Re: [pkix] Fixing OCSP agility
Phillip Hallam-Baker <hallam@gmail.com> Wed, 10 November 2010 01:29 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: pkix@core3.amsl.com
Delivered-To: pkix@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BBCA23A68A0 for <pkix@core3.amsl.com>; Tue, 9 Nov 2010 17:29:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7VG46E+toxsw for <pkix@core3.amsl.com>; Tue, 9 Nov 2010 17:29:52 -0800 (PST)
Received: from mail-gw0-f44.google.com (mail-gw0-f44.google.com [74.125.83.44]) by core3.amsl.com (Postfix) with ESMTP id 22B453A69A8 for <pkix@ietf.org>; Tue, 9 Nov 2010 17:29:52 -0800 (PST)
Received: by gwb17 with SMTP id 17so64777gwb.31 for <pkix@ietf.org>; Tue, 09 Nov 2010 17:30:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=oVLqHf3dFdU1v8m8l1lTcDXjDrgtTGlWrm5Jk9iX8wI=; b=PuNQt8IstwDlUUiSzYXxINHtM8lGws+lT3nPmhvunTZjFf+IOtoswqv3W7hvL6luOs ySNVSFyIf0F4EmeZguDhNCTacteoEEUevbm0JX5J3NIe0XEv9Jw8f3d1Elu1gKcyjvqe Cjy2sbw9ly8Nb7FMORInhvYAwk5umgOPq7OtY=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=ptvhvrwANMf/Qd2FnBKaFHFkuB2XT9VBWc+aBj73K3q1dMfXzE+AL8Uen7aCxIfMFm 0pUAcE3ASCSVycWtFUFgb+i1PsbWA4in8W4Ph5EK62GsDZuVL8OW8Kbn7BtBM08rz4o+ Z3MGUSFB7ybvFk4kgXQ2XV8mCQ1cbtSw9HOns=
MIME-Version: 1.0
Received: by 10.100.135.14 with SMTP id i14mr4228988and.202.1289352616761; Tue, 09 Nov 2010 17:30:16 -0800 (PST)
Received: by 10.100.41.14 with HTTP; Tue, 9 Nov 2010 17:30:16 -0800 (PST)
In-Reply-To: <310A6B94-1BA2-440E-992D-A28EEE527568@mimectl>
References: <C8FE69A3.B9B9%stefan@aaa-sec.com> <C5EAB5A2C34F409EA38F311E1629C864@proverbs> <310A6B94-1BA2-440E-992D-A28EEE527568@mimectl>
Date: Tue, 09 Nov 2010 20:30:16 -0500
Message-ID: <AANLkTi=vQRbQpTSbdWOMsgGU71CezHN_3djgnmhpa=2k@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "Miller, Timothy J." <tmiller@mitre.org>
Content-Type: multipart/alternative; boundary="0016e645b8e2b65d670494a8cc9c"
Cc: Stefan Santesson <stefan@aaa-sec.com>, Jim Schaad <ietf@augustcellars.com>, "pkix@ietf.org" <pkix@ietf.org>
Subject: Re: [pkix] Fixing OCSP agility
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Nov 2010 01:29:54 -0000
I don't want to move from SHA-1 to SHA-2 for this purpose. There really isn't the value proposition to do that given that we expect to want to retire SHA-2 in the near future. But equally, if I am deploying a completely green-field application of OCSP with no legacy and constrained devices, I don't want to have to run two different sets of hash functions just to be legacy compatible. It is not just a question of the code, it is the hashes themselves that may be an issue. If I have an implementation that is using SHA3-256 as the basis for creating cert digests, I maybe don't want to have to store the same data twice. On Tue, Nov 9, 2010 at 9:44 AM, Miller, Timothy J. <tmiller@mitre.org>wrote: > SHA-1 isn't going anywhere. MD5 hasn't gone anywhere. Heck, even MD2 > hasn't gone anywhere. The best preimage attack against SHA-1 is for a > reduced-round variant. Even MD2 still requires 2^73 amount of work for a > preimage collision, which is still only considered 'practical' by the truly > paranoid. :) > > -- Tim > > ------------------------------ > *From:* Jim Schaad [ietf@augustcellars.com] > *Sent:* Monday, November 08, 2010 8:12 PM > *To:* Stefan Santesson; Miller, Timothy J.; Phillip Hallam-Baker > *Cc:* pkix@ietf.org > > *Subject:* Re: [pkix] Fixing OCSP agility > > There is one reason that agility is nice and that is that at some point > in the future I don’t want to have to implement SHA-1 just for this purpose > and for no other reason. > > jim > *From:* Stefan Santesson <stefan@aaa-sec.com> > *Sent:* Tuesday, November 09, 2010 10:03 AM > *To:* Miller, Timothy J. <tmiller@mitre.org> ; Phillip Hallam-Baker<hallam@gmail.com> > *Cc:* pkix@ietf.org ; Jim Schaad <ietf@augustcellars.com> > *Subject:* Re: [pkix] Fixing OCSP agility > > Not that I totally disagree, but this seems to me like one of those > things that looks bad in theory that hardly poses any practical problems in > reality. > I think I'd rather add a few MUST support algorithms. If you use any other > algorithm and get into problems, just revert to one of the MUST support > ones. > > /Stefan > > From: "Miller, Timothy J." <tmiller@mitre.org> > Date: Mon, 8 Nov 2010 10:18:13 -0500 > To: Phillip Hallam-Baker <hallam@gmail.com>, Stefan Santesson < > stefan@aaa-sec.com> > Cc: "pkix@ietf.org" <pkix@ietf.org>, Jim Schaad <ietf@augustcellars.com> > Subject: RE: [pkix] Fixing OCSP agility > > I agree that for CertID purposes, hash agility isn't needed. > > However, I don't see a need to extend OCSP to signal errors where a > requested CertID was created with an unsupported hash algorithm. In the > case where a request arrives with CertID derived from some non-SHA1 hash, > then the existing logic covers the possible results. Either the server > finds a match, in which case that result is sent and the client is left to > work it out; or it fails to find a match, in which case the proper response > is 'unknown' because this case is indistinguishable from all the other > client errors (e.g., requesting from the wrong OCSP service, client > canonicalization errors, client hash algorithm errors, etc.). > > -- Tim > > ------------------------------ > *From:* pkix-bounces@ietf.org [pkix-bounces@ietf.org] On Behalf Of Phillip > Hallam-Baker [hallam@gmail.com] > *Sent:* Friday, November 05, 2010 11:23 PM > *To:* Stefan Santesson > *Cc:* pkix@ietf.org; Jim Schaad > *Subject:* Re: [pkix] Fixing OCSP agility > > Again, I have still not had any reply. > > On Thu, Oct 14, 2010 at 12:36 AM, Phillip Hallam-Baker <hallam@gmail.com> > wrote: > > I posted this on Sept 13th but did not get any reply either. > > > > I had some pushback from our technical/product management folk at Comodo > who > > reviewed this pointed out that we are not solving algorithm agility > issues > > associated with the OCSPRequest->CertID->hashAlgorithm > > This situation is worse than I thought as the OCSP spec does not actually > > consider the case of what to do if the CertID algorithm presented is > > unknown. The only thing that the responder can do is report 'unknown'. > The > > OCSP spec does not distinguish between 'unknown cert' and 'unknown hash > > algorithm'. > > > > Now this does not matter at all at the moment since SHA1 is perfectly > > adequate as a hash function, it is only inadequate as a cryptographic > > digest. And in any case we definitely do not want to upgrade from SHA1 to > > SHA256 for this specific purpose. We would want to hop straight from SHA1 > to > > SHA3. > > I suggest a fix as follows: > > 1) Define an OCSP response extension as follows: > > > > id-pkix-ocsp-certid-hashAlgorithm-Unkown OBJECT IDENTIFIER ::= { > > id-pkix-ocsp TBS } > > > > AcceptableCertIDHashAlgorithms ::= SEQUENCE OF OBJECT IDENTIFIER > > > > This means that in ten years time when we have people telling us that we > > have to stop using SHA1 and show that we are not using it, that we will > at > > least have a means of tracking the error. > > While the use of SHA1 for this purpose is safe, it is not inexpensive if > you > > are running systems in a regulated environment with a requirement for > annual > > audits. Every use of an obsolete crypto alg is going to mean auditor > time. > > > > 2) Note in the security considerations > > Note that SHA1 is also used for OCSPRequest->CertID->hashAlgorithm > > Note that this purpose has been reviewed and is considered safe since > there > > is negligible chance of an accidental collision and the existence of a > > deliberate collision would at worst cause a response for the wrong cert > > which would in turn mean the response did not match and chain validation > > would fail which is probably what you SHOULD want in that particular > case. > > > > On Fri, Oct 8, 2010 at 10:15 AM, Stefan Santesson <stefan@aaa-sec.com> > > wrote: > >> > >> I would like to know who favors using the S/MIME Capabilities way of > >> specifying preferred algorithm instead of algorithmIdentifier? > >> > >> I have no problem using S/MIME Capability if that makes things clearer. > >> The ASN.1 syntax is the same for these. The only thing that differs is > the > >> rules regarding parameters and potentially they may use different OIDs > for > >> the same algorithm even though neither I nor Jim can think of one that > >> differs of the algorithms we normally are interested in. > >> > >> It would be good to determine this now and move on with a new WG last > >> call. > >> > >> /Stefan > >> > >> > >> > >> On 10-09-14 8:05 AM, "Jim Schaad" <ietf@augustcellars.com> wrote: > >> > >> > Stefan, > >> > > >> > > >> > > >> > The big difference between using the algorithm identifier and the > S/MIME > >> > Capability is a question of what is placed in the parameters field. > >> > Thus > >> > for example the signature algorithm for RSA-PKCS#1 uses a NULL for the > >> > parameters field while the S/MIME Capability uses an empty parameter > >> > field. > >> > The parameters are supposed to only be present in the S/MIME > Capability > >> > when > >> > they are needed to differentiate between different levels or pieces of > >> > an > >> > algorithm. (The classic one being the effective key length of RC2.) > >> > > >> > > >> > > >> > We chose not to include the hash algorithm in RSA-PSS but could have > >> > re-defined the S/MIME Capability parameters for this algorithm to have > >> > been > >> > a sequence of hash algorithms and a sequence of masking functions that > >> > specified which ones were supported. > >> > > >> > > >> > > >> > In every case that I can currently remember, the OID is actually the > >> > same > >> > between the algorithm identifier and the s/mime capability. The > weasel > >> > wording was put in place to deal with the fact that originally the > same > >> > OID > >> > was being used to identify both the RSA-PKCS#1 signature algorithm and > >> > the > >> > RSA public key. (The RSA public key OID being used in both > locations.) > >> > This is no longer an acceptable practice. > >> > > >> > > >> > > >> > Jim > >> > > >> > > >> > > >> > > >> > > >> > From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org<pkix-bounces@ietf.org>] > On Behalf Of > >> > Stefan Santesson > >> > Sent: Tuesday, September 07, 2010 5:07 AM > >> > To: pkix@ietf.org > >> > Subject: [pkix] Fixing OCSP agility > >> > > >> > > >> > > >> > At the last IETF meeting it was concluded that the OCSP Agility draft > >> > needed > >> > another round in the WG with a new WG Last Call. > >> > > >> > http://tools.ietf.org/html/draft-ietf-pkix-ocspagility-09 > >> > > >> > Generally people were unhappy with the specified solution for > specifying > >> > signature algorithms with specific parameter constraints. > >> > Jim has suggested to use the SMIME capabilities form instead. > >> > > >> > The current structure for algorithm preferences in ocspagility is: > >> > > >> > PreferredSignatureAlgorithms ::= SEQUENCE OF > >> > PreferredSignatureAlgorithm > >> > > >> > PreferredSignatureAlgorithm ::= SEQUENCE { > >> > sigIdentifier AlgorithmIdentifier, > >> > certIdentifier AlgorithmIdentifier OPTIONAL > >> > } > >> > > >> > The structure of SMIME Capabilities is: > >> > > >> > SMIMECapabilities ::= SEQUENCE OF SMIMECapability > >> > > >> > SMIMECapability ::= SEQUENCE { > >> > capabilityID OBJECT IDENTIFIER, > >> > parameters ANY DEFINED BY capabilityID OPTIONAL } > >> > > >> > > >> > AlgorithmIdentifier has the same syntax as SMIME Capabilities, being: > >> > > >> > AlgorithmIdentifier ::= SEQUENCE { > >> > algorithm OBJECT IDENTIFIER, > >> > parameters ANY DEFINED BY algorithm OPTIONAL } > >> > > >> > > >> > So one could ask what the benefit here is. > >> > > >> > The difference to my understanding lies in the assignment of algorithm > >> > OIDs > >> > and their parameters dependent on whether this is a pure signature > >> > algorithm > >> > OID, a public key algorithm OID or whether it is an OID for > >> > SMIMECapabilites > >> > (which SHOULD be the algorithm OID). > >> > > >> > RFC 5751 (SMIME Capabilities 2.5.2): > >> > "The OIDs that correspond to algorithms SHOULD use the same OID > as > >> > the > >> > actual algorithm, except in the case where the algorithm usage is > >> > ambiguous from the OID." > >> > > >> > I would like to have your opinion on how we should resolve this issue > so > >> > we > >> > can move on. > >> > > >> > /Stefan > >> > > >> > >> > >> _______________________________________________ > >> pkix mailing list > >> pkix@ietf.org > >> https://www.ietf.org/mailman/listinfo/pkix > > > > > > > > -- > > Website: http://hallambaker.com/ > > > > > > > > -- > Website: http://hallambaker.com/ > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix > -- Website: http://hallambaker.com/
- [pkix] Fixing OCSP agility Stefan Santesson
- Re: [pkix] Fixing OCSP agility Phillip Hallam-Baker
- Re: [pkix] Fixing OCSP agility Jim Schaad
- Re: [pkix] Fixing OCSP agility Stefan Santesson
- Re: [pkix] Fixing OCSP agility Denis Pinkas
- Re: [pkix] Fixing OCSP agility Stefan Santesson
- Re: [pkix] Fixing OCSP agility Denis Pinkas
- Re: [pkix] Fixing OCSP agility Phillip Hallam-Baker
- Re: [pkix] Fixing OCSP agility Phillip Hallam-Baker
- Re: [pkix] Fixing OCSP agility Stefan Santesson
- Re: [pkix] Fixing OCSP agility Miller, Timothy J.
- Re: [pkix] Fixing OCSP agility Stefan Santesson
- Re: [pkix] Fixing OCSP agility Jim Schaad
- Re: [pkix] Fixing OCSP agility Stefan Santesson
- Re: [pkix] Fixing OCSP agility Miller, Timothy J.
- Re: [pkix] Fixing OCSP agility Rob Stradling
- Re: [pkix] Fixing OCSP agility Phillip Hallam-Baker
- Re: [pkix] Fixing OCSP agility Phillip Hallam-Baker
- Re: [pkix] Fixing OCSP agility Rob Stradling