Re: [smime] Use of subjectKeyIdentifier

Blake Ramsdell <blaker@gmail.com> Thu, 01 April 2010 08:07 UTC

Return-Path: <blaker@gmail.com>
X-Original-To: smime@core3.amsl.com
Delivered-To: smime@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C6A623A67A6 for <smime@core3.amsl.com>; Thu, 1 Apr 2010 01:07:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.016
X-Spam-Level:
X-Spam-Status: No, score=-2.016 tagged_above=-999 required=5 tests=[BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, HELO_MISMATCH_COM=0.553, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2TRJEG5KzbJs for <smime@core3.amsl.com>; Thu, 1 Apr 2010 01:07:42 -0700 (PDT)
Received: from balder-227.proper.com (Balder-227.Proper.COM [192.245.12.227]) by core3.amsl.com (Postfix) with ESMTP id D96AD3A672E for <smime@ietf.org>; Thu, 1 Apr 2010 01:07:41 -0700 (PDT)
Received: from mail-pw0-f43.google.com (mail-pw0-f43.google.com [209.85.160.43]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id o3188Djw049897 for <ietf-smime@imc.org>; Thu, 1 Apr 2010 01:08:13 -0700 (MST) (envelope-from blaker@gmail.com)
Received: by pwj6 with SMTP id 6so774817pwj.16 for <ietf-smime@imc.org>; Thu, 01 Apr 2010 01:08:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:received:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=8vfgYpu3y8noWMuAdZyeN2HG9aMRNbeJMVrKtLcS2Pg=; b=T4+eC7YfTwSWp9KPrF6TQoNpVsrUvKnNi7ALwz3M11LKuzCO0YCj3f01DYl0Yd2XXl iwNRUKLnA6QFmXkkk1tMOwcRiSYeqOtahaiLwW42b0rhqTt5Zy08E46Xr84lgbKcHcD3 cdaN7leNjjzUEEdx4MeVQ4LAW/1+aXFJmDfwg=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=wlEuqbSZcJRcfGquHVOOzvBvHLYgSrFopKXNtKjGaR4PLBRLPzQYKlgxNcIux2gI+B TsJsGfRpX1jwDkyRRemrww3tdY63yKXJa4bTj6WL536bIRHn8xBh2fd/cYttgW/5L5ec MZp9PRK7KS4N+QgNLgUrXEYgckI0xhwnETDuw=
MIME-Version: 1.0
Received: by 10.142.161.21 with HTTP; Thu, 1 Apr 2010 01:08:12 -0700 (PDT)
In-Reply-To: <4BB431FC.1040109@stroeder.com>
References: <E1Nx6bW-0006W6-7e@wintermute02.cs.auckland.ac.nz> <4BB431FC.1040109@stroeder.com>
Date: Thu, 1 Apr 2010 01:08:12 -0700
Received: by 10.142.66.5 with SMTP id o5mr74108wfa.159.1270109292533; Thu, 01 Apr 2010 01:08:12 -0700 (PDT)
Message-ID: <m2i985966521004010108v4af43fe5y72699efb45e5a6db@mail.gmail.com>
From: Blake Ramsdell <blaker@gmail.com>
To: =?ISO-8859-1?Q?Michael_Str=F6der?= <michael@stroeder.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: ietf-smime@imc.org
Subject: Re: [smime] Use of subjectKeyIdentifier
X-BeenThere: smime@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SMIME Working Group <smime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/smime>, <mailto:smime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/smime>
List-Post: <mailto:smime@ietf.org>
List-Help: <mailto:smime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/smime>, <mailto:smime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Apr 2010 08:07:45 -0000

2010/3/31 Michael Ströder <michael@stroeder.com>om>:
> Peter Gutmann wrote:
>> =?ISO-8859-1?Q?Michael_Str=F6der?= <michael@stroeder.com> writes:
>>
>>> If an S/MIME cert does not contain a subjectKeyIdentifier extension is a
>>> sending S/MIME MUA allowed to generate RecipientInfos referencing the
>>> receiver's cert by (self-calculated) subjectKeyIdentifier (instead of issuer
>>> name and serial number)?
>>
>> I think there's a diference here between "can it" and "if it does, will it
>> work".  I can't see why an MUA can't do whatever it pleases (within the spec),
>> but then since the sKID is an implicit identifier (i.e. it's "whatever binary
>> blob is stored within the cert") rather than an explicit one ("you can
>> generate an unambiguous sKID by doing ..."), it's more or less pot luck as to
>> whether the recipient will end up with the same sKID.

And I agree with this. The short answer is that even though none of
the specs say that generating your own sKID and trying to match that
up to a certificate that doesn't have a sKID in it is a bad idea, the
implied use is that you identify a certificate by sKID when you
grabbed that sKID out of the certificate extension.

The second that you might think that it's a good idea to generate an
sKID on the fly, in the hopes of matching it back up with the
certificate from which it is derived (that does not have the
extension), you might read section 4.2.1.2 of RFC 5280 and see that
there are multiple uses of the word SHOULD as well as multiple
alternatives for computation, which should then give you pause that
"Hm. Maybe I shouldn't go down this path. Something is not right."

But indeed, it never says the words "don't generate a sKID in the
hopes of matching it back up with a certificate that doesn't have that
extension." But the terrible smells in the area surrounding how sKIDs
can be generated (which includes "Other methods of generating unique
numbers are also acceptable") should be enough to make you want to
pick another direction ;). As Peter points out, it's a binary blob
that (if you're lucky) was generated in a deterministic way based on
the public key and (if you're not) it's a counter or random value or
hash or MPEG of a cat.

> This is a problem with Outlook 2010 beta sending subjectKeyIdentifier in
> RecipientInfos although my e-mail cert does not contain the
> subjectKeyIdentifier extension. Seamonkey is not able to find my accompanying
> e-mail cert and private key based on that and thus is not able to decrypt the
> S/MIME message.

That's bad. If Outlook 2010 is doing this, it's bad, for the reasons
that Russ, Peter and I are pointing out. Generating an sKID for a
certificate that doesn't have one is the wrong path, you must use
issuerAndSerialNumber to identify the certificate in this case, and
then make a very frowny face at the CA that generated the certificate
for ignoring the SHOULD in section 4.2.1.2 of RFC 5280 "To assist
applications in identifying the appropriate end entity certificate,
this extension SHOULD be included in all end entity certificates"
which is why we're here now.

> In theory one could even determine one of the commonly used algorithms by
> looking at the key id size. But I'd prefer to have a good argument that
> Outlook 2010 violates a standard.

I don't think we're going to find a "MUST NOT try to guess an sKID if
a certificate does not have one" anywhere, but I think there's one and
a half implementors that are chiming in right now and saying "OMG,
that is totally creepy and isn't really going to work".

Now, I can see from an implementation point of view that you might
think "dangit, I really don't want to support both
subjectKeyIdentifier and issuerAndSerialNumber in SignerIdentifier and
RecipientIdentifier" and then try to do something like, I dunno,
generate an sKID for a certificate that doesn't have that attribute,
and then use the sKID CHOICE in those structures. I think we've
discussed that's bad (now the receiver has to jump through the same
hoops and hopefully generates the same sKID that you did, which
exactly zero implementations do right now).

So if that's what Outlook 2010 beta is doing, I think I'd want to hear
a medium length explanation about why this is the case. Because any
other implementation is going to see an sKID and then try to look up a
certificate that matches that sKID and fail (since there's no
certificate that contains that extension). They won't attempt to use
every known sKID generation algorithm currently known to try and
synthesize one, they'll just give up. I don't blame 'em, and I think
it's not a good idea to attempt.

>
> RFC 5652, section 6.2.1 says:
>
>      [..] the subjectKeyIdentifier identifies the
>      recipient's certificate by a key identifier.  When an X.509
>      certificate is referenced, the key identifier matches the X.509
>      subjectKeyIdentifier extension value.  When other certificate
>      formats are referenced, the documents that specify the certificate
>      format and their use with the CMS must include details on matching
>      the key identifier to the appropriate certificate field.  For
>      recipient processing, implementations MUST support both of these
>      alternatives for specifying the recipient's certificate.  For
>      sender processing, implementations MUST support at least one of
>      these alternatives.
>
> But still that's IMO not really clear for the case the e-mail certs does not
> contain the subjectKeyIdentifier extension.

This is a great section to quote. Sure it is -- it says "matches the
X.509 subjectKeyIdentifier extension value". The value that's in the
extension. If the extension isn't present, it doesn't say "if it's not
present, synthesize one".

If Outlook 2010 is really generating an sKID for a certificate that
doesn't have one, I think that we can find a large number of
implementors who will disagree with that strategy.

Bottom line -- if there's no subjectKeyIdentifier, you use
issuerAndSerialNumber, don't try and generate your own
subjectKeyIdentifier.

Blake