RE: CRL Issue (Was RE: WG Last Call: AIA CRL extension)

[Tom Gindin <tgindin@us.ibm.com>]

        Santosh:

        That is indeed the scenario.  I'm glad to hear that both your 
library and Stefan's do reject paths like this.  I didn't say that no one 
does or understands these things, just that I doubted that people who 
hadn't implemented a library did (you ran into an infinite loop in this 
case while testing, which suggests that it hadn't been fully understood 
before that).
        If any implementor interpreted 6.1.3-a-3's "not revoked and not on 
hold status" to not reject cases where his code could not determine the 
status, they could easily accept this path.

                Tom Gindin





"Santosh Chokhani" <chokhani@orionsec.com>
Sent by: owner-ietf-pkix@mail.imc.org
05/26/2005 07:57 AM
 
        To:     <ietf-pkix@imc.org>
        cc: 
        Subject:        RE: CRL Issue (Was RE: WG Last Call: AIA CRL 
extension)



Tom,

BTW, we may be putting Peter Guttman and rest of the group to sleep again,
which may not be all bad.

You need to provide a clear streamlined scenario.  From what I discern, 
you
are saying the following.

Root R --> C

C --> C1 as CRL issuer & C --> S and C asserts in S C1.

C1 issues CRL.

S goes rouge.  C instructs C1 to put S on CRLgood.

S --> C1.  Now, the new C1 can issue a CRLbad without S on it.

In order to verify signature on CRLbad, you need the path R --> C --> S 
-->
C1.  But, note that in order to verify signature on C --> S either you 
will
find the correct path and CRL (R --> C --> C1 and CRLgood) or you will 
have
circularity since C-->S require C1 CRL.

There is no sense in having this e-mail discussion unless you lay out the
scenario precisely as above as to what the various certification paths 
are.

So far, when I fill in the gaps, all I see is circularity issues or what
Stefan calls infinite loops.

-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] 
On
Behalf Of Tom Gindin
Sent: Wednesday, May 25, 2005 10:22 PM
To: Santosh Chokhani
Cc: ietf-pkix@imc.org
Subject: RE: CRL Issue (Was RE: WG Last Call: AIA CRL extension)



        Santosh:

        I thought that I had made that particular issue clear.  The 
indirect CRL being retrieved governs C's certificates and its issuer name 
(call it C1) is supposed to belong to C.  Indeed, C has issued a CRL 
signing certificate with subject name C1.  However, S has created another 
CRL signing certificate with this same subject name and has created a CRL 
with that key pair.  C did not create any circularity.  The original 
certificate for C1 was issued by C and the corresponding private key 
belongs to an entity under C's control, while the new certificate for C1 
was issued by S and the corresponding private key belongs to a malicious 
subsystem inside S.  While certificates are issued to entities, relying 
parties know the name and the chain but not the entity.
        No relevant CRL is issued by S.  I'm sure that your objection to '
looking at CRL issued by C' actually meant 'issued by S', because you 
normally verify certificates by looking at CRL's issued by the certificate 

issuer or its delegate.

                Tom Gindin






"Santosh Chokhani" <chokhani@orionsec.com>
Sent by: owner-ietf-pkix@mail.imc.org
05/25/2005 08:58 AM
 
        To:     <ietf-pkix@imc.org>
        cc: 
        Subject:        RE: CRL Issue (Was RE: WG Last Call: AIA CRL 
extension)



Tom,

It is not clear from your example who the indirect CRL issuer is and what
role the "indirect CRL" plays in the attack.  If S is the indirect CRL
issuer, C should be smart enough to not create circularity (a good toolkit
will not verify path when C issues a certificate to S and points to S as 
the
indirect CRL issuer since it causes circularity and chicken and egg
problem).  That scenario can be easily rectified within current standard 
by
C not declaring S as the indirect CRL issuer for certificate issued to S. 
C
can declare itself in the CDP or some other issuer.

I suspect you do not mean this.  Your example may be simpler.  To me the
attack is still not plausible.  Your scenario is not detailed enough to
illustrate an attack.  It does not seem that there is a way to validate 
the
certificate issued to C by S without looking at CRL issued by C, resulting
in circularity, which relying party clients should not accept. 

(Note that my November presentation to IETF in DC covered the circularity
issues in CRL and OCSP and recommendations for 3280 and 2560 in addition 
to
the CRL certification path)

-----Original Message-----
From: Tom Gindin [mailto:tgindin@us.ibm.com] 
Sent: Wednesday, May 25, 2005 7:50 AM
To: Santosh Chokhani
Cc: ietf-pkix@imc.org; 'Julien Stern'
Subject: Re: CRL Issue (Was RE: WG Last Call: AIA CRL extension)


        Santosh:

        A relatively concrete example would be the following:
        Assume a trust anchor called A, and CA it has issued a cross 
certificate to called C.  Further assume that C uses indirect CRL's, and 
has issued a cross certificate without name constraints to another CA 
called S. Then assume that S goes rogue and creates a CRL signing 
certificate with the same name as C uses for its indirect CRL's (the key 
pair in that certificate is hereinafter called the "rogue CRL signer"). 
Further assume that C finds out about this and creates a CRL listing S as 
revoked, but that S successfully replaces that CRL in the repository by 
one signed by the rogue CRL signer.
        Does RFC 3280 path validation consider S invalid?  If so, which 
step loops or fails?  It looks to me like 6.3.3-b-1 passes.  Is there 
always a bi-modal loop between 6.3.3-f and 6.1.3-a-3?  If not, what else 
would be likely to cause S to be recognized as invalid?  You could 
probably patch any difficulties by adding "if the certificate whose 
revocation is being checked appears in the path, reject it" to 6.3.3-f.

                Tom Gindin






"Santosh Chokhani" <chokhani@orionsec.com>
05/24/2005 06:42 PM
 
        To:     Tom Gindin/Watson/IBM@IBMUS, <ietf-pkix@imc.org>
        cc:     "'Julien Stern'" <julien.stern@cryptolog.com>
        Subject:        CRL Issue (Was RE: WG Last Call: AIA CRL 
extension)


Tom,


I assume you are talking about CRL certification path solution I proposed
will not permit the scenario?  I still do not see in your case, if the
Subject CA (cross certified CA) is revoked, you will verify the path to it
in the first place.  May be I am not understanding your scenario properly.
How does the revoked CA gets verified?


Julien,

We have defined and proven the solution for how to do this.  The scenario
you proposed is not something X.509 worries about (A CA that is still 
valid,
but has gone bad).

-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] 
On
Behalf Of Julien Stern
Sent: Tuesday, May 24, 2005 3:49 PM
To: Stefan Santesson
Cc: Tom Gindin; ietf-pkix@imc.org
Subject: Re: WG Last Call: AIA CRL extension



On Tue, May 24, 2005 at 07:28:11PM +0100, Stefan Santesson wrote:
> Tom and Julien,
> 
> Since this is a repetition of the discussion we had before San Diego 
> and I don't want to repeat it here. I'm not saying that this 
> discussion is invalid; it is just directed towards the wrong draft.

Stefan,

I agree with you. Actually, I would tend to believe that a _real_ 
discussion
would have to take place at some point regarding the overall security 
model
of CRL validation, but I have absolutely no objection to the AIA, as soon 
as
it is made clear that it's only goal is to simplify path building
implementations, and not to adress security issues. My very humble take on
the subject is that Denis and yourself have been arguing on the list on
absolutely valid but different matters.

So, I chose not to comment expect for my last mail (and will not any more)
about AIA, but I still think that a discusssion regarding revocation
validation should take place for RFC3280bis, eventually.

Regards,

--
Julien Stern

> 
> As Tom pointed out:
> > this fraudulently issued CRL will probably be validated whether it
> > contains an AIA or not.
> 
> This indicates once again that this is not an issue caused by the use 
> of AIA in CRLs but a generic CRL validation issue that belongs with 
> RFC 3280bis and not with the CRL-AIA draft.
> 
> Stefan Santesson
> Program Manager, Standards Liaison
> Windows Security
> 
> 
> > -----Original Message-----
> > From: owner-ietf-pkix@mail.imc.org
> [mailto:owner-ietf-pkix@mail.imc.org]
> > On Behalf Of Julien Stern
> > Sent: den 24 maj 2005 09:39
> > To: Tom Gindin
> > Cc: ietf-pkix@imc.org
> > Subject: Re: WG Last Call: AIA CRL extension
> > 
> > 
> > On Tue, May 24, 2005 at 10:36:16AM -0400, Tom Gindin wrote:
> > >
> > >         There is one scenario permitted by the "same trust anchor"
> rule
> > > for CRL signers which seems to me to be a serious security hole.
> Let us
> > > assume a valid CA which is a direct subordinate of one of the RP's
> trust
> > > anchors.  This CA issues separate CRL's and ARL's, in a quite 
> > > usual
> way,
> > > and issues cross certificates.  After months or years of 
> > > operation,
> it
> > > revokes one of its cross certificates because the subject's 
> > > operator
> has
> > > gone rogue.  That rogue subject then issues a fraudulent CRL 
> > > Signing certificate with the DN that the superior certificate has 
> > > been using
> to
> > > sign ARL's, a public key which it has newly generated, and various 
> > > extensions including an SKID.  It then issues an updated copy of 
> > > an
> old
> > > ARL under the fraudulent CRL signer's certificate and with an AKID 
> > > matching the fraudulent signer's SKID.  If the rogue can break 
> > > into
> the
> > > repository where the CRL is expected, this fraudulently issued CRL
> will
> > > probably be validated whether it contains an AIA or not.  It will 
> > > certainly pass the "same trust anchor" condition.
> > >         This scenario, in which a rogue CA issues an ARL
> > > certifiying
> > that
> > > its primary certificate has not been revoked and gets the ARL
> accepted,
> > is
> > > possible under "same trust anchor" but not under "signed by path
> > member".
> > 
> > I agree with the validity of this scenario. I believe this is very 
> > close to the issue I attempted to bring on the list a short time 
> > ago. Of course, it assumes the existence of a rogue CA at some point 
> > in
> time.
> > 
> > Note that the CRL could be directly inserted into a "long term" 
> > signature (according to RFC3126 for example). This does not require 
> > a repository break-in and makes the "attack" even more realistic.
> > 
> > Regards.
> > 
> > --
> > Julien Stern
> > 
> > >
> > >                 Tom Gindin
> > >
> > > ----- Forwarded by Tom Gindin/Watson/IBM on 05/24/2005 10:13 AM
> -----
> > >
> > >
> > > Tom Gindin
> > > 05/23/2005 10:46 PM
> > >
> > >         To:     wpolk@nist.gov
> > >         cc:     housley@vigilsec.com, ietf-pkix@imc.org,
> kent@bbn.com,
> > > stefans@microsoft.com
> > >         From:   Tom Gindin/Watson/IBM@IBMUS
> > >         Subject:        Re: WG Last Call: AIA CRL extension
> > >
> > >         Tim:
> > >
> > >         I should probably have brought this up earlier, but are we
> > certain
> > > that "same trust anchor" is a strong enough check that the CRL
> signer is
> > > the one expected by the issuing CA?  While I was not in San Diego
> when
> > > this wording was included in the 3280 series, I do not really 
> > > think
> that
> > > that check is strong enough.  I would suggest instead that the CRL 
> > > signer's certificate needs to be directly issued by one of the 
> > > CA's
> in
> > the
> > > certification path back to the trust anchor used for the
> certificate's
> > > verification, or by that anchor itself, unless people have 
> > > practical experience with CA structures which that rule would 
> > > prohibit.
> Forcing
> > the
> > > CRL to be issued by the CA itself (as I understand Denis to have
> > > suggested) prohibits the reasonable case where the CRL is issued 
> > > by
> a
> > > hierarchical superior, so it is IMHO too strict.
> > >         I am personally not sure, FWIW, that a CRL should be
> permitted
> > to
> > > be signed by a second-cousin certificate of the issuer's
> certificate.
> > By
> > > analogy to the use of the terms in families, "sibling" 
> > > certificates
> > would
> > > have the same issuer, "first-cousin" certificates would be issued 
> > > by siblings, and "second-cousin" certificates would be issued by 
> > > first cousins - so they are both three levels down from the same 
> > > trust
> anchor,
> > > or from the last common CA in their paths.  This issue is not 
> > > newly
> > caused
> > > by CRL AIA, since the same issue can arise with CRL's containing
> only
> > > AKID.  AIA only allows RP's to build a path (whether right or
> > > wrong)
> > more
> > > quickly.
> > >         In any case, nothing more than a note in Security
> Considerations
> > > is appropriate in any of our RFC's other than 3280 and its
> successor.
> > >
> > >         Tom Gindin
> > > P.S. -  The above views are mine, and not necessarily those of my
> > employer
> > >
> > >
> > >
> > >
> > >
> > > Tim Polk <tim.polk@nist.gov>
> > > Sent by: owner-ietf-pkix@mail.imc.org
> > > 05/10/2005 05:27 PM
> > >
> > >         To:     ietf-pkix@imc.org
> > >         cc:     kent@bbn.com, stefans@microsoft.com,
> > housley@vigilsec.com
> > >         Subject:        WG Last Call: AIA CRL extension
> > >
> > >
> > >
> > >
> > > This message initiates working group Last Call for the 
> > > specification "Internet X.509 Public Key Infrastructure: Authority 
> > > Information
> Access
> > > CRL
> > > Extension".  While some issues raised in the working group are
> > unresolved,
> > >
> > > the editors believe that rough consensus supports the current 
> > > specification.
> > >
> > > The URL for this Internet-Draft is:
> > >
> > > http://www.ietf.org/internet-drafts/draft-ietf-pkix-crlaia-01.txt
> > >
> > > Last Call will run for (at least) two weeks. That is, Last Call 
> > > will
> not
> > > close before May 24.
> > >
> > > Thanks,
> > >
> > > Tim Polk
> > >
> > >
> > >
>