Re: [OAUTH-WG] cert spoofing in mtls & short-lived certs
Brian Campbell <bcampbell@pingidentity.com> Tue, 14 November 2017 09:28 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5745D128B4E for <oauth@ietfa.amsl.com>; Tue, 14 Nov 2017 01:28:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4i8ClW9DUcNZ for <oauth@ietfa.amsl.com>; Tue, 14 Nov 2017 01:28:12 -0800 (PST)
Received: from mail-it0-x22e.google.com (mail-it0-x22e.google.com [IPv6:2607:f8b0:4001:c0b::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E0B4127078 for <oauth@ietf.org>; Tue, 14 Nov 2017 01:28:12 -0800 (PST)
Received: by mail-it0-x22e.google.com with SMTP id f187so12864348itb.1 for <oauth@ietf.org>; Tue, 14 Nov 2017 01:28:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=RJbMBcWFUfsv9F1vT5PKT2j/KmoMYOGej9iU3NANBZ0=; b=ILPD9nmeCGAcURSKZvcjX60szbaQk3CFgR82pCrAqGKFT3EDVgzcUYpRc+52F1ySAF EcxEqePffLKZU5/MFRlEXShwLEbgJLftwllwxyQPx38uQt92bDXEACzCKirHeDaQhokc ELArTbsDhm4+1APq1+wwrfTY7Eikw+hr+hKWo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=RJbMBcWFUfsv9F1vT5PKT2j/KmoMYOGej9iU3NANBZ0=; b=U2wDmGqOI2qNlizbP8sUc1Jr/w7ByZg0DPEeyNTQFy4HvngwFu+RWj2bXb3MNz975J 3TGk0GcXwx6KP/OeRX1qTAF9aBcajbeRgkoEImr+MMiU88PIVeDIOC9aKckFmE5hZvrh 7XEJrdf2zTodWACZ4PRwml2thbYuRqycYPtbIeEs7kpA9akMj+DEh3WwGE/bR43T8VQ+ c2ugYvGF8ZExOwlZbKRou93sDXK8JCCIXL8LXHjjtSRCscTZQdKIKB73g8vGuoY5Zcky HKXnNsRGAYkeg4JGVS65UdyZzaGHH/MILBQVoPVjku5R2YIRkQ8WLfKBKgdOa19puZ/O /Kew==
X-Gm-Message-State: AJaThX7BIYFK7FRIAEcuj0VpiRxAEMZU8M258eFA2XQ/fM+WnUAPClbo bc01lIQTpdZqSRc3flfL2cLU3K6ZO1HRQkDHLArvSaBnbvRlJ3Vgb4bqfP/cUXTjc//xF5TyQSD GB062OpWAU3oJag==
X-Google-Smtp-Source: AGs4zMY0/Mux3zVlBucvX38OCQEz2cfg2KBNbyL2BQZj4mDiLtxVLbb5f1ETOH75VkGvrfTFztcY6V5K5lLDUauinNk=
X-Received: by 10.36.104.211 with SMTP id v202mr2204987itb.153.1510651691257; Tue, 14 Nov 2017 01:28:11 -0800 (PST)
MIME-Version: 1.0
Received: by 10.2.106.34 with HTTP; Tue, 14 Nov 2017 01:27:40 -0800 (PST)
In-Reply-To: <1bf08c5e-db95-03b5-9c7e-5ee0a6c7eb9e@sunet.se>
References: <1bf08c5e-db95-03b5-9c7e-5ee0a6c7eb9e@sunet.se>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 14 Nov 2017 17:27:40 +0800
Message-ID: <CA+k3eCQKoxErxXR2A=KC8+w8yHY2iO-rScG-5rk9d_pADgweuA@mail.gmail.com>
To: Leif Johansson <leifj@sunet.se>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="001a1143fb3e6feddb055dee01db"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TJ9g68Rc2iEAbqQeN5hOdGV_7Jc>
Subject: Re: [OAUTH-WG] cert spoofing in mtls & short-lived certs
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Nov 2017 09:28:14 -0000
The expectation/assumption is that the SubjectDN would be a stable identifier through re-issuance of certificates, regardless of whether they be short or long term. We've had basically this as a product feature for years and use of the SubjectDN as the identifier hasn't been an issue. And it's not been raised, that I'm aware of anyway, as a concern in the banking use-cases where there will be some central entity issuing these certificates to the participants. Not sure if that exactly addresses your question but that's how things got the way they are in the document. If there's some better or additional text you'd like to see for the security considerations, please do suggest it. On Tue, Nov 14, 2017 at 4:44 PM, Leif Johansson <leifj@sunet.se> wrote: > > So I reviewed the security considerations text which basically sais > that the server can avoid being spoofed by managing its set of trust > anchors. The text is better than nothing. > > However this lead me to ask another question about the use of > SubjectDN as an identifier for the subject in client metadata: don't > we expect certificates to be issued as short-term credentials from > an STS-like thing? > > If so the SubjectDN is probably going to change every time the STS > gets called (say by including a serial number) and such a SubjectDN > probably isn't the best thing to put in client metadata. > > Would it make sense to make it possible to identify subjects based > on (say) SubjectAltName as an alternative for this case? > > I don't want to hold up the process on this but I'm curious if this > has been raised or just overlooked...? > > Cheers Leif > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- *CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.*
- [OAUTH-WG] cert spoofing in mtls & short-lived ce… Leif Johansson
- Re: [OAUTH-WG] cert spoofing in mtls & short-live… Brian Campbell
- Re: [OAUTH-WG] cert spoofing in mtls & short-live… Leif Johansson