Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15

"Piyush Jain" <piyush@ditenity.com> Wed, 03 April 2013 17:38 UTC

From: Piyush Jain <piyush@ditenity.com>
To: mrex@sap.com
Date: Wed, 03 Apr 2013 10:38:20 -0700
Cc: ambarish@gmail.com, slava.galperin@gmail.com, cadams@eecs.uottawa.ca, 'Stefan Santesson' <stefan@aaa-sec.com>, "'Black, David'" <david.black@emc.com>, sts@aaa-sec.com, pkix@ietf.org, gen-art@ietf.org
Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15

> No, it does not make any sense at all.  An error code is unsigned and can be
> easily inserted into the communication by an attacker.

[Piyush] Funny that you make this argument. How does returning a signed
revoked address this? Attacker can still replace signed revoked with an
UNSIGNED TRY_LATER.

> These kinds of argument are based on two very flawed premises:
> 
>  (1) the premise that there exist only two possible states for a CA:
>       (a) safe and pristine
>       (b) full and thorough compromise of each and everything
[Piyush] NIST has addressed RA compromise and CA key compromise separately
so this is not true.
And you have not listed what other breaches you are trying to address
offering revoked for non-issued as the silver bullet for all those unknown
security breaches.
Your tendency to allude to vague problems to justify a particular solution,
coupled with a reluctance to engage in a discussion regarding the security
implications continues to amuse me. List the other states and have a
discussion around how this solution solves those problems.
>
>  (2) that a huge PKI (100k+ entities) can be nuked and
>      re-personalized after a CA compromise at close to zero cost and
>      within the blink of an eye

> and both premises exhibit a thorough cluelessness about security, risk
> management and the real world.
 
Let's get this right.
Only possible benefit of revoked for non-issued exists when there are CA
SIGNED certificates floating in the wild and CA has no clue that it has
issued it and therefore cannot revoke it.

Now, to say that clients are secure and CA can continue to operate if it
issues revoked OCSP response for such certificate indicates cluelessness
about security. 

Customers pay a lot of money for certificates for which the marginal cost of
issuance is almost 0. CAs' obligation is to make sure that they are secure
and to address any breach securely.
To say that customers will tolerate a CA security breach just because it
issues revoked for non-issued and continues to publish CRLs that imply
fraudulent certificates as good indicates cluelessness about risk management
and real world.
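
Added example, not part of the original message or of the draft: the point argued above about unsigned error codes, shown from the relying party's side. The sketch reads only the outer OCSPResponse (responseStatus plus optional responseBytes, status values as in RFC 6960) and shows that a tryLater response has nothing to verify, so the outcome depends entirely on the client's fail policy. The function names, the policy strings and both sample byte strings are assumptions constructed for illustration.

```python
# OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED,
#                             responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
          3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def outer_status(der):
    """Return (status_name, has_response_bytes) for an OCSPResponse."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, val, pos = read_tlv(body, 0)
    if tag != 0x0A or len(val) != 1 or val[0] not in STATUS:
        raise ValueError("bad responseStatus")
    # The signature lives inside responseBytes; no responseBytes, no signature.
    has_bytes = pos < len(body) and body[pos] == 0xA0
    return STATUS[val[0]], has_bytes

def client_decision(der, hard_fail):
    """Hypothetical relying-party policy based on the outer response only."""
    status, has_bytes = outer_status(der)
    if status == "successful" and has_bytes:
        return "verify-signature-then-read-certStatus"
    # Error responses are unsigned, so their origin cannot be authenticated.
    return "reject-certificate" if hard_fail else "accept-without-revocation-info"

# Constructed samples: a complete tryLater response, and the outer shell of a
# successful response with an empty placeholder where ResponseBytes would be.
TRY_LATER = bytes.fromhex("30030a0103")
SUCCESS_SHELL = bytes.fromhex("30070a0100a0023000")
```
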