IETF Logo Mail Archive

Re: [pkix] I-D Action:draft-ietf-pkix-rfc3161-update-08.txt

Stefan Santesson <stefan@aaa-sec.com> Mon, 26 October 2009 12:19 UTC

Return-Path: <stefan@aaa-sec.com>
X-Original-To: pkix@core3.amsl.com
Delivered-To: pkix@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7A4763A67DB for <pkix@core3.amsl.com>; Mon, 26 Oct 2009 05:19:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.252
X-Spam-Level:
X-Spam-Status: No, score=-0.252 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35, HTML_MESSAGE=0.001, J_CHICKENPOX_54=0.6, MIME_QP_LONG_LINE=1.396]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1G3qIwkJthzk for <pkix@core3.amsl.com>; Mon, 26 Oct 2009 05:19:13 -0700 (PDT)
Received: from s87.loopia.se (s87.loopia.se [194.9.94.111]) by core3.amsl.com (Postfix) with ESMTP id DAAC53A67AB for <pkix@ietf.org>; Mon, 26 Oct 2009 05:19:12 -0700 (PDT)
Received: from s60.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 0422B28B038 for <pkix@ietf.org>; Mon, 26 Oct 2009 13:19:28 +0100 (CET)
Received: (qmail 63630 invoked from network); 26 Oct 2009 12:19:23 -0000
Received: from unknown (HELO [192.168.2.16]) (stefan@fiddler.nu@[85.101.133.83]) (envelope-sender <stefan@aaa-sec.com>) by s60.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for <denis.pinkas@bull.net>; 26 Oct 2009 12:19:23 -0000
User-Agent: Microsoft-Entourage/12.20.0.090605
Date: Mon, 26 Oct 2009 13:19:17 +0200
From: Stefan Santesson <stefan@aaa-sec.com>
To: denis.pinkas@bull.net, pkix <pkix@ietf.org>
Message-ID: <C70B5255.590F%stefan@aaa-sec.com>
Thread-Topic: [pkix] I-D Action:draft-ietf-pkix-rfc3161-update-08.txt
Thread-Index: AcpWNomV1Fds2po3pk6jN+GBWaw5tA==
In-Reply-To: <DreamMail__141651_38360340381@msga-001.frcl.bull.fr>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3339407963_13023667"
Subject: Re: [pkix] I-D Action:draft-ietf-pkix-rfc3161-update-08.txt
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Oct 2009 12:19:15 -0000

Denis,

I have spoken with Nick and we can both live with this change.

The new security considerations section would then read:

   This draft incorporates the security considerations of RFC 5035
   [ESSV2] with further explanations in this section.

   ESSCertID provides a means based on the SHA-1 hash algorithm for
   identifying the certificate used to verify the signature on a time
   stamp. The use of ESSCertIDv2 aims to enable implementers to comply
   with policies that require phasing out all uses of the SHA-1
   algorithm.

   The update provided by this draft is motivated by reasons of
   interoperability and migration to other hash algorithms rather than
   mitigating new security issues.

I will include this in the 09 draft and hope the rest of this list can agree
to this text.

/Stefan


On 09-10-23 2:16 PM, "Denis Pinkas" <denis.pinkas@bull.net> wrote:

> Stefan,
>  
> I could agree with the "minimalist" text you propose by changing a single word
> in it.
>  
> Change "known" into "new".
>  
> Then, the last paragraph would become:
> 
>    The update provided by this draft is motivated by reasons of
>    interoperability and migration to other hash algorithms rather than
>    mitigating new security issues.
> 
> Can you live with it ?
>  
> Denis
> 
> ----- Message reçu -----
>>  
>> De  : pkix-bounces <mailto :pkix-bounces@ietf.org>
>>  
>> À  : Julien  Stern,pkix <mailto :julien.stern@cryptolog.com,pkix@ietf.org>
>>  
>> Date  : 2009-10-23, 11:58:02
>>  
>> Sujet  : Re: [pkix] I-D Action:draft-ietf-pkix-rfc3161-update-08.txt
>>  
>> 
>>  
>>  
>>  
>>  
>> Julien,
>> 
>> The body of this draft has been done and agreed upon for  quite some time
>> now. The document is hold back only because we have not  manage to agree on
>> one security considerations section.
>> 
>> Removing the  security considerations section is not an option. All RFC
>> documents must  have one.
>> 
>> We are NOT trying to say that ESSCertID serves no security  purpose.
>> The original security considerations section was trying to say  that the
>> motivation for allow algorithm agility (through ESSCertIDv2) is to  allow
>> migration to other hash algorithm rather than reasons of  security.
>> 
>> This approach did however receive serious pushback from  Denis. We have since
>> then tried to find a text that is both acceptable and  accurate. So far
>> unsuccessfully.
>> 
>> In the effort to describe the  particular threat that a stronger hash would
>> protect against, it turns out  that this threat requires a malicious trusted
>> CA. This is however something  that breaks the fundamental security
>> assumptions of PKI. If you trust a bad  CA, you are smoked.. No matter how
>> good your protocol is. As BCP 72  requires us to tell (in the security
>> considerations) what threats are in,  or out, of scope of the specified
>> protocol. Thus, describing this threat  also requires us to tell the reader
>> that threats caused by a trusted  malicious CA in general are out of scope
>> for a protocol to  solve.
>> 
>> Failing to do so may cause a reader to believe that he needs to  migrate to
>> ESSCertIDv2 to avoid serious security threats. This is not a  desired outcome
>> and could cause both confusion and interoperability issues  trough premature
>> and unmotivated migrations to ESSCertIDv2.
>> 
>> You are  free to propose text here that meets the requirements of BCP 72
>> section  5.
>> 
>> I personally would be happy with a short note saying what we  originally
>> wanted to say.. That is:
>> 
>> 
>>    This draft  incorporates the security considerations of RFC  5035
>>    [ESSV2] with further explanations in this  section.
>> 
>>    ESSCertID provides a means based on the  SHA-1 hash algorithm for
>>    identifying the certificate used  to verify the signature on a time
>>    stamp. The use of  ESSCertIDv2 aims to enable implementers to comply
>>    with  policies that require phasing out all uses of the  SHA-1
>>    algorithm.
>> 
>>    The update  provided by this draft is motivated by reasons  of
>>    interoperability and migration to other hash  algorithms rather than
>>    mitigating known security  issues.
>> 
>> 
>> .... And delete the rest.
>> 
>> /Stefan
>> 
>> 
>> 
>> On  09-10-22 5:14 PM, "Julien Stern" <julien.stern@cryptolog.com <mailto:
>> julien.stern@cryptolog.com> >  wrote:
>> 
>>> > Internet-Drafts@ietf.org <mailto: Internet-Drafts@ietf.org>   wrote:
>>>> >> A New Internet-Draft is available from the on-line  Internet-Drafts
>>>> >> directories.
>>>> >> This draft is a work item  of the Public-Key Infrastructure (X.509)
>>>> Working
>>>> >> Group of the  IETF.
>>>> >> 
>>>> >> 
>>>> >> Title : ESSCertIDv2 update for RFC  3161
>>>> >> Author(s) : S. Santesson, N. Pope
>>>> >> Filename :  draft-ietf-pkix-rfc3161-update-08.txt
>>>> >> Pages : 8
>>>> >> Date :  2009-10-14
>>> > 
>>> > 
>>> > Dear all,
>>> > 
>>> > Sorry for  jumping in late in the discussion.
>>> > 
>>> > I disagree with the  current proposed addition to the security
>>> > considerations  section.
>>> > 
>>> > In the various email exchanges on this list as well  as on the ESTI ESI
>>> > list, it appears that what is currently under  debate is whether the
>>> > ESSCertID is useful from a security standpoint.  So people are trying to
>>> > argue about the feasability or the  infeasability, as well as the
>>> > practicality and the real-life impact of  various certificate
>>> > substitution attacks.
>>> > 
>>> > I do not  think that this is the point. The point of this update is to
>>> > allow the  usage of the ESSCertID v2 (defined in RFC 5035) instead of the
>>> >  ESSCertID v1.
>>> > 
>>> > I do not think that adding a security  consideration that is essentially
>>> > saying "oh, by the way, ESSCertID v2  is essentially useless
>>> > security-wise" when it is meant to be used in  S/MIME, PKIX (3161, 5126),
>>> > CAdES, XAdES, PAdES, ECOM, etc fits in such  an update. I'm not sure
>>> > either that such an update reflects the  largest view of the community...
>>> > 
>>> > People are free to believe  that ESSCertID (v1 or v2) serves no security
>>> > purpose. Others are free  to believe otherwise.
>>> > 
>>> > But if the authors truly believe that  the ONLY possible attack scenario
>>> > is the one roughly described in the  security consideration section, then
>>> > let them prove it. Otherwise,  remove the security consideration section.
>>> > (In my humble opinion, it  is not correct anyway).
>>> > 
>>> > Regards,
>>> > 
>>> > --
>>> >  Julien
>>> > _______________________________________________
>>> > pkix  mailing list
>>> > pkix@ietf.org <mailto: pkix@ietf.org>
>>> >  https://www.ietf.org/mailman/listinfo/pkix
>> 
>> 
>> _______________________________________________
>> pkix  mailing list
>> pkix@ietf.org <mailto: pkix@ietf.org>
>> https://www.ietf.org/mailman/listinfo/pkix
>> 
> 
> 
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix

v2.23.0 | Report a Bug | By Email