IETF Logo Mail Archive

Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 03 January 2019 19:35 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 116721312AD; Thu, 3 Jan 2019 11:35:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.19
X-Spam-Level:
X-Spam-Status: No, score=-4.19 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mgczlVz-DASb; Thu, 3 Jan 2019 11:35:35 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A1FB1312A8; Thu, 3 Jan 2019 11:35:35 -0800 (PST)
Received: from fifthhorseman.net (unknown [38.109.115.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id B0B98F99A; Thu, 3 Jan 2019 14:35:33 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id EF2712039A; Thu, 3 Jan 2019 14:35:28 -0500 (EST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Paul Hoffman <paul.hoffman@vpnc.org>, ietf@ietf.org
Cc: spasm@ietf.org, draft-ietf-lamps-hash-of-root-key-cert-extn@ietf.org
Subject: Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC
In-Reply-To: <1AB99D11-5B25-4A97-9FFD-17E318ADD739@vpnc.org>
References: <154594881588.11855.12133790922363153381.idtracker@ietfa.amsl.com> <1AB99D11-5B25-4A97-9FFD-17E318ADD739@vpnc.org>
Date: Thu, 03 Jan 2019 14:35:25 -0500
Message-ID: <87va35o7pe.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/MDIVIGZmhuE3ivggaTFZduNb2xY>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Jan 2019 19:35:37 -0000

On Wed 2019-01-02 10:26:05 -0800, Paul Hoffman wrote:
> Using this extension increases the risk of a bad trust anchor rollover
> at the same time that it makes good rollover more secure.

I think this may be the root (ha ha) of confusion about the purpose of
this draft, and it raises some additional concerns for me about whether
it is clear and useful as it stands (i've been reading -03).

This draft serves one main purpose as far as i can tell:

 * It provides a technical mechanism that facilitates a root authority
   releasing a new root certificate.

This is a good purpose i can get behind, but the introduction implies
that it also offers another purpose:

    remove the previous one from the trust anchor store.

but the only detail in this draft that suggests how that is supposed to
happen is in the end of the Overview:

    If either check fails, then [the] potential Root CA
    certificate is not a valid replacement, and the recipient continues
    to use the current Root CA certificate.

The implication here is of course that if both checks succeed, then the
current Root CA certificate is discarded.  But that is explicitly stated
nowhere in the document.  Should it be?  If it should, we need more
text.  If it does not, the draft should remove the text about "remove
the previous one" and "continues to use the current Root CA
certificate".

Section 5 ("Operational Considerations") talks about RFC 2510 (should
maybe be 4210 today, no?), and refers to oldWithNew and newWithOld.
However, the final sentence of that paragraph is ambiguous:

   Further, this technique avoids the need for all relying parties to
   make the transition at the same time.

Which technique?  The technique in the current draft?  oldWithNew?
newWithOld?  Both oldWithNew and newWithOld?  If the sentence is talking
about the two mechanisms from RFC 4210, then Operational Considerations
should clarify that the current draft explicitly *does* require all
relying parties (and all subscribers!) to make the transition at the
same time, since the escape of C2 into the wild means that all
subscribers MUST start shipping certs signed by C2, because they can't
know whether their relying parties have switched from C1 to C2 yet.

The safest thing is for the subscriber to force the relying party to
switch to C2 by shipping C2, but of course that will screw over any
other subscribe that hasn't switched yet.  So i'm not convinced that we
can safely say that reciept of C2 MUST (or even SHOULD) effectively
revoke C1.

Additionally, the two paragraphs added in -03 make it clear that the
traditional new-root-cert import mechanism will remain enabled for all
relying parties, subject to all the pre-existing vagaries and risks.
(perhaps some other draft can tighten those up, but this draft does not
do so on its own.)

So, without this draft offering a strong and immediate revocation
mechanism, and without it cleaning up the pre-existing new-root-cert
import mechanism, it does *not* make "rollover more secure" (since all
existing insecure channels will continue to exist).  It just makes good
rollover more convenient/automatic.

      --dkg

v2.23.0 | Report a Bug | By Email