Re: [pkix] a question of cert (and OCSP) extension syntax
Massimiliano Pala <director@openca.org> Fri, 27 March 2015 17:45 UTC
Return-Path: <director@openca.org>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2624C1A88CA for <pkix@ietfa.amsl.com>; Fri, 27 Mar 2015 10:45:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.093
X-Spam-Level: **
X-Spam-Status: No, score=2.093 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FH_HOST_EQ_D_D_D_D=0.765, HELO_MISMATCH_NET=0.611, HOST_EQ_IT=1.245, HOST_EQ_STATICB=1.372, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id buZviTETCaaD for <pkix@ietfa.amsl.com>; Fri, 27 Mar 2015 10:45:09 -0700 (PDT)
Received: from server.hackmasters.net (static-217-133-36-163.clienti.tiscali.it [217.133.36.163]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF8911A88F8 for <pkix@ietf.org>; Fri, 27 Mar 2015 10:45:06 -0700 (PDT)
Received: from nyc.openca.org (unknown [192.168.101.1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by server.hackmasters.net (Postfix) with ESMTPS id 317A84125C for <pkix@ietf.org>; Fri, 27 Mar 2015 18:45:04 +0100 (CET)
Received: from localhost (unknown [127.0.0.1]) by nyc.openca.org (Postfix) with ESMTP id B9ACE154CB92 for <pkix@ietf.org>; Fri, 27 Mar 2015 17:45:02 +0000 (UTC)
X-Virus-Scanned: amavisd-new at openca.org
Received: from nyc.openca.org ([127.0.0.1]) by localhost (blackmamba.openca.dyndns.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EORa3-XMwx8r for <pkix@ietf.org>; Fri, 27 Mar 2015 13:44:54 -0400 (EDT)
Received: from dhcp-b0a0.meeting.ietf.org (dhcp-b0a0.meeting.ietf.org [31.133.176.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by nyc.openca.org (Postfix) with ESMTPSA id 8296F154C668 for <pkix@ietf.org>; Fri, 27 Mar 2015 13:44:54 -0400 (EDT)
Message-ID: <55159714.1070902@openca.org>
Date: Fri, 27 Mar 2015 12:44:52 -0500
From: Massimiliano Pala <director@openca.org>
Organization: OpenCA Labs
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: pkix@ietf.org
References: <9A043F3CF02CD34C8E74AC1594475C73AAFB6418@uxcn10-5.UoA.auckland.ac.nz> <C961CE34-4F55-4B11-86D7-1566B701911D@seantek.com> <5512C9C7.70202@comodo.com>
In-Reply-To: <5512C9C7.70202@comodo.com>
Content-Type: multipart/alternative; boundary="------------040003010103060206020508"
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/76wIANC0Sk404jih_kR35cqg2fE>
Subject: Re: [pkix] a question of cert (and OCSP) extension syntax
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Mar 2015 17:45:15 -0000
Hi Rob, all, coming to your question: the extension /*will not break compatibility as long as it is not marked critical*/. However, there might be some aspects you want to think a bit more deeply about before taking a decision. This said, I think that the text written in section 3.4.2 is wrong and needs to be replaced. In particular, the argument about the encoding is weird - from the I-D: One or more SCTs can be embedded in an X.509v3 extension that is included in a certificate or an OCSP response. Since RFC5280 requires the "extnValue" field (an OCTET STRING) of each X.509v3 extension to include the DER encoding of an ASN.1 value, we cannot embed a "SignedCertificateTimestampList" directly. Instead, we have to wrap it inside an additional OCTET STRING (see below), which we then put into the "extnValue" field. In my opinion, this text should be removed (trying to justify the use of a data type in the encoding because you do not want to define the required structure in ASN.1 does not really look.. good in an I-D, I am surprised it is even there). However, more considerations are required here. If you want the extension to have a non-ASN.1 structure it is fine, but that will have implication over the (format) compliance of data in the certificate. This was marginally mentioned in previous posts, but it seems it requires a more explicit explanation since it was not well understood. In particular, from a parsing perspective, when using the proposed encoding, the client will not perform any validation over the contents of the extension since this is just a blob. Usually this type of encoding is used for binary contents that have no internal structure (e.g., a value of a key or a digest), but it is usually avoided for complex types (again, to provide format validation of the contents). The real question here is: are you willing to live with not validating the format of the content of the extension when the extension is actually parsed? Are you considering the possible attack vectors that can derive from that (i.e. allowing custom contents in the extension)? I hope you already discussed these aspects before proposing the extension. If not, my suggestion is to go back to the drawing board and seriously considering these aspects. If you go ahead with the current choice, I would suggest to remove the 3.4.2 text and add some considerations about it in the security considerations section (although, in that case I would STRONGLY suggest to revisit your choice). This is usually a good rule of thumb when it comes to adding extensions. Another operational consideration that was pointed out is about debugging the bits on the wire. If you use ASN.1 structures, standard network tools can parse the extension properly - however, again, this will not be the case for OCTET STRING blobs. Thus, debugging of the extension (in case of issues) can only happen at the end points (where the extension parser is available), not on the wire. I hope this helps clarifying the issues with the current proposal. Just my 2 cents. Cheers, Max On 3/25/15 9:44 AM, Rob Stradling wrote: > On 25/03/15 14:20, Sean Leonard wrote: >> On Mar 18, 2015, at 2:10 AM, Peter Gutmann >> <pgut001@cs.auckland.ac.nz> wrote: >> >>> Melinda Shore <melinda.shore@gmail.com> writes: >>> >>>> it's what's in the document until someone can either point to some >>>> normative >>>> specification that it violates or can point to something that >>>> actually would >>>> break. >>> >>> This isn't a case of standards rules-lawyering though (in any case >>> the PKIX >>> spec is flexible enough that you can stuff anything you want into a >>> certificate if you interpret things just right, see the famous >>> MPEG-of-cat >>> quote), it's that this is creating a situation where an *X.509 >>> standards- >>> compliant certificate* contains data that can't be processed by an >>> *X.509 >>> standards-compliant certificate application*. >> >> I agree with Peter. Keep the encoding as ASN.1 for this extension. It >> is not particularly onerous, and it preserves compatibility for other >> applications. > > How exactly might the certificate extension we're talking about [1] > break compatibility with other applications? > > The Subject Key Identifier extension uses the exact same ASN.1 syntax > (the content of the extension is a plain OCTET STRING). RFC5280 does > not require applications to recognize this extension. > > I'm not aware of any applications that choke on the Subject Key > Identifier extension, so why should we expect any to choke on the > 6962-bis extension? > > > [1] > https://datatracker.ietf.org/doc/draft-ietf-trans-rfc6962-bis/?include_text=1 > Sections 3.4.2 and 3.4.2.2 >
- [pkix] a question of cert (and OCSP) extension sy… Stephen Kent
- Re: [pkix] a question of cert (and OCSP) extensio… Peter Gutmann
- Re: [pkix] a question of cert (and OCSP) extensio… Manger, James
- Re: [pkix] a question of cert (and OCSP) extensio… Rob Stradling
- Re: [pkix] a question of cert (and OCSP) extensio… Peter Gutmann
- Re: [pkix] a question of cert (and OCSP) extensio… Melinda Shore
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- Re: [pkix] a question of cert (and OCSP) extensio… Denis
- Re: [pkix] a question of cert (and OCSP) extensio… Stephen Kent
- Re: [pkix] a question of cert (and OCSP) extensio… Sean Leonard
- Re: [pkix] a question of cert (and OCSP) extensio… Sean Leonard
- Re: [pkix] a question of cert (and OCSP) extensio… Rob Stradling
- [pkix] update on ITU-T Public-key infrastructure:… Tony Rutkowski
- Re: [pkix] update on ITU-T Public-key infrastruct… Erik Andersen
- Re: [pkix] update on ITU-T Public-key infrastruct… George Michaelson
- Re: [pkix] a question of cert (and OCSP) extensio… Massimiliano Pala
- Re: [pkix] a question of cert (and OCSP) extensio… Massimiliano Pala
- Re: [pkix] a question of cert (and OCSP) extensio… Rob Stradling
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- [pkix] Cryptographic Message Syntax Tony Rutkowski
- Re: [pkix] a question of cert (and OCSP) extensio… Russ Housley
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- Re: [pkix] a question of cert (and OCSP) extensio… Russ Housley
- Re: [pkix] Cryptographic Message Syntax Russ Housley
- Re: [pkix] a question of cert (and OCSP) extensio… Yoav Nir
- Re: [pkix] a question of cert (and OCSP) extensio… Sean Leonard
- Re: [pkix] a question of cert (and OCSP) extensio… Peter Yee
- Re: [pkix] a question of cert (and OCSP) extensio… Stephen Farrell
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- Re: [pkix] a question of cert (and OCSP) extensio… Russ Housley
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- Re: [pkix] a question of cert (and OCSP) extensio… Melinda Shore
- Re: [pkix] a question of cert (and OCSP) extensio… Santosh Chokhani
- Re: [pkix] a question of cert (and OCSP) extensio… Peter Yee
- Re: [pkix] a question of cert (and OCSP) extensio… Melinda Shore
- Re: [pkix] a question of cert (and OCSP) extensio… Eric Rescorla