Re: [pkix] I-D Action:draft-ietf-pkix-rfc3161-update-08.txt
Stefan Santesson <stefan@aaa-sec.com> Mon, 26 October 2009 12:19 UTC
Return-Path: <stefan@aaa-sec.com>
X-Original-To: pkix@core3.amsl.com
Delivered-To: pkix@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7A4763A67DB for <pkix@core3.amsl.com>; Mon, 26 Oct 2009 05:19:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.252
X-Spam-Level:
X-Spam-Status: No, score=-0.252 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35, HTML_MESSAGE=0.001, J_CHICKENPOX_54=0.6, MIME_QP_LONG_LINE=1.396]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1G3qIwkJthzk for <pkix@core3.amsl.com>; Mon, 26 Oct 2009 05:19:13 -0700 (PDT)
Received: from s87.loopia.se (s87.loopia.se [194.9.94.111]) by core3.amsl.com (Postfix) with ESMTP id DAAC53A67AB for <pkix@ietf.org>; Mon, 26 Oct 2009 05:19:12 -0700 (PDT)
Received: from s60.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 0422B28B038 for <pkix@ietf.org>; Mon, 26 Oct 2009 13:19:28 +0100 (CET)
Received: (qmail 63630 invoked from network); 26 Oct 2009 12:19:23 -0000
Received: from unknown (HELO [192.168.2.16]) (stefan@fiddler.nu@[85.101.133.83]) (envelope-sender <stefan@aaa-sec.com>) by s60.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for <denis.pinkas@bull.net>; 26 Oct 2009 12:19:23 -0000
User-Agent: Microsoft-Entourage/12.20.0.090605
Date: Mon, 26 Oct 2009 13:19:17 +0200
From: Stefan Santesson <stefan@aaa-sec.com>
To: denis.pinkas@bull.net, pkix <pkix@ietf.org>
Message-ID: <C70B5255.590F%stefan@aaa-sec.com>
Thread-Topic: [pkix] I-D Action:draft-ietf-pkix-rfc3161-update-08.txt
Thread-Index: AcpWNomV1Fds2po3pk6jN+GBWaw5tA==
In-Reply-To: <DreamMail__141651_38360340381@msga-001.frcl.bull.fr>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3339407963_13023667"
Subject: Re: [pkix] I-D Action:draft-ietf-pkix-rfc3161-update-08.txt
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Oct 2009 12:19:15 -0000
Denis, I have spoken with Nick and we can both live with this change. The new security considerations section would then read: This draft incorporates the security considerations of RFC 5035 [ESSV2] with further explanations in this section. ESSCertID provides a means based on the SHA-1 hash algorithm for identifying the certificate used to verify the signature on a time stamp. The use of ESSCertIDv2 aims to enable implementers to comply with policies that require phasing out all uses of the SHA-1 algorithm. The update provided by this draft is motivated by reasons of interoperability and migration to other hash algorithms rather than mitigating new security issues. I will include this in the 09 draft and hope the rest of this list can agree to this text. /Stefan On 09-10-23 2:16 PM, "Denis Pinkas" <denis.pinkas@bull.net> wrote: > Stefan, > > I could agree with the "minimalist" text you propose by changing a single word > in it. > > Change "known" into "new". > > Then, the last paragraph would become: > > The update provided by this draft is motivated by reasons of > interoperability and migration to other hash algorithms rather than > mitigating new security issues. > > Can you live with it ? > > Denis > > ----- Message reçu ----- >> >> De : pkix-bounces <mailto :pkix-bounces@ietf.org> >> >> À : Julien Stern,pkix <mailto :julien.stern@cryptolog.com,pkix@ietf.org> >> >> Date : 2009-10-23, 11:58:02 >> >> Sujet : Re: [pkix] I-D Action:draft-ietf-pkix-rfc3161-update-08.txt >> >> >> >> >> >> >> Julien, >> >> The body of this draft has been done and agreed upon for quite some time >> now. The document is hold back only because we have not manage to agree on >> one security considerations section. >> >> Removing the security considerations section is not an option. All RFC >> documents must have one. >> >> We are NOT trying to say that ESSCertID serves no security purpose. >> The original security considerations section was trying to say that the >> motivation for allow algorithm agility (through ESSCertIDv2) is to allow >> migration to other hash algorithm rather than reasons of security. >> >> This approach did however receive serious pushback from Denis. We have since >> then tried to find a text that is both acceptable and accurate. So far >> unsuccessfully. >> >> In the effort to describe the particular threat that a stronger hash would >> protect against, it turns out that this threat requires a malicious trusted >> CA. This is however something that breaks the fundamental security >> assumptions of PKI. If you trust a bad CA, you are smoked.. No matter how >> good your protocol is. As BCP 72 requires us to tell (in the security >> considerations) what threats are in, or out, of scope of the specified >> protocol. Thus, describing this threat also requires us to tell the reader >> that threats caused by a trusted malicious CA in general are out of scope >> for a protocol to solve. >> >> Failing to do so may cause a reader to believe that he needs to migrate to >> ESSCertIDv2 to avoid serious security threats. This is not a desired outcome >> and could cause both confusion and interoperability issues trough premature >> and unmotivated migrations to ESSCertIDv2. >> >> You are free to propose text here that meets the requirements of BCP 72 >> section 5. >> >> I personally would be happy with a short note saying what we originally >> wanted to say.. That is: >> >> >> This draft incorporates the security considerations of RFC 5035 >> [ESSV2] with further explanations in this section. >> >> ESSCertID provides a means based on the SHA-1 hash algorithm for >> identifying the certificate used to verify the signature on a time >> stamp. The use of ESSCertIDv2 aims to enable implementers to comply >> with policies that require phasing out all uses of the SHA-1 >> algorithm. >> >> The update provided by this draft is motivated by reasons of >> interoperability and migration to other hash algorithms rather than >> mitigating known security issues. >> >> >> .... And delete the rest. >> >> /Stefan >> >> >> >> On 09-10-22 5:14 PM, "Julien Stern" <julien.stern@cryptolog.com <mailto: >> julien.stern@cryptolog.com> > wrote: >> >>> > Internet-Drafts@ietf.org <mailto: Internet-Drafts@ietf.org> wrote: >>>> >> A New Internet-Draft is available from the on-line Internet-Drafts >>>> >> directories. >>>> >> This draft is a work item of the Public-Key Infrastructure (X.509) >>>> Working >>>> >> Group of the IETF. >>>> >> >>>> >> >>>> >> Title : ESSCertIDv2 update for RFC 3161 >>>> >> Author(s) : S. Santesson, N. Pope >>>> >> Filename : draft-ietf-pkix-rfc3161-update-08.txt >>>> >> Pages : 8 >>>> >> Date : 2009-10-14 >>> > >>> > >>> > Dear all, >>> > >>> > Sorry for jumping in late in the discussion. >>> > >>> > I disagree with the current proposed addition to the security >>> > considerations section. >>> > >>> > In the various email exchanges on this list as well as on the ESTI ESI >>> > list, it appears that what is currently under debate is whether the >>> > ESSCertID is useful from a security standpoint. So people are trying to >>> > argue about the feasability or the infeasability, as well as the >>> > practicality and the real-life impact of various certificate >>> > substitution attacks. >>> > >>> > I do not think that this is the point. The point of this update is to >>> > allow the usage of the ESSCertID v2 (defined in RFC 5035) instead of the >>> > ESSCertID v1. >>> > >>> > I do not think that adding a security consideration that is essentially >>> > saying "oh, by the way, ESSCertID v2 is essentially useless >>> > security-wise" when it is meant to be used in S/MIME, PKIX (3161, 5126), >>> > CAdES, XAdES, PAdES, ECOM, etc fits in such an update. I'm not sure >>> > either that such an update reflects the largest view of the community... >>> > >>> > People are free to believe that ESSCertID (v1 or v2) serves no security >>> > purpose. Others are free to believe otherwise. >>> > >>> > But if the authors truly believe that the ONLY possible attack scenario >>> > is the one roughly described in the security consideration section, then >>> > let them prove it. Otherwise, remove the security consideration section. >>> > (In my humble opinion, it is not correct anyway). >>> > >>> > Regards, >>> > >>> > -- >>> > Julien >>> > _______________________________________________ >>> > pkix mailing list >>> > pkix@ietf.org <mailto: pkix@ietf.org> >>> > https://www.ietf.org/mailman/listinfo/pkix >> >> >> _______________________________________________ >> pkix mailing list >> pkix@ietf.org <mailto: pkix@ietf.org> >> https://www.ietf.org/mailman/listinfo/pkix >> > > > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix
- [pkix] I-D Action:draft-ietf-pkix-rfc3161-update-… Internet-Drafts
- Re: [pkix] I-D Action:draft-ietf-pkix-rfc3161-upd… Julien Stern
- Re: [pkix] I-D Action:draft-ietf-pkix-rfc3161-upd… Dino Esposito
- Re: [pkix] I-D Action:draft-ietf-pkix-rfc3161-upd… Stefan Santesson
- Re: [pkix] I-D Action:draft-ietf-pkix-rfc3161-upd… Denis Pinkas
- Re: [pkix] I-D Action:draft-ietf-pkix-rfc3161-upd… Julien Stern
- Re: [pkix] I-D Action:draft-ietf-pkix-rfc3161-upd… Stefan Santesson
- Re: [pkix] I-D Action:draft-ietf-pkix-rfc3161-upd… Stefan Santesson