Re: [pkix] Signature Verification and DER requirements
Jeffrey Walton <noloader@gmail.com> Fri, 15 May 2015 19:40 UTC
Return-Path: <noloader@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3D4C1A710D for <pkix@ietfa.amsl.com>; Fri, 15 May 2015 12:40:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 02GXUZr5afbp for <pkix@ietfa.amsl.com>; Fri, 15 May 2015 12:40:07 -0700 (PDT)
Received: from mail-ig0-x22a.google.com (mail-ig0-x22a.google.com [IPv6:2607:f8b0:4001:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E6321A1A9E for <pkix@ietf.org>; Fri, 15 May 2015 12:40:07 -0700 (PDT)
Received: by igbyr2 with SMTP id yr2so2995420igb.0 for <pkix@ietf.org>; Fri, 15 May 2015 12:40:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:reply-to:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=wnf7yaq32T6rlI25s1m8i0MwDJT6x3hOV/kvlyZU9NU=; b=j7u28D0Bs6xGTKijl4WvoIGSMXP2K4Ean71CSaRyxU8hHcppjnxnieocyvsZYO0Fk2 kZ2PIjOQS46NM1XWSgqB+rdgIZAqHwF6pArgKeqpRBvpmj4s+lPQdtetXGXNDoDwUaes Ldl0jBoJf1Mf4kFK60ZerUTREYqo4dNbjaGScbIvbY7iwUIi5c4mcVRVTDoOZnQwRHbR AcyfnsDIuCwIvdowp7DADnKnA8f0+mfQWDMqb2PeSuPoVLPaq3UIfLq9HIlg8C3fUfF0 wMn5aL8j0Ja1apsevXNlPudTe/rGZVd6ByjXbirZswJIDH4JTJG3aZaX6fvBJjTEBGS+ WKJA==
MIME-Version: 1.0
X-Received: by 10.107.29.148 with SMTP id d142mr15668836iod.9.1431718806699; Fri, 15 May 2015 12:40:06 -0700 (PDT)
Received: by 10.36.77.15 with HTTP; Fri, 15 May 2015 12:40:06 -0700 (PDT)
In-Reply-To: <000001d08f19$3210caa0$96325fe0$@x500.eu>
References: <9A043F3CF02CD34C8E74AC1594475C73AB020EBB@uxcn10-tdc05.UoA.auckland.ac.nz> <000001d08f19$3210caa0$96325fe0$@x500.eu>
Date: Fri, 15 May 2015 15:40:06 -0400
Message-ID: <CAH8yC8m6V1=PtSua5q5ZWXFY+WnUwdiV_cyoyXyMDeT0iByH_g@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
To: Erik Andersen <era@x500.eu>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/k-qvCWubOtokDyY7ttoOG2osnZM>
Cc: IETF PKIX <pkix@ietf.org>
Subject: Re: [pkix] Signature Verification and DER requirements
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: noloader@gmail.com
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 May 2015 19:40:08 -0000
On Fri, May 15, 2015 at 10:12 AM, Erik Andersen <era@x500.eu> wrote: > As Peter states. It is confusing, and I am not sure how to get it right. > > ... > I am interested in comments. > Maybe the easiest course is to side-step the issue altogether. The issue here is verification, so focus on it. Leave things the way they are related to encoding the certificate and signing the certificate (or more correctly, tbsCertificate). Then be explicit about how to verify it. That is, explicitly state bits should be verified as they are received; and they should not be rearranged to comply with anything because that will usually (always?) invalidate the signature. Allowing the bits to be rearranged during verification just seems wrong. It effectively creates a potential for a DoS when there's no need for one to exist. The security goals were met earlier, when the identity was bound to the public key. I also think you should give an implementation a choice during verification: they can choose to reject a non-DER encoded certificate because that's how things are written. But they should reject for the proper reason: reject because its no-DER encoded; and not becuase they re-arranged bits that caused a signature failure. Allowing a receiver to rearrange bits and then claim the signature verification failed is just plain wrong. They may as well have performed 'certificate[0] XOR 0x01' and claimed the certificate was tampered. There's no difference. Jeff
- [pkix] Signature Verification and DER requirements Jeffrey Walton
- Re: [pkix] Signature Verification and DER require… Martin Rex
- Re: [pkix] Signature Verification and DER require… Erwann Abalea
- Re: [pkix] Signature Verification and DER require… Jeffrey Walton
- Re: [pkix] Signature Verification and DER require… Anders Rundgren
- Re: [pkix] Signature Verification and DER require… Bruce Stephens
- Re: [pkix] Signature Verification and DER require… Peter Gutmann
- Re: [pkix] Signature Verification and DER require… Stephen Farrell
- Re: [pkix] Signature Verification and DER require… Erik Andersen
- Re: [pkix] Signature Verification and DER require… Martin Rex
- Re: [pkix] Signature Verification and DER require… Jeffrey Walton
- Re: [pkix] Signature Verification and DER require… Santosh Chokhani
- Re: [pkix] Signature Verification and DER require… Erik Andersen
- Re: [pkix] Signature Verification and DER require… Jeffrey Walton