Re: [pkix] DER encoding in RFC 3161

Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 11 August 2020 03:58 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "Manger, James" <James.H.Manger@team.telstra.com>, "mrex@sap.com" <mrex@sap.com>
CC: "pkix@ietf.org" <pkix@ietf.org>, Phillip Hallam-Baker <phill@hallambaker.com>, Koichi Sugimoto <koichi.sugimoto=40globalsign.com@dmarc.ietf.org>
Thread-Topic: [pkix] DER encoding in RFC 3161
Date: Tue, 11 Aug 2020 03:58:27 +0000
Message-ID: <1597118311197.91455@cs.auckland.ac.nz>
References: <PS1PR03MB48921EE23E93434559DF1ECE9D730@PS1PR03MB4892.apcprd03.prod.outlook.com> <CAMm+LwhdgfkbwXrfX8yiK3UDJRGOGzMJ2mXuyKqZWTdGbBE6gQ@mail.gmail.com> <20200803152056.014E9404B@ld9781.wdf.sap.corp> <1596535762003.26579@cs.auckland.ac.nz>, <20200810181053.AB421404B@ld9781.wdf.sap.corp> <1597111968117.61312@cs.auckland.ac.nz>, <ME2PR01MB3011431F8DD66E5BC832A668E5450@ME2PR01MB3011.ausprd01.prod.outlook.com>
In-Reply-To: <ME2PR01MB3011431F8DD66E5BC832A668E5450@ME2PR01MB3011.ausprd01.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/NA5NYoI4JUuIQDx1n16kVvq4kCE>

Manger, James <James.H.Manger@team.telstra.com> writes:

>Such whole-of-cert fingerprints are very widely used, but a slight change of
>context (from an allowlist to a blocklist) can make them unexpectedly
>dangerous.

Sure, but if you're using default-allow (= blocklist), which makes #1 in
"The Six Dumbest Ideas in Computer Security",
https://www.ranum.com/security/computer_security/editorials/dumb/, then your
security mechanism is broken from the start and you need to fix the mechanism
you're using.

(This was debated years ago on this very list: We can't use cert fingerprints
because they're not bug-compatible with the default-allow brokenness of CRLs
et al., which is one reason why after thirty-odd years we're still permanently
stuck behind attackers who can move faster than our blocklists can catch up).

Peter.
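The allowlist-versus-blocklist point above, worked through in code. This is an added example, not code from the thread or from any of its participants. It assumes a toy "certificate" (a constructed DER SEQUENCE of two INTEGERs, not a real X.509 structure) and a second, BER indefinite-length encoding of the same value, standing in for the alternative encodings the thread is discussing. A whole-blob fingerprint used as an allowlist fails closed when the encoding differs (no match, so deny), while the same fingerprint used as a blocklist fails open (no match, so allow). The `to_der` helper is a minimal BER-to-DER re-encoder written for this example (single-byte tags only) to show the usual mitigation: canonicalise before hashing, so the fingerprint keys on the value rather than on one particular serialisation.

```python
import hashlib

# Constructed sample: a toy "certificate" as a DER SEQUENCE { INTEGER 1, INTEGER 42 }.
# Not a real X.509 certificate; it stands in for the bytes a relying party hashes.
DER_CERT = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x2A])
# The same value with an indefinite-length SEQUENCE (0x80 ... 0x00 0x00): valid BER, not DER.
BER_CERT = bytes([0x30, 0x80, 0x02, 0x01, 0x01, 0x02, 0x01, 0x2A, 0x00, 0x00])


def fingerprint(blob: bytes) -> str:
    """Whole-of-blob fingerprint, as commonly used for certificate pinning."""
    return hashlib.sha256(blob).hexdigest()


def allowlist_decision(blob: bytes, allowed: set) -> bool:
    """Default-deny: only a fingerprint we have seen before is accepted."""
    return fingerprint(blob) in allowed


def blocklist_decision(blob: bytes, blocked: set) -> bool:
    """Default-allow: anything not explicitly listed is accepted."""
    return fingerprint(blob) not in blocked


def _read_length(buf: bytes, i: int):
    """Parse a BER length at buf[i]; returns (length, next_index), length None if indefinite."""
    first = buf[i]
    i += 1
    if first < 0x80:
        return first, i
    if first == 0x80:
        return None, i
    n = first & 0x7F
    return int.from_bytes(buf[i:i + n], "big"), i + n


def _encode_length(n: int) -> bytes:
    """DER definite-length encoding (shortest form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def to_der(buf: bytes, i: int = 0):
    """Re-encode one BER TLV starting at buf[i] as DER; returns (der_bytes, next_index).

    Minimal re-encoder for this example: single-byte tags only, and no
    handling of BER's constructed-string forms.
    """
    tag = buf[i]
    i += 1
    constructed = bool(tag & 0x20)
    length, i = _read_length(buf, i)
    if length is None:
        if not constructed:
            raise ValueError("indefinite length is only legal on constructed types")
        parts = []
        while buf[i:i + 2] != b"\x00\x00":          # end-of-contents octets
            child, i = to_der(buf, i)
            parts.append(child)
        content = b"".join(parts)
        i += 2
    else:
        raw = buf[i:i + length]
        i += length
        if constructed:
            parts, j = [], 0
            while j < len(raw):
                child, j = to_der(raw, j)
                parts.append(child)
            content = b"".join(parts)
        else:
            content = raw
    return bytes([tag]) + _encode_length(len(content)) + content, i


def canonical_fingerprint(blob: bytes) -> str:
    """Fingerprint over the DER re-encoding, so equivalent encodings hash alike."""
    der, end = to_der(blob)
    if end != len(blob):
        raise ValueError("trailing bytes after the outer TLV")
    return fingerprint(der)


def canonical_blocklist_decision(blob: bytes, blocked: set) -> bool:
    """Blocklist keyed on the canonical fingerprint."""
    return canonical_fingerprint(blob) not in blocked


if __name__ == "__main__":
    listed = {fingerprint(DER_CERT)}
    print("allowlist, DER :", allowlist_decision(DER_CERT, listed))        # True
    print("allowlist, BER :", allowlist_decision(BER_CERT, listed))        # False (fails closed)
    print("blocklist, DER :", blocklist_decision(DER_CERT, listed))        # False (blocked)
    print("blocklist, BER :", blocklist_decision(BER_CERT, listed))        # True  (fails open)
    print("canonical block:", canonical_blocklist_decision(BER_CERT, listed))  # False
```

The asymmetry is the whole point: a mismatch is harmless under default-deny and fatal under default-allow. Canonicalising the input before hashing narrows the gap, but it only covers the encoding variants the re-encoder understands; keying the list on a stable identity (issuer plus serial, or the subject public key) rather than on the serialised blob is the more robust fix, and default-deny remains the mechanism that does not depend on the list being complete.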