Re: [lamps] WG Last call: draft-ietf-lamps-hash-of-root-key-cert-extn

Russ Housley <housley@vigilsec.com> Wed, 07 November 2018 11:38 UTC

From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <01ba01d475cb$8ef10cc0$acd32640$@augustcellars.com>
Date: Wed, 7 Nov 2018 06:38:04 -0500
Cc: SPASM <spasm@ietf.org>
Message-Id: <2B5D295E-4CB0-450E-BF90-31C66F18AD49@vigilsec.com>
References: <BN6PR14MB1106CF89BEC31A9D837A3A5383F30@BN6PR14MB1106.namprd14.prod.outlook.com> <014401d47581$5fe919d0$1fbb4d70$@augustcellars.com> <7104A92B-DC98-4E58-A50A-D470E8E4A0B9@vigilsec.com> <016001d4758c$67daa2c0$378fe840$@augustcellars.com> <0871B813-F7BE-470D-AE97-6F5B62CDA7C3@vigilsec.com> <019601d475b9$578c9ea0$06a5dbe0$@augustcellars.com> <E77C61DD-E953-438A-A020-319F74C656BD@vigilsec.com> <01ba01d475cb$8ef10cc0$acd32640$@augustcellars.com>
To: Jim Schaad <ietf@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/46zfra5BCbtI03cRgB4Hm8ClnYc>
Subject: Re: [lamps] WG Last call: draft-ietf-lamps-hash-of-root-key-cert-extn

Jim:

I think I have two comments from you that have not yet been resolved.  Here is the text for the Security Considerations that I propose to address them:

   The Root CA needs to ensure that the public key in the next
   generation certificate is as strong or stronger than the key that it
   is replacing.

   The Root CA needs to employ a hash function that is resistant to
   preimage attacks [RFC4270].  A first-preimage attack against the hash
   function would allow an attacker to find another input that results
   in the published hash value.  For the attack to be successful, the
   input would have to be a valid SubjectPublicKeyInfo that contains the
   public key that corresponds to a private key known to the attacker.
   A second-preimage attack becomes possible once the Root CA releases
   the next generation public key, which makes the input to the hash
   function available to the attacker and everyone else.  Again, the
   attacker needs to find a valid SubjectPublicKeyInfo that contains
   the public key that corresponds to a private key known to the
   attacker.

Russ
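The Security Considerations text above describes what the relying party is actually checking: that a newly released next-generation root key hashes to the value the current Root CA published, and that the thing being hashed is a well-formed SubjectPublicKeyInfo rather than arbitrary bytes. The following is an added example written for this archive page, not code from the draft or from the thread participants. It assumes, as the draft text does not specify here, that only hash functions with at least 256-bit output are accepted (`ALLOWED_HASHES`), and it uses a constructed Ed25519 SubjectPublicKeyInfo DER prefix with a made-up 32-byte key so it runs offline with only the Python standard library.

```python
import hashlib
import hmac

# Constructed sample: DER prefix of an Ed25519 SubjectPublicKeyInfo, i.e.
# SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING (0 unused bits) ... }.
# The 32 raw public-key bytes are appended after this prefix.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")

# Assumption (not from the draft): hash functions considered preimage-resistant
# enough to protect a published next-generation root key.
ALLOWED_HASHES = {"sha256", "sha384", "sha512"}


def build_ed25519_spki(raw_public_key: bytes) -> bytes:
    """Wrap a 32-byte Ed25519 public key in its DER SubjectPublicKeyInfo."""
    if len(raw_public_key) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    return ED25519_SPKI_PREFIX + raw_public_key


def _read_tlv(data: bytes, offset: int):
    """Parse one DER tag-length-value at offset; return (tag, value, next_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:  # indefinite or absurd length is not valid DER
            raise ValueError("bad DER length")
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    value = data[offset:offset + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, offset + length


def is_well_formed_spki(der: bytes) -> bool:
    """Check the outer shape SEQUENCE { SEQUENCE { OID, ... }, BIT STRING }.

    This is the 'valid SubjectPublicKeyInfo' requirement from the text: a
    preimage that is not an SPKI at all gives an attacker nothing usable.
    """
    try:
        tag, body, end = _read_tlv(der, 0)
        if tag != 0x30 or end != len(der):
            return False
        tag, alg, off = _read_tlv(body, 0)
        if tag != 0x30:
            return False
        oid_tag, _, _ = _read_tlv(alg, 0)
        if oid_tag != 0x06:
            return False
        tag, bits, end2 = _read_tlv(body, off)
        # BIT STRING must close the outer SEQUENCE; first byte = unused bits (0..7)
        if tag != 0x03 or end2 != len(body) or not bits or bits[0] > 7:
            return False
        return True
    except (IndexError, ValueError):
        return False


def publish_hash(spki_der: bytes, hash_name: str = "sha256"):
    """Root CA side: compute the value to carry in the extension."""
    if hash_name not in ALLOWED_HASHES:
        raise ValueError(f"hash {hash_name} not acceptable for this purpose")
    if not is_well_formed_spki(spki_der):
        raise ValueError("input is not a SubjectPublicKeyInfo")
    return hash_name, hashlib.new(hash_name, spki_der).digest()


def verify_next_generation(candidate_spki: bytes, published) -> bool:
    """Relying-party side: does the released key match the published hash?"""
    hash_name, digest = published
    if hash_name not in ALLOWED_HASHES:
        return False
    if not is_well_formed_spki(candidate_spki):
        return False
    actual = hashlib.new(hash_name, candidate_spki).digest()
    return hmac.compare_digest(actual, digest)  # constant-time comparison


if __name__ == "__main__":
    # Constructed sample key; a real deployment would use the CA's actual key.
    next_key = build_ed25519_spki(bytes(range(32)))
    published = publish_hash(next_key)
    print("genuine next-gen key verifies:", verify_next_generation(next_key, published))
    other_key = build_ed25519_spki(bytes(32))
    print("different key verifies:", verify_next_generation(other_key, published))
```

The algorithm allow-list is the only policy knob; everything else is structural. Rejecting a hash name not on the list at verification time matters as much as at publication time, since a relying party that honoured a weak algorithm identifier in the extension would undo the preimage-resistance requirement the text spells out.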