Re: Son of RFC3280 path validation rules
"Denis Pinkas" <denis.pinkas@bull.net> Fri, 20 October 2006 09:20 UTC
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GaqYG-0004yw-GH for pkix-archive@lists.ietf.org; Fri, 20 Oct 2006 05:20:28 -0400
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GaqYF-0000yI-0e for pkix-archive@lists.ietf.org; Fri, 20 Oct 2006 05:20:28 -0400
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k9K8T1md076005; Fri, 20 Oct 2006 01:29:01 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id k9K8T1n9076004; Fri, 20 Oct 2006 01:29:01 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id k9K8T0hM075998 for <ietf-pkix@imc.org>; Fri, 20 Oct 2006 01:29:00 -0700 (MST) (envelope-from denis.pinkas@bull.net)
Received: from MSGA-001.frcl.bull.fr (msga-001.frcl.bull.fr [129.184.87.31]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id KAA30546 for <ietf-pkix@imc.org>; Fri, 20 Oct 2006 10:31:20 +0200
Received: from frcls4013 ([129.182.108.120]) by MSGA-001.frcl.bull.fr (Lotus Domino Release 5.0.11) with SMTP id 2006102010285871:7236 ; Fri, 20 Oct 2006 10:28:58 +0200
Date: Fri, 20 Oct 2006 10:28:56 +0200
From: Denis Pinkas <denis.pinkas@bull.net>
To: "ietf-pkix@imc.org" <ietf-pkix@imc.org>
Subject: Re: Son of RFC3280 path validation rules
X-mailer: Foxmail 5.0 [-fr-]
Mime-Version: 1.0
X-MIMETrack: Itemize by SMTP Server on MSGA-001/FR/BULL(Release 5.0.11 |July 24, 2002) at 20/10/2006 10:28:58, Serialize by Router on MSGA-001/FR/BULL(Release 5.0.11 |July 24, 2002) at 20/10/2006 10:28:59, Serialize complete at 20/10/2006 10:28:59
Message-ID: <OF9C911E1E.06A28373-ONC125720D.002E992F@frcl.bull.fr>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
X-Spam-Score: 0.5 (/)
X-Scan-Signature: b5d20af10c334b36874c0264b10f59f1
Julien,
Your remark is important.
>Folks,
>
>a fairly major difference came up between RFC3280 and son-of-RFC3280
>regarding path validation, namely:
>
>RFC3280:
>
> (f) Obtain and validate the certification path for the complete CRL
> issuer. If a key usage extension is present in the CRL issuer's
> certificate, verify that the cRLSign bit is set.
>
>son-of-RFC3280:
> (f) Obtain and validate the certification path for the issuer of
> the complete CRL. The trust anchor for the certification path
> MUST be the same as the trust anchor used to validate the target
> certificate. If a key usage extension is present in the CRL
> issuer's certificate, verify that the cRLSign bit is set.
>
>So, son-of-RFC3280 adds the additional constraint of having both
>paths ending at the same trust anchor.
>
>I'm a bit surprised that this modification does not come with more
>details and explaination. As a matter of fact, it breaks compatibility
>with previous versions of the standard, with X509, and the advantages
>of this additional constraint are not clear.
X.509 is fairly too open and in some cases insecure ! For this reason,
I do not care too much about "breaking compatiblity" when at the same time security is also broken.
However ,I care about security and the sentence : "The trust anchor for the certification path
MUST be the same as the trust anchor used to validate the target certificate" does not allow
to address the cases where:
a) two CAs in different branches of a certification tree would have the same DN, and
b) two CAs in different trees of a certification forest would have the same DN.
Dave, the text of son-of-RFC328 is currently insufficient to enable secure implementations.
Denis
>X509 specifically allows the certificate issuer and the CRL issuer to be
>two different trust anchors, as indicated in section 8.1.5 of X509 v5:
>
>X509.v5 8.1.5
> If an authority uses the same key to sign certificates and CRLs, a
> single self-issued certificate of category a) shall be used. If an
> authority uses a different key to sign CRLs than that used to sign
> certificates, the authority may choose to issue two self-issued
> certificates of category a), one for each of the keys. In this
> situation, certificate users would need access to both self-issued
> certificates to establish separate trust anchors for certificates and
> CRLs signed by that authority. Alternatively, an authority may issue
> one self-issued certificate of category a) for certificate signing and
> one self-issued certificate of category b) for CRL signing. In this
> situation, certificate users use the key certified in the certificate of
> category a) as their single trust anchor for both certificates and CRLs
> signed by that authority. In this case, if the self-issued certificate
> of category b) were to be used to verify signatures on CRLs, there
> is no means defined in this standard to check the validity of that
> certificate.
>
>Also, this additional constraint can make indirect CRLs much harder
>to implement in practice, if not impossible in some cases. It means
>that if two different CAs wish to delegate CRL issuance to the same
>CRL issuer, the CRL issuer needs to have two (cross) certificates
>with the same key, or all three need to chain to the same root.
>
>It will also make key-rollover more complex when the CA has issued
>a certificate to itself for CRL signing.
>
>Finally, this constraint does not add security. It merely helps
>path builders to speed up the reconstruction process, and possibly
>to detect an ambiguity if two CAs with the same name happen to exist.
>It does not however prevent a rogue CA from issuing a bogus CRL.
>
>So, all in all, is a "MUST" really what we want? Or should we simply
>say that an implementation may check this additional constraint, but
>risks in that case to refuse perfectly valid CRLs from a PKI following
>an older version of the PKIX standard or X509 ?
>
>Regards,
>
>--
>Julien Stern
- Son of RFC3280 path validation rules Julien Stern
- Re: Son of RFC3280 path validation rules Denis Pinkas
- Re: Son of RFC3280 path validation rules Stephen Farrell
- Re: Son of RFC3280 path validation rules Peter Sylvester
- RE: Son of RFC3280 path validation rules Santosh Chokhani
- RE: Son of RFC3280 path validation rules Santosh Chokhani
- Re: Son of RFC3280 path validation rules Stephen Farrell
- Re: Son of RFC3280 path validation rules Denis Pinkas
- Re: Son of RFC3280 path validation rules Stephen Farrell
- Re: Son of RFC3280 path validation rules Stephen Farrell
- RE: Son of RFC3280 path validation rules Michael Myers
- Re: Son of RFC3280 path validation rules Julien Stern
- Re: Son of RFC3280 path validation rules Stephen Farrell
- RE: Son of RFC3280 path validation rules Michael Myers
- RE: Son of RFC3280 path validation rules Santosh Chokhani
- Re: Son of RFC3280 path validation rules Julien Stern
- Re: Son of RFC3280 path validation rules Stephen Farrell
- Re: Son of RFC3280 path validation rules Julien Stern