Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC
Russ Housley <housley@vigilsec.com> Wed, 09 January 2019 23:16 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88FB412D7F8 for <ietf@ietfa.amsl.com>; Wed, 9 Jan 2019 15:16:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c312g0UQmmvr for <ietf@ietfa.amsl.com>; Wed, 9 Jan 2019 15:16:43 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67954129508 for <ietf@ietf.org>; Wed, 9 Jan 2019 15:16:43 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 41882300A46 for <ietf@ietf.org>; Wed, 9 Jan 2019 17:58:25 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id IaJSytgbVgZs for <ietf@ietf.org>; Wed, 9 Jan 2019 17:58:22 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-108-45-137-105.washdc.fios.verizon.net [108.45.137.105]) by mail.smeinc.net (Postfix) with ESMTPSA id E04B93002C1; Wed, 9 Jan 2019 17:58:21 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Subject: Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-root-key-cert-extn-02.txt> (Hash Of Root Key Certificate Extension) to Informational RFC
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <87imyxh8fy.fsf@fifthhorseman.net>
Date: Wed, 09 Jan 2019 18:16:38 -0500
Cc: LAMPS WG <spasm@ietf.org>, draft-ietf-lamps-hash-of-root-key-cert-extn@ietf.org, IETF <ietf@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <256EB2FE-C43E-428F-9FB6-66A24EFA7738@vigilsec.com>
References: <154594881588.11855.12133790922363153381.idtracker@ietfa.amsl.com> <1AB99D11-5B25-4A97-9FFD-17E318ADD739@vpnc.org> <87va35o7pe.fsf@fifthhorseman.net> <38891959-38F6-4FA5-B7B1-ACB50921E300@vigilsec.com> <87k1jlnxnu.fsf@fifthhorseman.net> <2AB77CF4-ADD6-4EE6-ABB2-BCDAC4BF6631@vigilsec.com> <87imyxh8fy.fsf@fifthhorseman.net>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/_igGDb72crBRFbhnKYQx-lvVBGM>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jan 2019 23:16:45 -0000
DKG: > On Wed 2019-01-09 11:51:33 -0500, Russ Housley wrote: >> Guidance on the transition from one trust anchor to another is >> available in Section 4.4 of [RFC4210]. In particular, the oldWithNew >> and newWithOld advice ensures that relying parties are able to >> validate certificates issued under the current Root CA certificate >> and the next generation Root CA certificate throughout the >> transition. Further, this advice SHOULD be followed by Root CAs to >> avoid the need for all relying parties to make the transition at the >> same time. > > thanks, this looks good so far, and i agree that the draft helps to > avoid needing coordination between all relying parties (RPs). But it > doesn't cover coordination by the subscribers (e.g. TLS servers) yet, > which is what the next point was about: > >> [ dkg wrote: ] >>> in this example scenario, the relying party visits site end entity A >>> (which whose cert has been issued by the new C2), and then end entity B >>> (which is still using a cert issued by C1). >>> >>> | Trust | | cert | >>> event | Store | PSE | chain | valid? >>> --------+-------+-------+-------+---------- >>> start | C1 | C1 | | >>> visit A | C2 | C1,C2 | EA←C2 | EA = ✓ >>> visit B | C2 | C1,C2 | EB←C1 | EB = ? >>> >>> >>> It looks to me like EB will not validate, since: >>> >>> 1) C1 is no longer a trusted root, despite being in the PSE >>> >>> 2) COwN is not available to the relying party (and might not be known >>> to server B either), so no chain can be formed to the only trusted >>> root, C2 > > Russ responded: >> First, TLS explicitly says that intermediate certificates can be >> included in the "certificate_list" during a transition. > > i agree that this "bag of certs" model is where we're at for > certificates shipped in TLS (and with CMS, and probably should be for > any other relevant protocols where certificate path discovery is > needed). But can you be concrete about which certificates you think > which parties will include in their certificate_list? I see two > possible proposals: > > 0) A should ship EA, COwN, and C2 in order to avoid breaking the RP's > access to site B > > 1) B should make sure that B ships COwN *before* A ever ships C2 The self-signed certificates that represent the thrust anchors are not included in the "certificate_list". I recall a discussion about whether this behavior should change in TLS 1.3, and after a fairly lengthy discussion at one of the meetings, it was decided that it should not. More below ... > > Or are you suggesting something else? > > The problem with 0 is that there is no clear incentive for A to take > that action (because C2 will Just Work™ for all clients that implement > the rollover), and B can be damaged by A failing to take it. > > The problem with 1 is that it requires coordination among the > subscribers. > > Or did you have some other suggestion about how to use the "bag of > certs" to get COwN to the RP? The revocation functionality of the > current draft seems to require distribution of it, but i don't see who > is going to reliably distribute it. > > > Perhaps the we need to add some additional guidance in the direction of > 0, to give A some incentive to do the right thing, and hopefully to > prevent accidental failures when accessing B: > > * a subscriber (TLS server) cannot guarantee that the RP (TLS client) > that currently trusts C1 will implement this draft's cert rollover > mechanism; so any subscriber that ships C2 SHOULD also ship COwN in > its TLS bag of certs, unless it knows that all of the CA's > subscribers have completed the transition to using C2. > > * any RP that implements this cert rollover mechanism MUST also retain > in its PSE all CA intermediate certs issued by the new self-signed > certificate, and sent as part of a subscriber's "bag of certs". > > * all RPs implementing this mechanism MUST perform path discovery based > on the union of its PSE and the bag of certs offered by peers. > > Note that this requires a bit more state management by the RP than > simply adjusting the root store -- it requires retaining a list of > trusted roots, *and* a distinct pool of certificates (the PSE) that can > be used for path discovery. There are whole informational RFCs on path discovery. The IETF does not have a standards-track RFC on this subject. Any way that it is done that results in valid path is acceptable. MUST statements on this document on it seem very wrong to me. > I'm still kind of sad about this, because it looks to me like A might > not have super strong incentives to do the right thing. For example, > they might have sufficient knowledge about all their RPs to know that > COwN isn't strictly necessary, but not have knowledge about all their > co-subscribers, for example. And if B is harmed, the cause of the harm > is very attenuated and difficult to track down or remedy. To the replying party, the old-in-new and new-in-old certificates are intermediate certificates. They should not really be treated differently than any other newly issued intermediate certificate. >> However, there are many repositories within enterprises, and these >> repositories can be used to locate the old-in-new and new-in-old >> certificates during a transition. This is the situation for the PKI >> that I know about that will be using this extension. > > If it is a requirement of this draft that the RPs have access to some > external repository of other certificates, the draft needs to explicitly > say so -- it needs to say that those repositories should be made > available, how they should be populated, and when. If coordinated > access to these repositories is a requirement, though, then the > statement that we don't require coordination among RPs isn't > well-supported. > > Without this guidance, someone will implement this who you didn't expect > in the initial drafting, and they will experience a very > difficult-to-track-down reliability problem. :( The repositories, where they are available, need to be populated with the old-in-new and new-in-old certificates before the new self-signed certificate is released. I will add that to the operational considerations. >>> One other open question occurs to me: Should the relying party also >>> verify that Subject information (or other identity info) in the new cert >>> matches the old certificate? I'm imagining a case where the old root CA >>> ("O=L'Emporium de Foobar,OU=Authorité Racine,C=FR") ends up replacing >>> itself with ("O=Вооружённые Силы Союза Советских Социалистических >>> Республик,C=SU"). That would be pretty weird and upsetting, especially >>> if i didn't know how my "new" Soviet military cert got into my trust >>> store. Would it be legitimate to cabin the scope of this rollover to >>> identical Subjects? >> >> I do not think so. We have seen cases in the Web PKI were the Root CA >> changed names as part of a key rollover. Of course, this happens >> without this extension today, so they establish a new self-signed >> certificate and once it is well established, they issue new >> certificate under the new root and stop issuing certificates under the >> old one. > > I understand that these subject names do often change, sometimes as > trivially as from "CN=FooCA G1 Root" to "CN=FooCA G2 Root". Sure. That is the most common case. > But if we allow arbitrary changes to the name, and if i install > "CN=Jane's CA", i can now end up with no trace of "Jane" in my root > store, and an entirely unrelated "CN=Bob's CA". right? They sometime change much more significantly, especially after an acquisition. >> If trust in the Root CA is lost by the relying party, then they ought >> to remove the self-signed certificate from the trust anchor store. > > So in the case above, the self-signed certificate that the user had > added is nowhere to be found, and there is no mention of "Jane". How > does the user know which certificate to remove? > >> Further, I do want this extension to say anything about the structure > > (i assume you mean "do not want" here) > >> of the trust anchor store. Rather, it depends on the definition of a >> trust anchor in RFC 5280 (on page 76), which says: >> >> (d) trust anchor information, describing a CA that serves as a >> trust anchor for the certification path. The trust anchor >> information includes: >> >> (1) the trusted issuer name, >> >> (2) the trusted public key algorithm, >> >> (3) the trusted public key, and >> >> (4) optionally, the trusted public key parameters associated >> with the public key. > > immediately thereafter, RFC 5280 says: > >>>> The trust anchor information may be provided to the path processing >>>> procedure in the form of a self-signed certificate. Indeed, but the path validation algorithm does not depend on any of the other fields in the self-signed certificate, including the validity period. I am aware of some implementations that remove a self-signed certificate from the trust store when the notAfter date is reached, but that is a trust store management decision, not a path validation decision. > This draft replaces one self-signed certificate with another, and the > new one might have a different "trusted issuer name" than the old. > Unless the trust anchor store retains the name from the > originally-injected certificate, this makes maintenance and auditing of > the trust anchor store by the end user (or local system administrator) > rather unstable/uncertain. I don't think that's a great outcome. I do not think this extension is the place to impose rule about Root CA naming. > We could reduce that uncertainty with a few recommendations: > > a) RPs should retain the original "trusted issuer name" distinctly from > the self-signed certificate, and should *not* change the "trusted > issuer name" for a root CA even when the certificate rolls over. It is not a self-signed certificate unless the issuer and subject names match. > b) RPs should retain a history of such transitions and be able to > display them to local operators or audit systems that inspect the > root store. I can see where this is desirable for audit purposes, but I do not think the document should be too detailed about it. I think a MAY is sufficient, especially in cases where the old-in-new and new-in-old certificates in a repository provide a bit of history in themselves. > c) require that the Subject of the replacing certificate matches the > Subject of the earlier root CA. (maybe we can allow some sort of > variance in a field in the DN, so that we permit the semi-standard > "G1" → "G2" naming shifts? i don't have a concrete suggestion here) Again, it is not a self-signed certificate unless the issuer and subject names match. > Failing any of these, the draft should acknowledge that it introduces > this difficulty for auditors of the most common/likely implementations > of a root store. I will work on some words to acknowledge the concern if the old and new self-signed certificates have very different names. Russ
- Re: Last Call: <draft-ietf-lamps-hash-of-root-key… Paul Hoffman
- Re: Last Call: <draft-ietf-lamps-hash-of-root-key… Russ Housley
- Re: Last Call: <draft-ietf-lamps-hash-of-root-key… Paul Hoffman
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Salz, Rich
- RE: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Tim Hollebeek
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Stephen Farrell
- RE: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Tim Hollebeek
- Re: Last Call: <draft-ietf-lamps-hash-of-root-key… Russ Housley
- Re: Last Call: <draft-ietf-lamps-hash-of-root-key… Russ Housley
- Re: Last Call: <draft-ietf-lamps-hash-of-root-key… Paul Hoffman
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Daniel Kahn Gillmor
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Russ Housley
- RE: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Jim Schaad
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Daniel Kahn Gillmor
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Russ Housley
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Daniel Kahn Gillmor
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Salz, Rich
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Russ Housley
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Daniel Kahn Gillmor
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Salz, Rich
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Paul Hoffman
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Daniel Kahn Gillmor
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Daniel Kahn Gillmor
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Salz, Rich
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Russ Housley
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Russ Housley
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Russ Housley
- Re: [lamps] Last Call: <draft-ietf-lamps-hash-of-… Benjamin Kaduk