IETF Logo Mail Archive

Re: [pkix] How do we differentiate authentic servers from proxies performing TLS interception?

"Miller, Timothy J." <tmiller@mitre.org> Sun, 15 November 2015 23:24 UTC

Return-Path: <tmiller@mitre.org>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2E4D1ACE05 for <pkix@ietfa.amsl.com>; Sun, 15 Nov 2015 15:24:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.085
X-Spam-Level:
X-Spam-Status: No, score=-2.085 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s9-NecR9M3a9 for <pkix@ietfa.amsl.com>; Sun, 15 Nov 2015 15:24:11 -0800 (PST)
Received: from smtpvmsrv1.mitre.org (smtpvmsrv1.mitre.org [192.52.194.136]) by ietfa.amsl.com (Postfix) with ESMTP id 2C20F1ACE01 for <pkix@ietf.org>; Sun, 15 Nov 2015 15:24:10 -0800 (PST)
Received: from smtpvmsrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 55CD36C01FF; Sun, 15 Nov 2015 18:24:10 -0500 (EST)
Received: from imshyb01.MITRE.ORG (imshyb01.mitre.org [129.83.29.2]) by smtpvmsrv1.mitre.org (Postfix) with ESMTP id 46C7A6C01F2; Sun, 15 Nov 2015 18:24:10 -0500 (EST)
Received: from imshyb01.MITRE.ORG (129.83.29.2) by imshyb01.MITRE.ORG (129.83.29.2) with Microsoft SMTP Server (TLS) id 15.0.1130.7; Sun, 15 Nov 2015 18:24:10 -0500
Received: from na01-bl2-obe.outbound.protection.outlook.com (10.140.19.249) by imshyb01.MITRE.ORG (129.83.29.2) with Microsoft SMTP Server (TLS) id 15.0.1130.7 via Frontend Transport; Sun, 15 Nov 2015 18:24:09 -0500
Received: from BY2PR09MB109.namprd09.prod.outlook.com (10.242.36.149) by BY2PR09MB109.namprd09.prod.outlook.com (10.242.36.149) with Microsoft SMTP Server (TLS) id 15.1.318.15; Sun, 15 Nov 2015 23:24:08 +0000
Received: from BY2PR09MB109.namprd09.prod.outlook.com ([10.242.36.149]) by BY2PR09MB109.namprd09.prod.outlook.com ([10.242.36.149]) with mapi id 15.01.0318.003; Sun, 15 Nov 2015 23:24:08 +0000
From: "Miller, Timothy J." <tmiller@mitre.org>
To: Tom Gindin <tgindin@us.ibm.com>
Thread-Topic: [pkix] How do we differentiate authentic servers from proxies performing TLS interception?
Thread-Index: AQHRHSZik1bCWQTVykKbY4mwcvoviJ6YWKZQgAA+FQCAAAsmwIAADlcAgAAW2ICABOg5gIAAD9yA
Date: Sun, 15 Nov 2015 23:24:07 +0000
Message-ID: <6ADE63A8-8B81-48F5-BF37-F91B734935C3@mitre.org>
References: <BY2PR09MB1094EA71ADDC83440AE82F2AE120@BY2PR09MB109.namprd09.prod.outlook.com> <20151112163810.E8F351A368@ld9781.wdf.sap.corp> <BY2PR09MB109B9B70BC1746B516CB335AE120@BY2PR09MB109.namprd09.prod.outlook.com> <CAH8yC8n41uA-Aj3pLKRHgjGu1P6smwG-r-dA595rXHMjhAZC_A@mail.gmail.com> <BY2PR09MB10945A7D32E11E8C5E74750AE120@BY2PR09MB109.namprd09.prod.outlook.com> <201511152227.tAFMRTjH000463@d01av04.pok.ibm.com>
In-Reply-To: <201511152227.tAFMRTjH000463@d01av04.pok.ibm.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=tmiller@mitre.org;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [192.80.55.86]
x-microsoft-exchange-diagnostics: 1; BY2PR09MB109; 5:mExvj2ScyMq3fOKtxzpk8W3tWLJXnb7pHqJwEXBfKPB8li0NZFkrZzDB1V6a0wi7hRWTuPc1eKv0dnKgt1j4qXr65TjaAz4vQvqafLCKJOkDDVdcHFHDPKlUlRBsT2iOcOHSSFw8fJ2DtssxtEXEdw==; 24:eufj4LI4eOB99Lg4z1UcNc+3xcSXZKwCqe+VHTzW8A6nF+hJKikMfMSyfUdhXiRaPF7fwtReXtQRvgTsArBNy+QUCe0ilpw1/2kDXI0S520=; 20:NxzSZly8txSGs9n44NVeyY3o+aAJ0/uXG+7gqQ7XB0fzciaXD9aI2+zXzrVJj6rX59S6Zy/3Sil2XV1UeGLy+w==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR09MB109;
x-microsoft-antispam-prvs: <BY2PR09MB10968E12E76F264DD99CCABAE1F0@BY2PR09MB109.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(520078)(5005006)(8121501046)(10201501046)(3002001); SRVR:BY2PR09MB109; BCL:0; PCL:0; RULEID:; SRVR:BY2PR09MB109;
x-forefront-prvs: 0761DE1EDD
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(189002)(199003)(87936001)(83716003)(50986999)(5004730100002)(81156007)(82746002)(11100500001)(40100003)(36756003)(101416001)(106356001)(76176999)(586003)(77096005)(10400500002)(122556002)(5001920100001)(97736004)(5002640100001)(54356999)(102836002)(5007970100001)(99286002)(86362001)(189998001)(66066001)(5001960100002)(110136002)(5008740100001)(106116001)(92566002)(105586002)(2950100001)(33656002)(2900100001)(93886004)(7059030)(104396002); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR09MB109; H:BY2PR09MB109.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: mitre.org does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-ID: <B2963D2E88D6794EB58BC4E0194B6685@namprd09.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Nov 2015 23:24:07.9990 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c620dc48-1d50-4952-8b39-df4d54d74d82
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR09MB109
X-OriginatorOrg: mitre.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/cF6SoGGeca1cU5ljdZqb_KEWkmw>
Cc: PKIX <pkix@ietf.org>
Subject: Re: [pkix] How do we differentiate authentic servers from proxies performing TLS interception?
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Nov 2015 23:24:12 -0000

>         One good reason for a separate EKU value for proxies might be to let the client invoke a different name matching algorithm, although I see no case for changing KeyUsage bits here.  It is reasonable for a client inside a proxied network to configure a single proxy name + issuer chain that will be accepted in advance.

You'd only need alternative name matching if the proxy actually substitutes its own certificate.  Alternatively the proxy acts as a CA and signs a new certificate on the fly--though they don't typically generate a key--containing the origin server's name and some other specific details from the origin server's certificate.  Implementations I'm familiar with can do either, but usually are deployed as a CA to avoid name matching problems.  

No certificate marking is needed, though.  Clients could invoke alternative certificate processing when a certificate name match fails but the certificate chains to a trust anchor marked as "trusted for proxy."  

-- T

v2.23.0 | Report a Bug | By Email