Re: Request change in son-of-rfc2633
Steve Hanna <steve.hanna@sun.com> Wed, 29 October 2003 15:29 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA13806 for <smime-archive@lists.ietf.org>; Wed, 29 Oct 2003 10:29:29 -0500 (EST)
Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.10/8.12.8) with ESMTP id h9TEwgkT022934 for <ietf-smime-bks@above.proper.com>; Wed, 29 Oct 2003 06:58:42 -0800 (PST) (envelope-from owner-ietf-smime@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.10/8.12.9/Submit) id h9TEwgf0022933 for ietf-smime-bks; Wed, 29 Oct 2003 06:58:42 -0800 (PST)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-smime@mail.imc.org using -f
Received: from nwkea-mail-2.sun.com (nwkea-mail-2.sun.com [192.18.42.14]) by above.proper.com (8.12.10/8.12.8) with ESMTP id h9TEwekT022918; Wed, 29 Oct 2003 06:58:40 -0800 (PST) (envelope-from steve.hanna@sun.com)
Received: from sydney.East.Sun.COM ([129.148.9.16]) by nwkea-mail-2.sun.com (8.12.10/8.12.9) with ESMTP id h9TEwOxA001116; Wed, 29 Oct 2003 06:58:24 -0800 (PST)
Received: from sun.com (dhcp-ubur02-75-161 [129.148.75.161]) by sydney.East.Sun.COM (8.11.7p1+Sun/8.11.7/ENSMAIL,v2.2) with ESMTP id h9TEwNB19615; Wed, 29 Oct 2003 09:58:23 -0500 (EST)
Message-ID: <3F9FD56A.771A262C@sun.com>
Date: Wed, 29 Oct 2003 09:57:46 -0500
From: Steve Hanna <steve.hanna@sun.com>
X-Mailer: Mozilla 4.79 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
CC: ejnorman@doit.wisc.edu, ietf-pkix@imc.org, ietf-smime@imc.org
Subject: Re: Request change in son-of-rfc2633
References: <200310290337.h9T3bu208738@cs.auckland.ac.nz>
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha1"; boundary="------------ms58E8539260192E6D326EA0C4"
Sender: owner-ietf-smime@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-ID: <ietf-smime.imc.org>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>
Anyone who "reads the PKIX tea leaves" and thinks that it's fine to skip name chaining checks in path validation needs to have their eyes checked. RFC 3280 says in many places that name chaining MUST be checked. In section 6.1: To meet this goal, the path validation process verifies, among other things, that a prospective certification path (a sequence of n certificates) satisfies the following conditions: (a) for all x in {1, ..., n-1}, the subject of certificate x is the issuer of certificate x+1; In section 6.1.3: (a) Verify the basic certificate information. The certificate MUST satisfy each of the following: [...] (4) The certificate issuer name is the working_issuer_name. In section 4.1.2.6: If the subject is a CA (e.g., the basic constraints extension, as discussed in 4.2.1.10, is present and the value of cA is TRUE), then the subject field MUST be populated with a non-empty distinguished name matching the contents of the issuer field (section 4.1.2.4) in all certificates issued by the subject CA. RFC 2459 and X.509 both agree with this. Whatever PKI topology you use, there's no need to break name chaining. I'm sure that some customers have created PKIs where name chaining doesn't hold, but that's an error on the customer's part. You can't just turn off critical security checks to keep them happy. What's next? Don't bother checking the signature on certificates. That takes too much time! If somebody has implemented path validation without name chaining checks, then they haven't implemented it according to IETF or X.509 standards. In fact, they may have opened themselves and their customers up to security holes and perhaps even legal liability. CAs have every right to expect that certificates will be validated according to standards. Users also have a reasonable expectation of this. If someone deliberately violates the standards in a way that opens up security holes, that sounds like gross negligence to me. This reminds me of Microsoft's decision to not check the Basic Constraints extension, treating every certificate as a CA certificate. This decision, presumably made in to please a customer, resulted in a HUGE security hole. I hope that Microsoft (and anyone else who has skipped required parts of the path validation algorithm for the sake of convenience) will see that security cannot be second to user convenience. If there's a serious problem with the specs, then let's fix them. But don't just bypass things because you find it convenient. Forgive me my rant. I'm just outraged that somebody would play fast and loose with security this way. Thanks, Steve Peter Gutmann wrote: > > [Cross-posted back to S/MIME, where the thread started] > > Eric Norman <ejnorman@doit.wisc.edu> writes: > > >Is there a claim (#1 above) that you can have the DN in the subject of a > >parent's (signer's) certificate be different from (as in different bunch of > >bytes) the DN in the issuer of one of its offspring and yet the chain is > >still valid because the xKIDs match? > > Sure, in a spaghetti PKI (I'm using that as a generic term for a PKI that > violates the original X.509 design, i.e. with re-parenting, arbitrary cross- > certification, etc etc where issuers no longer match subjects). For example > MS apparently implemented chaining by sKID in Windows because of user demand > for this when the users broke chaining by issuer name through spaghetti PKI > design practices, and various other implementations no doubt do similar > things, depending on how they've read the PKIX tea leaves. > > Peter.
- Request change in son-of-rfc2633 Jim Schaad
- Re: Request change in son-of-rfc2633 Russ Housley
- Re: Request change in son-of-rfc2633 Peter Gutmann
- RE: Request change in son-of-rfc2633 Blake Ramsdell
- RE: Request change in son-of-rfc2633 Peter Gutmann
- RE: Request change in son-of-rfc2633 Blake Ramsdell
- RE: Request change in son-of-rfc2633 Peter Gutmann
- RE: Request change in son-of-rfc2633 Blake Ramsdell
- RE: Request change in son-of-rfc2633 Russ Housley
- RE: Request change in son-of-rfc2633 Blake Ramsdell
- RE: Request change in son-of-rfc2633 Russ Housley
- RE: Request change in son-of-rfc2633 Peter Gutmann
- RE: Request change in son-of-rfc2633 Peter Gutmann
- RE: Request change in son-of-rfc2633 Peter Gutmann
- RE: Request change in son-of-rfc2633 Russ Housley
- RE: Request change in son-of-rfc2633 Peter Gutmann
- Re: Request change in son-of-rfc2633 Steve Hanna
- RE: Request change in son-of-rfc2633 Santosh Chokhani
- Re: Request change in son-of-rfc2633 Peter Gutmann
- Re: Request change in son-of-rfc2633 Peter Gutmann