[pkix] Deployment Clarifications about RFC6960 - Section 2.2 and 4.4.8
"Dr. Massimiliano Pala" <massimiliano.pala@gmail.com> Thu, 13 November 2014 22:18 UTC
Return-Path: <massimiliano.pala@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE2401ADF33 for <pkix@ietfa.amsl.com>; Thu, 13 Nov 2014 14:18:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.99
X-Spam-Level:
X-Spam-Status: No, score=-1.99 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001, T_HK_NAME_FM_DR=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pZXxN9_F7lWB for <pkix@ietfa.amsl.com>; Thu, 13 Nov 2014 14:18:00 -0800 (PST)
Received: from mail-wg0-x230.google.com (mail-wg0-x230.google.com [IPv6:2a00:1450:400c:c00::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 126851AD6F3 for <pkix@ietf.org>; Thu, 13 Nov 2014 14:17:59 -0800 (PST)
Received: by mail-wg0-f48.google.com with SMTP id y19so7105961wgg.7 for <pkix@ietf.org>; Thu, 13 Nov 2014 14:17:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject :content-type:content-transfer-encoding; bh=gj2b9MhO7W/ifAPlptOI/mZqqTqt8jNtL3Mb2UY5RW4=; b=Y53VjHN5fkhZPeOE0U5bftYNdzAWDkwwHZg4Tv6bS1sHd5KFKQZIfmlFgYAOczpAP3 fIszt2VUAJPjYdHf9j+YrNV312ZEsqcPk5p2uS5ttIR5N1QmUZJVHi17b2UvXB3YK5om tOO5SNciL0Wk5XqRJS+mzt059+0GInvLBxrH/YbMiV1kWo2cgvrnKdUUAArL3GZTZdBA N79Pu1WZETEy1PnoPobw6I1WkY6qPQtmcrpjZK5V5SnrhAFxgsIy/Rdt7YS6LH6aO/Vc KabUniBkCMCMYSIJl4HeNuLdQo+OtMC4o6kQImh1xgfnCt3us4Rc0i6QDJqXLjnQlbqr zrZQ==
X-Received: by 10.180.100.129 with SMTP id ey1mr2237979wib.28.1415917077865; Thu, 13 Nov 2014 14:17:57 -0800 (PST)
Received: from dhcp-b737.meeting.ietf.org (dhcp-b737.meeting.ietf.org. [31.133.183.55]) by mx.google.com with ESMTPSA id e7sm4230428wjx.31.2014.11.13.14.17.55 for <pkix@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 13 Nov 2014 14:17:57 -0800 (PST)
Message-ID: <54652E19.8050903@gmail.com>
Date: Thu, 13 Nov 2014 12:18:01 -1000
From: "Dr. Massimiliano Pala" <massimiliano.pala@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: "pkix@ietf.org" <pkix@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/dhFgfDSyVjiJD7TB90BLZyz4Yms
Subject: [pkix] Deployment Clarifications about RFC6960 - Section 2.2 and 4.4.8
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Nov 2014 22:18:06 -0000
Hello PKIX,
recently I have been asked to implement the "Extended Revoked
Definition" in our implementation of the OCSP server (OpenCA). However,
after reviewing RFC 6960 I have serious issues with that, and I would
like to know what your opinions are about my concerns. Just to be
precise: I do not want to re-open any work on this topic, but I would
like to know if my concerns are sensible or if I should add support for it.
In particular, by extending the responsibilities of the OCSP responders
to provide also information about the issuing status (instead of just
the revocation information) we might have potential deployment issues -
that is, for pre-computed responses, it seems difficult to make any
useful use of the Extender Revoked extension. This also applies for
other transport protocols that could be defined to make the OCSP
responses easily accessible (e.g., OCSP over DNS or OCSP over LDAP - not
currently standardized, but, I think, useful). If there are people who
deployed support for this, could you please let me know how did you
managed to make any use of this option ?
Also, I think there are some security considerations. The first one is
about protecting against certificate enumeration. Originally, the OCSP
standard was designed in such a way to protect the number of issued
certificates. Since the request does not need to have the certificate in
order to build the OCSP request (just the serial number and the issuing
CA certificate), answering "Good" was seen as a protection against
certificate enumeration. That is the same reason that pushed almost all
Internet Certification Authorities to move from an incremental serial
number to a randomized one few years ago. I have the impression that
when the new RFC was issue, there was a lot of pressure to fix the issue
of compromised CAs that draw the integration of this feature into the
new RFC (specifically coming from the the Web/Browsers world). To
address that issue, other venues are also today explored (e.g., DANE,
Certificate Pinning) that, I think, are more appropriate than OCSP
(personal opinion). Is certificate enumeration not seen as a possible
threat anymore ? If so, why CAs not going back to sequential serial
numbers (easier to verify which certs have been issued since the S/N is
unique and monotonic).
The second security consideration is about the source of trust for the
validity information.
Historically, CRLs were the source of revocation information for the
OCSP. The use of signed data establishes the trust with the CA so that
nobody can change the revocation status by simply change a configuration
file (which is not signed by the CA key) or a database entry. The use of
the CA's Key is required (much simpler to monitor). This also enables
the secure transfer across different OCSP responder and CAs (i.e., the
OCSP can safely retrieve the CRLs, verify the signature from the CA and
provide responses for CAs that are not tightly coupled with).
Unfortunately there is no standard for a signed "white" list - this
would be huge for many CAs. If CRLs are bad for sizes and they usually
are 10% of the overall population of certificates, the list of valid
certificates is quite huge and should be updated (and synchronized
throughout all the OCSP server cloud) each time a new certificate is
issued. This would mean that a CA has now to make 2 signatures each time
a certificate is issued - one of which over a huge file (the white list
itself). IF the "white" list is not updated and distributed to the OCSP
responders as soon as the new certificates are issued, you will not be
able to use the certificate until that happens (as noted in the security
considerations). This approach adds, IMHO, a level of complexity that is
not necessary. From the security considerations:
<<For this service to be effective, certificate-using systems must
connect to the certificate status service provider. In the event
such a connection cannot be obtained, certificate-using systems could
implement CRL processing logic as a fall-back position.>>
seems to address the point, however it does not mandate for any form of
authentication to be performed on the source of information. That means,
according to me, that the security of OCSP responders that use CRLs is
definitely better that any unspecified "connection to the certificate
status service provider". Isn't this an under-specification for the
security considerations in the RFC ? If the source of "white-list" inf
Sorry for the long e-mail, please let me know your point of view (even
offline).
As it is now, I would not implement the feature as I think it reduces
the overall security of the OCSP infrastructure.
Cheers,
Max
- [pkix] Deployment Clarifications about RFC6960 - … Dr. Massimiliano Pala
- Re: [pkix] Deployment Clarifications about RFC696… Gervase Markham
- Re: [pkix] Deployment Clarifications about RFC696… Massimiliano Pala