Re: [saag] SHA-1 to SHA-n transition
Nicolas Williams <Nicolas.Williams@sun.com> Thu, 26 February 2009 17:03 UTC
Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BB1303A6A65 for <saag@core3.amsl.com>; Thu, 26 Feb 2009 09:03:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.027
X-Spam-Level:
X-Spam-Status: No, score=-6.027 tagged_above=-999 required=5 tests=[AWL=0.019, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Aqr2stZjJ8Dl for <saag@core3.amsl.com>; Thu, 26 Feb 2009 09:03:36 -0800 (PST)
Received: from sca-ea-mail-2.sun.com (sca-ea-mail-2.Sun.COM [192.18.43.25]) by core3.amsl.com (Postfix) with ESMTP id C65323A68CB for <saag@ietf.org>; Thu, 26 Feb 2009 09:03:36 -0800 (PST)
Received: from dm-central-01.central.sun.com ([129.147.62.4]) by sca-ea-mail-2.sun.com (8.13.7+Sun/8.12.9) with ESMTP id n1QH3wYq008721 for <saag@ietf.org>; Thu, 26 Feb 2009 17:03:58 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-01.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id n1QH3vOA064578 for <saag@ietf.org>; Thu, 26 Feb 2009 10:03:57 -0700 (MST)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id n1QGsqiA008930; Thu, 26 Feb 2009 10:54:52 -0600 (CST)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id n1QGsmLo008929; Thu, 26 Feb 2009 10:54:48 -0600 (CST)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Thu, 26 Feb 2009 10:54:48 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Bill Sommerfeld <sommerfeld@sun.com>
Message-ID: <20090226165448.GK9992@Sun.COM>
References: <2788466ED3E31C418E9ACC5C3166155768B2CB@mou1wnexmb09.vcorp.ad.vrsn.com> <0c2301c9979f$8a1cd770$0600a8c0@china.huawei.com> <2788466ED3E31C418E9ACC5C3166155768B2CE@mou1wnexmb09.vcorp.ad.vrsn.com> <20090226143809.GF7227@mit.edu> <1235663917.3293.16.camel@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <1235663917.3293.16.camel@localhost>
User-Agent: Mutt/1.5.7i
Cc: der Mouse <mouse@Rodents-Montreal.ORG>, saag@ietf.org
Subject: Re: [saag] SHA-1 to SHA-n transition
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Feb 2009 17:03:37 -0000
On Thu, Feb 26, 2009 at 07:58:37AM -0800, Bill Sommerfeld wrote: > IMHO we need a transition plan which allows websites to deploy with > sha-n certs in parallel to sha-1 certs from day 1 (and, if I dare > mention it, we need to find some way to do this without making them pay > a bunch of nuisance fees to CA operators). Indeed. And not having to pay "nuisance fees to CA operators" falls out of not having a real PKI -- no real PKI, no real CAs to pay. What we need is something like DIGEST-MD5, but tied into browser apps in a different way than DIGEST-MD5 is today (more on this below). Given this we can forego PKI -- just do channel binding to TLS (with or without server certs, whether CA-issued or self-signed). My proposal: 1) Add JavaScript interfaces to deal with DIGEST-MD5, successors, GSS-API, ... These could be simple XmlHttpRequest object extensions, where DIGEST-MD5 can already be used, and where HTTP/Nego and successors could be used too. 2) Tie the above interfaces to the browser UI. Mark pages/windows/tabs with colors/text/sound/whatever appropriate markers as: - plain (nothing is authenticated) - weak server authentication (what we do today with HTTPS) - mutually authenticated (DIGEST-MD5/something else was used through the above mentioned interfaces, with credentials furnished through the trusted path) Add markers for degree of security based on crypto algs used. Make it simple for users to see the authenticated identities. We'll also need a new flavor of cookies. We have "secure" and "not secure" cookies now; we'll need "issued in mutually authenticated context" -- call them "authenticated cookies." Prompting for DIGEST-MD5/whatever credentials needs to be done securely. As with all UI design matters, it's important to find a way to prevent attackers from emulating the UI with enough fidelity. (E.g., don't allow full-screen apps.) 3) Teach users to look for the new markers. *This* is the hard part. Education will always be the hard part. (Not that UI design isn't hard -- it is, and it is a requirement to get the UI right if we're to educate users successfully.) 4) Federation/whatever fits into (2). We already have lots of federation choices. The propblem is how federation fits in generally. Given (1), (2) and (3) the transition to SHA-n looks a lot simpler: it's completely piecemeal, there's no CAs to shame into getting SHA-n support because PKI gets cut out of the picture (even if server certs are still used, they no longer matter for security). TLS would still be used, so getting TLS implementations updated to 1.2 so that SHA-n would be a requirement. As would be a successor to DIGEST-MD5. We'd also be solving some of the other web security problems with this approach. Nico --
- Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
- [saag] SHA-1 to SHA-n transition Stephen Kent
- Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
- Re: [saag] SHA-1 to SHA-n transition Hannes Tschofenig
- Re: [saag] SHA-1 to SHA-n transition Stephen Kent
- Re: [saag] SHA-1 to SHA-n transition Chandersekaran, Coimbatore S
- Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Yoav Nir
- Re: [saag] SHA-1 to SHA-n transition Pasi.Eronen
- Re: [saag] SHA-1 to SHA-n transition David McGrew
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Santosh Chokhani
- Re: [saag] SHA-1 to SHA-n transition der Mouse
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Paul Hoffman
- Re: [saag] SHA-1 to SHA-n transition David Harrington
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Michael O'Neill
- Re: [saag] SHA-1 to SHA-n transition Theodore Tso
- [saag] Deployment Deadlock Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Bill Sommerfeld
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- [saag] Channel binding is great but not a silver … Sam Hartman
- Re: [saag] Channel binding is great but not a sil… Nicolas Williams
- Re: [saag] Channel binding is great but not a sil… Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] Channel binding is great but not a sil… Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
- Re: [saag] Channel binding is great but not a sil… Jeffrey Hutzelman
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] Channel binding is great but not a sil… Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
- Re: [saag] Channel binding is great but not a sil… Alan DeKok
- Re: [saag] Channel binding is great but not a sil… Jeffrey Hutzelman
- Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
- Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
- Re: [saag] Channel binding is great but not a sil… Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] Channel binding is great but not a sil… Alan DeKok
- [saag] Or grow a real PKI (Re: SHA-1 to SHA-n tra… Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
- Re: [saag] SHA-1 to SHA-n transition Stephen Kent
- Re: [saag] Channel binding is great but not a sil… Stephen Kent
- Re: [saag] Channel binding is great but not a sil… Stephen Kent
- Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Stephen Kent
- Re: [saag] Channel binding is great but not a sil… Nicolas Williams
- Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Nicolas Williams
- Re: [saag] Deployment Deadlock Pasi.Eronen
- Re: [saag] Deployment Deadlock Hallam-Baker, Phillip
- Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
- Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
- Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
- Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Nicolas Williams
- Re: [saag] SHA-1 to SHA-n transition Nicolas Williams
- Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Hallam-Baker, Phillip
- Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Jeffrey Hutzelman
- Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
- Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
- Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Stephen Kent
- Re: [saag] Or grow a real PKI (Re: SHA-1 to SHA-n… Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
- Re: [saag] SHA-1 to SHA-n transition Eric Rescorla
- Re: [saag] SHA-1 to SHA-n transition Peter Gutmann
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
- Re: [saag] SHA-1 to SHA-n transition Jeffrey Hutzelman
- Re: [saag] SHA-1 to SHA-n transition Theodore Tso
- Re: [saag] SHA-1 to SHA-n transition Hallam-Baker, Phillip
- Re: [saag] SHA-1 to SHA-n transition Bill Sommerfeld
- [saag] Credential portability RE: SHA-1 to SHA-n … Hallam-Baker, Phillip