Re: WG Last Call: AIA CRL extension
Denis Pinkas <Denis.Pinkas@bull.net> Wed, 25 May 2005 15:39 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA22304 for <pkix-archive@lists.ietf.org>; Wed, 25 May 2005 11:39:02 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j4PEZxSa022338; Wed, 25 May 2005 07:35:59 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j4PEZxwt022337; Wed, 25 May 2005 07:35:59 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j4PEZvuB022317 for <ietf-pkix@imc.org>; Wed, 25 May 2005 07:35:58 -0700 (PDT) (envelope-from Denis.Pinkas@bull.net)
Received: from cln-m001.frcl.bull.fr (cln-m001.frcl.bull.fr [129.182.91.40]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id QAA56426; Wed, 25 May 2005 16:50:41 +0200
Received: from bull.net ([129.182.108.120]) by cln-m001.frcl.bull.fr (Lotus Domino Release 5.0.10) with ESMTP id 2005052516352850:1008 ; Wed, 25 May 2005 16:35:28 +0200
Message-ID: <42948D66.7090300@bull.net>
Date: Wed, 25 May 2005 16:36:22 +0200
From: Denis Pinkas <Denis.Pinkas@bull.net>
Organization: Bull SA.
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en, fr
MIME-Version: 1.0
To: Stefan Santesson <stefans@microsoft.com>, Russ Housley <housley@vigilsec.com>
CC: ietf-pkix@imc.org
Subject: Re: WG Last Call: AIA CRL extension
References: <BF9309599A71984CAC5BAC5ECA6299440272BA48@EUR-MSG-11.europe.corp.microsoft.com>
X-MIMETrack: Itemize by SMTP Server on CLN-M001/FR/BULL(Release 5.0.10 |March 22, 2002) at 25/05/2005 16:35:28, Serialize by Router on CLN-M001/FR/BULL(Release 5.0.10 |March 22, 2002) at 25/05/2005 16:35:33, Serialize complete at 25/05/2005 16:35:33
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Content-Transfer-Encoding: 7bit
Stefan and Russ, > Denis, > I discussed this with Russ and our conclusion is that if this resolves > your last call issues, then we can live with deleting these sentences. If so, my concern is solved. Thanks, Denis PS: Stefan, we do not need to meet anymore next week on this topic, and we can spend more time to enjoy some good food on the French Riviera. :-) > Stefan Santesson > Program Manager, Standards Liaison > Windows Security > > > >>-----Original Message----- >>From: owner-ietf-pkix@mail.imc.org > > [mailto:owner-ietf-pkix@mail.imc.org] > >>On Behalf Of Denis Pinkas >>Sent: den 25 maj 2005 00:47 >>To: Russ Housley >>Cc: ietf-pkix@imc.org >>Subject: Re: WG Last Call: AIA CRL extension >> >> >>Russ, >> >>Two points: >> >>1. The current text in the security considerations section contains >> text which suggest a solution to the problem but which is not. >> At least the two following sentences SHALL be deleted: >> >> " As means of reducing problems and security issues related to > > issuer > >> name collisions, CA names SHOULD be formed in a way that reduce > > the > >> likelihood of name collisions. Implementations validating CRLs >> MUST ensure that the certification path of the target certificate >> and the CRL issuer certification path used to validate the target >> certificate, terminate at the same trust anchor". >> >>2. We strongly agree that 3280bis MUST address this issue and > > currently > >> it does not do it correctly (otherwise we would not have this >> loooong discussion), ... that we can continue within the scope >> of 3280bis. >> >>Denis >> >> >>>Julien & Tom: >>> >>>Two points: >>> >>>1. I understand this scenario. The change that you advocate as a >>>countermeasure will prevent Indirect CRLs from working in scenarios >> > that > >>>are intended. >>> >>>2. This observation has noting to do with the CRL AIA extension. >> > The > >>>attacker is inserting the bogus revocation information into the >>>repository. Any relying party that uses that repository (when using >> > the > >>>CRL AIA extension or any other configuration information to locate >> > it) > >>>will get the bogus revocation information. >>> >>>If this is a concern, then it needs to be addressed in RFC3280bis, >> > not > >>>here. >>> >>>Russ >>> >>>At 12:38 PM 5/24/2005, Julien Stern wrote: >>> >>> >>>>On Tue, May 24, 2005 at 10:36:16AM -0400, Tom Gindin wrote: >>>> >>>>> There is one scenario permitted by the "same trust >>>> > anchor" > >>rule >> >>>>>for CRL signers which seems to me to be a serious security hole. >>>> >>>>Let us >>>> >>>>>assume a valid CA which is a direct subordinate of one of the >>>> > RP's > >>>>trust >>>> >>>>>anchors. This CA issues separate CRL's and ARL's, in a quite >>>> > usual > >>>>way, >>>> >>>>>and issues cross certificates. After months or years of >>>> > operation, > >>it >> >>>>>revokes one of its cross certificates because the subject's >>>> > operator > >>>>has >>>> >>>>>gone rogue. That rogue subject then issues a fraudulent CRL >>>> > Signing > >>>>>certificate with the DN that the superior certificate has been >>>> > using > >>to >> >>>>>sign ARL's, a public key which it has newly generated, and >>>> > various > >>>>>extensions including an SKID. It then issues an updated copy of >>>> > an > >>old >> >>>>>ARL under the fraudulent CRL signer's certificate and with an >>>> > AKID > >>>>>matching the fraudulent signer's SKID. If the rogue can break >>>> > into > >>the >> >>>>>repository where the CRL is expected, this fraudulently issued >>>> > CRL > >>will >> >>>>>probably be validated whether it contains an AIA or not. It will >>>>>certainly pass the "same trust anchor" condition. >>>>> This scenario, in which a rogue CA issues an ARL >>>> > certifiying > >>>>that >>>> >>>>>its primary certificate has not been revoked and gets the ARL >>>> >>>>accepted, is >>>> >>>>>possible under "same trust anchor" but not under "signed by path >>>> >>>>member". >>>> >>>>I agree with the validity of this scenario. I believe this is very >>>>close to the issue I attempted to bring on the list a short time >>> > ago. > >>>>Of course, it assumes the existence of a rogue CA at some point in >>> >>time. >> >>>>Note that the CRL could be directly inserted into a "long term" >>>>signature (according to RFC3126 for example). This does not require >>>>a repository break-in and makes the "attack" even more realistic. >>>> >>>>Regards. >>>> >>>>-- >>>>Julien Stern >>>> >>>> >>>>> Tom Gindin >>>>> >>>>>----- Forwarded by Tom Gindin/Watson/IBM on 05/24/2005 10:13 AM >>>> > ----- > >>>>> >>>>>Tom Gindin >>>>>05/23/2005 10:46 PM >>>>> >>>>> To: wpolk@nist.gov >>>>> cc: housley@vigilsec.com, ietf-pkix@imc.org, >>>> >>kent@bbn.com, >> >>>>>stefans@microsoft.com >>>>> From: Tom Gindin/Watson/IBM@IBMUS >>>>> Subject: Re: WG Last Call: AIA CRL extension >>>>> >>>>> Tim: >>>>> >>>>> I should probably have brought this up earlier, but are >>>> > we > >>>>certain >>>> >>>>>that "same trust anchor" is a strong enough check that the CRL >>>> >>>>signer is >>>> >>>>>the one expected by the issuing CA? While I was not in San Diego >>>> >>when >> >>>>>this wording was included in the 3280 series, I do not really >>>> > think > >>>>that >>>> >>>>>that check is strong enough. I would suggest instead that the >>>> > CRL > >>>>>signer's certificate needs to be directly issued by one of the >>>> > CA's > >>>>in the >>>> >>>>>certification path back to the trust anchor used for the >>>> >>certificate's >> >>>>>verification, or by that anchor itself, unless people have >>>> > practical > >>>>>experience with CA structures which that rule would prohibit. >>>> >>>>Forcing the >>>> >>>>>CRL to be issued by the CA itself (as I understand Denis to have >>>>>suggested) prohibits the reasonable case where the CRL is issued >>>> > by a > >>>>>hierarchical superior, so it is IMHO too strict. >>>>> I am personally not sure, FWIW, that a CRL should be >>>> >>>>permitted to >>>> >>>>>be signed by a second-cousin certificate of the issuer's >>>> >>>>certificate. By >>>> >>>>>analogy to the use of the terms in families, "sibling" >>>> > certificates > >>>>would >>>> >>>>>have the same issuer, "first-cousin" certificates would be issued >>>> > by > >>>>>siblings, and "second-cousin" certificates would be issued by >>>> > first > >>>>>cousins - so they are both three levels down from the same trust >>>> >>>>anchor, >>>> >>>>>or from the last common CA in their paths. This issue is not >>>> > newly > >>>>caused >>>> >>>>>by CRL AIA, since the same issue can arise with CRL's containing >>>> > only > >>>>>AKID. AIA only allows RP's to build a path (whether right or >>>> > wrong) > >>>>more >>>> >>>>>quickly. >>>>> In any case, nothing more than a note in Security >>>> >>>>Considerations >>>> >>>>>is appropriate in any of our RFC's other than 3280 and its >>>> > successor. > >>>>> Tom Gindin >>>>>P.S. - The above views are mine, and not necessarily those of my >>>> >>>>employer >>>> >>>>> >>>>> >>>>> >>>>> >>>>>Tim Polk <tim.polk@nist.gov> >>>>>Sent by: owner-ietf-pkix@mail.imc.org >>>>>05/10/2005 05:27 PM >>>>> >>>>> To: ietf-pkix@imc.org >>>>> cc: kent@bbn.com, stefans@microsoft.com, >>>> >>>>housley@vigilsec.com >>>> >>>>> Subject: WG Last Call: AIA CRL extension >>>>> >>>>> >>>>> >>>>> >>>>>This message initiates working group Last Call for the >>>> > specification > >>>>>"Internet X.509 Public Key Infrastructure: Authority Information >>>> >>Access >> >>>>>CRL >>>>>Extension". While some issues raised in the working group are >>>> >>>>unresolved, >>>> >>>>>the editors believe that rough consensus supports the current >>>>>specification. >>>>> >>>>>The URL for this Internet-Draft is: >>>>> >>>>>http://www.ietf.org/internet-drafts/draft-ietf-pkix-crlaia-01.txt >>>>> >>>>>Last Call will run for (at least) two weeks. That is, Last Call >>>> > will > >>>>not >>>> >>>>>close before May 24. >>>>> >>>>>Thanks, >>>>> >>>>>Tim Polk >>>>> >>>>> >>>>> >>>> >>> >>> >>> > >
- WG Last Call: AIA CRL extension Tim Polk
- Re: WG Last Call: AIA CRL extension Tom Gindin
- Re: WG Last Call: AIA CRL extension Tom Gindin
- Re: WG Last Call: AIA CRL extension Denis Pinkas
- Re: WG Last Call: AIA CRL extension Julien Stern
- Re: WG Last Call: AIA CRL extension Jean-Marc Desperrier
- Re: WG Last Call: AIA CRL extension Russ Housley
- RE: WG Last Call: AIA CRL extension Stefan Santesson
- Re: WG Last Call: AIA CRL extension Julien Stern
- CRL Issue (Was RE: WG Last Call: AIA CRL extensio… Santosh Chokhani
- Re: WG Last Call: AIA CRL extension Denis Pinkas
- Re: CRL Issue (Was RE: WG Last Call: AIA CRL exte… Tom Gindin
- RE: CRL Issue (Was RE: WG Last Call: AIA CRL exte… Santosh Chokhani
- RE: WG Last Call: AIA CRL extension Stefan Santesson
- Re: WG Last Call: AIA CRL extension Denis Pinkas
- Re: WG Last Call: AIA CRL extension Tim Polk
- RE: CRL Issue (Was RE: WG Last Call: AIA CRL exte… Tom Gindin
- RE: CRL Issue (Was RE: WG Last Call: AIA CRL exte… Santosh Chokhani
- RE: CRL Issue (Was RE: WG Last Call: AIA CRL exte… Tom Gindin