Re: Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC
"Paul Hoffman" <paul.hoffman@vpnc.org> Wed, 02 January 2019 18:26 UTC
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DF8C130EEA; Wed, 2 Jan 2019 10:26:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h08-BEofiuCg; Wed, 2 Jan 2019 10:26:07 -0800 (PST)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 799A8130EE5; Wed, 2 Jan 2019 10:26:07 -0800 (PST)
Received: from [169.254.31.115] (50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141]) (authenticated bits=0) by mail.proper.com (8.15.2/8.15.2) with ESMTPSA id x02IOsRB024385 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 2 Jan 2019 11:24:55 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141] claimed to be [169.254.31.115]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: ietf@ietf.org
Cc: draft-ietf-lamps-hash-of-root-key-cert-extn@ietf.org, spasm@ietf.org
Subject: Re: Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC
Date: Wed, 02 Jan 2019 10:26:05 -0800
X-Mailer: MailMate (1.12.3r5579)
Message-ID: <1AB99D11-5B25-4A97-9FFD-17E318ADD739@vpnc.org>
In-Reply-To: <154594881588.11855.12133790922363153381.idtracker@ietfa.amsl.com>
References: <154594881588.11855.12133790922363153381.idtracker@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/C2giyzt1wqsnNYfXNEhmEjOU7n4>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Jan 2019 18:26:09 -0000
On 27 Dec 2018, at 14:13, The IESG wrote: > The IESG has received a request from the Limited Additional Mechanisms > for > PKIX and SMIME WG (lamps) to consider the following document: - 'Hash > Of Root > Key Certificate Extension' > <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> as > Informational RFC > > The IESG plans to make a decision in the next few weeks, and solicits > final > comments on this action. Please send substantive comments to the > ietf@ietf.org mailing lists by 2019-01-10. This extension seems useful to CAs that understand the increased risks that using it incurs, but those risks are not mentioned in the document. The document implicitly assumes that the CA will in fact use the key named in the extension next. Using this extension increases the risk of a bad trust anchor rollover at the same time that it makes good rollover more secure. If the key listed in this extension cannot be used when the CA eventually changes the trust anchor, relying parties will mistrust the new trust anchor. There are many reasons why a CA might think they know the next key but cannot use that key when they change trust anchors, such as if the HSM that holds the next key fails or is destroyed. Given the last sentence in Section 2, this could mean that a CA might never be able to issue a new trust anchor, even if the key for its current trust anchor is compromised. Given the severity of the new risks of using this extension, they need to be introduced at the beginning of the document and then discussed in more detail in the Security Considerations. Note that this risk affects the last paragraph of the Security Considerations section as well. Editorial: The abstract says: This document specifies the Hash Of Root Key certificate extension. This certificate extension is carried in the self-signed certificate for a trust anchor, which is often called a Root Certification Authority (CA) certificate. This certificate extension unambiguously identifies the next public key that will be used by the trust anchor at some point in the future. The term "trust anchor" is used as the concept, not the bits in the certificate. As such, the last sentence is confusing because the trust anchor will change when the key changes. A possible fix is to replace "will be used by the trust anchor at some point in the future" with "will be used in a trust anchor at some point in the future". The first list in Section 2 would be clearer if the order was R1, R2, H2, C1; this would also then match the order in the second list. Later in Section 2, a sentence appears to be missing its subject. "That is, verify the signature on the self-signed certificate..." should probably be "That is, the recipient verifies the signature on the self-signed certificate...". --Paul Hoffman
- Re: Last Call: <draft-ietf-lamps-hash-of-root-key… Paul Hoffman
- Re: Last Call: <draft-ietf-lamps-hash-of-root-key… Russ Housley
- Re: Last Call: <draft-ietf-lamps-hash-of-root-key… Paul Hoffman
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Salz, Rich
- RE: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Tim Hollebeek
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Stephen Farrell
- RE: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Tim Hollebeek
- Re: Last Call: <draft-ietf-lamps-hash-of-root-key… Russ Housley
- Re: Last Call: <draft-ietf-lamps-hash-of-root-key… Russ Housley
- Re: Last Call: <draft-ietf-lamps-hash-of-root-key… Paul Hoffman
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Daniel Kahn Gillmor
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Russ Housley
- RE: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Jim Schaad
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Daniel Kahn Gillmor
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Russ Housley
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Daniel Kahn Gillmor
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Salz, Rich
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Russ Housley
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Daniel Kahn Gillmor
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Salz, Rich
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Paul Hoffman
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Daniel Kahn Gillmor
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Daniel Kahn Gillmor
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Salz, Rich
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Russ Housley
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Russ Housley
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Russ Housley
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Benjamin Kaduk