Re: [saag] subordinate vs intermediate certification authority
Michael Richardson <mcr+ietf@sandelman.ca> Sun, 07 February 2021 02:04 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA84F3A2E64 for <saag@ietfa.amsl.com>; Sat, 6 Feb 2021 18:04:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yu0j1MWmGvGC for <saag@ietfa.amsl.com>; Sat, 6 Feb 2021 18:04:38 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A18D3A2E61 for <saag@ietf.org>; Sat, 6 Feb 2021 18:04:37 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id D5333389A9 for <saag@ietf.org>; Sat, 6 Feb 2021 21:07:40 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id akeoLwR4J-Vp for <saag@ietf.org>; Sat, 6 Feb 2021 21:07:39 -0500 (EST)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 18988389A7 for <saag@ietf.org>; Sat, 6 Feb 2021 21:07:39 -0500 (EST)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 26451C65 for <saag@ietf.org>; Sat, 6 Feb 2021 21:04:34 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: saag@ietf.org
In-Reply-To: <YB8LSrp/nokGNDui@straasha.imrryr.org>
References: <30833.1612411843@localhost> <5a88fc8c-dbd2-cc77-2b06-db0fd9da4da4@openca.org> <6108.1612645177@localhost> <YB8LSrp/nokGNDui@straasha.imrryr.org>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Sat, 06 Feb 2021 21:04:34 -0500
Message-ID: <28961.1612663474@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/hL1SFwFv9cMLcJjr022LGQz_7QA>
Subject: Re: [saag] subordinate vs intermediate certification authority
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Feb 2021 02:04:41 -0000
Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: > On Sat, Feb 06, 2021 at 03:59:37PM -0500, Michael Richardson wrote: >> The issue comes up with pinning as it relates to ownership. It's not >> a problem if every organization that can own Things has it's own >> private CA. Pinning that CA works great. Pinning some other EE is >> very much more specific, but also, may be too ephemeral. >> >> Where it gets complex is when organizations have outsourced the CA >> function elsewhere. It's meaningless to pin LetsEncrypt or GoDaddy. >> It might be meaningful to pin a Subordinate CA signed by some public >> CA though. > Are you trying to get at generalising the issue described at: > http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html Hi, that's a very interesting read, and I also haven't seen the diagram at: https://letsencrypt.org/certificates/#intermediate-certificates I also really like the rounded box with the wave bottom to represent a certificate. I've been looking for a good icon for certificates, it seems for years :-) > (where I track sloppy SMTP server operators who've pinned the now > retired Let's Encrypt "X3" CA, and have failed to keep up with the > times)? As I understand your page, this is case where example.com is declaring via DANE-TA what their intended CA is. Because of the way that LE is changing their PKI structure, the declared pin point is no longer the "DST Root CA X3", but now R3/E1/R4/E1. But, why would they pin that, rather than X1/X2? Ah, I guess because X1/X2 also sign CAs other than LetsEncrypt. So this is where the issue is similar. The difference is that the pinning is not being declared by the serving entity, but rather by the client entity. (Mostly, this is not TOFU, btw) > The number of MX hosts with such TLSA RRs is falling as they eventually > notice (or the issue is brought to their attention). And, fortunately, > with DANE TLSA RRs published in their DNS zone, they can update the pin > on their end, without having to ask the world to update some local > copy. Yes, it makes sense to do it this way here. > There is a tiny population of SMTP operators who've attempted to > publish TLSA RRs that pin the EE public key of a provider's SMTP server > they don't control. That's a mistake, and they eventually figure this > out and drop unmaintainable TLSA RRs for servers they don't control. An analogy, perhaps imperfect, to email operations would be an MUA which was attempting to pin the key of their IMAPS/SMTP-submit server. For a provider to which they believe they have a relationship with, in the sense that their provider owns their mailbox. This analogy could go further, and perhaps it should continue in DANISH. -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [saag] subordinate vs intermediate certification … Michael Richardson
- Re: [saag] subordinate vs intermediate certificat… Viktor Dukhovni
- Re: [saag] [lamps] subordinate vs intermediate ce… Brockhaus, Hendrik
- Re: [saag] subordinate vs intermediate certificat… Michael Richardson
- Re: [saag] subordinate vs intermediate certificat… Viktor Dukhovni
- Re: [saag] subordinate vs intermediate certificat… Dr. Pala
- Re: [saag] [lamps] subordinate vs intermediate ce… Michael Richardson
- Re: [saag] subordinate vs intermediate certificat… Michael Richardson
- Re: [saag] subordinate vs intermediate certificat… Michael Richardson
- Re: [saag] subordinate vs intermediate certificat… Viktor Dukhovni
- Re: [saag] subordinate vs intermediate certificat… Michael Richardson
- Re: [saag] [lamps] subordinate vs intermediate ce… Ryan Sleevi
- Re: [saag] [lamps] subordinate vs intermediate ce… Phillip Hallam-Baker
- Re: [saag] [lamps] subordinate vs intermediate ce… Viktor Dukhovni
- Re: [saag] [lamps] subordinate vs intermediate ce… Eliot Lear
- Re: [saag] [lamps] subordinate vs intermediate ce… Phillip Hallam-Baker
- Re: [saag] [lamps] subordinate vs intermediate ce… Phillip Hallam-Baker
- Re: [saag] [lamps] subordinate vs intermediate ce… Viktor Dukhovni
- Re: [saag] subordinate vs intermediate certificat… Michael Richardson