Re: [pkix] An alternative proposal Was: Fwd: New Version Notification for draft-hamilton-cmr-00.txt
"Miller, Timothy J." <tmiller@mitre.org> Thu, 03 November 2011 18:57 UTC
Return-Path: <tmiller@mitre.org>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 353F611E80F0 for <pkix@ietfa.amsl.com>; Thu, 3 Nov 2011 11:57:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h9P9G4r0afWQ for <pkix@ietfa.amsl.com>; Thu, 3 Nov 2011 11:57:41 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 5F07811E80DA for <pkix@ietf.org>; Thu, 3 Nov 2011 11:57:41 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id B362321B1079; Thu, 3 Nov 2011 14:57:40 -0400 (EDT)
Received: from IMCCAS02.MITRE.ORG (imccas02.mitre.org [129.83.29.79]) by smtpksrv1.mitre.org (Postfix) with ESMTP id A0F0421B0982; Thu, 3 Nov 2011 14:57:40 -0400 (EDT)
Received: from IMCMBX01.MITRE.ORG ([169.254.1.57]) by IMCCAS02.MITRE.ORG ([129.83.29.79]) with mapi id 14.01.0339.001; Thu, 3 Nov 2011 14:57:40 -0400
From: "Miller, Timothy J." <tmiller@mitre.org>
To: Rob Stradling <rob.stradling@comodo.com>, "pkix@ietf.org" <pkix@ietf.org>
Thread-Topic: [pkix] An alternative proposal Was: Fwd: New Version Notification for draft-hamilton-cmr-00.txt
Thread-Index: AQHMmOR+3o6yhaO2SES0DD1Qj9f8npWZbmMAgADWC4CAALnHAIAAXdcA//+xnYCAAFepAIAADQmA
Date: Thu, 03 Nov 2011 18:57:40 +0000
Message-ID: <CAD84AD8.2055%tmiller@mitre.org>
In-Reply-To: <201111031311.00428.rob.stradling@comodo.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.13.0.110805
x-originating-ip: [172.31.60.130]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <A42DD1C78512BC4B9B09A9CDC545955F@imc.mitre.org>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [pkix] An alternative proposal Was: Fwd: New Version Notification for draft-hamilton-cmr-00.txt
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2011 18:57:42 -0000
On 11/3/11 8:10 AM, "Rob Stradling" <rob.stradling@comodo.com> wrote: >On Thursday 03 Nov 2011 12:57:14 Miller, Timothy J. wrote: >> On 11/3/11 7:37 AM, "Phillip Hallam-Baker" <hallam@gmail.com> wrote: >>>In the DigiNotar case, whitelisting could have allowed the issue to be >> >detected much earlier. >> >> Ok, how? Give me a scenario. > >http://isc.sans.edu/diary.html?storyid=11512 > >"Some of the CA servers have had parts of their logs deleted, leading to >DigiNotar not knowing what certificates were issued." > >"The OCSP server's working at DigiNotar has been reversed since Sept 1st. >Normally these servers respond with good to all certificates except those >on >the CRL (a blacklist). The OCSP now operates in whitelist mode: it will >call >all unknown certificates signed by DigiNotar as revoked (a whitelist). >Hence we need to make sure to use the OCSP server to validate DigiNotar >certificates -should we want/need to- and not rely on the published CRLs >anymore." This is a valid *response* strategy in the DigiNotar case because of the specifics of the attack; switching DigiNotar's responder to whitelisting essentially functions as a bulk revocation of everything but certs issued prior to the compromise (which are assumed valid) without having to positively identify those certs individually. This is necessary because the corrupted CA data meant that the attacker-issued certs simply can't be identified; even given external data with which to validate an issuance, the issuance data is missing, so revocation simply can't be done. However, from a *pre-attack detection* standpoint, I don't see how whitelisting helps. The attacker corrupted the CA data for unknown reasons; indeed, he may simply have been erasing record of the intrusion, and cast too wide a net. A more careful attacker may not do this, in which case whitelisting doesn't yield a benefit as the attacker-issued certs *are on the whitelist*. Further, whitelisting would not be necessary as a response in cases where the CA data is preserved because the data to support revocation is available, as we see in Comodo's case. I won't dispute that it may still be convenient. What's most telling to me in the DigiNotar case is that whitelisting was accomplished with no change to the standard or client implementation; DigiNotar simply altered the behavior of the responder. This tells me that a whitelisting feature of the protocol simply isn't needed. If you want to run your responder as a whitelist you already have everything you need, just plop a statement or two in your CP and/or CPS and get on with it. -- T
- [pkix] An alternative proposal Was: Fwd: New Vers… Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Walter.Goulet
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … denis.pinkas
- Re: [pkix] An alternative proposal Was: Fwd: New … Trevor Freeman
- Re: [pkix] An alternative proposal Was: Fwd: New … Walter.Goulet
- Re: [pkix] An alternative proposal Was: Fwd: New … Martin Rex
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Paul Hoffman
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Walter.Goulet
- Re: [pkix] An alternative proposal Was: Fwd: New … Kemp, David P.
- Re: [pkix] An alternative proposal Was: Fwd: New … David A. Cooper
- Re: [pkix] An alternative proposal Was: Fwd: New … Martin Rex
- Re: [pkix] An alternative proposal Was: Fwd: New … David A. Cooper
- Re: [pkix] An alternative proposal Was: Fwd: New … Rob Stradling
- Re: [pkix] An alternative proposal Was: Fwd: New … Paul Hoffman
- Re: [pkix] An alternative proposal Was: Fwd: New … Martin Rex
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- Re: [pkix] An alternative proposal Was: Fwd: New … Peter Sylvester
- Re: [pkix] An alternative proposal Was: Fwd: New … Kemp, David P.
- Re: [pkix] An alternative proposal Was: Fwd: New … Rob Stradling
- Re: [pkix] OCSP stapling Michael Myers
- Re: [pkix] An alternative proposal Was: Fwd: New … Martin Rex
- Re: [pkix] An alternative proposal Was: Fwd: New … Paul Hoffman
- Re: [pkix] An alternative proposal Was: Fwd: New … Rob Stradling
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- Re: [pkix] An alternative proposal Was: Fwd: New … Peter Gutmann
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Stephen Wilson
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- Re: [pkix] An alternative proposal Was: Fwd: New … Peter Gutmann
- Re: [pkix] An alternative proposal Was: Fwd: New … Martin Rex
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Yoav Nir
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- Re: [pkix] An alternative proposal Was: Fwd: New … Rob Stradling
- Re: [pkix] An alternative proposal Was: Fwd: New … Rob Stradling
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Rob Stradling
- Re: [pkix] An alternative proposal Was: Fwd: New … Kemp, David P.
- Re: [pkix] An alternative proposal Was: Fwd: New … Stephen Kent
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Peter Gutmann
- Re: [pkix] An alternative proposal Was: Fwd: New … Peter Gutmann
- Re: [pkix] An alternative proposal Was: Fwd: New … Martin Rex
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- [pkix] Proposed new singleExtension for OCSP denis.pinkas
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] Proposed new singleExtension for OCSP Miller, Timothy J.
- Re: [pkix] Proposed new singleExtension for OCSP Rob Stradling
- Re: [pkix] An alternative proposal Was: Fwd: New … Peter Sylvester
- Re: [pkix] Proposed new singleExtension for OCSP Peter Sylvester
- Re: [pkix] An alternative proposal Was: Fwd: New … Kyle Hamilton
- Re: [pkix] An alternative proposal Was: Fwd: New … Phillip Hallam-Baker
- Re: [pkix] Proposed new singleExtension for OCSP Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Kemp, David P.
- Re: [pkix] An alternative proposal Was: Fwd: New … Martin Rex
- Re: [pkix] An alternative proposal Was: Fwd: New … Stephen Kent
- Re: [pkix] Proposed new singleExtension for OCSP Rob Stradling
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] Proposed new singleExtension for OCSP Miller, Timothy J.
- Re: [pkix] Proposed new singleExtension for OCSP Phillip Hallam-Baker
- Re: [pkix] Proposed new singleExtension for OCSP Miller, Timothy J.
- Re: [pkix] Proposed new singleExtension for OCSP Martin Rex
- Re: [pkix] Proposed new singleExtension for OCSP Tom Ritter
- Re: [pkix] Proposed new singleExtension for OCSP Kemp, David P.
- Re: [pkix] Proposed new singleExtension for OCSP denis.pinkas
- Re: [pkix] Proposed new singleExtension for OCSP Liaquat Khan
- Re: [pkix] Proposed new singleExtension for OCSP Paul Hoffman
- Re: [pkix] Proposed new singleExtension for OCSP Miller, Timothy J.
- Re: [pkix] An alternative proposal Was: Fwd: New … Martin Rex
- Re: [pkix] An alternative proposal Was: Fwd: New … Tom Gindin
- [pkix] Malaysian CA (Was: An alternative proposal… Yoav Nir
- Re: [pkix] Malaysian CA (Was: An alternative prop… Rob Stradling
- Re: [pkix] Malaysian CA (Was: An alternative prop… Tim Moses
- Re: [pkix] Proposed new singleExtension for OCSP Peter Sylvester
- Re: [pkix] An alternative proposal Was: Fwd: New … Stephen Kent
- Re: [pkix] An alternative proposal Was: Fwd: New … Miller, Timothy J.
- Re: [pkix] Proposed new singleExtension for OCSP Kemp, David P.
- Re: [pkix] An alternative proposal Was: Fwd: New … David A. Cooper
- Re: [pkix] Proposed new singleExtension for OCSP Peter Sylvester
- Re: [pkix] An alternative proposal Was: Fwd: New … Martin Rex
- Re: [pkix] Malaysian CA (Was: An alternative prop… Peter Gutmann
- [pkix] CRL Whitelist Requirements Was An alternat… Tom Gindin
- Re: [pkix] Malaysian CA (Was: An alternative prop… Yoav Nir
- Re: [pkix] Malaysian CA (Was: An alternative prop… Peter Gutmann
- Re: [pkix] Malaysian CA (Was: An alternative prop… Yoav Nir
- Re: [pkix] Malaysian CA (Was: An alternative prop… Tim Moses
- Re: [pkix] Malaysian CA (Was: An alternative prop… Peter Gutmann
- Re: [pkix] Malaysian CA (Was: An alternative prop… Tim Moses