Re: [pkix] Deployment Clarifications about RFC6960 - Section 2.2 and 4.4.8
Massimiliano Pala <massimiliano.pala@gmail.com> Fri, 14 November 2014 17:14 UTC
Return-Path: <massimiliano.pala@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A54A21A1B0A for <pkix@ietfa.amsl.com>; Fri, 14 Nov 2014 09:14:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cggjzIJtI4ZM for <pkix@ietfa.amsl.com>; Fri, 14 Nov 2014 09:14:24 -0800 (PST)
Received: from mail-pa0-x22d.google.com (mail-pa0-x22d.google.com [IPv6:2607:f8b0:400e:c03::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 862531A1B04 for <pkix@ietf.org>; Fri, 14 Nov 2014 09:14:24 -0800 (PST)
Received: by mail-pa0-f45.google.com with SMTP id lf10so17859016pab.18 for <pkix@ietf.org>; Fri, 14 Nov 2014 09:14:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=lMoJ5yy/fr5+FzIA1L3XXuWGM8vVuptjZM/1nCWfVAw=; b=NYY+LTyk3AbPykoaMIYlMO++FDq8HHDz3/ueXtK1ohxuHoLFt3UX6vKfa54GapJxh3 MzrN0AmCjwTufWWEZGeejus/hc4xkT9fYUIINvGUr+6/V02GhOQxFiHyRGrBc/ptl6aX vFtlx3F3pSy8+tB+SwqhLu8I5RrrrD4p1V/BVU9evZndDQ39ECEcfv9azrVlKtVfkhQ3 I2cn9myjhPgcgaUfk1mW3TL4TQwpXCA0AgnFtQj81sMhMD3YyJFnlbniVLrFKxcF5gNY 1W42elBbWB05o4YQh4561phgdYfNZiP241YMKs2AkflUephw3w4C9jk+gFtlovvpkdbc VOhQ==
X-Received: by 10.68.224.6 with SMTP id qy6mr11489043pbc.35.1415985263636; Fri, 14 Nov 2014 09:14:23 -0800 (PST)
Received: from [192.168.2.5] (ip-64-134-239-108.public.wayport.net. [64.134.239.108]) by mx.google.com with ESMTPSA id ra2sm28031456pbc.27.2014.11.14.09.14.22 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 14 Nov 2014 09:14:22 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
From: Massimiliano Pala <massimiliano.pala@gmail.com>
X-Mailer: iPhone Mail (12B411)
In-Reply-To: <54662471.8060500@mozilla.org>
Date: Fri, 14 Nov 2014 07:14:22 -1000
Content-Transfer-Encoding: quoted-printable
Message-Id: <6E230091-EC1F-44E5-B39F-D67C2A886067@gmail.com>
References: <54652E19.8050903@gmail.com> <54662471.8060500@mozilla.org>
To: Gervase Markham <gerv@mozilla.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/sGJ71NxgVHZxh-qmEZLWA9MrlBw
Cc: "pkix@ietf.org" <pkix@ietf.org>
Subject: Re: [pkix] Deployment Clarifications about RFC6960 - Section 2.2 and 4.4.8
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Nov 2014 17:15:00 -0000
Hi Gerv, responses inline... > On Nov 14, 2014, at 5:49 AM, Gervase Markham <gerv@mozilla.org> wrote: > > I wasn't involved in writing RFC 6960, but: > >> On 13/11/14 22:18, Dr. Massimiliano Pala wrote: >> In particular, by extending the responsibilities of >> currently standardized, but, I think, useful). > > As far as the web is concerned, HTTP (and stapling) is the way to go. > CRL retrieval over LDAP (for example) is no longer supported by Firefox, > if it ever was. OCSPD over LDAP: I do not think it ever was because there is no standard for that! It is an idea that I was playing with. However, directories are HEAVILY a used in corporate environments (and academia) so it would be another good transport for fast and easy access to revocation information. On the extended revocation support, as you point out, the web is going to have stapling.. and this is mostly for server-side... but what about client side certificates? I do not remember if the stapling also applies to client side (I do not think so), but If it does, I do not think that there are many client-side applications that implement that. So, we are still missing 1/2 of the puzzle here, AFAIK. (BTW, the extension that enables the new behavior, if I am not missing something here, is useless when using stapling - only with live signing OCSP responder you have the possibility to use it - therefore in practically all deployment of OCSP for the web that I am aware of - I.e. via CDNs or via stapling, the extension is not useful at all) > >> Also, I think there are some security considerations. The first one is >> about protecting against certificate enumeration. > > Is that a security consideration, or a "protect a CA's business secrets" > > Yep. That's no longer possible, for the reasons you give. An OCSP > responder is more than just a CRL-fragment-responder. And this raises a security / performances and synchronization issue - see my points below. > >> Unfortunately there is no standard for a signed "white" list - this >> would be huge for many CAs. If CRLs are bad for sizes and they usually >> are 10% of the overall population of certificates, the list of valid >> certificates is quite huge and should be updated (and synchronized >> throughout all the OCSP server cloud) each time a new certificate is >> issued. This would mean that a CA has now to make 2 signatures each time >> a certificate is issued - one of which over a huge file (the white list >> itself). > > Why not just send a copy of the certificate itself? It's signed by the > CA's key, and it is small. That would be an option. However, it is not that simple. Now, instead of just looking up in a relatively small DB (I.e. most of the time less than few hundred thousands entries), when a request is received, the server has to make a first lookup to see if the certificate is in the CRL, if not (the vast majority of times) then a second lookup (in a much larger DB) is needed to find the certificate itself, and then the certificate's signature must now be validated in order to protect against DB pollution (AFAIK, all this work had lot of push because of a compromised DB in a CA - if that is the case, we just made things worse). As you can see, by adding this extension (that does not add much in terms of security, IMHO) we now have reduced the performances of live responders (where you have better security via NONCES and possibly secure/validated connections) a lot. Therefore, I think that from a design perspective, the consequences of this change are quite extensive and have not been taken into consideration (or, if they have, I would like to know what was the reasoning for ignoring them). > >> As it is now, I would not implement the feature as I think it reduces >> the overall security of the OCSP infrastructure. > > If your OCSP responder does not implement this feature, it will not be > possible for any hierarchy which wishes to be CAB Forum BR-compliant to > use your software. (I don't know whether this is a matter of concern for > you or not.) Herb, thanks for the comments - however, so far, as an implementer (and not just an RFC adopter) there is no good reason to implement this extension, but there are many NOT to implement that. In fact, that would Uber-complicate the software and open new attack vectors (especially when the responder is run by a different organization other than the one that runs the certification services). For example, what if a consortium of CAs wants to setup an OCSP server for all of the participating parties ? How to integrate the services to offer the extended_revocation extension remains un-specified. Is there anybody who has implemented the feature and actually use it in a high volume environments? What trust compromises did you have to implement (no signature verification? providing answers off a database? Throw money at the problem by building bigger server farms?). A small note that I think could be worth think about (maybe by the ADs?) is that the more I think about many of the recent RFCs and draft that have been worked on in the security area, the more it seems to me that the protocols are too skewed towards the Web. The reality is that TLS and PKIs are used in many different non-web environments. Maybe we should have more representatives from other environments to guarantee that standards take in consideration those environments too. Or, another option, would be to explicitly restrict the scope of these standards and leave open the space for defining protocols better suited for non-web environments. Just my two cents... But I am still interested to hear some convincing argument about the benefits of the extension.. anybody? Cheers, Max
- [pkix] Deployment Clarifications about RFC6960 - … Dr. Massimiliano Pala
- Re: [pkix] Deployment Clarifications about RFC696… Gervase Markham
- Re: [pkix] Deployment Clarifications about RFC696… Massimiliano Pala