Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15
mrex@sap.com (Martin Rex) Wed, 03 April 2013 16:05 UTC
Return-Path: <mrex@sap.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A386E21F8D14; Wed, 3 Apr 2013 09:05:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.924
X-Spam-Level:
X-Spam-Status: No, score=-9.924 tagged_above=-999 required=5 tests=[AWL=-0.275, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iK0ZM0Sm1u2z; Wed, 3 Apr 2013 09:05:52 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 3A6C421F8BF8; Wed, 3 Apr 2013 09:05:52 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id r33G5XXE029554 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 3 Apr 2013 18:05:33 +0200 (MEST)
In-Reply-To: <003e01ce3077$5b6329f0$12297dd0$@ditenity.com>
To: Piyush Jain <piyush@ditenity.com>
Date: Wed, 03 Apr 2013 18:05:32 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20130403160532.EB4FD1A68A@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
X-Mailman-Approved-At: Thu, 04 Apr 2013 06:49:19 -0700
Cc: ambarish@gmail.com, slava.galperin@gmail.com, cadams@eecs.uottawa.ca, 'Stefan Santesson' <stefan@aaa-sec.com>, "'Black, David'" <david.black@emc.com>, sts@aaa-sec.com, pkix@ietf.org, gen-art@ietf.org
Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Apr 2013 16:05:53 -0000
I have strong doubts that regurgitating the entire previous discussion is going to help. Piyush Jain wrote: > > > > If you want to describe "an OCSP responder no longer responding 'good' > > for certificate serial numbers for which no records of issuance exist" > > as "breaking compatibility with older clients", then yes, this is what > > we want to do. > > [Piyush] That is not what I implied. There were alternatives proposed to > address fraudulently-issued certificates in OCSP (none of them solved the > problem completely BTW). OCSP is *NOT* about certificates and therefore the use of the term "fraudulently-issued" certificate does not make any sense. OCSP is about certificate serial status. Everything else is inferences by RPs, some of them bold, some of them flawed. > > The reason cited by you along with a few others was that any other proposal > would require clients to be updated. This is what breaking backward > compatibility means. If you have an installed base with with a ratio of > 1000:1 for Cli:Srv, and the choice for a protocol feature update between "having to update all clients and server" and "having to update only servers", then the latter has a significant deployment advantage. > > > But in reality, this is change is about fixing a security problem that was > > documented as such in rfc2560 for the "good" status. > > [Piyush] What security problem? The "good" state indicates a positive response to the status inquiry. At a minimum, this positive response indicates that the certificate is not revoked, but does not necessarily mean that the certificate was ever issued or that the time at which the response was produced is within the certificate's validity interval. This text is pretty explicit that "good" is potentially lame, equally lame as infering "good" from the absence of a revocation on published CRLs. > > in RFC 2560 bis and repeated refusal to discuss how 2560bis solves any > security problems. rfc2560bis itself does not solve security problems. We're in the IETF not in the roman catholic church. rfc2560bis describes a minimal mitigation that OCSP responder implementations can adopt to discontinue reporting "good" for "not issued" certs in a corherent and standardized fashion. > > I also see a creative way to circumvent responder trust issue by saying that > servers indicate "non-issued" by setting the revocation date to 1970 but > clients should not interpret the response as non-issued. That is a lame argument. If you look at the ASN.1 in rfc2560: RevokedInfo ::= SEQUENCE { revocationTime GeneralizedTime, revocationReason [0] EXPLICIT CRLReason OPTIONAL } the "revocationTime" element in RevokedInfo is a mandatory element. Since our "synthesized" certificateHold revocation status does not originate from a CRL, we will have to define what value to convey in revocationTime -- and choose a value that will not interfere with any future "traditional" status information in case a certificate with that serial gets issued. Defining a simple fixed value for this field that can not possibly cause any such confusion is an obvious, simple and straightforward engineering solution. > > > > > I believe that Stefan is trying to convey that requiring servers to > > > return revoked in this context will make them non-compliant with 2560 > > > and 5019 as opposed to breaking interoperability with legacy clients. > > > [Piyush] This part I agree with as I stated in my original post. Backward > compatibility is wrong choice of words. Compliance with other standards is > the right choice. > Standards are not backward compatible. Implementations of standards are. The issue of backwards compatibility also applies to changes of a standard. If you either newly require different behaviour or prohibit previously allowed or previously required behaviour, then a standards change is backwards-incompabible. Some Qualified Electronic Signature (QES) consumers (including legislation) require OCSP responders to include a certificateHash as proof-of-issuance in an OCSP response and require OCSP clients to verify that the certificateHash is present in a "good" OCSP response and matches the hash of the certificate under investigation -- as a means to work around the shortcoming (security problems) inherent in CRLs and rfc2560 OCSP. However, such additional requirements are backwards incompatible and require updating of the entire installed base, so this approach is typically embraced only where there is not installed base yet, or when updating the installed base is not seen as a deterrent to adoption/deployment. > > > The proposed change primarily intends to _standardize_ how to report > > revoked/certificateHold for "not-issued" certificate serial numbers, > > something that has been found useful (and already been used) in dealing > > with certain kinds of security breaches of CAs/RAs. > > > [Piyush] May be so. But that is not the goal cited for this update. Yes a > few CA vendors may have adopted it but that no way indicates consensus among > CA vendors. > If you refer to CAB forum thread, most reputable CA vendors are reluctant to > adopt it. What is so difficult about the concept of standardizing/documenting: "if you want to do this (e.g in case of emergency response), this is how:" > > > Returning an error code response status would be > > just dumb for an authoritative OCSP responder. > > [Piyush] Really. And why is that. It actually makes a lot of sense No, it does not make any sense at all. An error code is unsigned and can be easily inserted into the communication by an attacker. Which is why there exists the fallback to CRL checking -- except that it is impossible to discourage an RP from trusting a non-issued cert through CRL checking, because the whole concept of revocation through CRLs is fundamentally flawed and is unable to convey proof-of-issuance. > > and that is why CAs "who are not compromised" continue to return > an error code for such responses. These kinds of argument are based on two very flawed premises: (1) the premise that there exist only two possible states for a CA: (a) safe and pristine (b) full and thorough compromise of each and everything (2) that a huge PKI (100k+ entities) can be nuked and re-personalized after a CA compromise at close to zero cost and within the blink of an eye and both premises exhibit a throrough cluelessness about security, risk management and the real world. > > > Should rfc5019 be interpreted to suggest for authoritative OCSP responders > > to returning an error code for "not-issued" certs does not make such > > behaviour any less dumb. > > > [Piyush] The behavior that you are calling dumb has enabled the CAs to scale > their OCSP infrastructure. > What is dumb IMO is to continue to run the CA after being compromised and > demanding that standards be updated to support such behavior. "scale their OCSP infrastructure"? *cough* The TLS multiple OCSP response stapling extension is a design that scales. On demand CRL downloading and on demand OCSP checking scales between poorly and hardly. AFAIK, Verisign put rfc5019 OCSP responder behaviour into production in early 2004, but Windows XP and Windows 2003 will be end-of-lifed in 2014, never having had revocation checking enabled by default in their entire lifetime. And many RPs which do have revocation checking enabled still soft-fail on OCSP lookup erros. Non-negligible amounts of programmatic RPs (curl/wget?) probably still have revocation checking unconfigured or disabled today. -Martin
- [pkix] Gen-ART review of draft-ietf-pkix-rfc2560b… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Sean Turner
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
- [pkix] Gen-ART review of draft-ietf-pkix-rfc2560b… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- [pkix] review of draft-ietf-pkix-rfc2560bis-15 Peter Rybar
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Stefan Santesson
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Andris Berzins
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Andris Berzins
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Stefan Santesson
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Peter Rybar
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Peter Rybar
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Martin Rex
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Martin Rex
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Sean Turner
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Sean Turner
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Peter Rybar
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Sean Turner
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson