Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E866621F8B36 for ; Wed, 14 Dec 2011 02:21:19 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.534 X-Spam-Level: X-Spam-Status: No, score=-2.534 tagged_above=-999 required=5 tests=[AWL=-0.065, BAYES_00=-2.599, SARE_RMML_Stock10=0.13] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WLJQgRe0tLAY for ; Wed, 14 Dec 2011 02:21:19 -0800 (PST) Received: from mmmail1.mcr.colo.comodoca.net (mdfw.comodoca.net [91.209.196.68]) by ietfa.amsl.com (Postfix) with ESMTP id C95BD21F8B33 for ; Wed, 14 Dec 2011 02:21:17 -0800 (PST) Received: (qmail 31479 invoked from network); 14 Dec 2011 10:21:14 -0000 Received: from ian.bd.office.comodo.net (HELO ian.brad.office.comodo.net) (192.168.0.201) by mail.colo.comodoca.net with ESMTPS (DHE-RSA-AES256-SHA encrypted); 14 Dec 2011 10:21:14 -0000 Received: (qmail 7696 invoked by uid 1000); 14 Dec 2011 10:21:13 -0000 Received: from nigel.brad.office.comodo.net (HELO nigel.localnet) (192.168.0.58) by ian.brad.office.comodo.net (qpsmtpd/0.40) with (AES256-SHA encrypted) ESMTPS; Wed, 14 Dec 2011 10:21:13 +0000 From: Rob Stradling To: Adam Langley Date: Wed, 14 Dec 2011 10:21:12 +0000 User-Agent: KMail/1.13.7 (Linux/3.0.6-gentoo; KDE/4.7.3; i686; ; ) References: <201112130956.48936.rob.stradling@comodo.com> In-Reply-To: MIME-Version: 1.0 Content-Type: Text/Plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Message-Id: <201112141021.12649.rob.stradling@comodo.com> Cc: pkix@ietf.org Subject: Re: [pkix] fyi: Sovereign Keys: an EFF proposal for more secure TLS authentication X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Dec 2011 10:21:20 -0000 On Tuesday 13 Dec 2011 16:05:52 Adam Langley wrote: > On Tue, Dec 13, 2011 at 4:56 AM, Rob Stradling wrote: > > If "requiring OCSP stapling from all sites" cannot reasonably be > > deployed, then surely we cannot expect ubiquitous support for _any_ new > > TLS extension? > > I agree. In additional to the requirement to support a TLS extension, > OCSP stapling requires constant, fresh data making it even harder. Fair point. CT Audit Proofs don't have this "even harder" requirement, of course, since they will be static data. > > So when you say that "most existing verification code will ignore it", > > you are correct. However, I concluded that "most" was not good enough. > > Yep, if we can't wedge the extra data in anywhere then we're in > trouble. But the sooner that we start working on making it possible, > the better things will be. I've thought of a couple of other ways of wedging the data into the TLS handshake, although these methods would require more collaboration from the CAs than you've thus far intended to require (or perhaps expected). IDEA 1 - PUT THE AUDIT PROOF INSIDE THE END-ENTITY CERTIFICATE: When a CA is about to issue a certificate, it publishes the "ToBeSigned" certificate data to the Public Log. The Public Log generates an Audit Proof of the "ToBeSigned" data and returns this to the CA. The CA encapsulates the Audit Proof in a certificate extension, appends this extension to the "ToBeSigned" certificate data, and recalculates ASN.1 tag lengths as necessary. Then the CA signs the certificate and provides it to the certificate applicant. Browsers would recognize the Audit Proof certificate extension and would have code to strip this extension and reconstruct the original "ToBeSigned" certificate data, so that the Audit Proof can be verified. Since the Public Log is involved prior to certificate issuance, the Public Log could conceivably check CAA records, the Google Safebrowsing blacklist, etc, etc, and refuse to generate an Audit Proof if any problems are encountered. IDEA 2 - CERTIFICATE INSIDE A CERTIFICATE: A certificate is issued and added to the Public Log in the manner your doc describes. Then, the CA issues a second certificate, which contains (in a certificate extension) the Audit Proof and the first certificate's signature and serial number. The second certificate's Subject, Issuer, Validity Dates, Extensions, etc, must exactly match those of the first certificate. The site owner configures their TLS Server to send the second certificate. Browsers would recognize the new certificate extension and would have code to pull apart the second certificate, reconstruct the first certificate, and verify the Audit Proof. Since the first certificate would never be seen by legacy Browsers, its signature could use SHA-2. The second certificate's signature would probably use SHA-1 whilst there remain a significant number of legacy Browsers that don't support SHA-2. Certificate serial numbers are meant to be unique amongst the set of certificates issued by any particular CA, but maybe it would be OK to break this rule for each pair of certificates envisaged by this idea, since they are essentially the same. If revocation is required, both certificates should be revoked together, so sharing a serial number would make sure this happens. Comments welcome. > This is not something that we expect to be done next year, it's going > to take many years to deploy. If at least one my ideas would work, I think it could be deployed more quickly than that. You'd only need buy-in from the CAs and Browsers. No need to update any webserver software, and no need for site admins to do anything any differently. > Cheers > > AGL Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online