Re: [smime] Use of subjectKeyIdentifier
Blake Ramsdell <blaker@gmail.com> Thu, 01 April 2010 08:07 UTC
Return-Path: <blaker@gmail.com>
X-Original-To: smime@core3.amsl.com
Delivered-To: smime@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C6A623A67A6 for <smime@core3.amsl.com>; Thu, 1 Apr 2010 01:07:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.016
X-Spam-Level:
X-Spam-Status: No, score=-2.016 tagged_above=-999 required=5 tests=[BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, HELO_MISMATCH_COM=0.553, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2TRJEG5KzbJs for <smime@core3.amsl.com>; Thu, 1 Apr 2010 01:07:42 -0700 (PDT)
Received: from balder-227.proper.com (Balder-227.Proper.COM [192.245.12.227]) by core3.amsl.com (Postfix) with ESMTP id D96AD3A672E for <smime@ietf.org>; Thu, 1 Apr 2010 01:07:41 -0700 (PDT)
Received: from mail-pw0-f43.google.com (mail-pw0-f43.google.com [209.85.160.43]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id o3188Djw049897 for <ietf-smime@imc.org>; Thu, 1 Apr 2010 01:08:13 -0700 (MST) (envelope-from blaker@gmail.com)
Received: by pwj6 with SMTP id 6so774817pwj.16 for <ietf-smime@imc.org>; Thu, 01 Apr 2010 01:08:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:received:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=8vfgYpu3y8noWMuAdZyeN2HG9aMRNbeJMVrKtLcS2Pg=; b=T4+eC7YfTwSWp9KPrF6TQoNpVsrUvKnNi7ALwz3M11LKuzCO0YCj3f01DYl0Yd2XXl iwNRUKLnA6QFmXkkk1tMOwcRiSYeqOtahaiLwW42b0rhqTt5Zy08E46Xr84lgbKcHcD3 cdaN7leNjjzUEEdx4MeVQ4LAW/1+aXFJmDfwg=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=wlEuqbSZcJRcfGquHVOOzvBvHLYgSrFopKXNtKjGaR4PLBRLPzQYKlgxNcIux2gI+B TsJsGfRpX1jwDkyRRemrww3tdY63yKXJa4bTj6WL536bIRHn8xBh2fd/cYttgW/5L5ec MZp9PRK7KS4N+QgNLgUrXEYgckI0xhwnETDuw=
MIME-Version: 1.0
Received: by 10.142.161.21 with HTTP; Thu, 1 Apr 2010 01:08:12 -0700 (PDT)
In-Reply-To: <4BB431FC.1040109@stroeder.com>
References: <E1Nx6bW-0006W6-7e@wintermute02.cs.auckland.ac.nz> <4BB431FC.1040109@stroeder.com>
Date: Thu, 01 Apr 2010 01:08:12 -0700
Received: by 10.142.66.5 with SMTP id o5mr74108wfa.159.1270109292533; Thu, 01 Apr 2010 01:08:12 -0700 (PDT)
Message-ID: <m2i985966521004010108v4af43fe5y72699efb45e5a6db@mail.gmail.com>
From: Blake Ramsdell <blaker@gmail.com>
To: Michael Ströder <michael@stroeder.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: ietf-smime@imc.org
Subject: Re: [smime] Use of subjectKeyIdentifier
X-BeenThere: smime@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SMIME Working Group <smime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/smime>, <mailto:smime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/smime>
List-Post: <mailto:smime@ietf.org>
List-Help: <mailto:smime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/smime>, <mailto:smime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Apr 2010 08:07:45 -0000
2010/3/31 Michael Ströder <michael@stroeder.com>: > Peter Gutmann wrote: >> =?ISO-8859-1?Q?Michael_Str=F6der?= <michael@stroeder.com> writes: >> >>> If an S/MIME cert does not contain a subjectKeyIdentifier extension is a >>> sending S/MIME MUA allowed to generate RecipientInfos referencing the >>> receiver's cert by (self-calculated) subjectKeyIdentifier (instead of issuer >>> name and serial number)? >> >> I think there's a diference here between "can it" and "if it does, will it >> work". I can't see why an MUA can't do whatever it pleases (within the spec), >> but then since the sKID is an implicit identifier (i.e. it's "whatever binary >> blob is stored within the cert") rather than an explicit one ("you can >> generate an unambiguous sKID by doing ..."), it's more or less pot luck as to >> whether the recipient will end up with the same sKID. And I agree with this. The short answer is that even though none of the specs say that generating your own sKID and trying to match that up to a certificate that doesn't have a sKID in it is a bad idea, the implied use is that you identify a certificate by sKID when you grabbed that sKID out of the certificate extension. The second that you might think that it's a good idea to generate an sKID on the fly, in the hopes of matching it back up with the certificate from which it is derived (that does not have the extension), you might read section 4.2.1.2 of RFC 5280 and see that there are multiple uses of the word SHOULD as well as multiple alternatives for computation, which should then give you pause that "Hm. Maybe I shouldn't go down this path. Something is not right." But indeed, it never says the words "don't generate a sKID in the hopes of matching it back up with a certificate that doesn't have that extension." But the terrible smells in the area surrounding how sKIDs can be generated (which includes "Other methods of generating unique numbers are also acceptable") should be enough to make you want to pick another direction ;). As Peter points out, it's a binary blob that (if you're lucky) was generated in a deterministic way based on the public key and (if you're not) it's a counter or random value or hash or MPEG of a cat. > This is a problem with Outlook 2010 beta sending subjectKeyIdentifier in > RecipientInfos although my e-mail cert does not contain the > subjectKeyIdentifier extension. Seamonkey is not able to find my accompanying > e-mail cert and private key based on that and thus is not able to decrypt the > S/MIME message. That's bad. If Outlook 2010 is doing this, it's bad, for the reasons that Russ, Peter and I are pointing out. Generating an sKID for a certificate that doesn't have one is the wrong path, you must use issuerAndSerialNumber to identify the certificate in this case, and then make a very frowny face at the CA that generated the certificate for ignoring the SHOULD in section 4.2.1.2 of RFC 5280 "To assist applications in identifying the appropriate end entity certificate, this extension SHOULD be included in all end entity certificates" which is why we're here now. > In theory one could even determine one of the commonly used algorithms by > looking at the key id size. But I'd prefer to have a good argument that > Outlook 2010 violates a standard. I don't think we're going to find a "MUST NOT try to guess an sKID if a certificate does not have one" anywhere, but I think there's one and a half implementors that are chiming in right now and saying "OMG, that is totally creepy and isn't really going to work". Now, I can see from an implementation point of view that you might think "dangit, I really don't want to support both subjectKeyIdentifier and issuerAndSerialNumber in SignerIdentifier and RecipientIdentifier" and then try to do something like, I dunno, generate an sKID for a certificate that doesn't have that attribute, and then use the sKID CHOICE in those structures. I think we've discussed that's bad (now the receiver has to jump through the same hoops and hopefully generates the same sKID that you did, which exactly zero implementations do right now). So if that's what Outlook 2010 beta is doing, I think I'd want to hear a medium length explanation about why this is the case. Because any other implementation is going to see an sKID and then try to look up a certificate that matches that sKID and fail (since there's no certificate that contains that extension). They won't attempt to use every known sKID generation algorithm currently known to try and synthesize one, they'll just give up. I don't blame 'em, and I think it's not a good idea to attempt. > > RFC 5652, section 6.2.1 says: > > [..] the subjectKeyIdentifier identifies the > recipient's certificate by a key identifier. When an X.509 > certificate is referenced, the key identifier matches the X.509 > subjectKeyIdentifier extension value. When other certificate > formats are referenced, the documents that specify the certificate > format and their use with the CMS must include details on matching > the key identifier to the appropriate certificate field. For > recipient processing, implementations MUST support both of these > alternatives for specifying the recipient's certificate. For > sender processing, implementations MUST support at least one of > these alternatives. > > But still that's IMO not really clear for the case the e-mail certs does not > contain the subjectKeyIdentifier extension. This is a great section to quote. Sure it is -- it says "matches the X.509 subjectKeyIdentifier extension value". The value that's in the extension. If the extension isn't present, it doesn't say "if it's not present, synthesize one". If Outlook 2010 is really generating an sKID for a certificate that doesn't have one, I think that we can find a large number of implementors who will disagree with that strategy. Bottom line -- if there's no subjectKeyIdentifier, you use issuerAndSerialNumber, don't try and generate your own subjectKeyIdentifier. Blake
- [smime] Use of subjectKeyIdentifier Michael Ströder
- Re: [smime] Use of subjectKeyIdentifier Russ Housley
- Re: [smime] Use of subjectKeyIdentifier Michael Ströder
- Re: [smime] Use of subjectKeyIdentifier Blake Ramsdell
- Re: [smime] Use of subjectKeyIdentifier Jim Schaad