RE: WG Last Call: AIA CRL extension
"Stefan Santesson" <stefans@microsoft.com> Tue, 24 May 2005 19:16 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA03373 for <pkix-archive@lists.ietf.org>; Tue, 24 May 2005 15:16:49 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j4OISQQn046572; Tue, 24 May 2005 11:28:26 -0700 (PDT) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j4OISQ4S046571; Tue, 24 May 2005 11:28:26 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from mail-eur.microsoft.com (mail-eur.microsoft.com [213.199.128.145]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j4OISOQF046556 for <ietf-pkix@imc.org>; Tue, 24 May 2005 11:28:25 -0700 (PDT) (envelope-from stefans@microsoft.com)
Received: from EUR-MSG-11.europe.corp.microsoft.com ([65.53.193.197]) by mail-eur.microsoft.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 24 May 2005 19:28:19 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: WG Last Call: AIA CRL extension
Date: Tue, 24 May 2005 19:28:11 +0100
Message-ID: <BF9309599A71984CAC5BAC5ECA629944026EC1B3@EUR-MSG-11.europe.corp.microsoft.com>
Thread-Topic: WG Last Call: AIA CRL extension
Thread-Index: AcVghl4hQGnOpNmhQJqTj0yo+nDs+gABuyzA
From: Stefan Santesson <stefans@microsoft.com>
To: Julien Stern <julien.stern@cryptolog.com>, Tom Gindin <tgindin@us.ibm.com>
Cc: ietf-pkix@imc.org
X-OriginalArrivalTime: 24 May 2005 18:28:19.0020 (UTC) FILETIME=[5BB5F0C0:01C5608E]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id j4OISPQF046566
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Content-Transfer-Encoding: 8bit
Tom and Julien, Since this is a repetition of the discussion we had before San Diego and I don't want to repeat it here. I'm not saying that this discussion is invalid; it is just directed towards the wrong draft. As Tom pointed out: > this fraudulently issued CRL will probably be validated whether it > contains an AIA or not. This indicates once again that this is not an issue caused by the use of AIA in CRLs but a generic CRL validation issue that belongs with RFC 3280bis and not with the CRL-AIA draft. Stefan Santesson Program Manager, Standards Liaison Windows Security > -----Original Message----- > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] > On Behalf Of Julien Stern > Sent: den 24 maj 2005 09:39 > To: Tom Gindin > Cc: ietf-pkix@imc.org > Subject: Re: WG Last Call: AIA CRL extension > > > On Tue, May 24, 2005 at 10:36:16AM -0400, Tom Gindin wrote: > > > > There is one scenario permitted by the "same trust anchor" rule > > for CRL signers which seems to me to be a serious security hole. Let us > > assume a valid CA which is a direct subordinate of one of the RP's trust > > anchors. This CA issues separate CRL's and ARL's, in a quite usual way, > > and issues cross certificates. After months or years of operation, it > > revokes one of its cross certificates because the subject's operator has > > gone rogue. That rogue subject then issues a fraudulent CRL Signing > > certificate with the DN that the superior certificate has been using to > > sign ARL's, a public key which it has newly generated, and various > > extensions including an SKID. It then issues an updated copy of an old > > ARL under the fraudulent CRL signer's certificate and with an AKID > > matching the fraudulent signer's SKID. If the rogue can break into the > > repository where the CRL is expected, this fraudulently issued CRL will > > probably be validated whether it contains an AIA or not. It will > > certainly pass the "same trust anchor" condition. > > This scenario, in which a rogue CA issues an ARL certifiying > that > > its primary certificate has not been revoked and gets the ARL accepted, > is > > possible under "same trust anchor" but not under "signed by path > member". > > I agree with the validity of this scenario. I believe this is very > close to the issue I attempted to bring on the list a short time ago. > Of course, it assumes the existence of a rogue CA at some point in time. > > Note that the CRL could be directly inserted into a "long term" > signature (according to RFC3126 for example). This does not require > a repository break-in and makes the "attack" even more realistic. > > Regards. > > -- > Julien Stern > > > > > Tom Gindin > > > > ----- Forwarded by Tom Gindin/Watson/IBM on 05/24/2005 10:13 AM ----- > > > > > > Tom Gindin > > 05/23/2005 10:46 PM > > > > To: wpolk@nist.gov > > cc: housley@vigilsec.com, ietf-pkix@imc.org, kent@bbn.com, > > stefans@microsoft.com > > From: Tom Gindin/Watson/IBM@IBMUS > > Subject: Re: WG Last Call: AIA CRL extension > > > > Tim: > > > > I should probably have brought this up earlier, but are we > certain > > that "same trust anchor" is a strong enough check that the CRL signer is > > the one expected by the issuing CA? While I was not in San Diego when > > this wording was included in the 3280 series, I do not really think that > > that check is strong enough. I would suggest instead that the CRL > > signer's certificate needs to be directly issued by one of the CA's in > the > > certification path back to the trust anchor used for the certificate's > > verification, or by that anchor itself, unless people have practical > > experience with CA structures which that rule would prohibit. Forcing > the > > CRL to be issued by the CA itself (as I understand Denis to have > > suggested) prohibits the reasonable case where the CRL is issued by a > > hierarchical superior, so it is IMHO too strict. > > I am personally not sure, FWIW, that a CRL should be permitted > to > > be signed by a second-cousin certificate of the issuer's certificate. > By > > analogy to the use of the terms in families, "sibling" certificates > would > > have the same issuer, "first-cousin" certificates would be issued by > > siblings, and "second-cousin" certificates would be issued by first > > cousins - so they are both three levels down from the same trust anchor, > > or from the last common CA in their paths. This issue is not newly > caused > > by CRL AIA, since the same issue can arise with CRL's containing only > > AKID. AIA only allows RP's to build a path (whether right or wrong) > more > > quickly. > > In any case, nothing more than a note in Security Considerations > > is appropriate in any of our RFC's other than 3280 and its successor. > > > > Tom Gindin > > P.S. - The above views are mine, and not necessarily those of my > employer > > > > > > > > > > > > Tim Polk <tim.polk@nist.gov> > > Sent by: owner-ietf-pkix@mail.imc.org > > 05/10/2005 05:27 PM > > > > To: ietf-pkix@imc.org > > cc: kent@bbn.com, stefans@microsoft.com, > housley@vigilsec.com > > Subject: WG Last Call: AIA CRL extension > > > > > > > > > > This message initiates working group Last Call for the specification > > "Internet X.509 Public Key Infrastructure: Authority Information Access > > CRL > > Extension". While some issues raised in the working group are > unresolved, > > > > the editors believe that rough consensus supports the current > > specification. > > > > The URL for this Internet-Draft is: > > > > http://www.ietf.org/internet-drafts/draft-ietf-pkix-crlaia-01.txt > > > > Last Call will run for (at least) two weeks. That is, Last Call will not > > close before May 24. > > > > Thanks, > > > > Tim Polk > > > > > >
- WG Last Call: AIA CRL extension Tim Polk
- Re: WG Last Call: AIA CRL extension Tom Gindin
- Re: WG Last Call: AIA CRL extension Tom Gindin
- Re: WG Last Call: AIA CRL extension Denis Pinkas
- Re: WG Last Call: AIA CRL extension Julien Stern
- Re: WG Last Call: AIA CRL extension Jean-Marc Desperrier
- Re: WG Last Call: AIA CRL extension Russ Housley
- RE: WG Last Call: AIA CRL extension Stefan Santesson
- Re: WG Last Call: AIA CRL extension Julien Stern
- CRL Issue (Was RE: WG Last Call: AIA CRL extensio… Santosh Chokhani
- Re: WG Last Call: AIA CRL extension Denis Pinkas
- Re: CRL Issue (Was RE: WG Last Call: AIA CRL exte… Tom Gindin
- RE: CRL Issue (Was RE: WG Last Call: AIA CRL exte… Santosh Chokhani
- RE: WG Last Call: AIA CRL extension Stefan Santesson
- Re: WG Last Call: AIA CRL extension Denis Pinkas
- Re: WG Last Call: AIA CRL extension Tim Polk
- RE: CRL Issue (Was RE: WG Last Call: AIA CRL exte… Tom Gindin
- RE: CRL Issue (Was RE: WG Last Call: AIA CRL exte… Santosh Chokhani
- RE: CRL Issue (Was RE: WG Last Call: AIA CRL exte… Tom Gindin