Re: WG Last Call: AIA CRL extension
"Julien Stern" <julien.stern@cryptolog.com> Tue, 24 May 2005 17:25 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA20630 for <pkix-archive@lists.ietf.org>; Tue, 24 May 2005 13:25:39 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j4OGd7wL019774; Tue, 24 May 2005 09:39:07 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j4OGd7W4019772; Tue, 24 May 2005 09:39:07 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mallaury.noc.nerim.net (smtp-102-tuesday.noc.nerim.net [62.4.17.102]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j4OGd6Q1019734 for <ietf-pkix@imc.org>; Tue, 24 May 2005 09:39:06 -0700 (PDT) (envelope-from julien.stern@cryptolog.com)
Received: from uranus.cry.pto (cryptolog.net4.nerim.net [62.212.120.81]) by mallaury.noc.nerim.net (Postfix) with ESMTP id E0C8F62D07; Tue, 24 May 2005 18:39:02 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by uranus.cry.pto (Postfix) with ESMTP id CC9DA440ED; Tue, 24 May 2005 18:39:37 +0200 (CEST)
Received: from uranus.cry.pto ([127.0.0.1]) by localhost (uranus [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 19169-04; Tue, 24 May 2005 18:39:31 +0200 (CEST)
Received: from callisto.cry.pto (callisto.cry.pto [10.0.1.4]) by uranus.cry.pto (Postfix) with SMTP id D7FB7440AF; Tue, 24 May 2005 18:39:31 +0200 (CEST)
Received: by callisto.cry.pto (sSMTP sendmail emulation); Tue, 24 May 2005 18:38:58 +0200
From: Julien Stern <julien.stern@cryptolog.com>
Date: Tue, 24 May 2005 18:38:58 +0200
To: Tom Gindin <tgindin@us.ibm.com>
Cc: ietf-pkix@imc.org
Subject: Re: WG Last Call: AIA CRL extension
Message-ID: <20050524163852.GA13889@cryptolog.com>
Mail-Followup-To: Julien Stern <julien.stern@cryptolog.com>, Tom Gindin <tgindin@us.ibm.com>, ietf-pkix@imc.org
References: <OFFC5CD11F.470A76B3-ON8525700B.004E1E23-8525700B.005037B6@us.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <OFFC5CD11F.470A76B3-ON8525700B.004E1E23-8525700B.005037B6@us.ibm.com>
User-Agent: Mutt/1.5.6+20040907i
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at cryptolog.com
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
On Tue, May 24, 2005 at 10:36:16AM -0400, Tom Gindin wrote: > > There is one scenario permitted by the "same trust anchor" rule > for CRL signers which seems to me to be a serious security hole. Let us > assume a valid CA which is a direct subordinate of one of the RP's trust > anchors. This CA issues separate CRL's and ARL's, in a quite usual way, > and issues cross certificates. After months or years of operation, it > revokes one of its cross certificates because the subject's operator has > gone rogue. That rogue subject then issues a fraudulent CRL Signing > certificate with the DN that the superior certificate has been using to > sign ARL's, a public key which it has newly generated, and various > extensions including an SKID. It then issues an updated copy of an old > ARL under the fraudulent CRL signer's certificate and with an AKID > matching the fraudulent signer's SKID. If the rogue can break into the > repository where the CRL is expected, this fraudulently issued CRL will > probably be validated whether it contains an AIA or not. It will > certainly pass the "same trust anchor" condition. > This scenario, in which a rogue CA issues an ARL certifiying that > its primary certificate has not been revoked and gets the ARL accepted, is > possible under "same trust anchor" but not under "signed by path member". I agree with the validity of this scenario. I believe this is very close to the issue I attempted to bring on the list a short time ago. Of course, it assumes the existence of a rogue CA at some point in time. Note that the CRL could be directly inserted into a "long term" signature (according to RFC3126 for example). This does not require a repository break-in and makes the "attack" even more realistic. Regards. -- Julien Stern > > Tom Gindin > > ----- Forwarded by Tom Gindin/Watson/IBM on 05/24/2005 10:13 AM ----- > > > Tom Gindin > 05/23/2005 10:46 PM > > To: wpolk@nist.gov > cc: housley@vigilsec.com, ietf-pkix@imc.org, kent@bbn.com, > stefans@microsoft.com > From: Tom Gindin/Watson/IBM@IBMUS > Subject: Re: WG Last Call: AIA CRL extension > > Tim: > > I should probably have brought this up earlier, but are we certain > that "same trust anchor" is a strong enough check that the CRL signer is > the one expected by the issuing CA? While I was not in San Diego when > this wording was included in the 3280 series, I do not really think that > that check is strong enough. I would suggest instead that the CRL > signer's certificate needs to be directly issued by one of the CA's in the > certification path back to the trust anchor used for the certificate's > verification, or by that anchor itself, unless people have practical > experience with CA structures which that rule would prohibit. Forcing the > CRL to be issued by the CA itself (as I understand Denis to have > suggested) prohibits the reasonable case where the CRL is issued by a > hierarchical superior, so it is IMHO too strict. > I am personally not sure, FWIW, that a CRL should be permitted to > be signed by a second-cousin certificate of the issuer's certificate. By > analogy to the use of the terms in families, "sibling" certificates would > have the same issuer, "first-cousin" certificates would be issued by > siblings, and "second-cousin" certificates would be issued by first > cousins - so they are both three levels down from the same trust anchor, > or from the last common CA in their paths. This issue is not newly caused > by CRL AIA, since the same issue can arise with CRL's containing only > AKID. AIA only allows RP's to build a path (whether right or wrong) more > quickly. > In any case, nothing more than a note in Security Considerations > is appropriate in any of our RFC's other than 3280 and its successor. > > Tom Gindin > P.S. - The above views are mine, and not necessarily those of my employer > > > > > > Tim Polk <tim.polk@nist.gov> > Sent by: owner-ietf-pkix@mail.imc.org > 05/10/2005 05:27 PM > > To: ietf-pkix@imc.org > cc: kent@bbn.com, stefans@microsoft.com, housley@vigilsec.com > Subject: WG Last Call: AIA CRL extension > > > > > This message initiates working group Last Call for the specification > "Internet X.509 Public Key Infrastructure: Authority Information Access > CRL > Extension". While some issues raised in the working group are unresolved, > > the editors believe that rough consensus supports the current > specification. > > The URL for this Internet-Draft is: > > http://www.ietf.org/internet-drafts/draft-ietf-pkix-crlaia-01.txt > > Last Call will run for (at least) two weeks. That is, Last Call will not > close before May 24. > > Thanks, > > Tim Polk > > >
- WG Last Call: AIA CRL extension Tim Polk
- Re: WG Last Call: AIA CRL extension Tom Gindin
- Re: WG Last Call: AIA CRL extension Tom Gindin
- Re: WG Last Call: AIA CRL extension Denis Pinkas
- Re: WG Last Call: AIA CRL extension Julien Stern
- Re: WG Last Call: AIA CRL extension Jean-Marc Desperrier
- Re: WG Last Call: AIA CRL extension Russ Housley
- RE: WG Last Call: AIA CRL extension Stefan Santesson
- Re: WG Last Call: AIA CRL extension Julien Stern
- CRL Issue (Was RE: WG Last Call: AIA CRL extensio… Santosh Chokhani
- Re: WG Last Call: AIA CRL extension Denis Pinkas
- Re: CRL Issue (Was RE: WG Last Call: AIA CRL exte… Tom Gindin
- RE: CRL Issue (Was RE: WG Last Call: AIA CRL exte… Santosh Chokhani
- RE: WG Last Call: AIA CRL extension Stefan Santesson
- Re: WG Last Call: AIA CRL extension Denis Pinkas
- Re: WG Last Call: AIA CRL extension Tim Polk
- RE: CRL Issue (Was RE: WG Last Call: AIA CRL exte… Tom Gindin
- RE: CRL Issue (Was RE: WG Last Call: AIA CRL exte… Santosh Chokhani
- RE: CRL Issue (Was RE: WG Last Call: AIA CRL exte… Tom Gindin