IETF Logo Mail Archive

Re: [pkix] [Technical Errata Reported] RFC5280 (7164)

Aaron Gable <aaron@letsencrypt.org> Fri, 14 October 2022 23:14 UTC

Return-Path: <aaron@letsencrypt.org>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20547C14CF13 for <pkix@ietfa.amsl.com>; Fri, 14 Oct 2022 16:14:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.434
X-Spam-Level:
X-Spam-Status: No, score=-1.434 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.571, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=1.242, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C7081q4gzHy5 for <pkix@ietfa.amsl.com>; Fri, 14 Oct 2022 16:14:08 -0700 (PDT)
Received: from mail-vs1-xe35.google.com (mail-vs1-xe35.google.com [IPv6:2607:f8b0:4864:20::e35]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 07428C14CF0A for <pkix@ietf.org>; Fri, 14 Oct 2022 16:14:08 -0700 (PDT)
Received: by mail-vs1-xe35.google.com with SMTP id 1so2118784vsx.1 for <pkix@ietf.org>; Fri, 14 Oct 2022 16:14:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=ToJmQWLFi6p50zzFB4vVnRt7mGV/DdeW42oL/tvJsmM=; b=JOY31wM8L2VAlj4IvjpQIcBlt9a8csk+TTpm6/6jwlb3zo/pWj1LwIdLgeMDPUpmtr Nh6S13vCvLYPrGEnpHg2rOvip04WEhgzRrcqlebvBHjzu7OIoSa84XDXe41sOTKbuhV4 HamE/Yw0iJBP9PWoNZRZA3Q8+9vdqNGH+HAkw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ToJmQWLFi6p50zzFB4vVnRt7mGV/DdeW42oL/tvJsmM=; b=RrihdT0Uf+I0EjzATpKjP+mK+s14ySieGquqyFfKFqMCuel0wTQyGORqRWqmUngNKA OozL20gxvxrjlrgogHOJUcynu34YTqRhy1ge7Z+63ZNdQt6HUdNvRJJ5xTtwZq6GjRK4 b3L6kpI8f6x34A+ZWppIbi0fNyeDwQnYCzaQNcip35jbfaZp/eY//xqib51T4FdnhDyp rMo+tvzh+rj7MSc7D7cAsDHjJW0Gf1qhe5VoZrcjscAhunGNYpnL5gl1caMYC7bkpYqR /SuHcUW5ACh/P09mUkSY7Mu0RuPHvjLrzIJkiBF7jkDqNXX9egxmEQrA9RHt/UCt+SYi Dd7g==
X-Gm-Message-State: ACrzQf2HMSsxDM9XbPEJ6EEfB3bE3QkVKYGlrE0c9PNNFv7iei/EmvUm fkpyVJoYw/af4kfkrfFudqkpkTmfOf4FN37tUMaT0g==
X-Google-Smtp-Source: AMsMyM5xvFQSuqg5JmVFooeKk8dz6ypgMs45UDu5XzRMze/tILnI1tNGLlAk3vdX3t4FO8fzoUzOXN44v27lK7xhHdk=
X-Received: by 2002:a67:ee19:0:b0:3a7:d03d:82f2 with SMTP id f25-20020a67ee19000000b003a7d03d82f2mr112769vsp.7.1665789246999; Fri, 14 Oct 2022 16:14:06 -0700 (PDT)
MIME-Version: 1.0
References: <20221014193934.45A8855E27@rfcpa.amsl.com> <f0316f70-a901-1683-8345-8798f702c85b@nist.gov>
In-Reply-To: <f0316f70-a901-1683-8345-8798f702c85b@nist.gov>
From: Aaron Gable <aaron@letsencrypt.org>
Date: Fri, 14 Oct 2022 16:13:56 -0700
Message-ID: <CAEmnErd3LMav5amb_nf+QZza1K85AvOqghMQvTSvH8set5m6cQ@mail.gmail.com>
To: "David A. Cooper" <david.cooper@nist.gov>
Cc: RFC Errata System <rfc-editor@rfc-editor.org>, pkix@ietf.org
Content-Type: multipart/alternative; boundary="00000000000056a6ee05eb06c827"
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/GyQHFirSLIXRezK3cuhS8FEgynQ>
Subject: Re: [pkix] [Technical Errata Reported] RFC5280 (7164)
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Oct 2022 23:14:13 -0000

Ah, interesting. I agree that the distributionPoint URL does not seem
necessary in cases where the CRL contains extensions which fully describe
its scope and inclusion in a scope which can be computed based on fields of
the certificate itself. For example, a CRL with a crlScope extension with a
serialNumberRange indicating that it contains entries for certificates with
even-numbered serials is not vulnerable to substitution attacks because a
relying party can compute whether or not the certificate in question falls
within the scope of the CRL.

But Section 5 explicitly allows CRLs to have scopes which cannot be encoded
using the issuingDistributionPoint, crlScope, or
AAissuingDistributionPoint extensions, such as "all certificates issued to
the NIST employees located in Boulder". And, of course, the
crlScope extension was already deprecated by the time X.509 (08/2005) was
published, removing the ability of even a CRL with a scope like "all
even-numbered serials" to be representable within the CRL itself.

This leads me to believe that the intent of this requirement was to ensure
that all sharded/partitioned/scoped CRLs should have a distributionPoint to
defend against substitution attacks. However, the actual text of the
requirement, via its inclusion of the "within its scope" qualifier, fails
to convey that intent. That is why I suggested this errata in this location.

Aaron

On Fri, Oct 14, 2022 at 1:17 PM David A. Cooper <david.cooper@nist.gov>
wrote:

> I believe that this errata is incorrect. The text from RFC 5280 that is
> proposed to be modified is referring to the distributionPoint field of
> the issuingDistributionPoint extension, whereas the text that is quoted
> from X.509 is referring to the issuingDistributionPoint extension as a
> whole.
>
> X.509 is noting that if there is no extension limiting the scope of the
> CRL, then the scope of the CRL must be all unexpired public-key
> certificates issued by the CRL issuer. The extension limiting the scope
> could be the issuingDistributionPoint extension or it could be some
> other extension (e.g., crlScope or AAissuingDistributionPoint). The text
> from Section 5.2.5 of RFC 5280 is about the case in which the
> issuingDistributionPoint extension is present, but the distributionPoint
> field in that extension is absent, in which case the scope of the CRL is
> presumably limited by some other field in the issuingDistributionPoint
> extension.
>
> The submitter may be correct that RFC 5280 never explicitly says that
> the scope of a CRL must include all unexpired certificates issued by the
> CRL issuer unless the CRL contains an extension (or extensions) that
> limit the scope, but addressing that would involve a different change
> from the one proposed here.
>
> On 10/14/22 12:39 PM, RFC Errata System wrote:
> > The following errata report has been submitted for RFC5280,
> > "Internet X.509 Public Key Infrastructure Certificate and Certificate
> Revocation List (CRL) Profile".
> >
> > --------------------------------------
> > Type: Technical
> > Reported by: Aaron Gable <aaron@letsencrypt.org>
> >
> > Section: 5.2.5
> >
> > Original Text
> > -------------
> >     If the distributionPoint field is absent, the CRL MUST contain
> >     entries for all revoked unexpired certificates issued by the CRL
> >     issuer, if any, within the scope of the CRL.
> >
> > Corrected Text
> > --------------
> >     If the distributionPoint field is absent, the CRL MUST contain
> >     entries for all revoked unexpired certificates issued by the CRL
> >     issuer.
> >
> > Notes
> > -----
> > The removed phrase does not appear in the original text that this
> requirement is derived from, ITU-T Rec. X.509 (08/2005) Section 8.6.2.2:
> "If the issuing distribution point field, the AA issuing distribution point
> field, and the CRL scope field are all absent, the CRL shall contain
> entries for all revoked unexpired public-key certificates issued by the CRL
> issuer."
> >
> > The removed phrase does not serve to create a stricter requirement;
> rather it creates a looser requirement which allows a CRL which does
> contain entries for all revoked unexpired certificates *within its scope*
> to not include the distributionPoint field. Given that the
> distributionPoint field serves an important security purpose in preventing
> substitution attacks, it is unlikely that this loosening was the intent of
> the original authors.
> >
> > Instructions:
> > -------------
> > This erratum is currently posted as "Reported". If necessary, please
> > use "Reply All" to discuss whether it should be verified or
> > rejected. When a decision is reached, the verifying party
> > can log in to change the status and edit the report, if necessary.
> >
> > --------------------------------------
> > RFC5280 (draft-ietf-pkix-rfc3280bis-11)
> > --------------------------------------
> > Title               : Internet X.509 Public Key Infrastructure
> Certificate and Certificate Revocation List (CRL) Profile
> > Publication Date    : May 2008
> > Author(s)           : D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R.
> Housley, W. Polk
> > Category            : PROPOSED STANDARD
> > Source              : Public-Key Infrastructure (X.509)
> > Area                : Security
> > Stream              : IETF
> > Verifying Party     : IESG
>
>
>

v2.23.0 | Report a Bug | By Email