Re: [pkix] a question of cert (and OCSP) extension syntax

Massimiliano Pala <director@openca.org> Fri, 27 March 2015 17:45 UTC

Return-Path: <director@openca.org>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2624C1A88CA for <pkix@ietfa.amsl.com>; Fri, 27 Mar 2015 10:45:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.093
X-Spam-Level: **
X-Spam-Status: No, score=2.093 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FH_HOST_EQ_D_D_D_D=0.765, HELO_MISMATCH_NET=0.611, HOST_EQ_IT=1.245, HOST_EQ_STATICB=1.372, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id buZviTETCaaD for <pkix@ietfa.amsl.com>; Fri, 27 Mar 2015 10:45:09 -0700 (PDT)
Received: from server.hackmasters.net (static-217-133-36-163.clienti.tiscali.it [217.133.36.163]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF8911A88F8 for <pkix@ietf.org>; Fri, 27 Mar 2015 10:45:06 -0700 (PDT)
Received: from nyc.openca.org (unknown [192.168.101.1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by server.hackmasters.net (Postfix) with ESMTPS id 317A84125C for <pkix@ietf.org>; Fri, 27 Mar 2015 18:45:04 +0100 (CET)
Received: from localhost (unknown [127.0.0.1]) by nyc.openca.org (Postfix) with ESMTP id B9ACE154CB92 for <pkix@ietf.org>; Fri, 27 Mar 2015 17:45:02 +0000 (UTC)
X-Virus-Scanned: amavisd-new at openca.org
Received: from nyc.openca.org ([127.0.0.1]) by localhost (blackmamba.openca.dyndns.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EORa3-XMwx8r for <pkix@ietf.org>; Fri, 27 Mar 2015 13:44:54 -0400 (EDT)
Received: from dhcp-b0a0.meeting.ietf.org (dhcp-b0a0.meeting.ietf.org [31.133.176.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by nyc.openca.org (Postfix) with ESMTPSA id 8296F154C668 for <pkix@ietf.org>; Fri, 27 Mar 2015 13:44:54 -0400 (EDT)
Message-ID: <55159714.1070902@openca.org>
Date: Fri, 27 Mar 2015 12:44:52 -0500
From: Massimiliano Pala <director@openca.org>
Organization: OpenCA Labs
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: pkix@ietf.org
References: <9A043F3CF02CD34C8E74AC1594475C73AAFB6418@uxcn10-5.UoA.auckland.ac.nz> <C961CE34-4F55-4B11-86D7-1566B701911D@seantek.com> <5512C9C7.70202@comodo.com>
In-Reply-To: <5512C9C7.70202@comodo.com>
Content-Type: multipart/alternative; boundary="------------040003010103060206020508"
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/76wIANC0Sk404jih_kR35cqg2fE>
Subject: Re: [pkix] a question of cert (and OCSP) extension syntax
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Mar 2015 17:45:15 -0000

Hi Rob, all,

coming to your question: the extension /*will not break compatibility as 
long as it is not marked critical*/. However, there might be some 
aspects you want to think a bit more deeply about before taking a decision.

This said, I think that the text written in section 3.4.2 is wrong and 
needs to be replaced.

In particular, the argument about the encoding is weird - from the I-D:

        One or more SCTs can be embedded in an X.509v3 extension that is
        included in a certificate or an OCSP response.  Since RFC5280
        requires the "extnValue" field (an OCTET STRING) of each X.509v3
        extension to include the DER encoding of an ASN.1 value, we cannot
        embed a "SignedCertificateTimestampList" directly.  Instead, we have
        to wrap it inside an additional OCTET STRING (see below), which we
        then put into the "extnValue" field.

In my opinion, this text should be removed (trying to justify the use of 
a data type in the encoding because you do not want to define the 
required structure in ASN.1 does not really look.. good in an I-D, I am 
surprised it is even there).

However, more considerations are required here. If you want the 
extension to have a non-ASN.1 structure it is fine, but that will have 
implication over the (format) compliance of data in the certificate. 
This was marginally mentioned in previous posts, but it seems it 
requires a more explicit explanation since it was not well understood.

In particular, from a parsing perspective, when using the proposed 
encoding, the client will not perform any validation over the contents 
of the extension since this is just a blob. Usually this type of 
encoding is used for binary contents that have no internal structure 
(e.g., a value of a key or a digest), but it is usually avoided for 
complex types (again, to provide format validation of the contents).

The real question here is: are you willing to live with not validating 
the format of the content of the extension when the extension is 
actually parsed? Are you considering the possible attack vectors that 
can derive from that (i.e. allowing custom contents in the extension)? I 
hope you already discussed these aspects before proposing the extension. 
If not, my suggestion is to go back to the drawing board and seriously 
considering these aspects. If you go ahead with the current choice, I 
would suggest to remove the 3.4.2 text and add some considerations about 
it in the security considerations section (although, in that case I 
would STRONGLY suggest to revisit your choice).

This is usually a good rule of thumb when it comes to adding extensions.

Another operational consideration that was pointed out is about 
debugging the bits on the wire. If you use ASN.1 structures, standard 
network tools can parse the extension properly - however, again, this 
will not be the case for OCTET STRING blobs. Thus, debugging of the 
extension (in case of issues) can only happen at the end points (where 
the extension parser is available), not on the wire.

I hope this helps clarifying the issues with the current proposal.

Just my 2 cents.

Cheers,
Max


On 3/25/15 9:44 AM, Rob Stradling wrote:
> On 25/03/15 14:20, Sean Leonard wrote:
>> On Mar 18, 2015, at 2:10 AM, Peter Gutmann 
>> <pgut001@cs.auckland.ac.nz> wrote:
>>
>>> Melinda Shore <melinda.shore@gmail.com> writes:
>>>
>>>> it's what's in the document until someone can either point to some 
>>>> normative
>>>> specification that it violates or can point to something that 
>>>> actually would
>>>> break.
>>>
>>> This isn't a case of standards rules-lawyering though (in any case 
>>> the PKIX
>>> spec is flexible enough that you can stuff anything you want into a
>>> certificate if you interpret things just right, see the famous 
>>> MPEG-of-cat
>>> quote), it's that this is creating a situation where an *X.509 
>>> standards-
>>> compliant certificate* contains data that can't be processed by an 
>>> *X.509
>>> standards-compliant certificate application*.
>>
>> I agree with Peter. Keep the encoding as ASN.1 for this extension. It 
>> is not particularly onerous, and it preserves compatibility for other 
>> applications.
>
> How exactly might the certificate extension we're talking about [1] 
> break compatibility with other applications?
>
> The Subject Key Identifier extension uses the exact same ASN.1 syntax 
> (the content of the extension is a plain OCTET STRING). RFC5280 does 
> not require applications to recognize this extension.
>
> I'm not aware of any applications that choke on the Subject Key 
> Identifier extension, so why should we expect any to choke on the 
> 6962-bis extension?
>
>
> [1] 
> https://datatracker.ietf.org/doc/draft-ietf-trans-rfc6962-bis/?include_text=1
>   Sections 3.4.2 and 3.4.2.2
>