IETF Logo Mail Archive

Re: [saag] [lamps] subordinate vs intermediate certification authority

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 08 February 2021 17:44 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D98853A13F1 for <saag@ietfa.amsl.com>; Mon, 8 Feb 2021 09:44:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nnBJ3DakIBQJ for <saag@ietfa.amsl.com>; Mon, 8 Feb 2021 09:44:37 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B6A603A13F0 for <saag@ietf.org>; Mon, 8 Feb 2021 09:44:37 -0800 (PST)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id A96D21A31D2; Mon, 8 Feb 2021 12:44:36 -0500 (EST)
Date: Mon, 8 Feb 2021 12:44:36 -0500
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: saag@ietf.org
Message-ID: <YCF4hPTq1Myurgqv@straasha.imrryr.org>
Reply-To: saag@ietf.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAMm+Lwjks9M+yV0SOsne85eiycyNPm2NtHreDY3=BitAsqt18Q@mail.gmail.com> <CAErg=HHesEG1T+39WCgFGa---wzd884FQNGLndT35dvVAKf+kA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/PGkj_2cNrsylnXsamzJyyBbSavU>
Subject: Re: [saag] [lamps] subordinate vs intermediate certification authority
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Feb 2021 17:44:39 -0000

On Mon, Feb 08, 2021 at 11:48:57AM -0500, Ryan Sleevi wrote:

> > Where it gets complex is when organizations have outsourced the CA
> > function elsewhere.  It's meaningless to pin LetsEncrypt or GoDaddy.
> > It might be meaningful to pin a Subordinate CA signed by some public
> > CA though.
> 
> No one, anywhere, should ever pin to a CA that they don’t directly control,
> and even then, they still shouldn’t :)
> 
> Pinning is just a poor-man’s attempt at a server controlling the client’s
> trust anchors, and thus inevitably runs into issues, since client policy is
> inherently _client_ policy. Especially important is never pinning to a
> so-called “public” CA, precisely because their very existence is predicated
> on client policy that is intentionally not controlled/controllable by
> servers.

With DANE-TA(2), the server is *asserting* the trust-anchor that's
relevant for validation of its certificate.  It is not a pin as such.
The real trust-anchor is the DNSKEY RRset that ultimately signs the
chain leading to validated TLSA records.

Clients that implement DANE-TA(2) support will use whatever appears in
the TLSA record, so there's no assumption of client policy.  (Indeed
less assumption of client policy than with WebPKI, where one must
tacitly assume that the CA one has elected to issue one's certs is
trusted by the relevant clients).

That said, a few operators have on some occasion been too sloppy to
ensure that the actual certificate they deploy matches the trust anchor
listed in their own TLSA records.  This is entirely a server-side issue:
operational negligence, unrelated to client policy.

One can criticise choosing to publish TLSA RRs that "pin" one's own
issuer CA as a potentially fragile configuration, and indeed I rather
recommend DANE-EE(3) instead, and this is what most DANE users use.

Thus, use of DANE-TA(2) is not a potential conflict with client policy,
and with care, e.g. by delaying new EE cert deployment when the issuer
CA keys change, until new TLSA RRs have been published for a few TTLs,
one can use DANE-TA(2) safely even with a third-party issuing CA (most
typically Let's Encrypt these days).  However, I don't recommend this
except perhaps as a fallback, just in case the DANE-EE(3) rollover is
botched.

On Mon, Feb 08, 2021 at 12:13:36PM -0500, Phillip Hallam-Baker wrote:

> > No one, anywhere, should ever pin to a CA that they don’t directly
> > control, and even then, they still shouldn’t :)
> 
> Almost agree. Should not pin to a PKIX CA.

Perhaps this is the short version of what I tried to spell out in more
detail.

-- 
    Viktor.

v2.8.7 | Report a Bug | By Email