Re: [pkix] Fixing OCSP agility
Phillip Hallam-Baker <hallam@gmail.com> Sat, 06 November 2010 04:23 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: pkix@core3.amsl.com
Delivered-To: pkix@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A62B63A6809 for <pkix@core3.amsl.com>; Fri, 5 Nov 2010 21:23:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.577
X-Spam-Level:
X-Spam-Status: No, score=-2.577 tagged_above=-999 required=5 tests=[AWL=0.022, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BgnwzU4aoegl for <pkix@core3.amsl.com>; Fri, 5 Nov 2010 21:23:24 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id 60E1C3A67FE for <pkix@ietf.org>; Fri, 5 Nov 2010 21:23:24 -0700 (PDT)
Received: by iwn40 with SMTP id 40so3639572iwn.31 for <pkix@ietf.org>; Fri, 05 Nov 2010 21:23:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=HAMLV4QZn1AOg3ITSPajI+kE1GphO0dq/Kov2rm+Q7w=; b=pCjluPYemMoEDs7ISiU+kRwg/k04427MB+dTzs930J/0m9kkE7TGRqcB92Si23yC/t ChCa+xUywWXEwIcZVBrHKze8jzc2Z9glj9yPg+6eUPG/ARp4DhOYI/MrIZMWiIG1w9AF EOn4Dvv/uI9YsNFt1LMdyzCWtZE+lvsBtu0fc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=BEJOeV8wQQGIuRQjDBvuw6b8zdQBIAB61NKLTVMcqymnSWVgBoTqZQI/p8IViPxipX T0h1xeTkvpE4bOXy/AdFl12wrd5505plbwLa1WJ0KK66zHJLzAuE+raT0hqn3PU7hm3M eNIL+q94a0/A401KJTaxzTDfK4Bkt2H5WPXtI=
MIME-Version: 1.0
Received: by 10.42.166.6 with SMTP id m6mr157248icy.342.1289017418533; Fri, 05 Nov 2010 21:23:38 -0700 (PDT)
Received: by 10.42.77.4 with HTTP; Fri, 5 Nov 2010 21:23:38 -0700 (PDT)
In-Reply-To: <AANLkTi=XoQsBY7+DNfXhcN-fJDJRTxijKEqHHSuz7+Qw@mail.gmail.com>
References: <000501cb53d2$de9c3d90$9bd4b8b0$@augustcellars.com> <C8D4F43D.FD4C%stefan@aaa-sec.com> <AANLkTi=XoQsBY7+DNfXhcN-fJDJRTxijKEqHHSuz7+Qw@mail.gmail.com>
Date: Sat, 06 Nov 2010 00:23:38 -0400
Message-ID: <AANLkTimqT8v4N+YGidFCLPcBG9ddSc9zJ_vuoxWKMGCV@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Stefan Santesson <stefan@aaa-sec.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: pkix@ietf.org, Jim Schaad <ietf@augustcellars.com>
Subject: Re: [pkix] Fixing OCSP agility
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Nov 2010 04:23:25 -0000
Again, I have still not had any reply. On Thu, Oct 14, 2010 at 12:36 AM, Phillip Hallam-Baker <hallam@gmail.com> wrote: > I posted this on Sept 13th but did not get any reply either. > > I had some pushback from our technical/product management folk at Comodo who > reviewed this pointed out that we are not solving algorithm agility issues > associated with the OCSPRequest->CertID->hashAlgorithm > This situation is worse than I thought as the OCSP spec does not actually > consider the case of what to do if the CertID algorithm presented is > unknown. The only thing that the responder can do is report 'unknown'. The > OCSP spec does not distinguish between 'unknown cert' and 'unknown hash > algorithm'. > > Now this does not matter at all at the moment since SHA1 is perfectly > adequate as a hash function, it is only inadequate as a cryptographic > digest. And in any case we definitely do not want to upgrade from SHA1 to > SHA256 for this specific purpose. We would want to hop straight from SHA1 to > SHA3. > I suggest a fix as follows: > 1) Define an OCSP response extension as follows: > > id-pkix-ocsp-certid-hashAlgorithm-Unkown OBJECT IDENTIFIER ::= { > id-pkix-ocsp TBS } > > AcceptableCertIDHashAlgorithms ::= SEQUENCE OF OBJECT IDENTIFIER > > This means that in ten years time when we have people telling us that we > have to stop using SHA1 and show that we are not using it, that we will at > least have a means of tracking the error. > While the use of SHA1 for this purpose is safe, it is not inexpensive if you > are running systems in a regulated environment with a requirement for annual > audits. Every use of an obsolete crypto alg is going to mean auditor time. > > 2) Note in the security considerations > Note that SHA1 is also used for OCSPRequest->CertID->hashAlgorithm > Note that this purpose has been reviewed and is considered safe since there > is negligible chance of an accidental collision and the existence of a > deliberate collision would at worst cause a response for the wrong cert > which would in turn mean the response did not match and chain validation > would fail which is probably what you SHOULD want in that particular case. > > On Fri, Oct 8, 2010 at 10:15 AM, Stefan Santesson <stefan@aaa-sec.com> > wrote: >> >> I would like to know who favors using the S/MIME Capabilities way of >> specifying preferred algorithm instead of algorithmIdentifier? >> >> I have no problem using S/MIME Capability if that makes things clearer. >> The ASN.1 syntax is the same for these. The only thing that differs is the >> rules regarding parameters and potentially they may use different OIDs for >> the same algorithm even though neither I nor Jim can think of one that >> differs of the algorithms we normally are interested in. >> >> It would be good to determine this now and move on with a new WG last >> call. >> >> /Stefan >> >> >> >> On 10-09-14 8:05 AM, "Jim Schaad" <ietf@augustcellars.com> wrote: >> >> > Stefan, >> > >> > >> > >> > The big difference between using the algorithm identifier and the S/MIME >> > Capability is a question of what is placed in the parameters field. >> > Thus >> > for example the signature algorithm for RSA-PKCS#1 uses a NULL for the >> > parameters field while the S/MIME Capability uses an empty parameter >> > field. >> > The parameters are supposed to only be present in the S/MIME Capability >> > when >> > they are needed to differentiate between different levels or pieces of >> > an >> > algorithm. (The classic one being the effective key length of RC2.) >> > >> > >> > >> > We chose not to include the hash algorithm in RSA-PSS but could have >> > re-defined the S/MIME Capability parameters for this algorithm to have >> > been >> > a sequence of hash algorithms and a sequence of masking functions that >> > specified which ones were supported. >> > >> > >> > >> > In every case that I can currently remember, the OID is actually the >> > same >> > between the algorithm identifier and the s/mime capability. The weasel >> > wording was put in place to deal with the fact that originally the same >> > OID >> > was being used to identify both the RSA-PKCS#1 signature algorithm and >> > the >> > RSA public key. (The RSA public key OID being used in both locations.) >> > This is no longer an acceptable practice. >> > >> > >> > >> > Jim >> > >> > >> > >> > >> > >> > From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of >> > Stefan Santesson >> > Sent: Tuesday, September 07, 2010 5:07 AM >> > To: pkix@ietf.org >> > Subject: [pkix] Fixing OCSP agility >> > >> > >> > >> > At the last IETF meeting it was concluded that the OCSP Agility draft >> > needed >> > another round in the WG with a new WG Last Call. >> > >> > http://tools.ietf.org/html/draft-ietf-pkix-ocspagility-09 >> > >> > Generally people were unhappy with the specified solution for specifying >> > signature algorithms with specific parameter constraints. >> > Jim has suggested to use the SMIME capabilities form instead. >> > >> > The current structure for algorithm preferences in ocspagility is: >> > >> > PreferredSignatureAlgorithms ::= SEQUENCE OF >> > PreferredSignatureAlgorithm >> > >> > PreferredSignatureAlgorithm ::= SEQUENCE { >> > sigIdentifier AlgorithmIdentifier, >> > certIdentifier AlgorithmIdentifier OPTIONAL >> > } >> > >> > The structure of SMIME Capabilities is: >> > >> > SMIMECapabilities ::= SEQUENCE OF SMIMECapability >> > >> > SMIMECapability ::= SEQUENCE { >> > capabilityID OBJECT IDENTIFIER, >> > parameters ANY DEFINED BY capabilityID OPTIONAL } >> > >> > >> > AlgorithmIdentifier has the same syntax as SMIME Capabilities, being: >> > >> > AlgorithmIdentifier ::= SEQUENCE { >> > algorithm OBJECT IDENTIFIER, >> > parameters ANY DEFINED BY algorithm OPTIONAL } >> > >> > >> > So one could ask what the benefit here is. >> > >> > The difference to my understanding lies in the assignment of algorithm >> > OIDs >> > and their parameters dependent on whether this is a pure signature >> > algorithm >> > OID, a public key algorithm OID or whether it is an OID for >> > SMIMECapabilites >> > (which SHOULD be the algorithm OID). >> > >> > RFC 5751 (SMIME Capabilities 2.5.2): >> > "The OIDs that correspond to algorithms SHOULD use the same OID as >> > the >> > actual algorithm, except in the case where the algorithm usage is >> > ambiguous from the OID." >> > >> > I would like to have your opinion on how we should resolve this issue so >> > we >> > can move on. >> > >> > /Stefan >> > >> >> >> _______________________________________________ >> pkix mailing list >> pkix@ietf.org >> https://www.ietf.org/mailman/listinfo/pkix > > > > -- > Website: http://hallambaker.com/ > > -- Website: http://hallambaker.com/
- [pkix] Fixing OCSP agility Stefan Santesson
- Re: [pkix] Fixing OCSP agility Phillip Hallam-Baker
- Re: [pkix] Fixing OCSP agility Jim Schaad
- Re: [pkix] Fixing OCSP agility Stefan Santesson
- Re: [pkix] Fixing OCSP agility Denis Pinkas
- Re: [pkix] Fixing OCSP agility Stefan Santesson
- Re: [pkix] Fixing OCSP agility Denis Pinkas
- Re: [pkix] Fixing OCSP agility Phillip Hallam-Baker
- Re: [pkix] Fixing OCSP agility Phillip Hallam-Baker
- Re: [pkix] Fixing OCSP agility Stefan Santesson
- Re: [pkix] Fixing OCSP agility Miller, Timothy J.
- Re: [pkix] Fixing OCSP agility Stefan Santesson
- Re: [pkix] Fixing OCSP agility Jim Schaad
- Re: [pkix] Fixing OCSP agility Stefan Santesson
- Re: [pkix] Fixing OCSP agility Miller, Timothy J.
- Re: [pkix] Fixing OCSP agility Rob Stradling
- Re: [pkix] Fixing OCSP agility Phillip Hallam-Baker
- Re: [pkix] Fixing OCSP agility Phillip Hallam-Baker
- Re: [pkix] Fixing OCSP agility Rob Stradling