[OAUTH-WG] cert spoofing in mtls & short-lived certs
Leif Johansson <leifj@sunet.se> Tue, 14 November 2017 08:44 UTC
Return-Path: <leifj@sunet.se>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07C03126DCA for <oauth@ietfa.amsl.com>; Tue, 14 Nov 2017 00:44:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sunet-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eo6WpbYJMJoX for <oauth@ietfa.amsl.com>; Tue, 14 Nov 2017 00:44:07 -0800 (PST)
Received: from mail-pg0-x233.google.com (mail-pg0-x233.google.com [IPv6:2607:f8b0:400e:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71B78127866 for <oauth@ietf.org>; Tue, 14 Nov 2017 00:44:06 -0800 (PST)
Received: by mail-pg0-x233.google.com with SMTP id t10so13807557pgo.3 for <oauth@ietf.org>; Tue, 14 Nov 2017 00:44:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sunet-se.20150623.gappssmtp.com; s=20150623; h=to:from:subject:message-id:date:user-agent:mime-version :content-language:content-transfer-encoding; bh=JBFCTE45pxiuGmV9/GLo01J71xLK1r/omereZ1rTJ3g=; b=uOchxGDfzktyWbPRk9jHcXSrabm9kIrfZBKgAUVtNoPdWao2ES5AgIjAie5IL48xBE J61vKwawdezhq11jEOxk9aBPiRyZLDGro+ueWlBbzaFChXHPRtBmc3emRd+WsB7uJHEL rUMo/KlVwEPMwhX3hkKJXPq3p11oSR17J7oKFtW9vzvo3CE4DPYar+zi58DrSFMfn2RL wNhFvFhc8naKGiIZAUIdi640HQm1KXZqC8Oz6SInRepUxnKGdrZqnjWrKUI+ggwJELSB QZENVaM2quLhwaFOS7d5e8ExPB2m3fwJ2X9pyyWzSAau1gEhY0OX5VL3dk+OL+vxjlrf eu/A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:from:subject:message-id:date:user-agent :mime-version:content-language:content-transfer-encoding; bh=JBFCTE45pxiuGmV9/GLo01J71xLK1r/omereZ1rTJ3g=; b=YLFVP6RqDUYelhkPiGQZ+Kpx9qB3caC42ykUHoZWV61pXClF8f2FX+N31QKcL/YRxV tuwEB7VOKprXrqg3wiLXLvvqRPlAgWrw9l5BqS7KIi31322PMFIPmEnzJJBHqrIIgezN Sa5XRFgKV66+OpYKDlt0mHByXJj1rXFOoNj1fnThPhGKtt+jZwYxJIg0HtmotTpArm1u 31D66kV5XX7FnucEPsGo98PejAOYgC+9QbZ4V8CotUBf4U34C/AENOemGIox/N2kVben W2pGxpIBTDwlnHxQSgbJ8WlG0U2mAHQffMaiLR6YCunOxWqaXrd0UG6/Xe7BtuHNzpep t6Pw==
X-Gm-Message-State: AJaThX6ZSn4+mS4mb4BQ+d/Eu8u8HqsB42U/kgNPfv6jHPxyYyKk0sXf 90TdKgfbI+vqVwiunKOWSNVPTT1Li04=
X-Google-Smtp-Source: AGs4zMarEHwLZNTPnT0cv1cmNZHJAc4tYT9GhXQIWMKbdpJ6S8AxTG+oIH4tAktDyFNI3zO3PjMv7A==
X-Received: by 10.84.192.37 with SMTP id b34mr11500431pld.221.1510649045667; Tue, 14 Nov 2017 00:44:05 -0800 (PST)
Received: from ?IPv6:2001:67c:370:128:418a:5b2a:53f5:49b? ([2001:67c:370:128:418a:5b2a:53f5:49b]) by smtp.gmail.com with ESMTPSA id 77sm144891pfh.43.2017.11.14.00.44.04 for <oauth@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 14 Nov 2017 00:44:05 -0800 (PST)
To: oauth@ietf.org
From: Leif Johansson <leifj@sunet.se>
Message-ID: <1bf08c5e-db95-03b5-9c7e-5ee0a6c7eb9e@sunet.se>
Date: Tue, 14 Nov 2017 09:44:01 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hplOvqeSx5zt875jDOjpLZv179g>
Subject: [OAUTH-WG] cert spoofing in mtls & short-lived certs
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Nov 2017 08:44:09 -0000
So I reviewed the security considerations text which basically sais that the server can avoid being spoofed by managing its set of trust anchors. The text is better than nothing. However this lead me to ask another question about the use of SubjectDN as an identifier for the subject in client metadata: don't we expect certificates to be issued as short-term credentials from an STS-like thing? If so the SubjectDN is probably going to change every time the STS gets called (say by including a serial number) and such a SubjectDN probably isn't the best thing to put in client metadata. Would it make sense to make it possible to identify subjects based on (say) SubjectAltName as an alternative for this case? I don't want to hold up the process on this but I'm curious if this has been raised or just overlooked...? Cheers Leif
- [OAUTH-WG] cert spoofing in mtls & short-lived ce… Leif Johansson
- Re: [OAUTH-WG] cert spoofing in mtls & short-live… Brian Campbell
- Re: [OAUTH-WG] cert spoofing in mtls & short-live… Leif Johansson