IETF Logo Mail Archive

Re: [saag] SHA-1 to SHA-n transition

<Pasi.Eronen@nokia.com> Tue, 24 February 2009 11:49 UTC

Return-Path: <Pasi.Eronen@nokia.com>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7BF693A682A for <saag@core3.amsl.com>; Tue, 24 Feb 2009 03:49:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.566
X-Spam-Level:
X-Spam-Status: No, score=-6.566 tagged_above=-999 required=5 tests=[AWL=0.032, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sn+5KKJZjhjp for <saag@core3.amsl.com>; Tue, 24 Feb 2009 03:49:09 -0800 (PST)
Received: from mgw-mx03.nokia.com (smtp.nokia.com [192.100.122.230]) by core3.amsl.com (Postfix) with ESMTP id 59E763A69F3 for <saag@ietf.org>; Tue, 24 Feb 2009 03:49:07 -0800 (PST)
Received: from esebh105.NOE.Nokia.com (esebh105.ntc.nokia.com [172.21.138.211]) by mgw-mx03.nokia.com (Switch-3.2.6/Switch-3.2.6) with ESMTP id n1OBnKwL027376; Tue, 24 Feb 2009 13:49:24 +0200
Received: from vaebh102.NOE.Nokia.com ([10.160.244.23]) by esebh105.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 24 Feb 2009 13:49:00 +0200
Received: from smtp.mgd.nokia.com ([65.54.30.7]) by vaebh102.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Tue, 24 Feb 2009 13:48:55 +0200
Received: from nok-am1mhub-08.mgdnok.nokia.com (65.54.30.15) by NOK-AM1MHUB-03.mgdnok.nokia.com (65.54.30.7) with Microsoft SMTP Server (TLS) id 8.1.291.1; Tue, 24 Feb 2009 12:48:55 +0100
Received: from NOK-EUMSG-01.mgdnok.nokia.com ([65.54.30.106]) by nok-am1mhub-08.mgdnok.nokia.com ([65.54.30.15]) with mapi; Tue, 24 Feb 2009 12:48:54 +0100
From: Pasi.Eronen@nokia.com
To: pbaker@verisign.com, saag@ietf.org
Date: Tue, 24 Feb 2009 12:48:53 +0100
Thread-Topic: [saag] SHA-1 to SHA-n transition
Thread-Index: AcmUPu2BuBpQlTXAQDetUEXQp8IetwBp3nWtACN79IA=
Message-ID: <808FD6E27AD4884E94820BC333B2DB7727E7B494E9@NOK-EUMSG-01.mgdnok.nokia.com>
References: <p06240802c5c5c22d92f0@[128.89.89.88]> <2788466ED3E31C418E9ACC5C3166155768B2BD@mou1wnexmb09.vcorp.ad.vrsn.com>
In-Reply-To: <2788466ED3E31C418E9ACC5C3166155768B2BD@mou1wnexmb09.vcorp.ad.vrsn.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_808FD6E27AD4884E94820BC333B2DB7727E7B494E9NOKEUMSG01mgd_"
MIME-Version: 1.0
X-OriginalArrivalTime: 24 Feb 2009 11:48:55.0714 (UTC) FILETIME=[DF38A020:01C99675]
X-Nokia-AV: Clean
Subject: Re: [saag] SHA-1 to SHA-n transition
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Feb 2009 11:49:10 -0000

Phillip,

Since you did suggest that adhering to "pristine principles of the
PKIX infrastructure" would get us in deep trouble, does that mean you
think relaxing/dropping some of those principles would allow us to
avoid some of the trouble?

Or in other words, what are you proposing? I'd certainly be interested
in hearing it, even if it's not totally in line with how we've done
things earlier...

Best regards,
Pasi

________________________________
From: saag-bounces@ietf.org [mailto:saag-bounces@ietf.org] On Behalf Of ext Hallam-Baker, Phillip
Sent: 23 February, 2009 21:14
To: Stephen Kent; saag@ietf.org
Subject: Re: [saag] SHA-1 to SHA-n transition

Let us see, I suggest that we might need to slay a sacred PKIX cow or two in order to make the SHA-n transition work. Stephen:

* Describes the suggestion as 'offensive'
* Raises a non sequitor about certificate issue policy

I canot imagine why Stephen would imagine that a sensible response to a technical issue would be found in relaxing certificate issue policy criteria, or for that matter why I would be likely to be suggesting that.

I did however anticipate that Stephen would find my proposal objectionable. But was somewhat surprised that he didn't wait to find out what it was before objecting.


We have a problem here that requires us to work out a coherent transition plan for enabling browsers to make use of the stronger security of SHA2 and SHAn at the earliest possible date taking into account that we have a very small installed base of SHA2 capable clients and no spec for SHAn.

The problem is that you do not gain security from introducing stronger algorithms, you only gain security from withdrawing insecure algorithms from use. And for better or worse, there are real limits to what the Internet user base will tollerate for security.

So simply adding SHA2 support to existing browsers does not help us much unless we have a way to retrospectively shut off SHA1 support when it is no longer trustworthy.

And even that does not help very much as there will be a large number of certificate customers who want to sell to people who can only use SHA1 capable browsers.

And then we have the problem that PKIX does not really have a strategy for algorithm transition. It has the ability to use multiple algorithms but not very much thought of how the transition from one to another takes place.


________________________________
From: saag-bounces@ietf.org on behalf of Stephen Kent
Sent: Sat 2/21/2009 11:10 AM
To: saag@ietf.org
Subject: [saag] SHA-1 to SHA-n transition

I agree wit Phil's suggestion that we begin work on this topic sooner rather than later.  Solutions probably will require coordination between folks in both PKIX and TLS, plus some browser experts from the APP area.

However, Phil's comment (underling added by me)

If we start addressing the problem now we can lay ourselves an insurance policy. If we try to insist on the pristine principles of the PKIX infrastructure we are going to be in deep trouble in about five years time.

is offensive, at best. Moreover, unless Phil and his favorite browser vendors already have a solution in mind, and he anticipates that it will be objectionable to PKIX, this comment is gratuitous.

Since we're talking about how well browsers implement PKI mechanisms in the context of SSL/TLS, it is worth noting a presentation at last week's Black Hat conference in D.C. The presentation provided details on how several browsers remain vulnerable to attacks because they fails to check the Basic Constraints extension. This oversight of one of those pristine principles of PKIX ( we can use the acronym P3 going forward) and allows a web sites to act as a CA, based o the EE cert issued to it by any of the trust anchors embedded in the browser.

Another vulnerability, and matching MITM attack, is enabled by the issuance of certs that contain wildcard DNS names. This is not, a violation of P3, because PKIX caved to pressure from the TLS WG, to accommodate web site operators who wanted to purchase one cert from a TTP that could be used to verify the EE certs for multiple web sites. I argued against this, but lost. The phrase "I told you so" comes to mind :-).

So, contrary to Phil's assertion that adherence to P3 will get us into deep trouble in five years (with regard to this transition issue), I believe that PKI shortcuts (hacks) in browsers have gotten us into deep trouble for many years, and are likely to persist.

Steve

v2.23.0 | Report a Bug | By Email