RE: CRL Issue (Was RE: WG Last Call: AIA CRL extension)
"Stefan Santesson" <stefans@microsoft.com> Wed, 25 May 2005 19:00 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA09133 for <pkix-archive@lists.ietf.org>; Wed, 25 May 2005 15:00:15 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j4PII1t3077633; Wed, 25 May 2005 11:18:01 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j4PII1s8077632; Wed, 25 May 2005 11:18:01 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mail-eur.microsoft.com (mail-eur.microsoft.com [213.199.128.145]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j4PIHxDS077624 for <ietf-pkix@imc.org>; Wed, 25 May 2005 11:18:00 -0700 (PDT) (envelope-from stefans@microsoft.com)
Received: from EUR-MSG-11.europe.corp.microsoft.com ([65.53.193.197]) by mail-eur.microsoft.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 25 May 2005 19:17:54 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: CRL Issue (Was RE: WG Last Call: AIA CRL extension)
Date: Wed, 25 May 2005 19:17:51 +0100
Message-ID: <BF9309599A71984CAC5BAC5ECA6299440272BDF5@EUR-MSG-11.europe.corp.microsoft.com>
Thread-Topic: CRL Issue (Was RE: WG Last Call: AIA CRL extension)
Thread-Index: AcVhJ7hMyO7FTj+VSwauDRaoZ34EWQALZJgQ
From: Stefan Santesson <stefans@microsoft.com>
To: Tom Gindin <tgindin@us.ibm.com>, Santosh Chokhani <chokhani@orionsec.com>
Cc: ietf-pkix@imc.org, Julien Stern <julien.stern@cryptolog.com>
X-OriginalArrivalTime: 25 May 2005 18:17:54.0270 (UTC) FILETIME=[11BE67E0:01C56156]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id j4PII0DS077627
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Content-Transfer-Encoding: 8bit
Tom, If the substitution would be successful the validation would go into an infinite loop and fail. Validation of S's fake CRL requires validation of C's cross certificate to S which triggers another validation of S's fake CRL and so on. I think we added some text against infinite loops but I don't have it fresh in my memory. Stefan Santesson Program Manager, Standards Liaison Windows Security > -----Original Message----- > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] > On Behalf Of Tom Gindin > Sent: den 25 maj 2005 04:50 > To: Santosh Chokhani > Cc: ietf-pkix@imc.org; 'Julien Stern' > Subject: Re: CRL Issue (Was RE: WG Last Call: AIA CRL extension) > > > Santosh: > > A relatively concrete example would be the following: > Assume a trust anchor called A, and CA it has issued a cross > certificate to called C. Further assume that C uses indirect CRL's, and > has issued a cross certificate without name constraints to another CA > called S. Then assume that S goes rogue and creates a CRL signing > certificate with the same name as C uses for its indirect CRL's (the key > pair in that certificate is hereinafter called the "rogue CRL signer"). > Further assume that C finds out about this and creates a CRL listing S as > revoked, but that S successfully replaces that CRL in the repository by > one signed by the rogue CRL signer. > Does RFC 3280 path validation consider S invalid? If so, which > step loops or fails? It looks to me like 6.3.3-b-1 passes. Is there > always a bi-modal loop between 6.3.3-f and 6.1.3-a-3? If not, what else > would be likely to cause S to be recognized as invalid? You could > probably patch any difficulties by adding "if the certificate whose > revocation is being checked appears in the path, reject it" to 6.3.3-f. > > Tom Gindin > > > > > > > "Santosh Chokhani" <chokhani@orionsec.com> > 05/24/2005 06:42 PM > > To: Tom Gindin/Watson/IBM@IBMUS, <ietf-pkix@imc.org> > cc: "'Julien Stern'" <julien.stern@cryptolog.com> > Subject: CRL Issue (Was RE: WG Last Call: AIA CRL > extension) > > > Tom, > > > I assume you are talking about CRL certification path solution I proposed > will not permit the scenario? I still do not see in your case, if the > Subject CA (cross certified CA) is revoked, you will verify the path to it > in the first place. May be I am not understanding your scenario properly. > How does the revoked CA gets verified? > > > Julien, > > We have defined and proven the solution for how to do this. The scenario > you proposed is not something X.509 worries about (A CA that is still > valid, > but has gone bad). > > -----Original Message----- > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] > On > Behalf Of Julien Stern > Sent: Tuesday, May 24, 2005 3:49 PM > To: Stefan Santesson > Cc: Tom Gindin; ietf-pkix@imc.org > Subject: Re: WG Last Call: AIA CRL extension > > > > On Tue, May 24, 2005 at 07:28:11PM +0100, Stefan Santesson wrote: > > Tom and Julien, > > > > Since this is a repetition of the discussion we had before San Diego > > and I don't want to repeat it here. I'm not saying that this > > discussion is invalid; it is just directed towards the wrong draft. > > Stefan, > > I agree with you. Actually, I would tend to believe that a _real_ > discussion > would have to take place at some point regarding the overall security > model > of CRL validation, but I have absolutely no objection to the AIA, as soon > as > it is made clear that it's only goal is to simplify path building > implementations, and not to adress security issues. My very humble take on > the subject is that Denis and yourself have been arguing on the list on > absolutely valid but different matters. > > So, I chose not to comment expect for my last mail (and will not any more) > about AIA, but I still think that a discusssion regarding revocation > validation should take place for RFC3280bis, eventually. > > Regards, > > -- > Julien Stern > > > > > As Tom pointed out: > > > this fraudulently issued CRL will probably be validated whether it > > > contains an AIA or not. > > > > This indicates once again that this is not an issue caused by the use > > of AIA in CRLs but a generic CRL validation issue that belongs with > > RFC 3280bis and not with the CRL-AIA draft. > > > > Stefan Santesson > > Program Manager, Standards Liaison > > Windows Security > > > > > > > -----Original Message----- > > > From: owner-ietf-pkix@mail.imc.org > > [mailto:owner-ietf-pkix@mail.imc.org] > > > On Behalf Of Julien Stern > > > Sent: den 24 maj 2005 09:39 > > > To: Tom Gindin > > > Cc: ietf-pkix@imc.org > > > Subject: Re: WG Last Call: AIA CRL extension > > > > > > > > > On Tue, May 24, 2005 at 10:36:16AM -0400, Tom Gindin wrote: > > > > > > > > There is one scenario permitted by the "same trust anchor" > > rule > > > > for CRL signers which seems to me to be a serious security hole. > > Let us > > > > assume a valid CA which is a direct subordinate of one of the RP's > > trust > > > > anchors. This CA issues separate CRL's and ARL's, in a quite > > > > usual > > way, > > > > and issues cross certificates. After months or years of > > > > operation, > > it > > > > revokes one of its cross certificates because the subject's > > > > operator > > has > > > > gone rogue. That rogue subject then issues a fraudulent CRL > > > > Signing certificate with the DN that the superior certificate has > > > > been using > > to > > > > sign ARL's, a public key which it has newly generated, and various > > > > extensions including an SKID. It then issues an updated copy of > > > > an > > old > > > > ARL under the fraudulent CRL signer's certificate and with an AKID > > > > matching the fraudulent signer's SKID. If the rogue can break > > > > into > > the > > > > repository where the CRL is expected, this fraudulently issued CRL > > will > > > > probably be validated whether it contains an AIA or not. It will > > > > certainly pass the "same trust anchor" condition. > > > > This scenario, in which a rogue CA issues an ARL > > > > certifiying > > > that > > > > its primary certificate has not been revoked and gets the ARL > > accepted, > > > is > > > > possible under "same trust anchor" but not under "signed by path > > > member". > > > > > > I agree with the validity of this scenario. I believe this is very > > > close to the issue I attempted to bring on the list a short time > > > ago. Of course, it assumes the existence of a rogue CA at some point > > > in > > time. > > > > > > Note that the CRL could be directly inserted into a "long term" > > > signature (according to RFC3126 for example). This does not require > > > a repository break-in and makes the "attack" even more realistic. > > > > > > Regards. > > > > > > -- > > > Julien Stern > > > > > > > > > > > Tom Gindin > > > > > > > > ----- Forwarded by Tom Gindin/Watson/IBM on 05/24/2005 10:13 AM > > ----- > > > > > > > > > > > > Tom Gindin > > > > 05/23/2005 10:46 PM > > > > > > > > To: wpolk@nist.gov > > > > cc: housley@vigilsec.com, ietf-pkix@imc.org, > > kent@bbn.com, > > > > stefans@microsoft.com > > > > From: Tom Gindin/Watson/IBM@IBMUS > > > > Subject: Re: WG Last Call: AIA CRL extension > > > > > > > > Tim: > > > > > > > > I should probably have brought this up earlier, but are we > > > certain > > > > that "same trust anchor" is a strong enough check that the CRL > > signer is > > > > the one expected by the issuing CA? While I was not in San Diego > > when > > > > this wording was included in the 3280 series, I do not really > > > > think > > that > > > > that check is strong enough. I would suggest instead that the CRL > > > > signer's certificate needs to be directly issued by one of the > > > > CA's > > in > > > the > > > > certification path back to the trust anchor used for the > > certificate's > > > > verification, or by that anchor itself, unless people have > > > > practical experience with CA structures which that rule would > > > > prohibit. > > Forcing > > > the > > > > CRL to be issued by the CA itself (as I understand Denis to have > > > > suggested) prohibits the reasonable case where the CRL is issued > > > > by > > a > > > > hierarchical superior, so it is IMHO too strict. > > > > I am personally not sure, FWIW, that a CRL should be > > permitted > > > to > > > > be signed by a second-cousin certificate of the issuer's > > certificate. > > > By > > > > analogy to the use of the terms in families, "sibling" > > > > certificates > > > would > > > > have the same issuer, "first-cousin" certificates would be issued > > > > by siblings, and "second-cousin" certificates would be issued by > > > > first cousins - so they are both three levels down from the same > > > > trust > > anchor, > > > > or from the last common CA in their paths. This issue is not > > > > newly > > > caused > > > > by CRL AIA, since the same issue can arise with CRL's containing > > only > > > > AKID. AIA only allows RP's to build a path (whether right or > > > > wrong) > > > more > > > > quickly. > > > > In any case, nothing more than a note in Security > > Considerations > > > > is appropriate in any of our RFC's other than 3280 and its > > successor. > > > > > > > > Tom Gindin > > > > P.S. - The above views are mine, and not necessarily those of my > > > employer > > > > > > > > > > > > > > > > > > > > > > > > Tim Polk <tim.polk@nist.gov> > > > > Sent by: owner-ietf-pkix@mail.imc.org > > > > 05/10/2005 05:27 PM > > > > > > > > To: ietf-pkix@imc.org > > > > cc: kent@bbn.com, stefans@microsoft.com, > > > housley@vigilsec.com > > > > Subject: WG Last Call: AIA CRL extension > > > > > > > > > > > > > > > > > > > > This message initiates working group Last Call for the > > > > specification "Internet X.509 Public Key Infrastructure: Authority > > > > Information > > Access > > > > CRL > > > > Extension". While some issues raised in the working group are > > > unresolved, > > > > > > > > the editors believe that rough consensus supports the current > > > > specification. > > > > > > > > The URL for this Internet-Draft is: > > > > > > > > http://www.ietf.org/internet-drafts/draft-ietf-pkix-crlaia-01.txt > > > > > > > > Last Call will run for (at least) two weeks. That is, Last Call > > > > will > > not > > > > close before May 24. > > > > > > > > Thanks, > > > > > > > > Tim Polk > > > > > > > > > > > > > > > >
- RE: CRL Issue (Was RE: WG Last Call: AIA CRL exte… Stefan Santesson
- RE: CRL Issue (Was RE: WG Last Call: AIA CRL exte… Santosh Chokhani
- RE: CRL Issue (Was RE: WG Last Call: AIA CRL exte… Stefan Santesson
- RE: CRL Issue (Was RE: WG Last Call: AIA CRL exte… Tom Gindin
- RE: CRL Issue (Was RE: WG Last Call: AIA CRL exte… Santosh Chokhani
- RE: CRL Issue (Was RE: WG Last Call: AIA CRL exte… Stefan Santesson