IETF Logo Mail Archive

Re: [saag] On PKI vs. Pinning (SAAG 108 preview)

Michael Richardson <mcr+ietf@sandelman.ca> Sun, 23 August 2020 20:38 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA51F3A0E4F for <saag@ietfa.amsl.com>; Sun, 23 Aug 2020 13:38:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level:
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aOY01FJc5Ig9 for <saag@ietfa.amsl.com>; Sun, 23 Aug 2020 13:38:32 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B0E03A0B4E for <saag@ietf.org>; Sun, 23 Aug 2020 13:38:32 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 93F04389D4 for <saag@ietf.org>; Sun, 23 Aug 2020 16:17:34 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id f6nNdI1-uz4h for <saag@ietf.org>; Sun, 23 Aug 2020 16:17:32 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 97D22389CA for <saag@ietf.org>; Sun, 23 Aug 2020 16:17:31 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 258855ED for <saag@ietf.org>; Sun, 23 Aug 2020 16:38:27 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: saag@ietf.org
In-Reply-To: <20200822014328.GI37427@straasha.imrryr.org>
References: <20200728191331.GV41010@kduck.mit.edu> <20200822014328.GI37427@straasha.imrryr.org>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Sun, 23 Aug 2020 16:38:27 -0400
Message-ID: <32690.1598215107@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Lk0iZYlPnOyLj41UJoWlRtdlX1g>
Subject: Re: [saag] On PKI vs. Pinning (SAAG 108 preview)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Aug 2020 20:38:35 -0000

Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
    >> Is there benefit in arranging for a description of the system where
    >> the ability to pin is just a degenerate case of a PKI, with a single
    >> trust anchor and no real hierarchy?

    > FWIW, I should mention that the DANE support in OpenSSL (since 1.1.0) is
    > really just support for verifying a certificate chain against a list of
    > EE and/or TA pins.  The pins need not come from DNS, and DNSSEC is not
    > required to use the "DANE" in OpenSSL.  How the application obtains the
    > pin values is not OpenSSL's concern.

    > The PKIX-TA and PKIX-EE pins are second factors, while the DANE-TA
    > and DANE-EE pins are bypass verification via the usual root CA
    > store, and use only the pins to validate the chain.

There are some terms here that I want to lift up:

1) PKIX-TA
2) PKIX-EE
3) DANE-TA
4) DANE-EE

I think that the "DANE" in (3) and (4) are not, (as is pointed out in by Viktor),
specifically DNS/DNSEC, but rather the point is that they aren't descending
from a *PKIX* trust anchor.

That there are four ways to pin seems consistent with other comments on this
thread.  It seems to me that having a short document that explains the
four methods would be a useful thing to do.  Are there more than four? Maybe.

    > Thus, for example, in Postfix the following all use the same underlying
    > "DANE" (really general-purpose pinning) API.

    > - The "fingerprint" security level that verifies the peer
    > against a static locally configured list of acceptable
    > certificate or public key fingerprints.

    > - The "secure" level with a local per-destination "tafile",
    > which pins acceptable (possibly intermediate) issuer
    > certificates or public keys.  The chain must be signed
    > by an issuer that matches one of the pins.

    > - The "dane" level, where the "pins" take the form of
    > dynamically obtained DNSSEC-validated TLSA records,
    > which can be a mixture of EE and TA pins.

These have different security properties, and maybe represent two additional
forms of pin.

    > So if an OpenSSL application wants to implement pinning that
    > either replaces or augments WebPKI validation, the code is
    > already there in OpenSSL, in the form of support for "DANE",
    > but perhaps it is not correctly "marketed".  It is a really
    > a fairly general framework for validating certificate chains
    > against a list of "pins" ("OR" rather than "AND" semantics,
    > success when any *one* of the pins works out).

Stephen Farrel mentioned the banking app that comes with a pin.
I think that such a an app would like to know that it is not getting through
due to Enterprise audit-based MITM, or National-Firewall MITM.
Of course, it could also be another attacker, and RFC7258 in many ways labels
the above as attacks.

Someone using that app might want to ask their bank about what kind of
pin they are using, and they might like to get back a clear answer.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email