Re: [saag] SHA-1 to SHA-n transition

Eric Rescorla <ekr@networkresonance.com> Sun, 22 February 2009 01:44 UTC

Date: Sat, 21 Feb 2009 18:07:09 -0800
From: Eric Rescorla <ekr@networkresonance.com>
To: Stephen Kent <kent@bbn.com>
Cc: saag@ietf.org
Subject: Re: [saag] SHA-1 to SHA-n transition
In-Reply-To: <p06240802c5c5c22d92f0@[128.89.89.88]>
References: <p06240802c5c5c22d92f0@[128.89.89.88]>
Message-Id: <20090222020709.8621A50822@romeo.rtfm.com>
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>

At Sat, 21 Feb 2009 11:10:03 -0500,
Stephen Kent wrote:
> I agree with Phil's suggestion that we begin work on this topic sooner 
> rather than later.  Solutions probably will require coordination 
> between folks in both PKIX and TLS, plus some browser experts from 
> the APP area.

I should note that TLS 1.2 already has support for SHA-n, as
well as mechanisms for indicating that an implementation 
will accept these certificates. Deployment of 1.2 has been
minimal so far, but I'm not aware of any new protocol design
work that needs to be done here.

> Since we're talking about how well browsers implement PKI mechanisms 
> in the context of SSL/TLS, it is worth noting a presentation at last 
> week's Black Hat conference in D.C. The presentation provided details 
> on how several browsers remain vulnerable to attacks because they 
> fail to check the Basic Constraints extension. This oversight of one 
> of those pristine principles of PKIX (we can use the acronym P3 
> going forward) allows a web site to act as a CA, based on the EE 
> cert issued to it by any of the trust anchors embedded in the browser.

I agree that this is a problem.


> Another vulnerability, and matching MITM attack, is enabled by the 
> issuance of certs that contain wildcard DNS names. This is not a 
> violation of P3, because PKIX caved to pressure from the TLS WG to 
> accommodate web site operators who wanted to purchase one cert from a 
> TTP that could be used to verify the EE certs for multiple web sites. 
> I argued against this, but lost. The phrase "I told you so" comes to 
> mind :-).

Can you briefly describe how this leads to MITM attacks? This is something
I haven't heard before.

Best,
-Ekr
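The Basic Constraints failure that Kent describes, shown from the validator's side as an added example that is not part of this thread and not code from any of the browsers or implementations it mentions. It builds a constructed root CA, an EE certificate for "site-a.example" with cA=false, and a certificate for "site-b.example" signed with site-a's EE key, then runs both chains through Go's standard-library path validation, which does enforce Basic Constraints on intermediates. The names, serial numbers and certificates are all constructed inside the program; the only assumption is the behaviour of the crypto/x509 package. The SignatureHashIsSHA1 check at the end is the kind of inventory test a deployment would run during the SHA-1 to SHA-n transition the thread is about.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certPair holds a constructed certificate and its private key.
type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serial int64 // increasing serial numbers for the constructed certs

// makeCert builds a certificate for cn, signed by parent (self-signed when
// parent is nil). Basic Constraints is always present, with cA set from isCA.
// CreateCertificate does not refuse a non-CA parent, which is what lets us
// construct the "EE cert acting as a CA" chain for the validator to judge.
func makeCert(cn string, isCA bool, dns []string, parent *certPair) (*certPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              dns,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certPair{cert: cert, key: key}, nil
}

// verifyChain runs standard path validation for host and returns its error
// (nil means the chain was accepted). Every intermediate must carry cA=true.
func verifyChain(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inter := x509.NewCertPool()
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inter,
		DNSName:       host,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// SignatureHashIsSHA1 reports whether cert was signed with a SHA-1 based
// algorithm, i.e. whether it still needs to move to a SHA-n algorithm.
func SignatureHashIsSHA1(cert *x509.Certificate) bool {
	switch cert.SignatureAlgorithm {
	case x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		return true
	}
	return false
}

// Result summarises the two validation attempts.
type Result struct {
	LegitAccepted  bool  // site-a's own EE cert, chained directly to the root
	ForgedRejected bool  // a cert for site-b signed with site-a's EE key
	ForgedErr      error // the validator's reason for rejecting that chain
	LeafUsesSHA1   bool  // whether site-a's cert was signed with SHA-1
}

// RunScenario constructs the root, the EE cert and the EE-signed cert, then
// validates the legitimate and the forged chain.
func RunScenario() (Result, error) {
	var r Result
	root, err := makeCert("Constructed Root CA", true, nil, nil)
	if err != nil {
		return r, err
	}
	siteA, err := makeCert("site-a.example", false, []string{"site-a.example"}, root)
	if err != nil {
		return r, err
	}
	// site-a's cert has cA=false; a validator that skips Basic Constraints
	// would nevertheless accept this cert for site-b signed with site-a's key.
	forged, err := makeCert("site-b.example", false, []string{"site-b.example"}, siteA)
	if err != nil {
		return r, err
	}
	r.LegitAccepted = verifyChain(siteA.cert, nil, root.cert, "site-a.example") == nil
	r.ForgedErr = verifyChain(forged.cert, []*x509.Certificate{siteA.cert}, root.cert, "site-b.example")
	r.ForgedRejected = r.ForgedErr != nil
	r.LeafUsesSHA1 = SignatureHashIsSHA1(siteA.cert)
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legitimate chain accepted: %v\n", r.LegitAccepted)
	fmt.Printf("EE-signed chain rejected:  %v (%v)\n", r.ForgedRejected, r.ForgedErr)
	fmt.Printf("leaf signed with SHA-1:    %v\n", r.LeafUsesSHA1)
}
```

The rejection happens purely on the chain: the forged certificate's name matches the requested host, so a validator that only checked the hostname and the signatures would have accepted it. The P-256 keys produce ECDSA-with-SHA256 signatures, so the SHA-1 check reports false for every certificate this program builds.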