Re: [pkix] a question of cert (and OCSP) extension syntax
Rob Stradling <rob.stradling@comodo.com> Mon, 30 March 2015 08:17 UTC
Return-Path: <rob.stradling@comodo.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4C531A9233 for <pkix@ietfa.amsl.com>; Mon, 30 Mar 2015 01:17:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level:
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FdshZkgZ_qPP for <pkix@ietfa.amsl.com>; Mon, 30 Mar 2015 01:17:00 -0700 (PDT)
Received: from mmextmx2.mcr.colo.comodoca.net (mmextmx2.mcr.colo.comodoca.net [IPv6:2a02:1788:402:c00::c0a8:9cd6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C6891A0013 for <pkix@ietf.org>; Mon, 30 Mar 2015 01:16:59 -0700 (PDT)
Received: (qmail 9374 invoked by uid 1004); 30 Mar 2015 08:16:57 -0000
Received: from ian.brad.office.comodo.net (HELO ian.brad.office.comodo.net) (192.168.0.202) by mmextmx2.mcr.colo.comodoca.net (qpsmtpd/0.84) with ESMTP; Mon, 30 Mar 2015 09:16:57 +0100
Received: (qmail 22340 invoked by uid 1000); 30 Mar 2015 08:16:57 -0000
Received: from and0004.comodo.net (HELO [192.168.0.58]) (192.168.0.58) (smtp-auth username rob, mechanism plain) by ian.brad.office.comodo.net (qpsmtpd/0.40) with (AES128-SHA encrypted) ESMTPSA; Mon, 30 Mar 2015 09:16:57 +0100
Message-ID: <55190678.6080007@comodo.com>
Date: Mon, 30 Mar 2015 08:16:56 +0000
From: Rob Stradling <rob.stradling@comodo.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Massimiliano Pala <director@openca.org>, pkix@ietf.org
References: <9A043F3CF02CD34C8E74AC1594475C73AAFB6418@uxcn10-5.UoA.auckland.ac.nz><C961CE34-4F55-4B11-86D7-1566B701911D@seantek.com><5512C9C7.70202@comodo.com> <55159714.1070902@openca.org>
In-Reply-To: <55159714.1070902@openca.org>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/Wph90Drjhkfa3Qou6bfgyi1hwC8>
Subject: Re: [pkix] a question of cert (and OCSP) extension syntax
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Mar 2015 08:17:04 -0000
On 27/03/15 17:44, Massimiliano Pala wrote: > Hi Rob, all, Hi Max. > coming to your question: the extension /*will not break compatibility as > long as it is not marked critical*/. Exactly. > However, there might be some > aspects you want to think a bit more deeply about before taking a decision. > > This said, I think that the text written in section 3.4.2 is wrong and > needs to be replaced. > > In particular, the argument about the encoding is weird - from the I-D: I think it's only "wrong" and "weird" if you take the view that "if it could conceivably be constructed in ASN.1, then it MUST be constructed in ASN.1". I don't take that view. > One or more SCTs can be embedded in an X.509v3 extension that is > included in a certificate or an OCSP response. Since RFC5280 > requires the "extnValue" field (an OCTET STRING) of each X.509v3 > extension to include the DER encoding of an ASN.1 value, we cannot > embed a "SignedCertificateTimestampList" directly. Instead, we have > to wrap it inside an additional OCTET STRING (see below), which we > then put into the "extnValue" field. > > In my opinion, this text should be removed (trying to justify the use of > a data type in the encoding because you do not want to define the > required structure in ASN.1 does not really look.. good in an I-D, I am > surprised it is even there). This text was added because some folks found the description in RFC6962 to be unclear. See http://trac.tools.ietf.org/wg/trans/trac/ticket/14 > However, more considerations are required here. If you want the > extension to have a non-ASN.1 structure it is fine, Great. > but that will have > implication over the (format) compliance of data in the certificate. > This was marginally mentioned in previous posts, but it seems it > requires a more explicit explanation since it was not well understood. > > In particular, from a parsing perspective, when using the proposed > encoding, the client will not perform any validation over the contents > of the extension since this is just a blob. Usually this type of > encoding is used for binary contents that have no internal structure > (e.g., a value of a key or a digest), but it is usually avoided for > complex types (again, to provide format validation of the contents). > > The real question here is: are you willing to live with not validating > the format of the content of the extension when the extension is > actually parsed? Yes (for applications that don't recognize the extension). Applications that do recognize the extension will validate the (non-ASN.1) format and verify the SCT's signature. > Are you considering the possible attack vectors that > can derive from that (i.e. allowing custom contents in the extension)? Such as? > I hope you already discussed these aspects before proposing the extension. > If not, my suggestion is to go back to the drawing board and seriously > considering these aspects. If you go ahead with the current choice, I > would suggest to remove the 3.4.2 text and add some considerations about > it in the security considerations section (although, in that case I > would STRONGLY suggest to revisit your choice). > > This is usually a good rule of thumb when it comes to adding extensions. > > Another operational consideration that was pointed out is about > debugging the bits on the wire. If you use ASN.1 structures, standard > network tools can parse the extension properly - however, again, this > will not be the case for OCTET STRING blobs. Thus, debugging of the > extension (in case of issues) can only happen at the end points (where > the extension parser is available), not on the wire. Because the feature set of "standard network tools" is fixed forever? > I hope this helps clarifying the issues with the current proposal. > > Just my 2 cents. > > Cheers, > Max > > > On 3/25/15 9:44 AM, Rob Stradling wrote: >> On 25/03/15 14:20, Sean Leonard wrote: >>> On Mar 18, 2015, at 2:10 AM, Peter Gutmann >>> <pgut001@cs.auckland.ac.nz> wrote: >>> >>>> Melinda Shore <melinda.shore@gmail.com> writes: >>>> >>>>> it's what's in the document until someone can either point to some >>>>> normative >>>>> specification that it violates or can point to something that >>>>> actually would >>>>> break. >>>> >>>> This isn't a case of standards rules-lawyering though (in any case >>>> the PKIX >>>> spec is flexible enough that you can stuff anything you want into a >>>> certificate if you interpret things just right, see the famous >>>> MPEG-of-cat >>>> quote), it's that this is creating a situation where an *X.509 >>>> standards- >>>> compliant certificate* contains data that can't be processed by an >>>> *X.509 >>>> standards-compliant certificate application*. >>> >>> I agree with Peter. Keep the encoding as ASN.1 for this extension. It >>> is not particularly onerous, and it preserves compatibility for other >>> applications. >> >> How exactly might the certificate extension we're talking about [1] >> break compatibility with other applications? >> >> The Subject Key Identifier extension uses the exact same ASN.1 syntax >> (the content of the extension is a plain OCTET STRING). RFC5280 does >> not require applications to recognize this extension. >> >> I'm not aware of any applications that choke on the Subject Key >> Identifier extension, so why should we expect any to choke on the >> 6962-bis extension? >> >> >> [1] >> https://datatracker.ietf.org/doc/draft-ietf-trans-rfc6962-bis/?include_text=1 >> Sections 3.4.2 and 3.4.2.2 >> > > > > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix > -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online Office Tel: +44.(0)1274.730505 Office Fax: +44.(0)1274.730909 www.comodo.com COMODO CA Limited, Registered in England No. 04058690 Registered Office: 3rd Floor, 26 Office Village, Exchange Quay, Trafford Road, Salford, Manchester M5 3EQ This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender by replying to the e-mail containing this attachment. Replies to this email may be monitored by COMODO for operational or business reasons. Whilst every endeavour is taken to ensure that e-mails are free from viruses, no liability can be accepted and the recipient is requested to use their own virus checking software.
- [pkix] a question of cert (and OCSP) extension sy… Stephen Kent
- Re: [pkix] a question of cert (and OCSP) extensio… Peter Gutmann
- Re: [pkix] a question of cert (and OCSP) extensio… Manger, James
- Re: [pkix] a question of cert (and OCSP) extensio… Rob Stradling
- Re: [pkix] a question of cert (and OCSP) extensio… Peter Gutmann
- Re: [pkix] a question of cert (and OCSP) extensio… Melinda Shore
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- Re: [pkix] a question of cert (and OCSP) extensio… Denis
- Re: [pkix] a question of cert (and OCSP) extensio… Stephen Kent
- Re: [pkix] a question of cert (and OCSP) extensio… Sean Leonard
- Re: [pkix] a question of cert (and OCSP) extensio… Sean Leonard
- Re: [pkix] a question of cert (and OCSP) extensio… Rob Stradling
- [pkix] update on ITU-T Public-key infrastructure:… Tony Rutkowski
- Re: [pkix] update on ITU-T Public-key infrastruct… Erik Andersen
- Re: [pkix] update on ITU-T Public-key infrastruct… George Michaelson
- Re: [pkix] a question of cert (and OCSP) extensio… Massimiliano Pala
- Re: [pkix] a question of cert (and OCSP) extensio… Massimiliano Pala
- Re: [pkix] a question of cert (and OCSP) extensio… Rob Stradling
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- [pkix] Cryptographic Message Syntax Tony Rutkowski
- Re: [pkix] a question of cert (and OCSP) extensio… Russ Housley
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- Re: [pkix] a question of cert (and OCSP) extensio… Russ Housley
- Re: [pkix] Cryptographic Message Syntax Russ Housley
- Re: [pkix] a question of cert (and OCSP) extensio… Yoav Nir
- Re: [pkix] a question of cert (and OCSP) extensio… Sean Leonard
- Re: [pkix] a question of cert (and OCSP) extensio… Peter Yee
- Re: [pkix] a question of cert (and OCSP) extensio… Stephen Farrell
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- Re: [pkix] a question of cert (and OCSP) extensio… Russ Housley
- Re: [pkix] a question of cert (and OCSP) extensio… Paul Hoffman
- Re: [pkix] a question of cert (and OCSP) extensio… Melinda Shore
- Re: [pkix] a question of cert (and OCSP) extensio… Santosh Chokhani
- Re: [pkix] a question of cert (and OCSP) extensio… Peter Yee
- Re: [pkix] a question of cert (and OCSP) extensio… Melinda Shore
- Re: [pkix] a question of cert (and OCSP) extensio… Eric Rescorla