IETF Logo Mail Archive

Re: [saag] SHA-1 to SHA-n transition

Nicolas Williams <Nicolas.Williams@sun.com> Thu, 26 February 2009 17:03 UTC

Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BB1303A6A65 for <saag@core3.amsl.com>; Thu, 26 Feb 2009 09:03:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.027
X-Spam-Level:
X-Spam-Status: No, score=-6.027 tagged_above=-999 required=5 tests=[AWL=0.019, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Aqr2stZjJ8Dl for <saag@core3.amsl.com>; Thu, 26 Feb 2009 09:03:36 -0800 (PST)
Received: from sca-ea-mail-2.sun.com (sca-ea-mail-2.Sun.COM [192.18.43.25]) by core3.amsl.com (Postfix) with ESMTP id C65323A68CB for <saag@ietf.org>; Thu, 26 Feb 2009 09:03:36 -0800 (PST)
Received: from dm-central-01.central.sun.com ([129.147.62.4]) by sca-ea-mail-2.sun.com (8.13.7+Sun/8.12.9) with ESMTP id n1QH3wYq008721 for <saag@ietf.org>; Thu, 26 Feb 2009 17:03:58 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-01.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id n1QH3vOA064578 for <saag@ietf.org>; Thu, 26 Feb 2009 10:03:57 -0700 (MST)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id n1QGsqiA008930; Thu, 26 Feb 2009 10:54:52 -0600 (CST)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id n1QGsmLo008929; Thu, 26 Feb 2009 10:54:48 -0600 (CST)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Thu, 26 Feb 2009 10:54:48 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Bill Sommerfeld <sommerfeld@sun.com>
Message-ID: <20090226165448.GK9992@Sun.COM>
References: <2788466ED3E31C418E9ACC5C3166155768B2CB@mou1wnexmb09.vcorp.ad.vrsn.com> <0c2301c9979f$8a1cd770$0600a8c0@china.huawei.com> <2788466ED3E31C418E9ACC5C3166155768B2CE@mou1wnexmb09.vcorp.ad.vrsn.com> <20090226143809.GF7227@mit.edu> <1235663917.3293.16.camel@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <1235663917.3293.16.camel@localhost>
User-Agent: Mutt/1.5.7i
Cc: der Mouse <mouse@Rodents-Montreal.ORG>, saag@ietf.org
Subject: Re: [saag] SHA-1 to SHA-n transition
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Feb 2009 17:03:37 -0000

On Thu, Feb 26, 2009 at 07:58:37AM -0800, Bill Sommerfeld wrote:
> IMHO we need a transition plan which allows websites to deploy with
> sha-n certs in parallel to sha-1 certs from day 1 (and, if I dare
> mention it, we need to find some way to do this without making them pay
> a bunch of nuisance fees to CA operators).

Indeed.  And not having to pay "nuisance fees to CA operators" falls out
of not having a real PKI -- no real PKI, no real CAs to pay.

What we need is something like DIGEST-MD5, but tied into browser apps in
a different way than DIGEST-MD5 is today (more on this below).  Given
this we can forego PKI -- just do channel binding to TLS (with or
without server certs, whether CA-issued or self-signed).

My proposal:

1) Add JavaScript interfaces to deal with DIGEST-MD5, successors,
   GSS-API, ...

   These could be simple XmlHttpRequest object extensions, where
   DIGEST-MD5 can already be used, and where HTTP/Nego and successors
   could be used too.

2) Tie the above interfaces to the browser UI.

   Mark pages/windows/tabs with colors/text/sound/whatever appropriate
   markers as:

    - plain (nothing is authenticated)
    - weak server authentication (what we do today with HTTPS)
    - mutually authenticated (DIGEST-MD5/something else was used through
      the above mentioned interfaces, with credentials furnished through
      the trusted path)

   Add markers for degree of security based on crypto algs used.

   Make it simple for users to see the authenticated identities.

   We'll also need a new flavor of cookies.  We have "secure" and "not
   secure" cookies now; we'll need "issued in mutually authenticated
   context" -- call them "authenticated cookies."

   Prompting for DIGEST-MD5/whatever credentials needs to be done
   securely.

   As with all UI design matters, it's important to find a way to
   prevent attackers from emulating the UI with enough fidelity.  (E.g.,
   don't allow full-screen apps.)

3) Teach users to look for the new markers.  *This* is the hard part.
   Education will always be the hard part.

   (Not that UI design isn't hard -- it is, and it is a requirement to
   get the UI right if we're to educate users successfully.)

4) Federation/whatever fits into (2).  We already have lots of
   federation choices.  The propblem is how federation fits in
   generally.

Given (1), (2) and (3) the transition to SHA-n looks a lot simpler: it's
completely piecemeal, there's no CAs to shame into getting SHA-n support
because PKI gets cut out of the picture (even if server certs are still
used, they no longer matter for security).  TLS would still be used, so
getting TLS implementations updated to 1.2 so that SHA-n would be a
requirement.  As would be a successor to DIGEST-MD5.

We'd also be solving some of the other web security problems with this
approach.

Nico
--

v2.23.0 | Report a Bug | By Email