RE: OCSP Algorithm Agility
"Hallam-Baker, Phillip" <pbaker@verisign.com> Tue, 16 October 2007 04:31 UTC
Return-path: <owner-ietf-pkix@mail.imc.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ihe5b-0007BM-45 for pkix-archive@lists.ietf.org; Tue, 16 Oct 2007 00:31:31 -0400
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Ihe5O-00027M-Bm for pkix-archive@lists.ietf.org; Tue, 16 Oct 2007 00:31:25 -0400
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l9G3a65K061130 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 15 Oct 2007 20:36:06 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l9G3a6Xv061129; Mon, 15 Oct 2007 20:36:06 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from robin.verisign.com (robin.verisign.com [65.205.251.75]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l9G3a24v061116 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-pkix@imc.org>; Mon, 15 Oct 2007 20:36:05 -0700 (MST) (envelope-from pbaker@verisign.com)
Received: from mou1wnexcn01.vcorp.ad.vrsn.com (mailer1.verisign.com [65.205.251.34]) by robin.verisign.com (8.12.11/8.13.4) with ESMTP id l9G3WvVE032106; Mon, 15 Oct 2007 20:32:57 -0700
Received: from MOU1WNEXMB09.vcorp.ad.vrsn.com ([10.25.15.197]) by mou1wnexcn01.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 15 Oct 2007 20:35:50 -0700
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C80FA5.A59CF9BC"
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject: RE: OCSP Algorithm Agility
Date: Mon, 15 Oct 2007 20:35:50 -0700
Message-ID: <2788466ED3E31C418E9ACC5C31661557084EC5@mou1wnexmb09.vcorp.ad.vrsn.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: OCSP Algorithm Agility
Thread-Index: Acf8l4NIxZexIh9rTveKgrEJmUDxVQAAJZEAAlba1eAAAH/7QAEC+OtgACFXyuAABd3wIAAA1HmAADQyQqABDKGdvQ==
References: <82D5657AE1F54347A734BDD33637C879096C9ABE@EXVS01.ex.dslextreme.net> <2788466ED3E31C418E9ACC5C31661557053771@mou1wnexmb09.vcorp.ad.vrsn.com> <82D5657AE1F54347A734BDD33637C879096CA5E3@EXVS01.ex.dslextreme.net> <E2339D02A340A546998AD2E6251332D605461816@csexchange1.corestreet.com>
From: "Hallam-Baker, Phillip" <pbaker@verisign.com>
To: Seth Hitchings <shitchings@corestreet.com>, Santosh Chokhani <chokhani@orionsec.com>, ietf-pkix@imc.org
X-OriginalArrivalTime: 16 Oct 2007 03:35:50.0984 (UTC) FILETIME=[A60B5480:01C80FA5]
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a2c4a3535d1556ada67f8703d3d31591
Whether a server could make a sensible choice is beside the point. For a specification to provide an interoperable standard we must have a definitive statement. Otherwise interoperability ends up depending on heuristics and undocumented assumptions. Unless I missed the section in the RFC that describes the algorithm agility strategy it seems to me we must either: 1) Document the server algorithm selection as proposed by Santosh 2) Doucment the server algorithm selection as proposed by Santosh with an optional extension to allow the client to specify the choices it supports. Either way we need a draft if we are going to meet the algorithm agility requirement. ________________________________ From: owner-ietf-pkix@mail.imc.org on behalf of Seth Hitchings Sent: Wed 10/10/2007 3:25 PM To: Santosh Chokhani; Hallam-Baker, Phillip; ietf-pkix@imc.org Subject: RE: OCSP Algorithm Agility I'm generally in favor of simpler approaches, such as those suggested by Santosh, as they favor interoperability. Updating deployed applications to understand new elements of the protocol could take just as long to roll out as the new algorithm support that's purportedly lacking. I can see a situation in which the CA cannot assume that the entire user population understands a new algorithm such as SHA-256, and thus has to continue using SHA-1 with RSA when signing certificates. Individual clients that do understand SHA-256 may wish to receive OCSP responses signed using SHA-256 with RSA, and would need a way to signal their desires to the OCSP responder. The question is, then, is there any security benefit to having the signature algorithm on the OCSP response stronger than the signature algorithm on the certificate? If you can break the algorithm and cause me to accept a contrived OCSP response, could you not do the same thing with a certificate? Seth -----Original Message----- From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Santosh Chokhani Sent: Wednesday, October 10, 2007 2:28 PM To: Hallam-Baker, Phillip; ietf-pkix@imc.org Subject: RE: OCSP Algorithm Agility See responses in-line below. -----Original Message----- From: Hallam-Baker, Phillip [mailto:pbaker@verisign.com] Sent: Tuesday, October 09, 2007 2:07 PM To: Santosh Chokhani; ietf-pkix@imc.org Subject: RE: OCSP Algorithm Agility Not if they don't know that the client can understand them they can't. [Santosh Chokhani] The Responder has two ways to know what the client understands. From certID or from CA. If the client does not understand the algorithm used in certificate signing, revocation information is useless. And the issue is not just hashing algorithms, it is signature algorithms. Like your previous posts you continue to assume that cipher strength is a linear quantity with only one dimension and that any client which supports strength 2X must automatically support strength X. [Santosh Chokhani] I am making no such assumptions. I am saying that if an algorithm is good enough for a certificate, it is good enough for revocation notification for that certificate. That is not the case if you consider the practicalities of deploying ECC in an RSA world. To give a practical example, VeriSign issues a cert for an ECC key signed with an ECC key. The email program on Alice's machine in the DHS supports ECC but not the DHS SCVP server or OCSP relay. [Santosh Chokhani] And what is the problem with that? They have no choice but to use RSA. In the real world the OCSP service does not have a necessary connection to the CA. There are plenty of commercial OCSP offerings that report on certificates issued by other CAs. [Santosh Chokhani] And how does this relate to algorithm agility? If the OCSP does not do ECDSA it won't. If OCSP supports both RSA and ECDSA, it can take the cue from the CA CRL to determine what algorithm to use for signing OCSP responses. If the OCSP does not consume CRL, the mechanism that tells it revocation information can also tell it the signature algorithm to use. > -----Original Message----- > From: owner-ietf-pkix@mail.imc.org > [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Santosh Chokhani > Sent: Tuesday, October 09, 2007 11:16 AM > To: Hallam-Baker, Phillip; ietf-pkix@imc.org > Subject: RE: OCSP Algorithm Agility > > > The OCSP and SCVP can transition to stronger algorithms any > time they want. > > The OCSP can take their clue from the CA or the certID field > to decide the hashing algorithm. When multiple certID is > present, OCSP can take low water mark of these. > > SCVP is no different than a client in terms of validating a > path. In terms of signing a response, it can take the low > water mark of the hashing algorithms in the certificate chain. > > -----Original Message----- > From: owner-ietf-pkix@mail.imc.org > [mailto:owner-ietf-pkix@mail.imc.org] > On Behalf Of Hallam-Baker, Phillip > Sent: Monday, October 08, 2007 7:27 PM > To: Santosh Chokhani; Andrews, Rick; ietf-pkix@imc.org > Subject: RE: OCSP Algorithm Agility > > > The objective here is to overcome a real deployment obstacle > that creates a lockstep issue when use of stronger algorithms > is attempted. > > The CA cannot issue a certificate that employs a new > algorithm until it is known that all clients that might rely > on the certificate are capable of processing the new > certificate. Requiring lockstep updates to the OCSP and SCVP > infrastructure to be made at the same time renders transition > to stronger algorithms a much lengthier and much less > practical proposition. > > > > -----Original Message----- > > From: owner-ietf-pkix@mail.imc.org > > [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Santosh Chokhani > > Sent: Saturday, October 06, 2007 4:12 PM > > To: Andrews, Rick; ietf-pkix@imc.org > > Subject: RE: OCSP Algorithm Agility > > > > > > Rick, > > > > SCVP or other intermediaries are red herring. Whoever > processes the > > certificate processes the revocation information for that > certificate. > > It does not change the following: > > > > 1. There is no security benefit in using a stronger algorithm for > > OCSP > > response than for the certificate in question. Neither, > there is any > > benefit from interoperability viewpoint for these two to be > different. > > > > 2. If the OCSP Responder does not get a CRL, it can use the same > > mechanism to get the hashing algorithm used as it uses to get the > > revocation information. > > > > -----Original Message----- > > From: Andrews, Rick [mailto:RAndrews@verisign.com] > > Sent: Wednesday, October 03, 2007 3:29 PM > > To: Santosh Chokhani; ietf-pkix@imc.org > > Subject: RE: OCSP Algorithm Agility > > > > Santosh, > > > > Sorry for the long delay in responding - travel and vacation. > > > > Not all OCSP responders work from CRLs, so they won't take > their cue > > from the CRL. Nor should they take their cue from the > signature on the > > cert in question, I believe. Let me try to restate my argument in a > > different way. > > > > With SCVP delegated path validation, the client requesting a cert's > > status from an OCSP responder will be different from the > client at the > > other end of the SSL connection. Those two clients may have very > > different capabilities in terms of supported signature and hash > > algorithms. It's not realistic to expect that all SSL clients, all > > SCVP servers, and all CAs will be able to upgrade in > lockstep to new > > algorithms as they are developed. Allowing the OCSP client > and server > > to negotiate a mutually-acceptable set of algorithms is > essential to > > the deployment of newer, stronger algorithms. > > > > Likewise, companies that run large OCSP responders may wish to > > gradually move to ECC-based signatures for all their OCSP > responses, > > even those for certs with RSA or DSA keys, because ECC > signatures are > > cheaper to produce. If algorithm agility is added to OCSP, those > > companies can gradually achieve the move to ECC without > disrupting the > > installed base of OCSP clients that don't support ECC. > > > > -Rick Andrews > > > > > -----Original Message----- > > > From: owner-ietf-pkix@mail.imc.org > > > [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of > Santosh Chokhani > > > Sent: Friday, September 21, 2007 2:45 PM > > > To: Paul Hoffman; Stephen Kent; ietf-pkix@imc.org > > > Subject: RE: OCSP Algorithm Agility > > > > > > > > > Paul, > > > > > > Here are my views on this. > > > > > > The client should be first asking for the algorithm suite > > that signed > > > the certificate in question. There is no need for the > > client to ask > > > for anything stronger. The client can ask for stronger suites as > > > secondary, if client has them. > > > > > > In the scenario you cite, the Responder certificate will > > not include > > > RSA with SHA 1 any longer. So, client will know that > > Responder only > > > supported his second choice and he should be ok with it. > > > > > > -----Original Message----- > > > From: owner-ietf-pkix@mail.imc.org > > > [mailto:owner-ietf-pkix@mail.imc.org] > > > On Behalf Of Paul Hoffman > > > Sent: Friday, September 21, 2007 4:39 PM > > > To: Stephen Kent; ietf-pkix@imc.org > > > Subject: RE: OCSP Algorithm Agility > > > > > > > > > At 2:07 PM -0400 9/21/07, Stephen Kent wrote: > > > >How about defining an extension to be included in the cert > > > issued to an > > > >OCSP responder by a CA. The extension would have an > > ordered list of > > > >algorithms (hash and signature if we want to address more > > > than the hash > > > >agility issue) accepted by the OCSP responder. An OCSP > > > client can use > > > >this info to determine what is the "best" algorithm (or alg > > > pair) that > > > >it and the responder share. The combination of this > > extension and an > > > >OCSP negotiation procedure will allow the client to detect MITM > > > >downgrade attacks. In fact, if the client acquires the > > > responder's cert > > > >prior to making a request, there would not even be a > need for real > > > >negotiation, since the client would know what alg to > request in a > > > >response. > > > > > > Imagine the list of algorithms is RSA-with-SHA1 first and > > > DSA-with-SHA1 second. How does your negotiation work? The > > client asks > > > for this message to be signed with RSA-with-SHA1. > > > But the server knows that RSA-with-SHA1 has been > > compromised since it > > > got that certificate from the CA. What does the server say to the > > > client to indicate that it only wants to sign with > > DSA-with-SHA1? What > > > prevents Mallory from saying the same thing to the client? > > > > > > --Paul Hoffman, Director > > > --VPN Consortium > > > > > > > > > > > > > > > >
- OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Stefan Santesson
- RE: OCSP Algorithm Agility Michael Myers
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Michael Myers
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Andrews, Rick
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Andrews, Rick
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Paul Hoffman
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Stefan Santesson
- RE: OCSP Algorithm Agility Stephen Kent
- RE: OCSP Algorithm Agility Stefan Santesson
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Paul Hoffman
- RE: OCSP Algorithm Agility Stephen Kent
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Paul Hoffman
- RE: OCSP Algorithm Agility Andrews, Rick
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Seth Hitchings
- RE: OCSP Algorithm Agility Stefan Santesson
- RE: OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Santosh Chokhani