Re: [saag] draft-iab-crypto-alg-agility-00

Ben Laurie <ben@links.org> Sun, 06 April 2014 11:09 UTC

Sender: benlaurie@gmail.com
In-Reply-To: <5999195E-9073-4649-A224-BF71BA61CBAF@vigilsec.com>
References: <5999195E-9073-4649-A224-BF71BA61CBAF@vigilsec.com>
Date: Sun, 6 Apr 2014 12:09:31 +0100
Message-ID: <CAG5KPzzqSQ++YpQcnYesecL0GQ0+J0ieMXBrNk6txMAC58xEQQ@mail.gmail.com>
From: Ben Laurie <ben@links.org>
To: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset=ISO-8859-1
Archived-At: http://mailarchive.ietf.org/arch/msg/saag/eSwjIFAykIzy7_iOrewFED0IahE
Cc: IETF SAAG <saag@ietf.org>
Subject: Re: [saag] draft-iab-crypto-alg-agility-00
List-Id: Security Area Advisory Group <saag.ietf.org>

On 3 April 2014 18:51, Russ Housley <housley@vigilsec.com> wrote:
>
> I gave a presentation at the SAAG session in London about this document.  Stephen said that the discussion would continue on this list.  I'm posting this message to get that discussion going.
Thinking about this in the context of Certificate Transparency, it
seems there are a couple of problems with the I-D.

"IETF protocols that make use of cryptographic algorithms MUST carry
one or more algorithm identifier."

CT (at least currently) does not carry the algorithm identifier in
band, it is metadata that is known about each log. Allowing logs to
choose algorithms on-the-fly probably results in reduced security.

I guess this is because the threat model is unusual: the bad guy is
running the log. Normally one assumes that the bad guy is not one of
the endpoints.

A corollary of this is that

" If a protocol does not carry an algorithm identifier, then the
   protocol version number or some other major change is needed to
   transition from one algorithm to another.  The inclusion of an
   algorithm identifier is a minimal step toward cryptographic algorithm
   agility."

would appear to be incorrect.

Finally, I'm not really sure what s3.3 is getting at. It makes some
statements about some protocols without drawing any conclusions that I
can discern.
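An added example (my code, not from the I-D, the CT spec or any CT implementation) of what "algorithm identifier as out-of-band log metadata" looks like on the verifying side, in Go: the client pins each log's public key and hash algorithm from a trusted list, and any algorithm claim arriving in band with the signed data is only cross-checked against the pinned value, never used to select the verification path, so a log that controls the message cannot steer the verifier toward a different algorithm. The log registry, log IDs and message bodies are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// LogMetadata is what a client knows about a log out of band (constructed
// registry): the key and the hash algorithm are fixed per log, not per message.
type LogMetadata struct {
	Pub  *ecdsa.PublicKey
	Hash string // pinned hash algorithm name, e.g. "sha256"
}

// trustedLogs stands in for the log list shipped with the client.
var trustedLogs = map[string]LogMetadata{}

// VerifyLogSignature verifies a statement signed by the log logID. The
// algorithm comes from pinned metadata; claimedAlg (what the message says,
// possibly empty) is only checked for agreement and never trusted on its own.
func VerifyLogSignature(logID, claimedAlg string, msg, sig []byte) error {
	meta, ok := trustedLogs[logID]
	if !ok {
		return errors.New("unknown log id")
	}
	if claimedAlg != "" && claimedAlg != meta.Hash {
		return fmt.Errorf("in-band algorithm %q disagrees with pinned %q", claimedAlg, meta.Hash)
	}
	if meta.Hash != "sha256" { // only SHA-256/P-256 is wired up in this example
		return fmt.Errorf("pinned algorithm %q not supported by this client", meta.Hash)
	}
	digest := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(meta.Pub, digest[:], sig) {
		return errors.New("signature does not verify under pinned key/algorithm")
	}
	return nil
}

// RegisterLog creates a fresh P-256 key for a log and pins it with SHA-256.
func RegisterLog(logID string) (*ecdsa.PrivateKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	trustedLogs[logID] = LogMetadata{Pub: &priv.PublicKey, Hash: "sha256"}
	return priv, nil
}

// SignAsLog produces the log's signature over msg (the log side of the exchange).
func SignAsLog(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}
```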