Re: [pkix] TAMP spec
"Denis Pinkas"<denis.pinkas@bull.net> Mon, 23 November 2009 16:37 UTC
Return-Path: <denis.pinkas@bull.net>
X-Original-To: pkix@core3.amsl.com
Delivered-To: pkix@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 92DE43A6816 for <pkix@core3.amsl.com>; Mon, 23 Nov 2009 08:37:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.512
X-Spam-Level:
X-Spam-Status: No, score=0.512 tagged_above=-999 required=5 tests=[AWL=2.636, BAYES_00=-2.599, HELO_EQ_FR=0.35, HELO_MISMATCH_COM=0.553, HTML_MESSAGE=0.001, HTTP_ESCAPED_HOST=0.134, J_CHICKENPOX_44=0.6, RCVD_BAD_ID=2.837, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yxkBAtv-Iimk for <pkix@core3.amsl.com>; Mon, 23 Nov 2009 08:37:11 -0800 (PST)
Received: from balder-227.proper.com (Balder-227.Proper.COM [192.245.12.227]) by core3.amsl.com (Postfix) with ESMTP id A39453A689C for <pkix@ietf.org>; Mon, 23 Nov 2009 08:37:10 -0800 (PST)
Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id nANGaxPo017527 for <ietf-pkix@imc.org>; Mon, 23 Nov 2009 09:37:05 -0700 (MST) (envelope-from denis.pinkas@bull.net)
Received: from MSGA-001.frcl.bull.fr (msga-001.frcl.bull.fr [129.184.87.31]) by odin2.bull.net (Bull S.A.) with ESMTP id E130018013 for <ietf-pkix@imc.org>; Mon, 23 Nov 2009 17:38:55 +0100 (CET)
Received: from FRCLS4013 ([129.182.108.120]) by MSGA-001.frcl.bull.fr (Lotus Domino Release 5.0.11) with SMTP id 2009112317365690:10123 ; Mon, 23 Nov 2009 17:36:56 +0100
From: Denis Pinkas <denis.pinkas@bull.net>
To: ietf-pkix <ietf-pkix@imc.org>
Date: Mon, 23 Nov 2009 17:36:58 +0100
Message-Id: <DreamMail__173658_12401253642@msga-001.frcl.bull.fr>
References: <FAD1CF17F2A45B43ADE04E140BA83D48E0E51C@scygexch1.cygnacom.com>
MIME-Version: 1.0
X-Priority: 3 (Normal)
X-Mailer: DreamMail 4.4.1.0
X-MIMETrack: Itemize by SMTP Server on MSGA-001/FR/BULL(Release 5.0.11 |July 24, 2002) at 23/11/2009 17:36:57, Serialize by Router on MSGA-001/FR/BULL(Release 5.0.11 |July 24, 2002) at 23/11/2009 17:36:58, Serialize complete at 23/11/2009 17:36:58
Content-Type: multipart/alternative; boundary="----=_NextPart_09112317365766102223481_002"
Subject: Re: [pkix] TAMP spec
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: denis.pinkas@bull.net
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Nov 2009 16:37:14 -0000
Carl, If so, I don't believe that my concerns have been solved. Denis ----- Message reçu ----- De : pkix-bounces À : ietf-pkix Date : 2009-11-23, 17:15:53 Sujet : Re: [pkix] TAMP spec Denis, I don't believe we're covering any new ground in this thread. I will submit a new draft that includes that modified security considerations section somewhere in this thread. Carl From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Denis Pinkas Sent: Monday, November 23, 2009 3:27 AM To: pkix Subject: Re: [pkix] TAMP spec Carl, Herafter are more detailed answers to your comments. Look for [DP2]. Date : 2009-11-16, 14:34:41 Sujet : RE: [pkix] TAMP spec Inline From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Denis Pinkas Sent: Monday, November 16, 2009 4:23 AM To: pkix Subject: Re: [pkix] TAMP spec I will summarize in this email my comments on the draft. I have finally been able to review the changes that were made to version 04. Some parts of the revised text are not crystal clear to me. I am still wondering whether the draft complies with draft-ietf-pkix-ta-mgmt-reqs-04. On page 11, we have: 3.5. RFC 5280 Support 3.5.1. Functional Requirements A trust anchor management protocol MUST enable management of trust anchors that will be used to validate certification paths and CRLs in accordance with [RFC5280] and [RFC5055]. A trust anchor format MUST enable the representation of constraints that influence certification path validation or otherwise establish the scope of usage of the trust anchor public key. Examples of such constraints are name constraints, certificate policies, and key usage. The problem is that the current format does not allow a RP or a TAS manager to add constraints to a self-signed certificate. This limitation should be mentioned in the TAMP draft (or the TAMP draft should be changed). Since it seems that no change will be made to the draft, I believe this limitation should be indicated. [CW] Obviously this can also be done when the self-signed certificate is created. As Geoff noted, this can also be done with a wrapper. Its not clear to me why wed want to include things in the TA that have no processing semantics but its certainly possible as it is with RFC 5280. [DP2] See my other email sent earlier today on this topic. I have provided some text below to address this concern. ===================================================================== Stefan said: I think the following text is confusing to a new reader: Some sequence number generation schemes, e.g., time-based, do not require maintenance of state information. This is a general design consideration for designing the protocol but has nothing to do with security considerations related to deployment of the specified protocol. This text seems relevant only if you provide any security related rationales why such approach was not selected. Else, I would simply remove this text and possibly add a corresponding text in some other place of the document discussing design considerations. [CW] This is approach was not not selected. Its a method the fits the usage described in the draft. In fact, using time-based sequence numbers allow to solve some issues in case more than one trust anchor store manager manages a given trust anchor store. I have provided some text at the end of this email to address the problem. Since parallel management is not mandated, the discussion can be in the security considerations section, since it really relates to security (denial of service in this case). [CW] As previously discussed, there are no synchronization issues between multiple TA store managers. There is no denial of service unless you have access to my key. My sequence number has no bearing on messages you generate and vice versa. [DP2] I may be may missing a point there, but when only the apex trust anchor is used, then it is shared. When you have a backup system you may use the same key and should not be forced to use different keys. 1. On page 21, the text says : TrustAnchorInfo is intended to serve as a minimalist representation of trust anchor information for scenarios where storage or bandwidth is highly constrained. Russ, said: I agree that the representation is not minimal. That description should be removed". I suggest : TrustAnchorInfo does not use a structure derived from RFC 5280. Since it does not include a validity field, the validity period of the trust anchor information is unspecified. The structure optionally includes a TrustAnchorTitle with a UTF8String syntax and which plays a role similar to the issuer field from a certificate with a DN syntax. It may include a specific element called certPath to control certificate path validation. [CW] I do not agree with Russ that this is not a minimal representation. I agree it need not be minimal since it can contain various information. In any case, I prefer the existing text, which is historically accurate the structure was in fact designed to enable expression representations as minimal as key and name. [DP2] Anyway, the current text that is in the draft should be changed since it still says: TrustAnchorInfo is intended to serve as a minimalist representation of trust anchor information for scenarios where storage or bandwidth is highly constrained. 2. Then the text says on the same page: Implementations are not required to support all three options. The unsupportedTrustAnchorFormat error code should be indicated when generating a TAMPError due to receipt of an unsupported trust anchor format. At this place, the characteristics of use of these three structures should be indicated since they are not identical. [CW] The differences between these structures are discussed in TAF. [DP2] See my comments in the e-mail posted just before that email today. I propose to add the following text: The functionalities supported by each option are not the same. Usually self-signed certificates (supported through the certificate field) can be used for several purposes and it is up to relying parties to decide for which purpose(s) they should be used. However, when the certificate choice is being used, the TrustAnchorChoice structure does not allow a trust anchor store manager specifying constraints nor the purpose (or scope) for which a self-signed certificate may be used. On the contrary, the two other structures are able to support additional constraints which may be defined by trust anchor store managers. When they are used without additional specific extensions, the purposes for which the trust anchor info may be used to verify certification paths needs to be locally defined; this means that different usages for different trust anchors placed in the same trust anchor store are not possible either. One way to have different usages for different trust anchors without using specific extensions is to use a different trust anchor store for every different usage. [CW] There is text in TAF that highlights the fact that no additional constraints can be associate with the certificate option but can be with TBSCert and TAI. [DP2] You changed your mind since you wrote this text. See my comments in the e-mail posted just before that email today. Note that the Extended Key Usage extension, as defined in RFC 5280 indicates one or more purposes for which the trust anchor itself may be used. Thus, it cannot be used to indicate for which purpose certificates from paths terminating to that trust anchor may be used. [CW] I dont see any reason note this in TAMP. Its more would be a good fit for an EKU constraints draft, were one to be written. [DP2] I don't believe that a EKU constraints is appropriate to solve this issue, hence why this note is here. We need an extension to indicate constraints that apply to the leaf certificates of the certification path. It could be called LEKU(Leaf Extended Key Usage). 3. On page 22, there is the following text: The TAMP Status Query message MUST be signed. For the query message to be valid, the trust anchor store MUST be an intended recipient of the query, the sequence number checking described in Section 6 MUST be successful when the TAMP message signer is a trust anchor, What does the end of the sentence mean ? A signer is not a trust anchor. Please clarify and rephrase. [CW] See section 6 for a clarification. [DP2] The problem is that my comments apply to page 22 and section 6 is on page 55. The text on page 22 is not understandable. Even reading page 55, I don't understand what this means. As you observe below, sequence number processing is not required when a TAMP message is validated using a certificate instead of a trust anchor. [DP2] What you say may be true, but the current text does not allow to understand why. 4. On page 33, the text says : « The TrustAnchorChangeInfo structure or the TBSCertificateChangeInfo structure is used to provide the revised configuration of the management or identity trust anchor". The end of the sentence is unclear management or identity trust anchor ? [CW] These terms are defined earlier in the draft. [DP2] I propose to rephrase: "The TrustAnchorChangeInfo structure or the TBSCertificateChangeInfo structure is used to provide the revised configuration of a management trust anchor or of an identity trust anchor". The point here is that apex TAs cannot be changed with this structure. Change proposal: The TrustAnchorChangeInfo structure or the TBSCertificateChangeInfo structure is used to provide the revised configuration of the tbsCert and the taInfo structures respectively. As a consequence, the trust anchor store must make a difference between the three options every time one of the structures is stored or changed. 5. On page 55, the text says: This balance is achieved by performing sequence number checking on TAMP messages that are validated directly using a trust anchor, and allowing these checks to be skipped whenever the TAMP message originator is not represented by a trust anchor. What does the end of the sentence mean? What is the difference between a TAMP message originator that is represented by a trust anchor and one which is not? TAMP message originators are trust anchor store managers that use a signing key to access the trust anchor store. Some explanations may be found, but only on the next page: This could be the apex trust anchor operational public key or a management trust anchor public key. In the first case, the apex trust anchor operational public key is used directly to validate the TAMP message digital signature. In the second case, a management trust anchor public key is used directly to validate the TAMP message digital signature. These explanations should be moved. However, I still have a problem to understand how a management trust anchor public key is defined. A final question remains: why can checks be skipped whenever the TAMP message originator is not represented by a trust anchor ? [CW] See the first paragraph of section 6. The primary reason is that its easier to know when to delete sequence number values for TAs, since they are resident in the store. Its harder for certificate holders since expiration or deletion may occur independent of the store. [DP2] I still maintain that additional explanations should be given here. 6. Then the text states on the same page: Implementations MUST perform sequence number checking on TAMP messages that are validated directly using a trust anchor but then the text states: and MAY perform sequence number checking for TAMP messages validated using a certification path. Why is there a difference between the two cases? Please explain and revise. [CW] See above. 7. On page 64, at the end of the security considerations section, I propose to add the following text: In the event of loss sequence number values by one trust anchor store manager, sequence number state can be restored by inspecting the most recently generated TAMP messages, if these messages are logged. [CW] OK. I will add if these messages are logged to the previous proposed text. [DP2] Fine. As sequence number values are used to detect replay attempts, there are difficulties to use concurrently several trust anchor store managers unless a strong and continuous synchronization between them is being maintained at all times. [CW] As noted in previous messages, this is not true. The only case where this would be true is where the two TA managers are sharing a private key and there is no need to support this scenario [DP2] This scenario may be supported when there is a configuration with a back up site. Adding these explanations may be useful. When only one trust anchor store manager is being active at a time and in case of a failure, a backup trust anchor store manager must use sequence numbers that are greater than the last ones being used. One way to avoid a continuous communication of the last sequence number values being used between different trust anchor store managers is to use sequence numbers built using a date and time value in the higher bits of the sequence number values and a random number in the lower bits. If reasonable time synchronization is maintained between the trust anchor store managers, after a few seconds, the backup trust anchor store manager should normally be able to successfully access the trust anchor stores initially managed by the master trust anchor store manager. [CW] No synchronization is required if they use different private keys. [DP2] As said above, if the same key is used (e.g. from the apex), then the comment applies. Denis ============================================================================ De : Carl Wallace À : Stefan Santesson,denis.pinkas,pkix Date : 2009-11-10, 22:54:41 Sujet : RE: [pkix] TAMP spec I agree this is an unanticipated statement for the security considerations section and will strike that sentence, which leaves the following as the draft text: As sequence number values are used to detect replay attempts, trust anchor store managers must take care to maintain their own sequence number state, i.e., knowledge of which sequence number to include in the next TAMP message generated by the trust anchor store manager. Loss of sequence number state can result in generation of TAMP messages that cannot be processed due to seqNumFailure. In the event of loss, sequence number state can be restored by inspecting the most recently generated TAMP message or in collaboration with a trust anchor store manager who can successfully issue a TAMPStatusQuery message. From: Stefan Santesson [mailto:stefan@aaa-sec.com] Sent: Wednesday, November 11, 2009 6:39 AM To: Carl Wallace; denis.pinkas@bull.net; pkix Subject: Re: [pkix] TAMP spec Carl, I think the following text is confusing to a new reader: Some sequence number generation schemes, e.g., time-based, do not require maintenance of state information. This is a general design consideration for designing the protocol but has nothing to do with security considerations related to deployment of the specified protocol. This text seems relevant only if you provide any security related rationales why such approach was not selected. Else, I would simply remove this text and possibly add a corresponding text in some other place of the document discussing design considerations. /Stefan On 09-11-11 3:23 AM, "Carl Wallace" <CWallace@cygnacom.com> wrote: Some draft text for security considerations is below. I dont think we need text on the possible future extensions. Once we agree on the text below, Ill submit a new draft. As sequence number values are used to detect replay attempts, trust anchor store managers must take care to maintain their own sequence number state, i.e., knowledge of which sequence number to include in the next TAMP message generated by the trust anchor store manager. Loss of sequence number state can result in generation of TAMP messages that cannot be processed due to seqNumFailure. In the event of loss, sequence number state can be restored by inspecting the most recently generated TAMP message or in collaboration with a trust anchor store manager who can successfully issue a TAMPStatusQuery message. Some sequence number generation schemes, e.g., time-based, do not require maintenance of state information. From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Denis Pinkas Sent: Tuesday, November 10, 2009 7:49 PM To: pkix Subject: Re: [pkix] TAMP spec Steve, I still see need for additional changes to be made to the document. In particular, Carl said on october 29: "I will add some text to the security considerations section describing the consequences of losing sequence number state". The text to cover this point is not present in version 4. I also believe that text to cover the missing functionnalities and possible future evolutions should be added. If there is an agreement on the principle of such an addition, I can propose such a text. Denis ----- Message reçu ----- De : pkix-bounces <mailto%20:pkix-bounces@ietf.org> À : pkix <mailto%20:pkix@ietf.org> Date : 2009-11-10, 07:56:51 Sujet : [pkix] TAMP spec Folks, The TAMP WGLC period ended on 10/19. While there have been useful discussions beyond that time, it now seems appropriate to consider this WGLC to be over. Based on the messages from Denis, Carl, Russ, and Santosh over the period from 10/8-11/3, I see no need for additional changes need to be made to this document. Additional features and options may be pursed in a future, extensions document. Steve _______________________________________________ pkix mailing list pkix@ietf.org <mailto:%20pkix@ietf.org> https://www.ietf.org/mailman/listinfo/pkix _______________________________________________ pkix mailing list pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix
- [pkix] TAMP spec Stephen Kent
- Re: [pkix] TAMP spec Denis Pinkas
- Re: [pkix] TAMP spec Carl Wallace
- Re: [pkix] TAMP spec Paul Hoffman
- Re: [pkix] TAMP spec Sean Turner
- Re: [pkix] TAMP spec Stefan Santesson
- Re: [pkix] TAMP spec Stefan Santesson
- Re: [pkix] TAMP spec Carl Wallace
- Re: [pkix] TAMP spec Denis Pinkas
- Re: [pkix] TAMP spec Geoff Beier
- Re: [pkix] TAMP spec Carl Wallace
- Re: [pkix] TAMP spec Denis Pinkas
- Re: [pkix] TAMP spec Geoff Beier
- Re: [pkix] TAMP spec Carl Wallace
- Re: [pkix] TAMP spec Thomas Pornin
- Re: [pkix] TAMP spec Denis Pinkas
- Re: [pkix] TAMP spec Denis Pinkas
- Re: [pkix] TAMP spec Denis Pinkas
- Re: [pkix] TAMP spec Carl Wallace
- Re: [pkix] TAMP spec Denis Pinkas
- Re: [pkix] TAMP spec Russ Housley
- Re: [pkix] TAMP spec Russ Housley
- Re: [pkix] TAMP spec Denis Pinkas
- Re: [pkix] TAMP spec Stefan Santesson