RE: CRL Issue (Was RE: WG Last Call: AIA CRL extension)
"Stefan Santesson" <stefans@microsoft.com> Wed, 25 May 2005 20:31 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA26964 for <pkix-archive@lists.ietf.org>; Wed, 25 May 2005 16:31:32 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j4PJZ0pk089335; Wed, 25 May 2005 12:35:00 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j4PJZ0hg089334; Wed, 25 May 2005 12:35:00 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mail-eur1.microsoft.com (mail-eur1.microsoft.com [213.199.128.139]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j4PJYwwc089303 for <ietf-pkix@imc.org>; Wed, 25 May 2005 12:34:59 -0700 (PDT) (envelope-from stefans@microsoft.com)
Received: from EUR-MSG-11.europe.corp.microsoft.com ([65.53.193.197]) by mail-eur1.microsoft.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 25 May 2005 20:34:53 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: CRL Issue (Was RE: WG Last Call: AIA CRL extension)
Date: Wed, 25 May 2005 20:34:51 +0100
Message-ID: <BF9309599A71984CAC5BAC5ECA6299440272BE43@EUR-MSG-11.europe.corp.microsoft.com>
Thread-Topic: CRL Issue (Was RE: WG Last Call: AIA CRL extension)
Thread-Index: AcVhXm8ooUxoytr5QSaYmzrpXI8E5AAAkefw
From: Stefan Santesson <stefans@microsoft.com>
To: Santosh Chokhani <chokhani@orionsec.com>, ietf-pkix@imc.org
X-OriginalArrivalTime: 25 May 2005 19:34:53.0134 (UTC) FILETIME=[D2CD1EE0:01C56160]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id j4PJYxwc089323
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Content-Transfer-Encoding: 8bit
Santosh, Agree, I was talking about 3280bis. Stefan Santesson Program Manager, Standards Liaison Windows Security > -----Original Message----- > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] > On Behalf Of Santosh Chokhani > Sent: den 25 maj 2005 11:23 > To: ietf-pkix@imc.org > Subject: RE: CRL Issue (Was RE: WG Last Call: AIA CRL extension) > > > Stephan, > > Validation related text (e.g., infinite loops) belongs more in 3280. > Having > it in the new I-D does not harm. But, validation should be addressed by > 3280 and not diced up in multiple RFC and then served. > > -----Original Message----- > From: Stefan Santesson [mailto:stefans@microsoft.com] > Sent: Wednesday, May 25, 2005 2:18 PM > To: Tom Gindin; Santosh Chokhani > Cc: ietf-pkix@imc.org; Julien Stern > Subject: RE: CRL Issue (Was RE: WG Last Call: AIA CRL extension) > > > Tom, > > If the substitution would be successful the validation would go into an > infinite loop and fail. Validation of S's fake CRL requires validation of > C's cross certificate to S which triggers another validation of S's fake > CRL > and so on. > > I think we added some text against infinite loops but I don't have it > fresh > in my memory. > > > Stefan Santesson > Program Manager, Standards Liaison > Windows Security > > > -----Original Message----- > > From: owner-ietf-pkix@mail.imc.org > [mailto:owner-ietf-pkix@mail.imc.org] > > On Behalf Of Tom Gindin > > Sent: den 25 maj 2005 04:50 > > To: Santosh Chokhani > > Cc: ietf-pkix@imc.org; 'Julien Stern' > > Subject: Re: CRL Issue (Was RE: WG Last Call: AIA CRL extension) > > > > > > Santosh: > > > > A relatively concrete example would be the following: > > Assume a trust anchor called A, and CA it has issued a cross > > certificate to called C. Further assume that C uses indirect CRL's, > and > > has issued a cross certificate without name constraints to another CA > > called S. Then assume that S goes rogue and creates a CRL signing > > certificate with the same name as C uses for its indirect CRL's (the > key > > pair in that certificate is hereinafter called the "rogue CRL > signer"). > > Further assume that C finds out about this and creates a CRL listing S > as > > revoked, but that S successfully replaces that CRL in the repository > by > > one signed by the rogue CRL signer. > > Does RFC 3280 path validation consider S invalid? If so, > which > > step loops or fails? It looks to me like 6.3.3-b-1 passes. Is there > > always a bi-modal loop between 6.3.3-f and 6.1.3-a-3? If not, what > else > > would be likely to cause S to be recognized as invalid? You could > > probably patch any difficulties by adding "if the certificate whose > > revocation is being checked appears in the path, reject it" to > 6.3.3-f. > > > > Tom Gindin > > > > > > > > > > > > > > "Santosh Chokhani" <chokhani@orionsec.com> > > 05/24/2005 06:42 PM > > > > To: Tom Gindin/Watson/IBM@IBMUS, <ietf-pkix@imc.org> > > cc: "'Julien Stern'" <julien.stern@cryptolog.com> > > Subject: CRL Issue (Was RE: WG Last Call: AIA CRL > > extension) > > > > > > Tom, > > > > > > I assume you are talking about CRL certification path solution I > proposed > > will not permit the scenario? I still do not see in your case, if the > > Subject CA (cross certified CA) is revoked, you will verify the path > to it > > in the first place. May be I am not understanding your scenario > properly. > > How does the revoked CA gets verified? > > > > > > Julien, > > > > We have defined and proven the solution for how to do this. The > scenario > > you proposed is not something X.509 worries about (A CA that is still > > valid, but has gone bad). > > > > -----Original Message----- > > From: owner-ietf-pkix@mail.imc.org > [mailto:owner-ietf-pkix@mail.imc.org] > > On > > Behalf Of Julien Stern > > Sent: Tuesday, May 24, 2005 3:49 PM > > To: Stefan Santesson > > Cc: Tom Gindin; ietf-pkix@imc.org > > Subject: Re: WG Last Call: AIA CRL extension > > > > > > > > On Tue, May 24, 2005 at 07:28:11PM +0100, Stefan Santesson wrote: > > > Tom and Julien, > > > > > > Since this is a repetition of the discussion we had before San Diego > > > and I don't want to repeat it here. I'm not saying that this > > > discussion is invalid; it is just directed towards the wrong draft. > > > > Stefan, > > > > I agree with you. Actually, I would tend to believe that a _real_ > > discussion would have to take place at some point regarding the > > overall security model > > of CRL validation, but I have absolutely no objection to the AIA, as > soon > > as > > it is made clear that it's only goal is to simplify path building > > implementations, and not to adress security issues. My very humble > take on > > the subject is that Denis and yourself have been arguing on the list > on > > absolutely valid but different matters. > > > > So, I chose not to comment expect for my last mail (and will not any > more) > > about AIA, but I still think that a discusssion regarding revocation > > validation should take place for RFC3280bis, eventually. > > > > Regards, > > > > -- > > Julien Stern > > > > > > > > As Tom pointed out: > > > > this fraudulently issued CRL will probably be validated whether it > > > > contains an AIA or not. > > > > > > This indicates once again that this is not an issue caused by the > use > > > of AIA in CRLs but a generic CRL validation issue that belongs with > > > RFC 3280bis and not with the CRL-AIA draft. > > > > > > Stefan Santesson > > > Program Manager, Standards Liaison > > > Windows Security > > > > > > > > > > -----Original Message----- > > > > From: owner-ietf-pkix@mail.imc.org > > > [mailto:owner-ietf-pkix@mail.imc.org] > > > > On Behalf Of Julien Stern > > > > Sent: den 24 maj 2005 09:39 > > > > To: Tom Gindin > > > > Cc: ietf-pkix@imc.org > > > > Subject: Re: WG Last Call: AIA CRL extension > > > > > > > > > > > > On Tue, May 24, 2005 at 10:36:16AM -0400, Tom Gindin wrote: > > > > > > > > > > There is one scenario permitted by the "same trust > anchor" > > > rule > > > > > for CRL signers which seems to me to be a serious security hole. > > > Let us > > > > > assume a valid CA which is a direct subordinate of one of the > RP's > > > trust > > > > > anchors. This CA issues separate CRL's and ARL's, in a quite > > > > > usual > > > way, > > > > > and issues cross certificates. After months or years of > > > > > operation, > > > it > > > > > revokes one of its cross certificates because the subject's > > > > > operator > > > has > > > > > gone rogue. That rogue subject then issues a fraudulent CRL > > > > > Signing certificate with the DN that the superior certificate > has > > > > > been using > > > to > > > > > sign ARL's, a public key which it has newly generated, and > various > > > > > extensions including an SKID. It then issues an updated copy of > > > > > an > > > old > > > > > ARL under the fraudulent CRL signer's certificate and with an > AKID > > > > > matching the fraudulent signer's SKID. If the rogue can break > > > > > into > > > the > > > > > repository where the CRL is expected, this fraudulently issued > CRL > > > will > > > > > probably be validated whether it contains an AIA or not. It > will > > > > > certainly pass the "same trust anchor" condition. > > > > > This scenario, in which a rogue CA issues an ARL > > > > > certifiying > > > > that > > > > > its primary certificate has not been revoked and gets the ARL > > > accepted, > > > > is > > > > > possible under "same trust anchor" but not under "signed by path > > > > member". > > > > > > > > I agree with the validity of this scenario. I believe this is very > > > > close to the issue I attempted to bring on the list a short time > > > > ago. Of course, it assumes the existence of a rogue CA at some > point > > > > in > > > time. > > > > > > > > Note that the CRL could be directly inserted into a "long term" > > > > signature (according to RFC3126 for example). This does not > require > > > > a repository break-in and makes the "attack" even more realistic. > > > > > > > > Regards. > > > > > > > > -- > > > > Julien Stern > > > > > > > > > > > > > > Tom Gindin > > > > > > > > > > ----- Forwarded by Tom Gindin/Watson/IBM on 05/24/2005 10:13 AM > > > ----- > > > > > > > > > > > > > > > Tom Gindin > > > > > 05/23/2005 10:46 PM > > > > > > > > > > To: wpolk@nist.gov > > > > > cc: housley@vigilsec.com, ietf-pkix@imc.org, > > > kent@bbn.com, > > > > > stefans@microsoft.com > > > > > From: Tom Gindin/Watson/IBM@IBMUS > > > > > Subject: Re: WG Last Call: AIA CRL extension > > > > > > > > > > Tim: > > > > > > > > > > I should probably have brought this up earlier, but are > we > > > > certain > > > > > that "same trust anchor" is a strong enough check that the CRL > > > signer is > > > > > the one expected by the issuing CA? While I was not in San > Diego > > > when > > > > > this wording was included in the 3280 series, I do not really > > > > > think > > > that > > > > > that check is strong enough. I would suggest instead that the > CRL > > > > > signer's certificate needs to be directly issued by one of the > > > > > CA's > > > in > > > > the > > > > > certification path back to the trust anchor used for the > > > certificate's > > > > > verification, or by that anchor itself, unless people have > > > > > practical experience with CA structures which that rule would > > > > > prohibit. > > > Forcing > > > > the > > > > > CRL to be issued by the CA itself (as I understand Denis to have > > > > > suggested) prohibits the reasonable case where the CRL is issued > > > > > by > > > a > > > > > hierarchical superior, so it is IMHO too strict. > > > > > I am personally not sure, FWIW, that a CRL should be > > > permitted > > > > to > > > > > be signed by a second-cousin certificate of the issuer's > > > certificate. > > > > By > > > > > analogy to the use of the terms in families, "sibling" > > > > > certificates > > > > would > > > > > have the same issuer, "first-cousin" certificates would be > issued > > > > > by siblings, and "second-cousin" certificates would be issued by > > > > > first cousins - so they are both three levels down from the same > > > > > trust > > > anchor, > > > > > or from the last common CA in their paths. This issue is not > > > > > newly > > > > caused > > > > > by CRL AIA, since the same issue can arise with CRL's containing > > > only > > > > > AKID. AIA only allows RP's to build a path (whether right or > > > > > wrong) > > > > more > > > > > quickly. > > > > > In any case, nothing more than a note in Security > > > Considerations > > > > > is appropriate in any of our RFC's other than 3280 and its > > > successor. > > > > > > > > > > Tom Gindin > > > > > P.S. - The above views are mine, and not necessarily those of > my > > > > employer > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Tim Polk <tim.polk@nist.gov> > > > > > Sent by: owner-ietf-pkix@mail.imc.org > > > > > 05/10/2005 05:27 PM > > > > > > > > > > To: ietf-pkix@imc.org > > > > > cc: kent@bbn.com, stefans@microsoft.com, > > > > housley@vigilsec.com > > > > > Subject: WG Last Call: AIA CRL extension > > > > > > > > > > > > > > > > > > > > > > > > > This message initiates working group Last Call for the > > > > > specification "Internet X.509 Public Key Infrastructure: > Authority > > > > > Information > > > Access > > > > > CRL > > > > > Extension". While some issues raised in the working group are > > > > unresolved, > > > > > > > > > > the editors believe that rough consensus supports the current > > > > > specification. > > > > > > > > > > The URL for this Internet-Draft is: > > > > > > > > > > > http://www.ietf.org/internet-drafts/draft-ietf-pkix-crlaia-01.txt > > > > > > > > > > Last Call will run for (at least) two weeks. That is, Last Call > > > > > will > > > not > > > > > close before May 24. > > > > > > > > > > Thanks, > > > > > > > > > > Tim Polk > > > > > > > > > > > > > > > > > > > > > > > >
- RE: CRL Issue (Was RE: WG Last Call: AIA CRL exte… Stefan Santesson
- RE: CRL Issue (Was RE: WG Last Call: AIA CRL exte… Santosh Chokhani
- RE: CRL Issue (Was RE: WG Last Call: AIA CRL exte… Stefan Santesson
- RE: CRL Issue (Was RE: WG Last Call: AIA CRL exte… Tom Gindin
- RE: CRL Issue (Was RE: WG Last Call: AIA CRL exte… Santosh Chokhani
- RE: CRL Issue (Was RE: WG Last Call: AIA CRL exte… Stefan Santesson