IETF Logo Mail Archive

RE: OCSP Algorithm Agility

Paul Hoffman <paul.hoffman@vpnc.org> Fri, 21 September 2007 18:05 UTC

Return-path: <owner-ietf-pkix@mail.imc.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IYmsI-0002Cn-M3 for pkix-archive@lists.ietf.org; Fri, 21 Sep 2007 14:05:10 -0400
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IYms7-0001OA-CE for pkix-archive@lists.ietf.org; Fri, 21 Sep 2007 14:05:00 -0400
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l8LHFBQ8071574 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 21 Sep 2007 10:15:11 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l8LHFBoW071573; Fri, 21 Sep 2007 10:15:11 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from [165.227.249.200] (dsl-63-249-108-169.cruzio.com [63.249.108.169]) (authenticated bits=0) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l8LHF9C1071565 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-pkix@imc.org>; Fri, 21 Sep 2007 10:15:10 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0
Message-Id: <p0624080ec319a977190d@[165.227.249.200]>
In-Reply-To: <2788466ED3E31C418E9ACC5C3166155703DF57@mou1wnexmb09.vcorp.ad.vrsn.com>
References: <2788466ED3E31C418E9ACC5C3166155703DF57@mou1wnexmb09.vcorp.ad.vrsn.com>
Date: Fri, 21 Sep 2007 10:15:06 -0700
To: ietf-pkix@imc.org
From: Paul Hoffman <paul.hoffman@vpnc.org>
Subject: RE: OCSP Algorithm Agility
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 3e15cc4fdc61d7bce84032741d11c8e5

At 7:04 AM -0700 9/21/07, Hallam-Baker, Phillip wrote:
>The way I see it, the process of transition from one algorithm to 
>another has two sets of constraints, the first is the security 
>considerations, the second is the operational/management 
>considerations.
>
>In the past security issues have been the alpha and omega of PKI. 
>The only justification accepted for a change has been to improve 
>security. So we end up with a whole slew of arbitrary operational 
>constraints and then wonder why people have such difficulty 
>deploying and maintaining these systems.
>
>If we want to deploy new algorithms we have to decouple the OCSP and 
>Cert issuing infrastructures, otherswise we will perpetually be in 
>situations where we are waiting for an evolution in one 
>infrastructure before a change can be made in the other.

Fully agree up to here.

>We have to get PKIX in order before we start proposing work for the 
>TLS group. Than means making OCSP algorithm agile.

And mostly agree with this. Where I disagree with Phill (I think) is 
what "algorithm agile" means. My reading of OCSP is that it is 
*already* fully algorithm agile.

 From Phill's message at the start of this thread, I think what he 
means is "agile in a way that is not susceptible to downgrade attacks 
by a MITM". The list then went into the design of an anti-downgrade 
revision to OCSP. This is quite similar to the discussion we had in 
the DKIM WG on a very similar topic.

The most important feature of these attacks is that Mallory can 
impersonate the OCSP responder by signing a message with a 
compromised algorithm. I contend that this attack is isomorphic to 
the problem of, even with no algorithm agility, Mallory impersonating 
the OCSP responder using a stolen signing key. In fact, the latter 
seems much more likely than the former in the real world.

We haven't even thought about how an OCSP responder could say in an 
unspoofable fashion "here is my legitimate signing key, don't trust 
that stolen key". That is been a non-issue for all these years, 
probably because it is intractable without going out-of-band. The 
compromised-algorithm problem is likely to be just as intractable 
without going out of band. Once we go out of band, the OCSP responder 
simply gives the key and algorithm of the day.

So, can we can safely say that OCSP is algorithm agile without 
needing a solution to the compromised algorithm problem? If not, how 
is the problem different operationally from the stolen-key problem?

--Paul Hoffman, Director
--VPN Consortium

v2.23.0 | Report a Bug | By Email