IETF Logo Mail Archive

Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CAcertificate

Robert Moskowitz <rgm-sec@htt-consult.com> Fri, 02 January 2009 15:36 UTC

Return-Path: <saag-bounces@ietf.org>
X-Original-To: saag-archive@ietf.org
Delivered-To: ietfarch-saag-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1A67D3A69A4; Fri, 2 Jan 2009 07:36:43 -0800 (PST)
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B65E13A69A4 for <saag@core3.amsl.com>; Fri, 2 Jan 2009 07:36:41 -0800 (PST)
X-Quarantine-ID: <diZ4k8Tf+j6t>
X-Virus-Scanned: amavisd-new at amsl.com
X-Amavis-Alert: BAD HEADER, Header field occurs more than once: "References" occurs 6 times
X-Spam-Flag: NO
X-Spam-Score: -2.284
X-Spam-Level:
X-Spam-Status: No, score=-2.284 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, SARE_MILLIONSOF=0.315]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id diZ4k8Tf+j6t for <saag@core3.amsl.com>; Fri, 2 Jan 2009 07:36:41 -0800 (PST)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [208.83.67.147]) by core3.amsl.com (Postfix) with ESMTP id C9BA53A6849 for <saag@ietf.org>; Fri, 2 Jan 2009 07:36:39 -0800 (PST)
Received: from z9m9z.htt-consult.com (localhost.localdomain [127.0.0.1]) by z9m9z.htt-consult.com (8.13.8/8.13.8) with ESMTP id n02FZsW3016664; Fri, 2 Jan 2009 10:35:54 -0500
Received: from nc2400.htt-consult.com (onlo.htt-consult.com [208.83.67.148]) by z9m9z.htt-consult.com (Scalix SMTP Relay 11.3.0.11339) via ESMTP; Fri, 02 Jan 2009 10:35:43 -0500 (EST)
Date: Fri, 02 Jan 2009 10:35:34 -0500
From: Robert Moskowitz <rgm-sec@htt-consult.com>
To: Peter Hesse <pmhesse@geminisecurity.com>
Message-ID: <495E3446.4070606@htt-consult.com>
In-Reply-To: <0c6f01c96ce8$2c13d700$843b8500$@com>
References: <495BA5E9.8040305@pobox.com>
References: <E1LILYj-00066V-WE@wintermute01.cs.auckland.ac.nz>
References: <1b587cab0901010706j6e8cd2f8pf23345660a4825a5@mail.gmail.com>
References: <FAD1CF17F2A45B43ADE04E140BA83D489365F0@scygexch1.cygnacom.com>
References: <495CE68A.5040709@pobox.com>
References: <0c6f01c96ce8$2c13d700$843b8500$@com>
x-scalix-Hops: 1
User-Agent: Thunderbird 2.0.0.18 (X11/20081120)
MIME-Version: 1.0
Content-Disposition: inline
Cc: ietf-pkix@imc.org, 'Mike' <mike-list@pobox.com>, cfrg@irtf.org, saag@ietf.org, ietf-smime@imc.org
Subject: Re: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CAcertificate
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: saag-bounces@ietf.org
Errors-To: saag-bounces@ietf.org

Peter Hesse wrote:
>> Is there anything that could be added to RP software to reliably
>> detect and thwart the use of a rogue CA certificate?  Or would
>> any attempt to do that just cause too many problems?
>>     
>
> Since MD5 is known bad and potentially dangerous at this point, I would
> suggest that the best client side action would be to fail to verify any
> signatures created using MD5.  This will break some things, especially if
> existing business processes are relying on a certificate signed with MD5.
> However, it is a fail-safe and would prevent a rogue CA certificate created
> in this fashion from being considered trustworthy.
>
> And to Santosh's point (and others), my earlier email about
> removing/replacing trust anchors was not because the self-signed
> certificates are signed using MD5; I agree the trust anchor public keys are
> protected using other mechanisms.  I am recommending that if CAs do nothing
> to prevent this kind of attack (non-random serial numbers, issue
> certificates signed with MD5, issue certificates in an automated,
> predictable fashion) that those CAs should be removed from trust lists
> because they are no longer acting in the interest of the relying party--they
> are an accomplice to the creation of these rogue certificates.
Peter,

This sounds great at an IETF mike, but out in the field how do you get 
all those millions of browsers to pull down a new trust list that will 
no longer include CA foobar?

Can't happen now, and the way things are going, ain't going to happen 
before 2026 either.

So what tool do we have to get compliance to best practices? The good 
old 5th estate, get out their and give bad press to foobar until they 
fix their behaviour or their business model collapses and they go out of 
business and can no longer issue potentially rogue certs.

We can talk and posture all we want in the IETF. We are rather good at 
that, IMNSHO. But this is perfect proof of our impact as such on the 
business model of companies that use our technology; they will do what 
is expedient, not what is Best Practices.


_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag

v2.23.0 | Report a Bug | By Email