IETF Logo Mail Archive

RE: [lamps] Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC

Tim Hollebeek <tim.hollebeek@digicert.com> Wed, 02 January 2019 21:27 UTC

Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B76B61274D0; Wed, 2 Jan 2019 13:27:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.066
X-Spam-Level:
X-Spam-Status: No, score=-2.066 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.065, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=digicert.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lOdJ_asCxnSS; Wed, 2 Jan 2019 13:27:28 -0800 (PST)
Received: from mail1.bemta23.messagelabs.com (mail1.bemta23.messagelabs.com [67.219.246.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51BB7126C01; Wed, 2 Jan 2019 13:27:28 -0800 (PST)
Received: from [67.219.246.100] (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)) by server-1.bemta.az-b.us-east-1.aws.symcld.net id BF/0E-10856-EBC2D2C5; Wed, 02 Jan 2019 21:27:26 +0000
X-Brightmail-Tracker: H4sIAAAAAAAAA1WTfUwTZxzHefpcryeh7iwVfjY4Q2fM0nFdi4Z 0RhJNTNY/BtPEl2S86JWebZdSsHdEdEtmMGNC1ZABYbIC1SCNlcVgmCxGNBYngpFkEFCQTFBU XiSA4JCZFHu9+vbf53m+3999v8+T5yisKlFoKK5Y4Nwu1qklYwn7l6mpzLUUJttwbybBVN8Wx KbJ8UGF6WlLA2EaurggNy23lhGm+oE8U037gGKrwlx504fNf3j6SXNj45LMHBhekJvnf+/HO+ TfyR0uS0Hxfrn9t6VxsnBxZ3Go4zk6is59U45iKYI+gWGhaVkmLlR0hQx+fnEdSYt/EYzMzRL laAVF0gYYaO+Uiaym6xBcDx0UTZhuRnCpqV0hCvF0FYLyG+tFQU1XIzh+oSU6kQWnfP1hpsKB 6+GkVxC3lXQODC92yaU0Lwb/3UdYFFbQ6TA0MxKZRXQCLHY3RxjTiTA01hBhoNUw+s8dUuLVM PE4JJf82VA3HyTFLKCTYfBPRrKshd4GT+RkQN8j4Yz/jFwSGJitrsYSZ0DVMw8pmR4gmArdj4 bpoHywImpywi8dVwmJpzDU9KklToKu/71YGvaQ0PLKHxlQ0VaoCgSjTT+FwMnR6PCYDAJNGRV IV/vB4Woj1+pDMFs2iWoj17QKuk6PEZJJB40lywqJ10HbtBfXIkWYt0CrVdpNhirPaNSRBqU9 c6QPUQGUZnE7bHYhn3U4GaPBwBiNqYyBSd34lZ49wlj0RTzDsbzAGPXsIV7PH87Pc1r1Lk64h MLv0VoYM/MX8p21BdEaSqZdrQx0p2SrVloKrIftLG/f5y5ycnwQJVGUFpSVOiZbtcrN2bjiAw 5n+FG/lYGK06qVPV+EZSVfyObzDpskdSOG6ix76cUqwlXg4jSJygTRRIsme5Hr3Sfe/hq9aK0 mXoliYmJUcYWcO98hfKxPokQKaeOVD8QmcQ6X8C5pMlxCFi6xCVLEEgL7XtIcRe4NLXmPJnCn 8VRb7lLRhbyHtm3L8X9XekLn03cc+OzpD/PqvcN9m5NubnBNv/pxZOXXx+4L3t2fZHasu3qwL 3f7ts1M7K6GLQw1k3M7x4wyHa+T95zfU3+R9+Oh2bQrv7Z56r7PKP2vyXkl/fKA5dvL41m39i 6VPnnx+U/4tClYstWv0RK8nTXqsJtn3wB+YG14FQQAAA==
X-Env-Sender: tim.hollebeek@digicert.com
X-Msg-Ref: server-39.tower-384.messagelabs.com!1546464445!4474753!1
X-Originating-IP: [104.47.50.50]
X-SYMC-ESS-Client-Auth: mailfrom-relay-check=pass
X-StarScan-Received:
X-StarScan-Version: 9.14.24; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 29410 invoked from network); 2 Jan 2019 21:27:26 -0000
Received: from mail-by2nam05lp2050.outbound.protection.outlook.com (HELO NAM05-BY2-obe.outbound.protection.outlook.com) (104.47.50.50) by server-39.tower-384.messagelabs.com with AES256-SHA256 encrypted SMTP; 2 Jan 2019 21:27:26 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=0s/afXDoWaJcKgTlfg6yayxuA1cM6iB53PELLGLOyF4=; b=qq6WNvVA7YbdziMO8W17+GHtEe90bOD8bxy3msqIzB7RpgBHza3QYYfC8fzmvtfg9q33gXb04wBs1yGe066DYhqyCjLOJ7YjgExUOl8mYxD+BHABT4JvR1TqUOQoT216yuqjvJNVq5MEnfrH9gms3RcZqjejLIEKQwb6D/1ANpg=
Received: from BN6PR14MB1106.namprd14.prod.outlook.com (10.173.161.15) by BN6PR14MB1491.namprd14.prod.outlook.com (10.172.151.137) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1471.20; Wed, 2 Jan 2019 21:27:23 +0000
Received: from BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::60f0:c4cd:7c30:59c4]) by BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::60f0:c4cd:7c30:59c4%2]) with mapi id 15.20.1471.019; Wed, 2 Jan 2019 21:27:23 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "Salz, Rich" <rsalz@akamai.com>, Paul Hoffman <paul.hoffman@vpnc.org>, Russ Housley <housley@vigilsec.com>
CC: "spasm@ietf.org" <spasm@ietf.org>, "draft-ietf-lamps-hash-of-root-key-cert-extn@ietf.org" <draft-ietf-lamps-hash-of-root-key-cert-extn@ietf.org>, IETF <ietf@ietf.org>
Subject: RE: [lamps] Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC
Thread-Topic: [lamps] Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC
Thread-Index: AQHUnjFsG1mFhr8NEEGYNgqXXTDizqWcVNuAgAAZcQCAAAWZAIAABD8AgAAGM7CAAAcHgIAAAQDw
Date: Wed, 02 Jan 2019 21:27:23 +0000
Message-ID: <BN6PR14MB1106E1A39076F3C6CF6C46DD838C0@BN6PR14MB1106.namprd14.prod.outlook.com>
References: <154594881588.11855.12133790922363153381.idtracker@ietfa.amsl.com> <1AB99D11-5B25-4A97-9FFD-17E318ADD739@vpnc.org> <3D85A45C-FE94-45A7-BF37-C3F8C1B3F5AA@vigilsec.com> <869BCE27-2AB5-4550-AC89-335BFE749123@vpnc.org> <ECAC3D9D-6A2F-4DE0-BF8B-4AEB1A513BA7@akamai.com> <BN6PR14MB110608E203576F64905F8E2F838C0@BN6PR14MB1106.namprd14.prod.outlook.com> <790efc1b-12ee-d960-c4cd-c7e44b5b7ccf@cs.tcd.ie>
In-Reply-To: <790efc1b-12ee-d960-c4cd-c7e44b5b7ccf@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [98.111.253.32]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN6PR14MB1491; 6:taXZdMyqpfL0cVS7VD1YNiuPAyWU5/NaCBM7PwV5ESMfKOiS2Og3l285DqE7c2E/vBz11End24xguvXKv4OSUYKfEWsvocf3Ahn9StW30Poxdo1F/dLYyuymmdiknBHMe5SpaSFKIqKR5WDO7Z0Vn26J6mwrzj2DEYNjJOaGDSdOfSM8gLvAn4/yBIDWq/HkVhg4Tr00lyAw/8gLwh5nzak0kojxZYOThxgJ1grcUUjhexa9V/QsBhgR1C9iAXt+VpJP0qIU72cRS4QH0wDxM5ogTLoQEbjQOodjJau6/Qfmxtjh3VfEY9j2KgNGUzSv6yhY5CE9QmqQR/sCXApzRogR9BrNmbXlHEe5L2AMGCvtjkiG+GE+d8KrobtVU6vPFwGAwiRXfzPyBpCvo+oLsPttL5RtK+/m6TDqKNN7SZmzEu7V0tKWUCpwr3pvVXlKcpKr19VjPE5LEUl12jjLCA==; 5:n/rjHG2bK3S6hslHqkDpWQPZrvloX+HiZKlH6m7AzlsOjUpLwKxwjX6aqYOjXWsuWh26LYj/uPTORyPENG4sGQp93CymIYnavlM9+Q6QFaDrTJ9L7TfwGJlduhipDjW975Py/Z2LlDiUEvoYTNRNSz86viQC/G67wtr5NjyP2TA=; 7:3mmrUx2HtgkPkpSTiQ6fe7VODtbvsXe4WLYPiqydiOyiAPNdm9NATRxD5czqMb7HHymvb6HH9Flb63gw3XIP84hz+oqSdOdEhWTwF1xwyR+mopacTvv3iJqTRHng1f4Lo2F4yd4Y2+d4g3hSb02r7w==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 47bb4542-2642-485e-b58c-08d670f915c5
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600109)(711020)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(49563074)(7193020); SRVR:BN6PR14MB1491;
x-ms-traffictypediagnostic: BN6PR14MB1491:
x-microsoft-antispam-prvs: <BN6PR14MB149134AB2E0DF3889F6F84C7838C0@BN6PR14MB1491.namprd14.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(3230021)(908002)(999002)(5005026)(102415395)(6040522)(8220060)(2401047)(8121501046)(93006095)(93001095)(3231475)(944501520)(4983020)(52105112)(3002001)(10201501046)(6041310)(20161123562045)(20161123564045)(201703131423095)(201703031522075)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(20161123560045)(201708071742011)(7699051)(76991095); SRVR:BN6PR14MB1491; BCL:0; PCL:0; RULEID:; SRVR:BN6PR14MB1491;
x-forefront-prvs: 0905A6B2C7
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(366004)(346002)(136003)(396003)(376002)(13464003)(199004)(189003)(2906002)(476003)(71190400001)(74316002)(446003)(81166006)(33656002)(54906003)(71200400001)(55016002)(26005)(6246003)(296002)(478600001)(81156014)(3846002)(110136005)(316002)(186003)(6116002)(53936002)(7736002)(8676002)(97736004)(93886005)(8936002)(9686003)(305945005)(11346002)(256004)(14444005)(86362001)(229853002)(76176011)(66066001)(25786009)(102836004)(4326008)(966005)(7696005)(68736007)(14454004)(105586002)(486006)(6506007)(99286004)(106356001)(5660300001)(6436002)(53546011)(99936001)(44832011)(6306002); DIR:OUT; SFP:1102; SCL:1; SRVR:BN6PR14MB1491; H:BN6PR14MB1106.namprd14.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: digicert.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: zK+Pxvm/fTenG8nywSlO3xMOqglP/5AcUiViYwBA+iR8u+OisNFrj3dhs3cqs8mLynbS/3bkDE+9e7Tsjoh+8nsRKVmuPypQRqVlaTf4qCSEUvINeXi0CVPhwB/yufzWlwmmGCQTW0iyxEle5pxL2EvYrMJZVtiETxAalswOba8QbBuTg0bPgh2htJKKN0Gn95sDIygDaCRqwyIIBl0wQyx5ja5QC50nuiN17eLRGly4US+Q+svmOHYK1EYRyhqy9Vm0iGJlJynx01hBPSu6tO0GQfc9Ezg7e5RsLv3QCqV31u12tyMHVZoU/qXgP5Qh
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="2.16.840.1.101.3.4.2.1"; boundary="----=_NextPart_000_00B4_01D4A2B8.010C6A20"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 47bb4542-2642-485e-b58c-08d670f915c5
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Jan 2019 21:27:23.2588 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR14MB1491
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/_7ifHvyjNs0nTvtF9xGe_VnVPFk>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Jan 2019 21:27:32 -0000

I'm not sure the comparison with pins is that useful, because existing pins
generally work out badly because they prevent changing keys, while this
mechanism provides the opportunity to change a key, where no such
opportunity otherwise exists.  If anything, this makes roots of trust _less_
like pinned keys, and in a good way.

But I agree that even if this is a minor issue, perhaps a few sentences
noting it is appropriate.  Just to help out anyone who might not have
thought about it.

-Tim

> -----Original Message-----
> From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
> Sent: Wednesday, January 2, 2019 4:20 PM
> To: Tim Hollebeek <tim.hollebeek@digicert.com>; Salz, Rich
> <rsalz@akamai.com>; Paul Hoffman <paul.hoffman@vpnc.org>; Russ
> Housley <housley@vigilsec.com>
> Cc: spasm@ietf.org; draft-ietf-lamps-hash-of-root-key-cert-extn@ietf.org;
> IETF <ietf@ietf.org>
> Subject: Re: [lamps] Last Call: 
> <draft-ietf-lamps-hash-of-root-key-cert-extn-
> 02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC
>
>
> Hiya,
>
> On 02/01/2019 20:57, Tim Hollebeek wrote:
> > I'm sympathetic to perhaps adding a sentence or two, but otherwise I'm
> > struggling to understand the risk as well.
>
> I assume Paul's pointing out that this is another form of key pinning, and
> other instances of pinning haven't worked out so well.
>
> > If an entity is incapable of managing and protecting a replacement
> > root key, perhaps they shouldn't be in the CA business.  And since, at
> > worst, they lose the ability to replace the root key, they aren't in a
> > worse situation than they were if this capability didn't exist.
>
> IIUC Paul's concern is for the relying party, not the CA.
>
> Compared to RPs who do not support this extension, RPs who do support this
> extension may have a harder time with a CA that mucks up pinning, e.g.
> because the CA's HSM vendor has gone out of business or something.
>
> I'm not sure how big a deal that is really but it seems like a fine LC 
> comment
> worthy of resolution to me.
>
> Having just read the draft (for the 1st time), I think it ought say (by 
> inclusion
> or reference) how RPs could handle bad pins, given that there are a small 
> set
> of trust store distributors (browsers, debian etc.) who aren't quite sync'd 
> up.
>
> Cheers,
> S.
>
>
> >
> > -Tim
> >
> >> -----Original Message-----
> >> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Salz, Rich
> >> Sent: Wednesday, January 2, 2019 3:32 PM
> >> To: Paul Hoffman <paul.hoffman@vpnc.org>; Russ Housley
> >> <housley@vigilsec.com>
> >> Cc: spasm@ietf.org;
> >> draft-ietf-lamps-hash-of-root-key-cert-extn@ietf.org;
> > IETF
> >> <ietf@ietf.org>
> >> Subject: Re: [lamps] Last Call:
> > <draft-ietf-lamps-hash-of-root-key-cert-extn-
> >> 02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC
> >>
> >> I don't understand what the risk is.
> >>
> >> If a client sees and understands the extension, it can update its
> >> trust
> > store to
> >> have the new key.  If a client does not see, or does not understand,
> >> the extension, then the trust store will have to be updated out of
> >> band, just
> > like it
> >> is now.
> >>
> >> CA's that use this extension must take proper care to ensure that the
> > private
> >> key is not exposed.
> >>
> >>
> >> _______________________________________________
> >> Spasm mailing list
> >> Spasm@ietf.org
> >> https://www.ietf.org/mailman/listinfo/spasm

v2.23.0 | Report a Bug | By Email