Re: [pkix] Self-issued certificates

王文正 <wcwang@cht.com.tw> Wed, 15 July 2015 18:14 UTC

Return-Path: <wcwang@cht.com.tw>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF65B1B337E for <pkix@ietfa.amsl.com>; Wed, 15 Jul 2015 11:14:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 4.525
X-Spam-Level: ****
X-Spam-Status: No, score=4.525 tagged_above=-999 required=5 tests=[BAYES_50=0.8, CHARSET_FARAWAY_HEADER=3.2, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_TW=1.335, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U7F534CfrANV for <pkix@ietfa.amsl.com>; Wed, 15 Jul 2015 11:14:07 -0700 (PDT)
Received: from scan11.cht.com.tw (scan11.cht.com.tw [202.39.160.141]) by ietfa.amsl.com (Postfix) with ESMTP id 9CBA81B337F for <pkix@ietf.org>; Wed, 15 Jul 2015 11:14:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=cht.com.tw; s=bill; c=relaxed/simple; q=dns/txt; i=@cht.com.tw; t=1436984041; x=1439576041; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=FCLjogO+GBw5YnD81rcOf2JfSA1tA3AkE4yZLBOBUFM=; b=IeimAaliQDsPDGfd/duo7HcizBDXd8v0lZ0dcy/IMS8scjBtBu48FMiFqHoQo28w mGbjq6VeLBZL2V6m3IaOyO8VRjTPNnuwxsDFeP1V0tFaGENEhxeq2yCs+n5MBXZv e6z7jnJB063UId4PBwVymxPBZPcDedKjvGFf2A+mWUE=;
X-AuditID: 0aa00765-f79976d000005eba-af-55a6a2e9fe6d
Received: from scanrelay1.cht.com.tw ( [10.160.7.106]) by scan11.cht.com.tw (CHT Outgoing ESMTP Mail Server) with SMTP id B3.32.24250.9E2A6A55; Thu, 16 Jul 2015 02:14:01 +0800 (CST)
Received: from CAS4.app.corp.cht.com.tw (unknown [10.172.18.166]) by scanrelay1.cht.com.tw (Symantec Mail Security) with ESMTP id F3C1CC000088; Thu, 16 Jul 2015 02:14:00 +0800 (CST)
Received: from MBS6.app.corp.cht.com.tw ([fe80::3178:69dd:b794:fa86]) by CAS4.app.corp.cht.com.tw ([fe80::f179:c93d:e31a:eb23%12]) with mapi id 14.02.0342.003; Thu, 16 Jul 2015 02:13:22 +0800
From: =?iso-2022-jp?B?GyRCMiZKOEA1GyhC?= <wcwang@cht.com.tw>
To: "mrex@sap.com" <mrex@sap.com>
Thread-Topic: [pkix] Self-issued certificates
Thread-Index: AQHQvO6GAYPrVwbgc064vRlSWTnR1Z3YHn2AgAEqVND//8o1gIABb2ZwgACfJkf//8FjAIABpRXAgABR9co=
Date: Wed, 15 Jul 2015 18:13:20 +0000
Message-ID: <20825998BCB8D84C983674C159E25E753D6244C3@mbs6.app.corp.cht.com.tw>
References: <20825998BCB8D84C983674C159E25E753D621BA2@mbs6.app.corp.cht.com.tw> <20150714201254.42B171A1DE@ld9781.wdf.sap.corp>
In-Reply-To: <20150714201254.42B171A1DE@ld9781.wdf.sap.corp>
Accept-Language: zh-TW, en-US
Content-Language: zh-TW
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mimectl: Produced By Microsoft Exchange V14.2.247.1
x-originating-ip: [202.39.167.17]
Content-Type: multipart/alternative; boundary="_000_20825998BCB8D84C983674C159E25E753D6244C3mbs6appcorpchtc_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrAKsWRmVeSWpSXmKPExsXCtYA9S/flomWhBs9n8Fr0/t7BbHHxYJED k8eSJT+ZPKZ83soYwBTVwGiTmJeXX5JYkqqQklqcbKuUnFGim5JZnJyTmJmbWqSbmpeupJCZ YqtkoqRQkJOYnJqbmldiq5RYUJCal6Jkx6WAAWyAyjLzFFLzkvNTMvPSbZU8g/11LSxMLXUN lewCclITi1MVklIVElPKMotTUxQSNshkXOxsZy04WlDxa9FE1gbGnpguRk4OCQETiaX3l7FB 2GISF+6tB7K5OIQEtjNKLDzczgTh7GSU+PNsAZRzmFHi/53lrCAtbAI2Ev+vLmUEsUUEFCVu tU9j72Lk4GAWkJDou6kAEhYW0JG4dWc/E0SJrsSlZ9/ZIOwkiYMn57OD2CwCqhL9vdNYQGxe AX+JrfN3Qu1qBFo8cw9YghNo17op88AGMQrISjxZ8AzMZhYQlzh3sZUd4gUBiSV7zjND2KIS Lx//Y4WwTSV+bfjACHKbBNCdfYvlIM7Ml2jdHAexVlDi5MwnLBMYxWchGToLoWoWkiqIEn2J PRNPQdnaEssWvmaGsPUk7u34ywphW0p0fOhgQlazgJFjFaNgcXJinqGhHjAd6CXn5+qVlG9i hKSm1B2MW+c7HmIU4GBU4uFtaF4WKsSaWFZcmXuIUYKDWUmE998MoBBvSmJlVWpRfnxRaU5q 8SFGU2AYTmSWEk3OB6bNvJJ4Q2NLYwtDIwMzY3MLCyVxXom2zBAhgXRgAsxOTS1ILYLpY+Lg lGpg9PlZIe57//AUz39JQWySpmumpbrUcbyIF1v86grL07Qzmjb5a/0cblTkTs6fqrg1yXKj 5OWZBeL2vZeW3uT677hfZLv9XfP2ew+KeF3q3688t23Rq3itbZ994/nbrru0KoX0/f6z7Mvc g1cU+vynnNcz2r01/f8bjox11Vs/eYR8nli3lOG6rRJLcUaioRZzUXEiAOuP/wFjAwAA
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/f9XGnePusxqACPvGTzgm2LfZOdg>
Cc: PKIX <pkix@ietf.org>
Subject: Re: [pkix] Self-issued certificates
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2015 18:14:14 -0000

Hi Martin,

-----Original Message-----
From: Martin Rex [mailto:mrex@sap.com]
Sent: Wednesday, July 15, 2015 4:13 AM
To: 王文正
Cc: mrex@sap.com; PKIX
Subject: Re: [pkix] Self-issued certificates

> The originaly idea in X.509 predates the UN convention, so it's only
> current consumers that are making use of this half-baked misfeature
> that are violatin the UN convention.

IIRC, the notion of "key rollover with self-issued certificates" arose in RFC 2510 (1999) and the 4th edition of ITU-T X.509 (2000). Please take a look at the 1997 version of ITU-T X.509, the term "self-issued certificate" does not appeared in that version. Therefore, it does not predate the 1997 UN convention.

>> I believe the philosophy of X.509 (or the whole X.500 series) is that
>> a Distinguished Name (DN) represents the identity of an entity.
>> Therefore, if the DN is changed, it means the identity of that entity
>> has been changed. With this philosophy, the DN of each entity should
>> not be changed unless its identity is changed.
>
> The last sentence is a non-sequitur.

If the DN represents the identity, I do not see why the last sentence is a non-sequitur. The analogy is that if your name or your Facebook ID represents your identity, will you frequently change your name or your Facebook ID?

> It's extremely difficult to believe that anyone could get confused
> about the entity/entities represented by name that simply include
> generation identifiers to avoid self-issued problems.
>
>   "CN=VeriSign Class 3 Public Primary Certification Authority - G3, ..."
>   "CN=VeriSign Class 3 Public Primary Certification Authority - G5, ..."

Isn't it dangerous to trust two entities as the same one simply because they have similar DN? How do you know these two CA is the same one?
Besides, differnet CA might use different way add "generation identifiers" to their CN, O, or OU. There is no systematically secure way to tell whether they are the same entity. Your decision to accept G5 because your trust G3 is only based on your intuition and that might be dangrous.

> Distinguished names contain semantic structure on purpose.  Use whatever
> RDName component you like to avoid the troubles and complexitis of
> self-issued certificates.

Indeed, DNs are designed to contain semantic structure on purpose, and that is because X.500 wants every entity use the semantic structure to uniquely name themself to establish trust relationship based on their persistent DNs.

> For root CA certs, the distinguished name regularly does not describe
> the true entity that operates the CA anyway, because many of them change
> ownership once or more often while they're in use.
>
>  e.g.  RSA->VeriSign->Symantec

No mater who operates the CA, the CA is itself an entity and has its identity in the PKI world. People trust the VeriSign CA not because it is operated by Symantec Corp. or VeriSign Inc., it is because the CA fullfil some international security criteria and has been audited.

> The fashion in which the processing of self-issued certificates is specified
> actually _creates_ a security problem.  Normally, one might assume that using
> a path len constraint of 0 in the certificate of an online CA would preclude
> that an attacker who manages to briefly obtain control over a CA key to
> issue himself a CA cert.  The official processing rules for self-issued
> certs subverts that assumed protection -- the attacker can sign himself
> a self-issued CA cert and use that to screw all RPs that process cert
> chains in the fashion that X.509 / PKIX specifies.

Your reasoning is really illogical. If a CA key is compromised, nothing further can be trusted. I do not see why this secure problem will be more specific to a CA which adopt self-issued certificates for key rollovers. If an attacker obtains control over the certificate sining key of a CA which has a "generation identifier" in its DN, doesn't the attacker be able to sign a himself a subordinate CA certificate?



> From the perspective of risk management, not supporting self-issued
> certificates is IMHO a very resonable decision.
>
> For CAs to do rollover with Generation identifiers in DNames
> is a no-brainer.  It will also facilitate recognizing and
> telling apart the CA certificates -- for RPs that start with an
> empty trust store rather than a trust store prepopulated
> with hundreds of omnipotent CAs -- or a dynamic trust store
> such as that of newer Versions of Microsoft Windows, where you
> essentially have no control over the trust anchors any more and
> no idea who is trusted.

I assume you know the reason why the root CA key (usually in the form of a self-signed certificate) must be distributed to RPs through an out-of-band secure channel. If you do, you may realized what PKIX and X.509 tried to do is to specify a systematically secure way to distribute the next generation root CA key to RPs. There are at least two advantages if a root CA do its key rollover with self-issued certificates:



(1) Since RPs had already receieved the previous generation of the root CA key from a secure channel and trust it, the RPs can use the trusted root CA key to verified the new-with-old self-issued certificate and build the trust to the new generation of the root CA key (and therefore the new self-signed certificate of the root CA).

(2) The self-issued certificate can temporarily be used to chain the new certificate chain up to the old self-signed certificate of the root CA, before the new self-signed certificate is finally distributed to all RPs.



I do not see why adopting a non-systemantical and messy way such as adding Generation identifiers in DNames is more reasonable than the standard way suggested by X.509/PKIX. It is unfortunate that there are many RPs does not fully implement the certification path validation algorithm defined by X.509/PKIX. This might be the reason why many root CAs choose to adopt the messy way for key rollovers. I guess there are some CA implementors do not fully understand the standard way for key rollovers suggested by X.509/PKIX, they simply saw some big CA vendors do such thing and they learnt to do it.

Wen-Cheng Wang

Please be advised that this email message (including any attachments) contains confidential information and may be legally privileged. If you are not the intended recipient, please destroy this message and all attachments from your system and do not further collect, process, or use them. Chunghwa Telecom and all its subsidiaries and associated companies shall not be liable for the improper or incomplete transmission of the information contained in this email nor for any delay in its receipt or damage to your system. If you are the intended recipient, please protect the confidential and/or personal information contained in this email with due care. Any unauthorized use, disclosure or distribution of this message in whole or in part is strictly prohibited.  Also, please self-inspect attachments and hyperlinks contained in this email to ensure the information security and to protect personal information.