RE: OCSP Algorithm Agility
Paul Hoffman <paul.hoffman@vpnc.org> Fri, 21 September 2007 18:05 UTC
Return-path: <owner-ietf-pkix@mail.imc.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IYmsI-0002Cn-M3 for pkix-archive@lists.ietf.org; Fri, 21 Sep 2007 14:05:10 -0400
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IYms7-0001OA-CE for pkix-archive@lists.ietf.org; Fri, 21 Sep 2007 14:05:00 -0400
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l8LHFBQ8071574 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 21 Sep 2007 10:15:11 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l8LHFBoW071573; Fri, 21 Sep 2007 10:15:11 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from [165.227.249.200] (dsl-63-249-108-169.cruzio.com [63.249.108.169]) (authenticated bits=0) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l8LHF9C1071565 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ietf-pkix@imc.org>; Fri, 21 Sep 2007 10:15:10 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0
Message-Id: <p0624080ec319a977190d@[165.227.249.200]>
In-Reply-To: <2788466ED3E31C418E9ACC5C3166155703DF57@mou1wnexmb09.vcorp.ad.vrsn.com>
References: <2788466ED3E31C418E9ACC5C3166155703DF57@mou1wnexmb09.vcorp.ad.vrsn.com>
Date: Fri, 21 Sep 2007 10:15:06 -0700
To: ietf-pkix@imc.org
From: Paul Hoffman <paul.hoffman@vpnc.org>
Subject: RE: OCSP Algorithm Agility
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 3e15cc4fdc61d7bce84032741d11c8e5
At 7:04 AM -0700 9/21/07, Hallam-Baker, Phillip wrote: >The way I see it, the process of transition from one algorithm to >another has two sets of constraints, the first is the security >considerations, the second is the operational/management >considerations. > >In the past security issues have been the alpha and omega of PKI. >The only justification accepted for a change has been to improve >security. So we end up with a whole slew of arbitrary operational >constraints and then wonder why people have such difficulty >deploying and maintaining these systems. > >If we want to deploy new algorithms we have to decouple the OCSP and >Cert issuing infrastructures, otherswise we will perpetually be in >situations where we are waiting for an evolution in one >infrastructure before a change can be made in the other. Fully agree up to here. >We have to get PKIX in order before we start proposing work for the >TLS group. Than means making OCSP algorithm agile. And mostly agree with this. Where I disagree with Phill (I think) is what "algorithm agile" means. My reading of OCSP is that it is *already* fully algorithm agile. From Phill's message at the start of this thread, I think what he means is "agile in a way that is not susceptible to downgrade attacks by a MITM". The list then went into the design of an anti-downgrade revision to OCSP. This is quite similar to the discussion we had in the DKIM WG on a very similar topic. The most important feature of these attacks is that Mallory can impersonate the OCSP responder by signing a message with a compromised algorithm. I contend that this attack is isomorphic to the problem of, even with no algorithm agility, Mallory impersonating the OCSP responder using a stolen signing key. In fact, the latter seems much more likely than the former in the real world. We haven't even thought about how an OCSP responder could say in an unspoofable fashion "here is my legitimate signing key, don't trust that stolen key". That is been a non-issue for all these years, probably because it is intractable without going out-of-band. The compromised-algorithm problem is likely to be just as intractable without going out of band. Once we go out of band, the OCSP responder simply gives the key and algorithm of the day. So, can we can safely say that OCSP is algorithm agile without needing a solution to the compromised algorithm problem? If not, how is the problem different operationally from the stolen-key problem? --Paul Hoffman, Director --VPN Consortium
- OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Stefan Santesson
- RE: OCSP Algorithm Agility Michael Myers
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Michael Myers
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Andrews, Rick
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Andrews, Rick
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Paul Hoffman
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Stefan Santesson
- RE: OCSP Algorithm Agility Stephen Kent
- RE: OCSP Algorithm Agility Stefan Santesson
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Paul Hoffman
- RE: OCSP Algorithm Agility Stephen Kent
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Paul Hoffman
- RE: OCSP Algorithm Agility Andrews, Rick
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Seth Hitchings
- RE: OCSP Algorithm Agility Stefan Santesson
- RE: OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Santosh Chokhani