Re: Son of RFC3280 path validation rules
"Denis Pinkas" <denis.pinkas@bull.net> Fri, 20 October 2006 09:20 UTC
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GaqYG-0004yw-GH for pkix-archive@lists.ietf.org; Fri, 20 Oct 2006 05:20:28 -0400
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GaqYF-0000yI-0e for pkix-archive@lists.ietf.org; Fri, 20 Oct 2006 05:20:28 -0400
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k9K8T1md076005; Fri, 20 Oct 2006 01:29:01 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k9K8T1n9076004; Fri, 20 Oct 2006 01:29:01 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k9K8T0hM075998 for <ietf-pkix@imc.org>; Fri, 20 Oct 2006 01:29:00 -0700 (MST) (envelope-from denis.pinkas@bull.net)
Received: from MSGA-001.frcl.bull.fr (msga-001.frcl.bull.fr [129.184.87.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id KAA30546 for <ietf-pkix@imc.org>; Fri, 20 Oct 2006 10:31:20 +0200
Received: from frcls4013 ([129.182.108.120]) by MSGA-001.frcl.bull.fr (Lotus Domino Release 5.0.11) with SMTP id 2006102010285871:7236 ; Fri, 20 Oct 2006 10:28:58 +0200
Date: Fri, 20 Oct 2006 10:28:56 +0200
From: Denis Pinkas <denis.pinkas@bull.net>
To: "ietf-pkix@imc.org" <ietf-pkix@imc.org>
Subject: Re: Son of RFC3280 path validation rules
X-mailer: Foxmail 5.0 [-fr-]
Mime-Version: 1.0
X-MIMETrack: Itemize by SMTP Server on MSGA-001/FR/BULL(Release 5.0.11 |July 24, 2002) at 20/10/2006 10:28:58, Serialize by Router on MSGA-001/FR/BULL(Release 5.0.11 |July 24, 2002) at 20/10/2006 10:28:59, Serialize complete at 20/10/2006 10:28:59
Message-ID: <OF9C911E1E.06A28373-ONC125720D.002E992F@frcl.bull.fr>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
X-Spam-Score: 0.5 (/)
X-Scan-Signature: b5d20af10c334b36874c0264b10f59f1
Julien, Your remark is important. >Folks, > >a fairly major difference came up between RFC3280 and son-of-RFC3280 >regarding path validation, namely: > >RFC3280: > > (f) Obtain and validate the certification path for the complete CRL > issuer. If a key usage extension is present in the CRL issuer's > certificate, verify that the cRLSign bit is set. > >son-of-RFC3280: > (f) Obtain and validate the certification path for the issuer of > the complete CRL. The trust anchor for the certification path > MUST be the same as the trust anchor used to validate the target > certificate. If a key usage extension is present in the CRL > issuer's certificate, verify that the cRLSign bit is set. > >So, son-of-RFC3280 adds the additional constraint of having both >paths ending at the same trust anchor. > >I'm a bit surprised that this modification does not come with more >details and explaination. As a matter of fact, it breaks compatibility >with previous versions of the standard, with X509, and the advantages >of this additional constraint are not clear. X.509 is fairly too open and in some cases insecure ! For this reason, I do not care too much about "breaking compatiblity" when at the same time security is also broken. However ,I care about security and the sentence : "The trust anchor for the certification path MUST be the same as the trust anchor used to validate the target certificate" does not allow to address the cases where: a) two CAs in different branches of a certification tree would have the same DN, and b) two CAs in different trees of a certification forest would have the same DN. Dave, the text of son-of-RFC328 is currently insufficient to enable secure implementations. Denis >X509 specifically allows the certificate issuer and the CRL issuer to be >two different trust anchors, as indicated in section 8.1.5 of X509 v5: > >X509.v5 8.1.5 > If an authority uses the same key to sign certificates and CRLs, a > single self-issued certificate of category a) shall be used. If an > authority uses a different key to sign CRLs than that used to sign > certificates, the authority may choose to issue two self-issued > certificates of category a), one for each of the keys. In this > situation, certificate users would need access to both self-issued > certificates to establish separate trust anchors for certificates and > CRLs signed by that authority. Alternatively, an authority may issue > one self-issued certificate of category a) for certificate signing and > one self-issued certificate of category b) for CRL signing. In this > situation, certificate users use the key certified in the certificate of > category a) as their single trust anchor for both certificates and CRLs > signed by that authority. In this case, if the self-issued certificate > of category b) were to be used to verify signatures on CRLs, there > is no means defined in this standard to check the validity of that > certificate. > >Also, this additional constraint can make indirect CRLs much harder >to implement in practice, if not impossible in some cases. It means >that if two different CAs wish to delegate CRL issuance to the same >CRL issuer, the CRL issuer needs to have two (cross) certificates >with the same key, or all three need to chain to the same root. > >It will also make key-rollover more complex when the CA has issued >a certificate to itself for CRL signing. > >Finally, this constraint does not add security. It merely helps >path builders to speed up the reconstruction process, and possibly >to detect an ambiguity if two CAs with the same name happen to exist. >It does not however prevent a rogue CA from issuing a bogus CRL. > >So, all in all, is a "MUST" really what we want? Or should we simply >say that an implementation may check this additional constraint, but >risks in that case to refuse perfectly valid CRLs from a PKI following >an older version of the PKIX standard or X509 ? > >Regards, > >-- >Julien Stern
- Son of RFC3280 path validation rules Julien Stern
- Re: Son of RFC3280 path validation rules Denis Pinkas
- Re: Son of RFC3280 path validation rules Stephen Farrell
- Re: Son of RFC3280 path validation rules Peter Sylvester
- RE: Son of RFC3280 path validation rules Santosh Chokhani
- RE: Son of RFC3280 path validation rules Santosh Chokhani
- Re: Son of RFC3280 path validation rules Stephen Farrell
- Re: Son of RFC3280 path validation rules Denis Pinkas
- Re: Son of RFC3280 path validation rules Stephen Farrell
- Re: Son of RFC3280 path validation rules Stephen Farrell
- RE: Son of RFC3280 path validation rules Michael Myers
- Re: Son of RFC3280 path validation rules Julien Stern
- Re: Son of RFC3280 path validation rules Stephen Farrell
- RE: Son of RFC3280 path validation rules Michael Myers
- RE: Son of RFC3280 path validation rules Santosh Chokhani
- Re: Son of RFC3280 path validation rules Julien Stern
- Re: Son of RFC3280 path validation rules Stephen Farrell
- Re: Son of RFC3280 path validation rules Julien Stern