:04:47 -0800 (PST)
Received: from fifthhorseman.net (unknown [IPv6:2001:470:1f07:60d:b4c1:b6ff:fe27:67bb]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id E2BFFF99D; Thu, 10 Jan 2019 00:04:43 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 9251A20B9E; Wed, 9 Jan 2019 23:52:52 -0500 (EST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: "Salz, Rich" <rsalz@akamai.com>, Russ Housley <housley@vigilsec.com>
Cc: LAMPS WG <spasm@ietf.org>, "draft-ietf-lamps-hash-of-root-key-cert-extn@ietf.org" <draft-ietf-lamps-hash-of-root-key-cert-extn@ietf.org>, IETF <ietf@ietf.org>
Subject: Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC
In-Reply-To: <175B8CA7-17E8-48EC-BEFA-9E5D4B685B48@akamai.com>
References: <154594881588.11855.12133790922363153381.idtracker@ietfa.amsl.com> <1AB99D11-5B25-4A97-9FFD-17E318ADD739@vpnc.org> <87va35o7pe.fsf@fifthhorseman.net> <38891959-38F6-4FA5-B7B1-ACB50921E300@vigilsec.com> <87k1jlnxnu.fsf@fifthhorseman.net> <2AB77CF4-ADD6-4EE6-ABB2-BCDAC4BF6631@vigilsec.com> <87imyxh8fy.fsf@fifthhorseman.net> <175B8CA7-17E8-48EC-BEFA-9E5D4B685B48@akamai.com>
Date: Wed, 09 Jan 2019 23:52:49 -0500
Message-ID: <87y37tf71a.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/9SSNEcfZxFSFfdOvxObnxjkXGlM>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jan 2019 05:04:50 -0000
On Wed 2019-01-09 22:34:47 +0000, Salz, Rich wrote: > avoid needing coordination between all relying parties (RPs). But it > doesn't cover coordination by the subscribers (e.g. TLS servers) yet, > which is what the next point was about: > > I think this is beyond the scope of the document. > > I do not see how it introduces new problems. It enables some automation of trust store updates, that is all. What it introduces is the tight coupling of two previously-distinct actions for the relying party: a) rollout of a new root trust anchor b) revocation of the old trust anchor Previously, these two steps were not tightly coupled in time, which gave a window for loosely-coordiated deployment (RFC 5280 §4.4, with servers shipping OldWithNew and NewWithOld certs, as Russ points out). In the previous model, two things can happen in parallel, in an uncoordinated fashion: x) RPs can learn about the New CA cert y) subscribers can update their cert chains, either by: 1) shipping new end-entity certificates (signed with New, and with their chain extended by NewWithOld), or 2) augmented cert chains (ee cert still signed with Old, but its chain extended by OldWithNew) Once step Y was complete, it was safe to tell the RPs to drop the Old trust anchor as long as they had completed their part of step X. This draft says that as soon as an RP learns about New using this mechanism, it will drop the Old. This is unsafe unless step Y is universally complete. (meanwhile, it also makes Y.2 less plausible, because it's odd to expect a subscriber to bother shipping OldWithNew if New isn't available to the public; yet making New available to the public effectively acts as a revocation of Old for those implementations which see it). This is a new problem, and it doesn't exist without this draft's tight coupling of steps A and B. The only safe way i see to deploy this is in a carefully staged sequence: * all subscribers complete step Y in manner 1 (new EE cert, shipped alongside NewWithOld). During this time, New MUST be hidden from the public, or else subscribers who haven't completed the transition will break! Once that is universally complete: * deploy New to all RPs (which has a side effect of revoking Old) Once that is known to be complete, it is safe to: * tell all subscribers they can stop shipping NewWithOld intermediate certs Is there some other safe way to deploy this that i'm missing? Does no one else see this as a problem? if not, i'll just shut up about it and let things break, i guess. it's not like the ecosystem has never run into transvalidity problems and unreliable root stores before, this is just new and interesting automated ways to arrive there… --dkg
- Re: Last Call: <draft-ietf-lamps-hash-of-root-key… Paul Hoffman
- Re: Last Call: <draft-ietf-lamps-hash-of-root-key… Russ Housley
- Re: Last Call: <draft-ietf-lamps-hash-of-root-key… Paul Hoffman
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Salz, Rich
- RE: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Tim Hollebeek
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Stephen Farrell
- RE: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Tim Hollebeek
- Re: Last Call: <draft-ietf-lamps-hash-of-root-key… Russ Housley
- Re: Last Call: <draft-ietf-lamps-hash-of-root-key… Russ Housley
- Re: Last Call: <draft-ietf-lamps-hash-of-root-key… Paul Hoffman
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Daniel Kahn Gillmor
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Russ Housley
- RE: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Jim Schaad
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Daniel Kahn Gillmor
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Russ Housley
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Daniel Kahn Gillmor
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Salz, Rich
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Russ Housley
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Daniel Kahn Gillmor
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Salz, Rich
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Paul Hoffman
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Daniel Kahn Gillmor
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Daniel Kahn Gillmor
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Salz, Rich
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Russ Housley
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Russ Housley
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Russ Housley
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Benjamin Kaduk