IETF Logo Mail Archive

Re: [saag] [lamps] subordinate vs intermediate certification authority

Eliot Lear <lear@cisco.com> Mon, 08 February 2021 18:40 UTC

Return-Path: <lear@cisco.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E03C23A14A9; Mon, 8 Feb 2021 10:40:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.6
X-Spam-Level:
X-Spam-Status: No, score=-9.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id neqR4VQyh8a2; Mon, 8 Feb 2021 10:40:37 -0800 (PST)
Received: from aer-iport-3.cisco.com (aer-iport-3.cisco.com [173.38.203.53]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD3353A14A5; Mon, 8 Feb 2021 10:40:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6668; q=dns/txt; s=iport; t=1612809637; x=1614019237; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=Wa2D2mINJeFan+5d5tMhirq61HxkjqwM3gDiyTJkgmQ=; b=P4Xo0tFNWNwsFNS0oJiEi0wrgfS0mmufh40FgwOA7XzOZKLHH2if4DNU eX4l59ECFh57MXAPVQYLiO1K4ddt/9uvYw7TBSV8vkiJ3lVm6S8Azyu3y 8SodVuKNWcrNNg0rkt5xMqFC+eN3eUMVbkQjo5fPMjS6exUgH2O4Ce6b5 A=;
X-Files: signature.asc : 488
X-IPAS-Result: A0CkBABHhSFg/xbLJq1iHgEBCxIMggQLgSOCUAQBJxKEcokEiFgDh3CMOYgdBAcBAQEKAwEBLwQBAYRLAoIDJjcGDgIDAQEBAwIDAQEBAQUBAQECAQYEcYVuhXIBBAEjVhALQgICVwaDOQGCZiCuSHaBMoVZhF0QgTiBU4UrhkVBggCBOByCVj6EJoMxNIIsBIJABYEsMoEiGZFIjB6cQoMEgymBOpcgAx+TNY9tjzOiIWKDcgIEBgUCFoFsJIFXMxoIGxVlAYI/PRIZDZxsQANnAgYBCQEBAwmJUS2CGgEB
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.81,163,1610409600"; d="asc'?scan'208,217";a="30879408"
Received: from aer-iport-nat.cisco.com (HELO aer-core-4.cisco.com) ([173.38.203.22]) by aer-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 08 Feb 2021 18:40:32 +0000
Received: from [10.61.193.214] ([10.61.193.214]) by aer-core-4.cisco.com (8.15.2/8.15.2) with ESMTPS id 118IeVY4016410 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 8 Feb 2021 18:40:32 GMT
From: Eliot Lear <lear@cisco.com>
Message-Id: <F54D454D-D8BF-48EC-91E2-8493E4E921A0@cisco.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_F083B323-15FB-460A-A96F-3A916455EE7A"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
Date: Mon, 08 Feb 2021 18:59:43 +0100
In-Reply-To: <CAErg=HHesEG1T+39WCgFGa---wzd884FQNGLndT35dvVAKf+kA@mail.gmail.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, LAMPS <spasm@ietf.org>, saag@ietf.org
To: Ryan Sleevi <ryan-ietf@sleevi.com>
References: <30833.1612411843@localhost> <5a88fc8c-dbd2-cc77-2b06-db0fd9da4da4@openca.org> <6108.1612645177@localhost> <CAErg=HHesEG1T+39WCgFGa---wzd884FQNGLndT35dvVAKf+kA@mail.gmail.com>
X-Mailer: Apple Mail (2.3654.60.0.2.21)
X-Outbound-SMTP-Client: 10.61.193.214, [10.61.193.214]
X-Outbound-Node: aer-core-4.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/UrK7vxDgNWZCaJ0zBTIgrXyJNBE>
Subject: Re: [saag] [lamps] subordinate vs intermediate certification authority
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Feb 2021 18:40:39 -0000

Ryan,

> 
> No one, anywhere, should ever pin to a CA that they don’t directly control, and even then, they still shouldn’t :)


> 
> Pinning is just a poor-man’s attempt at a server controlling the client’s trust anchors, and thus inevitably runs into issues, since client policy is inherently _client_ policy. Especially important is never pinning to a so-called “public” CA, precisely because their very existence is predicated on client policy that is intentionally not controlled/controllable by servers.

I think we’ve lost the point of the discussion.  In this case, the client starts with just one CA in its trusted root cache, and maybe not any.  These are small devices, and that one cert is a manufacturer CA.

When we are talking about pinning we are talking about an environment in which a public CA cert is somehow involved.  That “somehow” is very much up in the air. Another way of addressing this is with a domain constraint, but the problem with such a constraint is that the device needs to understand DNS, and it may or may not, in which case some sort of other method is needed to signal that a particular intermediate needs to be in the chain for validation.

The manufacturer is the only trusted element in this picture, as far as the device is concerned, but it IS trusted in this scenario to explicitly configure trust for the device.  Thus it is in a very good position to signal that a particular intermediate certificate must be present in the chain.  How to do that?

That’s the question of the hour, as I see it.  And how to do it such that it doesn’t completely cause various libraries to cough up blood?  BIGGER question.

Eliot

v2.23.0 | Report a Bug | By Email