IETF Logo Mail Archive

Re: [saag] subordinate vs intermediate certification authority

Michael Richardson <mcr+ietf@sandelman.ca> Sun, 07 February 2021 02:04 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA84F3A2E64 for <saag@ietfa.amsl.com>; Sat, 6 Feb 2021 18:04:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yu0j1MWmGvGC for <saag@ietfa.amsl.com>; Sat, 6 Feb 2021 18:04:38 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A18D3A2E61 for <saag@ietf.org>; Sat, 6 Feb 2021 18:04:37 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id D5333389A9 for <saag@ietf.org>; Sat, 6 Feb 2021 21:07:40 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id akeoLwR4J-Vp for <saag@ietf.org>; Sat, 6 Feb 2021 21:07:39 -0500 (EST)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 18988389A7 for <saag@ietf.org>; Sat, 6 Feb 2021 21:07:39 -0500 (EST)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 26451C65 for <saag@ietf.org>; Sat, 6 Feb 2021 21:04:34 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: saag@ietf.org
In-Reply-To: <YB8LSrp/nokGNDui@straasha.imrryr.org>
References: <30833.1612411843@localhost> <5a88fc8c-dbd2-cc77-2b06-db0fd9da4da4@openca.org> <6108.1612645177@localhost> <YB8LSrp/nokGNDui@straasha.imrryr.org>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Sat, 06 Feb 2021 21:04:34 -0500
Message-ID: <28961.1612663474@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/hL1SFwFv9cMLcJjr022LGQz_7QA>
Subject: Re: [saag] subordinate vs intermediate certification authority
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Feb 2021 02:04:41 -0000

Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
    > On Sat, Feb 06, 2021 at 03:59:37PM -0500, Michael Richardson wrote:

    >> The issue comes up with pinning as it relates to ownership.  It's not
    >> a problem if every organization that can own Things has it's own
    >> private CA.  Pinning that CA works great.  Pinning some other EE is
    >> very much more specific, but also, may be too ephemeral.
    >>
    >> Where it gets complex is when organizations have outsourced the CA
    >> function elsewhere.  It's meaningless to pin LetsEncrypt or GoDaddy.
    >> It might be meaningful to pin a Subordinate CA signed by some public
    >> CA though.

    > Are you trying to get at generalising the issue described at:

    >     http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html

Hi, that's a very interesting read, and I also haven't seen the diagram at:
   https://letsencrypt.org/certificates/#intermediate-certificates

I also really like the rounded box with the wave bottom to represent a certificate.
I've been looking for a good icon for certificates, it seems for years :-)

    > (where I track sloppy SMTP server operators who've pinned the now
    > retired Let's Encrypt "X3" CA, and have failed to keep up with the
    > times)?

As I understand your page, this is case where example.com is declaring via
DANE-TA what their intended CA is.  Because of the way that LE is changing
their PKI structure, the declared pin point is no longer the "DST Root CA X3",
but now R3/E1/R4/E1.

But, why would they pin that, rather than X1/X2?
Ah, I guess because X1/X2 also sign CAs other than LetsEncrypt.
So this is where the issue is similar.

The difference is that the pinning is not being declared by the serving entity,
but rather by the client entity.  (Mostly, this is not TOFU, btw)

    > The number of MX hosts with such TLSA RRs is falling as they eventually
    > notice (or the issue is brought to their attention).  And, fortunately,
    > with DANE TLSA RRs published in their DNS zone, they can update the pin
    > on their end, without having to ask the world to update some local
    > copy.

Yes, it makes sense to do it this way here.

    > There is a tiny population of SMTP operators who've attempted to
    > publish TLSA RRs that pin the EE public key of a provider's SMTP server
    > they don't control.  That's a mistake, and they eventually figure this
    > out and drop unmaintainable TLSA RRs for servers they don't control.

An analogy, perhaps imperfect, to email operations would be an MUA
which was attempting to pin the key of their IMAPS/SMTP-submit server.
For a provider to which they believe they have a relationship with, in the
sense that their provider owns their mailbox.
This analogy could go further, and perhaps it should continue in DANISH.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email