Re: [pkix] a question of cert (and OCSP) extension syntax

"Manger, James" <James.H.Manger@team.telstra.com> Tue, 17 March 2015 23:08 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13B6C1A1BA9; Tue, 17 Mar 2015 16:08:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.799
X-Spam-Level: *
X-Spam-Status: No, score=1.799 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RCVD_IN_DNSWL_LOW=-0.7, RELAY_IS_203=0.994, WEIRD_PORT=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u8Fpfs8A3cHu; Tue, 17 Mar 2015 16:08:12 -0700 (PDT)
Received: from ipxcvo.tcif.telstra.com.au (ipxcvo.tcif.telstra.com.au [203.35.135.208]) by ietfa.amsl.com (Postfix) with ESMTP id ADCD71A1BCF; Tue, 17 Mar 2015 16:08:11 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.11,418,1422882000"; d="scan'208";a="76950754"
Received: from unknown (HELO ipccvi.tcif.telstra.com.au) ([10.97.217.208]) by ipocvi.tcif.telstra.com.au with ESMTP; 18 Mar 2015 09:38:26 +1100
X-IronPort-AV: E=McAfee;i="5600,1067,7743"; a="284037117"
Received: from wsmsg3703.srv.dir.telstra.com ([172.49.40.171]) by ipccvi.tcif.telstra.com.au with ESMTP; 18 Mar 2015 10:08:09 +1100
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3703.srv.dir.telstra.com ([172.49.40.171]) with mapi; Wed, 18 Mar 2015 10:08:09 +1100
From: "Manger, James" <James.H.Manger@team.telstra.com>
To: Stephen Kent <kent@bbn.com>, pkix <pkix@ietf.org>, "trans@ietf.org" <trans@ietf.org>
Date: Wed, 18 Mar 2015 10:08:08 +1100
Thread-Topic: [pkix] a question of cert (and OCSP) extension syntax
Thread-Index: AdBg6YKgnqK8ubTHQe+lGZN7OB2IYQAFTW6Q
Message-ID: <255B9BB34FB7D647A506DC292726F6E12855BD177A@WSMSG3153V.srv.dir.telstra.com>
References: <550881DE.8090304@bbn.com>
In-Reply-To: <550881DE.8090304@bbn.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/OkwZCe1nkX3pQEhGZUpzh_T_7Aw>
Subject: Re: [pkix] a question of cert (and OCSP) extension syntax
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Mar 2015 23:08:15 -0000

I came across a real cert with a Certificate Transparency extension the other day and took a look inside.

(I assume) the cert extension complies with RFC6962 "Certificate Transparency", and I believe this is also consistent with the current update draft-ietf-trans-rfc6962-bis-07.

Below are extracts from the certificate in hex: preceded by line numbers; indenting to show structure; and some comments starting with #.

Notable items:

Line 145: start of cert extension holding 3 signed cert timestamps (SCTs).

Line 147: extnValue OCTET STRING

Line 148: Another OCTET STRING, embedded in extnValue. Hence, an "ASN.1 DER encoded structure" (this OCTET STRING) "is the value of the octet string extnValue". That is, the syntax is a valid extension.

Lines 149-182: TLS-style encoding (eg most 2-byte/4-hexdigit items are lengths).

Lines 158-160: A DER-encoding embedded in the TLS-style encoding.

Each SCT has version (1 byte), log id (32 bytes), timestamp (8 bytes, milliseconds since 1970), alg ids (1 byte each), and a signature (DER-encoding of SEQ. {r, s}).
The signature in the extension is calculated over (most of) the tbsCertificate, but the tbsCertificate does NOT appear in the extension.


I suggest keeping this TLS-style-encoding-embedded-in-an-OCTET-STRING. It is a bit Frankenstein-esq, but I don’t think that is avoidable. Certificate Transparency mixes X.500 and TLS, they chose different encoding styles, the styles have to meet somewhere.
The cert extension should definitely have the exact bytes for fields that will be signed, which means TLS-style 1-byte alg ids, 8-byte timestamp, and SCT extensions. Converting each individual field to ASN.1 would just make it more awkward to reconstruct the exact bytes to be signed.


# Certificate Transparency extension
# from the certificate for https://op.certification.openid.net:60054/
# 3 SignedCertificateTimestamps
# from Google 'Pilot' (A4...10), DigiCert (56...DD), Google 'Aviator' (68...C4)

     1	30 82072A # certificate
     2	   30 820612 # tbsCertificate (to be signed)
     3	      A0 03
     4	         02 01 02 # v3
     5	      02 10 0D1C890FBE7061A327B970DA2FC3B90A # cert serial number
...
    74	         31 24
    75	            30 22
    76	               06 03 550403 # cn
    77	               0C 1B 6F702E63657274696669636174696F6E2E6F70656E69642E6E6574 # op.certification.openid.net
...
    86	      A3 8202F5
    87	         30 8202F1
    88	            30 26
    89	               06 03 551D11 # id-ce-subjectAltName
    90	               04 1F
    91	                  30 1D
    92	                     82 1B 6F702E63657274696669636174696F6E2E6F70656E69642E6E6574 # op.certification.openid.net
...
   145	            30 82017C
   146	               06 0A 2B06010401D679020402 # 1.3.6.1.4.1.11129.2.4.2 
   147	               04 82016C
   148	                  04 820168 # PrecertificateSCTList
   149	0166
   150	  0075
   151	    00 # version
   152	    A4B90990B418581487BB13A2CC67700A3C359804F91BDFB8E377CD0EC80DDC10 # id Google Pilot
   153	    0000014B99953C14 # timestamp
   154	    0000 # extensions
   155	    04 # hash sha256
   156	    03 # signature ecdsa
   157	    0046
   158	      30 44
   159	         02 20 11666B9E97E4E4AC6434E4B67C02617A31FB14DAEE4BB018D7B2B178133E1630 # r
   160	         02 20 6A13F32E7C704CDCB7B1D12241AA3E346F4DED5670CA01DA5B850BCFB04285B5 # s
   161	  0075
   162	    00
   163	    5614069A2FD7C2ECD3F5E1BD44B23EC74676B9BC99115CC0EF949855D689D0DD # id DigiCert
   164	    0000014B99953E24
   165	    0000
   166	    04
   167	    03
   168	    0046
   169	      30 44
   170	         02 20 3EC2C5C2408ED171F2D3B8B0FD3DFA8CA09C4BE3A7DD1ADA871444D39B0828A7
   171	         02 20 596955FE3F434579E9CD9144455AE7848094CDA89EED2A5F3DC254B38F2E4335
   172	  0076
   173	    00
   174	    68F698F81F6482BE3A8CEEB9281D4CFC71515D6793D444D10A67ACBB4F4FFBC4 # id Google Aviator
   175	    0000014B99953C08
   176	    0000
   177	    04
   178	    03
   179	    0047
   180	      30 45
   181	         02 21 008E8E239C48C46E0AD1F0B102071B2CA73E199C791654E93B406F9F3BB4EEC967
   182	         02 20 49427C3C633C5D0FC21088921AE2F01BF49D8B21012A0A8EEBD8B2967B72F2B4
   183	
   184	   30 0D
   185	      06 09 2A864886F70D01010B # sha256WithRSAEncryption
   186	      05 00
   187	   03 820101 009710D1B54C9F9241694CF1927223F0AE6901B7AD419685F1DBE39F2959ADCCAD7EB0C1FD10583E1502DE6A52D58078ECEA9F17DA018D203E7EA5A5805FEA2811031776F3EDC02C18A426AC80A76735C69DCC87E885D76E40E75D3FA70F060F967D551CDBC1AECEC8993169BDCA45764B0D2857CCFDF87E0DF0A1594E3EF35EC031D4967F844EFE07C402FEC501DDEA5787D1DD4D6F0EF0E9E1B241E200922A35C279C41F248E62015494FD2820823317C9B08B5EFC5C46943453AB81AB7BC78DAA35B757CAD323F97F8C1DC5A0B69C39FE77A4354685ECB68AE04C5F32B152D39C4DA22A3A16CE395FE0CFC03BF7247265BCD032AF1E5A80D86D38B2F9D749C6 # signature



A few more comments inline below.

--
James Manger



----------
From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Stephen Kent
Sent: Wednesday, 18 March 2015 6:35 AM
To: pkix
Subject: [pkix] a question of cert (and OCSP) extension syntax

Folks,
 
Stephen Farrell suggested that I pose a question to this list based on an ongoing  debate in another WG.
 
A certificate and OCSP extension has been proposed in TRANS. The extension consists of a few data items, principally:
	version number (an integer)
	a log ID (an octet string)
	a time stamp
	a certificate or TBS certificate 

[JM] No, the cert/tbsCert is NOT in this cert ext

	a hash value (a bit or octet string)

[JM] I think you mean a signature

	an optional set of TBD protocol-specific extensions 
 
The authors of the proposed extension elected to encode all of these data items as one big OCTET STRING, rather than using the existing, base ASN.1 data types. They elected to not use an ASN.1 structure here because one of the three ways to communicate this data to a client is via a TLS handshake. They believe that the TLS handshake will eventually become the predominant means of transporting this data. (I didn’t find the argument for this prediction compelling, but ...). Thus they chose to employ the syntax defined in RFC 5246.
 
Russ Housley and I have argued that using OCTET STRING here is inconsistent with the intent of 5280 (and 2594 and 3280), which defines an extension as:
 
Each extension includes an OID and an ASN.1 structure.  When an extension appears in a certificate, the OID appears as the field extnID and the corresponding ASN.1 DER encoded structure is the value of the octet string extnValue.
 
Since the bulk of the data items have an obvious ASN.1 representation,

[JM] Is the "obvious ASN.1" for the timestamp (ms since 1970) GeneralizedTime or INTEGER or OCTET STRING (SIZE(8))?
[JM] I guess the "obvious ASN.1" for the alg ids is INTEGER {sha256(4), ...}, even though ASN.1 uses OID (or actually AlgorithmIdentifier).
[JM] The ASN.1 for SCT extensions would presumably be SEQUENCE OF OCTET STRING, which still embeds a TLS-style encoding in an OCTET STRING.


 and the certificate or TBS certificate are native ASN.1 structures, we feel that the decision to stuff all of the data items into an OCTET STRING is inappropriate, and that it sets a bad precedent for others developing certificate (and OCSP) extensions in the future
 
I’m soliciting feedback from this list on this topic, to pass on to Stephen, Kathleen, and the TRANS WG.
 
Thanks,
 
Steve