Re: [pkix] Managing Long-Lived CA certs

Carl Wallace <carl@redhoundsoftware.com> Mon, 17 July 2017 16:46 UTC

Date: Mon, 17 Jul 2017 12:46:51 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: "Dr. Pala" <director@openca.org>, pkix@ietf.org
Message-ID: <D5925FC2.98219%carl@redhoundsoftware.com>
Thread-Topic: [pkix] Managing Long-Lived CA certs
References: <467c8936-f6aa-0853-878c-24fc8803c599@openca.org> <D5925287.981D0%carl@redhoundsoftware.com> <8fee3040-d629-762b-f5b0-b8e770911639@openca.org>
In-Reply-To: <8fee3040-d629-762b-f5b0-b8e770911639@openca.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/q9a5U3xI20NTZ_Ln4Aj6i1Gnhiw>

If the system is compromised, revoke all issued certs since you stopped
using the key (assuming the system compromise isn't such that your efforts
can be undone by the attacker). You could do this fairly easily with OCSP
and a whitelist of issued certs generated when the private key stops being
used for certificates. That begs a different question. What about responder
certs? Would there be a loophole for those?

The upside feels light relative to the challenge of updating path validation
implementations and I tend to doubt enough implementations would pick this
up to obviate the need for one of the above steps anyway – especially when
considering a target is implementations that are already incomplete.

From:  pkix <pkix-bounces@ietf.org> on behalf of "Dr. Pala"
<director@openca.org>
Organization:  OpenCA Labs
Date:  Monday, July 17, 2017 at 12:29 PM
To:  <pkix@ietf.org>
Subject:  Re: [pkix] Managing Long-Lived CA certs

> Hi Carl,
>
> you are totally right :D That case would be covered by the revocation of the
> CA key. However, there are also other types of compromises (e.g., the system
> is compromised, but the key is not - certificates issued by non-authorized
> person).
>
> Keep in mind that in the ecosystem where this happens (device certs and many
> others) certificate revocation is not really checked... this would limit the
> exposure for non-catastrophic compromise events.
>
> Does this make sense? What do you think?
>
> Cheers,
> Max
> [*] = I know that checking revocation is still, regrettably, not common...
>
> On 7/17/17 5:42 PM, Carl Wallace wrote:
>
>> [...]
>> [CW] Wouldn't the protection need to come in the form of revocation? If the
>> CA key is compromised, the validity period in certificates cannot be trusted.
>> [...]
>
> --
> Best Regards,
> Massimiliano Pala, Ph.D.
> OpenCA Labs Director
>
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix
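The OCSP-plus-whitelist approach Carl sketches above, as an added illustration that is not code from this thread or from any responder implementation. It assumes a snapshot of legitimately issued serials is taken when the CA key stops being used, and contrasts that with a naive rule keyed on the certificate's own notBefore, which a certificate minted later with the compromised key can simply backdate (all dates, serials and the `Cert` type are constructed here).

```python
"""Whitelist-backed OCSP status decision for a CA key that is no longer in use.

Added example (not from the thread). After the key is retired, a snapshot of
every serial the CA legitimately issued becomes the only source of "good"
answers; the certificate's own validity dates are not trusted, because a
holder of the compromised key can put any dates it likes into a forged cert.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    serial: int
    not_before: date
    not_after: date


# Constructed: the day the CA key was taken out of service.
KEY_RETIRED = date(2017, 7, 17)

# Constructed: certificates legitimately issued while the key was in use.
LEGIT = [
    Cert(serial=1001, not_before=date(2015, 1, 1), not_after=date(2025, 1, 1)),
    Cert(serial=1002, not_before=date(2016, 6, 1), not_after=date(2026, 6, 1)),
]

# The whitelist is generated once, at retirement, and never grows afterwards.
WHITELIST = frozenset(c.serial for c in LEGIT)

# Constructed: a certificate produced with the compromised key after retirement,
# with notBefore backdated so that a date-only rule cannot distinguish it.
BACKDATED = Cert(serial=9001, not_before=date(2016, 3, 1), not_after=date(2026, 3, 1))


def status_by_dates(cert: Cert, retired: date = KEY_RETIRED) -> str:
    """Naive rule: revoke anything claiming to be issued after key retirement.

    This is the rule that fails: it believes the cert's own notBefore.
    """
    return "revoked" if cert.not_before > retired else "good"


def status_by_whitelist(cert: Cert, whitelist=WHITELIST, revoked=frozenset()) -> str:
    """Whitelist rule: 'good' only for serials snapshotted at retirement.

    Serials explicitly revoked before retirement stay revoked; everything
    outside the snapshot (including anything forged later) is reported revoked.
    """
    if cert.serial in revoked or cert.serial not in whitelist:
        return "revoked"
    return "good"
```

The responder's own signing certificate is just another serial here, so whether it belongs in the snapshot (and what happens when it must be rotated) is exactly the loophole question raised in the message.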