IETF Logo Mail Archive

Re: [pkix] OCSP Signing Certificate Key usage standards

"Dr. Massimiliano Pala" <massimiliano.pala@gmail.com> Tue, 05 April 2016 14:13 UTC

Return-Path: <massimiliano.pala@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1820D12D542 for <pkix@ietfa.amsl.com>; Tue, 5 Apr 2016 07:13:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.689
X-Spam-Level:
X-Spam-Status: No, score=-2.689 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_HK_NAME_FM_DR=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TaHoUjyJ_3Qi for <pkix@ietfa.amsl.com>; Tue, 5 Apr 2016 07:13:53 -0700 (PDT)
Received: from mail-qg0-x230.google.com (mail-qg0-x230.google.com [IPv6:2607:f8b0:400d:c04::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC23A12D4FB for <pkix@ietf.org>; Tue, 5 Apr 2016 07:13:52 -0700 (PDT)
Received: by mail-qg0-x230.google.com with SMTP id j35so11205480qge.0 for <pkix@ietf.org>; Tue, 05 Apr 2016 07:13:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:subject:to:references:message-id:date:user-agent:mime-version :in-reply-to; bh=+JXRAV5zoG+a38bTybkTb2fl78KVnnkUt/a5atb+Arg=; b=RzSdBPkLFEnmVzRUw4F5NI0Lj9wMtKUQvjKixGtrB2ahGI7qj0a67Z7ftybpU0lwfO BbbrPaWhDzmxBZKRPUcRkesGj6NbIpyoMOM1I4bQtHPUAJ/31hpxPX6fYBfEoEb4h+Ro 17g2ma9LykN1RRc4B3Jhs8HuoK3HlSUa45YykE7hMJVdKjFNdYzcI9KQeC8GEGS7+cTj po15dBYsHgvQjhRdKpL+6RUTrt7GliAbezzYrrOArgHXmnnlC7Q4zYjy7f+vuTRyhoib 5G/ezau/R/vOxaWA9TkeALk8d/77Z1CmaoyVkk33Q6uH7gCR2bDW8Dk2oa5tLhXMx+5h mmjw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:subject:to:references:message-id:date :user-agent:mime-version:in-reply-to; bh=+JXRAV5zoG+a38bTybkTb2fl78KVnnkUt/a5atb+Arg=; b=kW3a8fXiNTkKGPPieo5YgGe8a2ltWFFIDV5n1FGXEHjsz6WAc0/dH41je2nvgE30R1 VwkfNtzLOPH4SgGb1uPC0sWJt901Q4ET5Al1R8UkfbV9FgOHQXFAxR6wH9G0doROe4wa z5xOcxGbS9MryOtSAnFnk0u28qQ6wyvak2VU5ggDTwCvHGTp4FU5H04VOJDmMTnm9F3G 6WtxL4+scLrUpS5FYXvx/H+C7pt7klAYZJrWYbFaai6AuXj89LfeXhcw03WbJI2WiXyx wmZwpBEcPuwjgl0WZ98TZzBbgLItj50XY7FVhLWTzDT17oGL8BZNXZcs3SU24IK3dRyq 3SEg==
X-Gm-Message-State: AD7BkJJji0+RVzDmUuYlrXwHOsXal0STyHMbea6UmEuJaMRThZl9iSWlbNX+SZDnteoVSA==
X-Received: by 10.140.23.139 with SMTP id 11mr17320343qgp.62.1459865631817; Tue, 05 Apr 2016 07:13:51 -0700 (PDT)
Received: from iMassi.local ([2001:67c:1231:998:b4eb:f1f4:3a02:7256]) by smtp.googlemail.com with ESMTPSA id s8sm14511317qhb.20.2016.04.05.07.13.50 for <pkix@ietf.org> (version=TLSv1/SSLv3 cipher=OTHER); Tue, 05 Apr 2016 07:13:51 -0700 (PDT)
From: "Dr. Massimiliano Pala" <massimiliano.pala@gmail.com>
To: pkix@ietf.org
References: <CAJKvcBTk6i2K1QYCm3VaO1jOm9sNTi7R8_oUuRVuuhBnzcZw9w@mail.gmail.com>
Message-ID: <5703C81C.50906@gmail.com>
Date: Tue, 05 Apr 2016 11:13:48 -0300
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
MIME-Version: 1.0
In-Reply-To: <CAJKvcBTk6i2K1QYCm3VaO1jOm9sNTi7R8_oUuRVuuhBnzcZw9w@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------040606070507080403080001"
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/RN31yF5ATMfAOg26BlnX7nu88Ns>
Subject: Re: [pkix] OCSP Signing Certificate Key usage standards
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Apr 2016 14:13:55 -0000

Hi Daniel,

personally, as long as the key is properly protected (and you are using 
HSMs for that - so it should be ok) and rotated (limited lifetime) and 
you have an easy way to request the different certificates from the 
different CAs (hopefully you have an automated interface to them), I 
would go with Option #2 - this simplifies key management as you said.

However, this comes with a price on security in case the key is 
compromised - in this case, you will have to revoke 20 certificates at 
once and get a new certificate for all the 20 CAs you are serving. For 
this, the "automation" for getting the certificate and have the old ones 
revoked is a key feature, IMHO.

To address the last point, my suggestion would be to play ahead. Have 2 
different keys and have certificates issued for both of them. Use one 
key in production and keep the other one in a safe place (separate form 
the deployment one). Then setup a procedure to switch the keys when 
needed - this allows you to stop using a compromised key without having 
to wait for the 20 (or more) CAs to process your revocation and new 
certificate requests which can now be processed in parallel. (This said, 
clients will continue to trust the compromised key until the proper 
revocation is provided by the different CAs - but that is true for both 
options)

If you value simplicity, this might provide you with an easy 
implementation and yet gives you the ability to respond quickly. Of 
course, not knowing the capabilities and setup of your systems there 
might be more clever and/or better fitting solutions... this is a very 
generic response!

Last but not least - I am a bit curious about the HSM you are using: in 
my experience current HSMs are really too slow for any crypto operation 
that is in response to live traffic (modern CPUs outperform them by A 
LOT). For that reason (and others, actually) it is common, today, to 
pre-produce all responses and store them in CDNs so that the performance 
of the HSMs is not an issue (but, of course, you might have a 
"publishing" window vulnerability in this case).

I hope this helps,

Cheers,
Max


On 4/4/16 4:07 PM, daniel bryan wrote:
> Hello,
>
> I am looking for guidance/standards on deploying an OCSP service in 
> specific regards to the key management of the OCSP Signing certificate.
>
> Suppose I have a service, and I want to provide certificate status on 
> 20 different certificate authorities using a "CA Designated responder" 
> described in section 2.2 of RFC 6960. Technically I have a few options:
>
> *Option #1:* Generate 20 Keys on my HSM, Create 20 PKCS 10s, Submit 
> all 20 for Signing to each CA. Import the Signed Certificate into my 
> OCSP service.
>
> *Option #2:* Generate 1 Key on the HSM, Create 1 PKCS 10 with a 
> generic CN, Submit 1 CSR to all 20 CA's. The CA will override the CN 
> value during Signing to reference their CA name, Import all 20 Signed 
> certificates into my OCSP service.
>
> Option #1 adds complexity to key management, could potentially have an 
> impact on signing speed. An advantage is that if a key is 
> lost/compromised, it would only involve troubling one CA instead of all.
>
> Option #2 will greatly simplify key management, and I speculate it 
> will increase the signing speed potential of the HSM, being that it 
> doesn't have to determine which key to use from a pool of 20 keys.  
> Obviously the bad side is, if we ever loose the key, I would have to 
> get all 20 CAs to sign another request. This is especially bad when 
> the certs have the noCheck extension.
>
>
> Here are my 2 questions:
>
> *Q1:* From a security perspective, is option #2 worth considering. 
> Simplification is a huge priority, but security is a must.
> *
> Q2:* Does the IETF/cabforum/Any other authority provide 
> guidance/standards on key management in this situation that I can use 
> to support/defend the choice?
>
> Thanks,
>
> --Dan
>
>
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix
>
> -- 
> Massimiliano Pala, PhD
> Director at OpenCA Labs
> twitter: @openca

v2.23.0 | Report a Bug | By Email