IETF Logo Mail Archive

Re: Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC

"Paul Hoffman" <paul.hoffman@vpnc.org> Wed, 02 January 2019 18:26 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DF8C130EEA; Wed, 2 Jan 2019 10:26:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h08-BEofiuCg; Wed, 2 Jan 2019 10:26:07 -0800 (PST)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 799A8130EE5; Wed, 2 Jan 2019 10:26:07 -0800 (PST)
Received: from [169.254.31.115] (50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141]) (authenticated bits=0) by mail.proper.com (8.15.2/8.15.2) with ESMTPSA id x02IOsRB024385 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 2 Jan 2019 11:24:55 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141] claimed to be [169.254.31.115]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: ietf@ietf.org
Cc: draft-ietf-lamps-hash-of-root-key-cert-extn@ietf.org, spasm@ietf.org
Subject: Re: Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC
Date: Wed, 02 Jan 2019 10:26:05 -0800
X-Mailer: MailMate (1.12.3r5579)
Message-ID: <1AB99D11-5B25-4A97-9FFD-17E318ADD739@vpnc.org>
In-Reply-To: <154594881588.11855.12133790922363153381.idtracker@ietfa.amsl.com>
References: <154594881588.11855.12133790922363153381.idtracker@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/C2giyzt1wqsnNYfXNEhmEjOU7n4>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Jan 2019 18:26:09 -0000

On 27 Dec 2018, at 14:13, The IESG wrote:

> The IESG has received a request from the Limited Additional Mechanisms 
> for
> PKIX and SMIME WG (lamps) to consider the following document: - 'Hash 
> Of Root
> Key Certificate Extension'
>   <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> as 
> Informational RFC
>
> The IESG plans to make a decision in the next few weeks, and solicits 
> final
> comments on this action. Please send substantive comments to the
> ietf@ietf.org mailing lists by 2019-01-10.

This extension seems useful to CAs that understand the increased risks 
that using it incurs, but those risks are not mentioned in the document.

The document implicitly assumes that the CA will in fact use the key 
named in the extension next. Using this extension increases the risk of 
a bad trust anchor rollover at the same time that it makes good rollover 
more secure. If the key listed in this extension cannot be used when the 
CA eventually changes the trust anchor, relying parties will mistrust 
the new trust anchor. There are many reasons why a CA might think they 
know the next key but cannot use that key when they change trust 
anchors, such as if the HSM that holds the next key fails or is 
destroyed. Given the last sentence in Section 2, this could mean that a 
CA might never be able to issue a new trust anchor, even if the key for 
its current trust anchor is compromised.

Given the severity of the new risks of using this extension, they need 
to be introduced at the beginning of the document and then discussed in 
more detail in the Security Considerations. Note that this risk affects 
the last paragraph of the Security Considerations section as well.

Editorial:

The abstract says:
    This document specifies the Hash Of Root Key certificate extension.
    This certificate extension is carried in the self-signed certificate
    for a trust anchor, which is often called a Root Certification
    Authority (CA) certificate.  This certificate extension 
unambiguously
    identifies the next public key that will be used by the trust anchor
    at some point in the future.
The term "trust anchor" is used as the concept, not the bits in the 
certificate. As such, the last sentence is confusing because the trust 
anchor will change when the key changes. A possible fix is to replace 
"will be used by the trust anchor at some point in the future" with 
"will be used in a trust anchor at some point in the future".

The first list in Section 2 would be clearer if the order was R1, R2, 
H2, C1; this would also then match the order in the second list.

Later in Section 2, a sentence appears to be missing its subject. "That 
is, verify the signature on the self-signed certificate..." should 
probably be "That is, the recipient verifies the signature on the 
self-signed certificate...".

--Paul Hoffman

v2.23.0 | Report a Bug | By Email