IETF Logo Mail Archive

Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC

Russ Housley <housley@vigilsec.com> Thu, 10 January 2019 19:37 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7575313122F for <ietf@ietfa.amsl.com>; Thu, 10 Jan 2019 11:37:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2lh2i1QhDc1q for <ietf@ietfa.amsl.com>; Thu, 10 Jan 2019 11:37:26 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E59D813122D for <ietf@ietf.org>; Thu, 10 Jan 2019 11:37:25 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 3EFFC300595 for <ietf@ietf.org>; Thu, 10 Jan 2019 14:19:08 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id LeUBovyntDve for <ietf@ietf.org>; Thu, 10 Jan 2019 14:19:05 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-108-45-137-105.washdc.fios.verizon.net [108.45.137.105]) by mail.smeinc.net (Postfix) with ESMTPSA id BC9F630017E; Thu, 10 Jan 2019 14:19:05 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Subject: Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <87zhs8e9bb.fsf@fifthhorseman.net>
Date: Thu, 10 Jan 2019 14:37:22 -0500
Cc: LAMPS WG <spasm@ietf.org>, draft-ietf-lamps-hash-of-root-key-cert-extn@ietf.org, IETF <ietf@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <2340CD5D-F001-4B5A-8F42-6F2B90E3B7A3@vigilsec.com>
References: <154594881588.11855.12133790922363153381.idtracker@ietfa.amsl.com> <1AB99D11-5B25-4A97-9FFD-17E318ADD739@vpnc.org> <87va35o7pe.fsf@fifthhorseman.net> <38891959-38F6-4FA5-B7B1-ACB50921E300@vigilsec.com> <87k1jlnxnu.fsf@fifthhorseman.net> <2AB77CF4-ADD6-4EE6-ABB2-BCDAC4BF6631@vigilsec.com> <87imyxh8fy.fsf@fifthhorseman.net> <256EB2FE-C43E-428F-9FB6-66A24EFA7738@vigilsec.com> <87zhs8e9bb.fsf@fifthhorseman.net>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/Md5ln1dkRH7lpj_HQgtToRjaeSY>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jan 2019 19:37:28 -0000

DKG:

> On Jan 10, 2019, at 12:01 PM, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> 
> [ i sent this e-mail earlier by accident to Russ offlist, re-sending it
> on-list now ]
> 
> On Wed 2019-01-09 18:16:38 -0500, Russ Housley wrote:
>> The self-signed certificates that represent the thrust anchors are not
>> included in the "certificate_list".  I recall a discussion about
>> whether this behavior should change in TLS 1.3, and after a fairly
>> lengthy discussion at one of the meetings, it was decided that it
>> should not.  More below ...
> 
> I agree -- the root cert is not mandatory to include in the
> certificate_list.
> 
> But as you wrote earlier, the certs in certificate_list are a "bag of
> certs" -- they might contain any certs.  I don't think we can *stop*
> people from shipping C2, and if they do, they'll effectively be revoking
> C1.

If the new-in-old and old-in-new advice is followed and the old-in-new is included in the certificate_list, then the replacement of C1 by C2 will not change the validity of any end-entity certificates.

I think your point is that the distribution of C2 by another server will cause the recipient to replace C1 by C2 in their trust anchor store.  If all of the servers have not put the old-in-new certificate in their certificate_list, then the path construction may not have all of the certificates that are needed.  However a small amount of caching will resolve this, and use of enterprise directory services will resole this.

I will work on some text to cover both of these points in the operational considerations, but I do not think this specification should mandate any particular behavior one either one.

>> They sometime change much more significantly, especially after an acquisition.
> 
> This draft doesn't need to support the acquisition case if we decide
> it's not in the best interest of the relying parties.

As I said previously, I do not think this extension specification should impose any rules on Root CA naming.

>>> a) RPs should retain the original "trusted issuer name" distinctly from
>>>   the self-signed certificate, and should *not* change the "trusted
>>>   issuer name" for a root CA even when the certificate rolls over.
>> 
>> It is not a self-signed certificate unless the issuer and subject names match.
> 
> i know -- but proposal (a) here suggests that the root trust store
> doesn't need to associate "trusted issuer name" with any field in the
> current self-signed certificate.  rather, it can keep that information
> independent.  anyway, it's one of three suggestions.

I see, I misunderstood your paragraph at the end of your list began, "Failing any of these", which I read to mean that you wanted all three of them checked by the recipient.

Now that I understand your intention, I already agreed to work on some words to acknowledge the concern if the old and new self-signed certificates have very different names.

>>> b) RPs should retain a history of such transitions and be able to
>>>   display them to local operators or audit systems that inspect the
>>>   root store.
>> 
>> I can see where this is desirable for audit purposes, but I do not
>> think the document should be too detailed about it.  I think a MAY is
>> sufficient, especially in cases where the old-in-new and new-in-old
>> certificates in a repository provide a bit of history in themselves.
> 
> i agree that the document doesn't need to be overly detailed about it.
> I'm not even sure that RFC 2119 language is necessary.  but it needs
> some guidance to point out the problems it creates for auditors if
> something like this is not done.

Okay.

>>> c) require that the Subject of the replacing certificate matches the
>>>   Subject of the earlier root CA.  (maybe we can allow some sort of
>>>   variance in a field in the DN, so that we permit the semi-standard
>>>   "G1" → "G2" naming shifts? i don't have a concrete suggestion here)
>> 
>> Again, it is not a self-signed certificate unless the issuer and
>> subject names match.
> 
> both Old and New are self-signed certificates (Old.Issuer ==
> Old.Subject, and New.Issuer == New.Subject).  Proposal (c) here suggests
> that we could require Old.Subject to match New.Subject (fsvo "match"),
> in order for the replacement/revocation to proceed.

That would require no name change at all, including the GA1 --> GA2, which you already acknowledged is commonplace.

Russ

v2.23.0 | Report a Bug | By Email