IETF Logo Mail Archive

Re: [lamps] New drafts available - non-composite hybrid authentication, and binding certs

"David A. Cooper" <david.cooper@nist.gov> Wed, 23 March 2022 18:27 UTC

Return-Path: <david.cooper@nist.gov>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA4183A18F0 for <spasm@ietfa.amsl.com>; Wed, 23 Mar 2022 11:27:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.98
X-Spam-Level:
X-Spam-Status: No, score=0.98 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FAKE_REPLY_A1=3.091, FROM_GOV_DKIM_AU=-0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xJ0ZproA6BE1 for <spasm@ietfa.amsl.com>; Wed, 23 Mar 2022 11:27:33 -0700 (PDT)
Received: from GCC02-DM3-obe.outbound.protection.outlook.com (mail-dm3gcc02on20709.outbound.protection.outlook.com [IPv6:2a01:111:f400:7d04::709]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED0553A0D25 for <spasm@ietf.org>; Wed, 23 Mar 2022 11:27:32 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=dEynU/eFZSE8OjzWiY2VOdPYpqOrA4WtSVUZmED2mZuF4f8NXpqH2J0lzt3oU8he+tx4kPrM64FX9H/tB4s6Q3E88ukVrtAwzqgTgExepalIb+O9Ddo/kjTjgBspdhXW5mXDLVQiJhtUSF4sBSQkqsqZn4OuGJteCJyGr6SE3OElZGJVsrvigjzte+5yptUapi+TBisbPa171Rlz7wjUihNcHJn/hVzKxOKknYBGiFVkL4cAB8FiIRnIjj0r7HQL3jZCJMRGqvQUs52iv3J+S5ogc0dMG2dhDoCYg2cbIbNgm/03hY6uGNMRQjdlu4O57bS3UrSvujBGsItSmZzp6w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=lPJx19lKiM8boCG9k8Ewy5tAaGT2CGJvQAgA4EyvoqI=; b=Z+LFMSAsl5ftpV40ONVyw1n5HhYvYsZZIPld9mrXqdBdpi0krMQOGqMeKfMZlJHWnm3mB7oplR/n6TiV4f4ZfBlJE+3wOChBVwt0p+5ZU02xw4RCeX6HSs7dN8MxrijVOEqE44auTF6YKvYZ/kR6k6AJot6s+ghlrM26AllrBs2JgC1YjFMaWAmJtcNuCnGbNiMz8qSjYPbTt3LeTy/kCt1bqslJJL2QVUbOysfQvA3cQ71vbDORELfwTJWwKFothsZY4m55VVa0uQvyLTKcXw5zHv4dS7Gg3neIyA8KZJDp6Lf/Nl/vRhcxKvzY//Fc8K1uX2fOJBnJnXv+NKLe4w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 129.6.18.29) smtp.rcpttodomain=ietf.org smtp.mailfrom=nist.gov; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=nist.gov; dkim=none (message not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=lPJx19lKiM8boCG9k8Ewy5tAaGT2CGJvQAgA4EyvoqI=; b=lh3wbhlyNQooxuT+QQFWK6ieaYXcUq5rfSKJGMFr5/xaFuAScEyVzLEiBxPB0p6cGUahVlU/BxDH1WBzsE4SnuC+ap0KMn/QmrTiDx1vMNvafL7LLnIxgWNuIOkjcBPFxVzoy6Mw1I9v9Z5fnivychLX1cOIdeoHc4Fmoq6p0M4=
Received: from BL0PR0901CA0022.namprd09.prod.outlook.com (2603:10b6:208:1c0::32) by SA9PR09MB5581.namprd09.prod.outlook.com (2603:10b6:806:4e::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5081.17; Wed, 23 Mar 2022 18:27:26 +0000
Received: from DM3GCC02FT033.eop-gcc02.prod.protection.outlook.com (2a01:111:f400:7d04::202) by BL0PR0901CA0022.outlook.office365.com (2603:10b6:208:1c0::32) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5102.16 via Frontend Transport; Wed, 23 Mar 2022 18:27:26 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 129.6.18.29) smtp.mailfrom=nist.gov; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=nist.gov;
Received-SPF: Pass (protection.outlook.com: domain of nist.gov designates 129.6.18.29 as permitted sender) receiver=protection.outlook.com; client-ip=129.6.18.29; helo=smtp1.nist.gov;
Received: from smtp1.nist.gov (129.6.18.29) by DM3GCC02FT033.mail.protection.outlook.com (10.97.8.212) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5102.17 via Frontend Transport; Wed, 23 Mar 2022 18:27:24 +0000
Received: from [129.6.223.159] ([129.6.223.159]) by smtp1.nist.gov with Microsoft SMTPSVC(10.0.14393.4169); Wed, 23 Mar 2022 14:27:23 -0400
Content-Type: multipart/alternative; boundary="------------J0kGOs05CxowepPSS4ErtxWx"
Message-ID: <6afc6468-d020-e40b-965e-3a1d90821c0c@nist.gov>
Date: Wed, 23 Mar 2022 14:27:23 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.7.0
Content-Language: en-US
To: "spasm@ietf.org" <spasm@ietf.org>
From: "David A. Cooper" <david.cooper@nist.gov>
X-OriginalArrivalTime: 23 Mar 2022 18:27:23.0672 (UTC) FILETIME=[A3F5C180:01D83EE3]
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 031de64e-a7ba-45a8-f829-08da0cfac708
X-MS-TrafficTypeDiagnostic: SA9PR09MB5581:EE_
X-Microsoft-Antispam-PRVS: <SA9PR09MB55811049DE839BB3E81D6835FE189@SA9PR09MB5581.namprd09.prod.outlook.com>
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: j29eQHRp0JGOt+Q1iRw9fAI8o+ukJObTY+qlXhjmJCGLSYhKxIIBf2suS3eQlUYNSTJfN0P8vOiEMrz6TL4xap2IkNTRMflTN5SeJD6Fnvs8mG3bIGNyuUwCno200aIsNXKYF2I9cNJ0QxZicF2pIEpqXyTe5p6NxytksA/vP7mMyO5XeYLgIhpIq1g83QfL7MTgKluRbmKvc91oUVkY2hxSq65pAJmarGdF51zgeSYpvFVzspwZyj2GrDT5ajkiOHhBhxt8TEC6VbkeGGXLQFpOTGZwrkPQbsoGVNykYeRvt61dtBJ7l/oCn7/U7PP4XqbV2qyxWYytxwrzC9NR0adpcRG+/lcUNv9C0o3+D5X8cuNRTlB4BkW1IFsW2Ibemp5YOSX9+G0IIYds3yBOyi/IoLWqQy5IBIi0MpJ9nNFbiIl82EJNTRY8XzajuxczPesow/gYIXDQ+dZC50zEWpY7UFGXKQKIUTyjWzrJuNhstkdLeBAxzmxv8ktyGd9y63IoyYzgx8JWcvz2nPRD+dpAINHH9467jnRM1L3akNAditpZsL0rz9/sGU2YFdfLOMOJeodaeZeoJOuqNk8zvw2FKRbiVQhYuId9luvimm/nc5vtH8tu8L7KwysOuSder+84HwCQ4Dx0kB9nym+oiBqm0BGocPmNjZwGVv6h2uhoDOjQzvS5ySV9m/Rpxax1Yv1lVzmLygASxdsEueKd0yOz7x+fjD88g5zdFmSeHOi6FLP7XkaSk2vlyMlIxmuDUO3DVQs6SQEsrE0JuCZrgogG6P2zM/tjLz6bX5Vtn3I=
X-Forefront-Antispam-Report: CIP:129.6.18.29; CTRY:US; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:smtp1.nist.gov; PTR:smtp1.nist.gov; CAT:NONE; SFS:(13230001)(4636009)(46966006)(36840700001)(40470700004)(33964004)(5660300002)(82310400004)(53546011)(8936002)(36860700001)(8676002)(966005)(30864003)(6706004)(31696002)(316002)(6916009)(166002)(356005)(70206006)(508600001)(7636003)(86362001)(7596003)(83380400001)(336012)(36756003)(426003)(956004)(31686004)(82960400001)(2906002)(186003)(2616005)(26005)(66574015)(40460700003)(47076005)(43740500002); DIR:OUT; SFP:1102;
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 23 Mar 2022 18:27:24.6176 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 031de64e-a7ba-45a8-f829-08da0cfac708
X-MS-Exchange-CrossTenant-Id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=2ab5d82f-d8fa-4797-a93e-054655c61dec; Ip=[129.6.18.29]; Helo=[smtp1.nist.gov]
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: TreatMessagesAsInternal-DM3GCC02FT033.eop-gcc02.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA9PR09MB5581
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/5YEMl-qHAmSeMdhlStb-Ch4URnU>
Subject: Re: [lamps] New drafts available - non-composite hybrid authentication, and binding certs
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Mar 2022 18:27:38 -0000

I have some concerns about the bindingRequest attribute.

Section 3.1 says that the signature field in RequesterCertificate 
"provides evidence that the requesting entity owns this certificate." 
However, "the signature field contains a digital signature over 
IssuerAndSerialNumber." So, what evidence does the CA have that the 
requesting entity created the signature and didn't just copy a signature 
that was previously generated by the actual owner of the certificate?

Perhaps a solution that would produce stronger evidence would be for the 
signature field to contain a digital signature over a SEQUENCE of 
<domain separation string>, <information about other certificate>, and 
<subject public key that appears in this CSR>. The <domain separation 
string> could be some simple string such as "CSR bindingRequest" that 
would provide an extra layer of assurance that the signature was created 
for this purpose.

Given that the "RA should only allow previously issued certificate(s) to 
be indicated in the bindingRequest attribute, the  <information about 
other certificate> could be the other certificate rather than just one 
piece of it (e.g., issuerAndSerialNumber or subjectPublicKeyInfo). This 
would avoid concerns such as those expressed by Ryan. The bindingRequest 
attribute could still just include certID, as that field is just a hint 
to help the RA and CA identify the correct certificate. Similarly, the 
BoundCertificates extension could contain hash of Certificate rather 
than hash of IssuerAndSerialNumber.

For the BoundCertificates extension, is there any reason to allow a 
different hash algorithm to be used for each bound certificate? If not, 
then a few bytes could be saved in the case in which the extension 
includes more than one hash by changing to syntax to:

    BoundCertificates ::= SEQUENCE {

             hashAlgorithm     AlgorithmIdentifier,

             hashValues          SEQUENCE of OCTET STRING

    }

A few more bytes could be saved by requiring the hash algorithm to be 
same as the one used to sign the certificate.

On Tue, Mar 22, 2022 at 7:11 PMryan-ietf@sleevi.com  wrote:
> Could you explain the rationale a bit more for the IssuerAndSerialNumber
> construction?
>
> It won't necessarily unambiguously identify a certificate, in the absence
> of a global directory. Within a multi-stakeholder PKI (like those deployed
> on the Internet today), it's possible for two distinct entities to have the
> same encoded issuer value, but be in possession of distinct keys. The path
> algorithms involved in X.509 and PKIX are able to resolve this (by virtue
> of signature checking to resolve which issuing CA), which also applies to
> OCSP responses, but it seems like it wouldn't apply here.  Broadly, the
> assumption of X.509v3 that Issuer and Serial Number would be globally
> unique and unambiguous didn't hold, as previous communications in the IETF
> with the ITU revealed [1][2][3], and that Distinguished Names aren't, well,
> Distinguished. Is there reason not to use a stronger binding (e.g. the hash
> of the certificate being referenced)?
>
> If two certificates, A and B, both identify the same Subject ("Subject
> Foo"), but with different keys and numbering schemes, it seems that if a
> bound certificate was issued to entity C, with IssuerAndSerial of "Subject
> Foo":1 (referring to A), that B could issue a malicious certificate bearing
> that same serial number, and have it be accepted as legitimate for C.
>
> That said, I do feel I must be missing an important use case, because I'm
> not fully sure I see the utility in this. Is it fair to say that the
> assumption is that both certificates (the original and the bound
> certificate) are participants in the same PKI hierarchy and same set of PKI
> policies? If they weren't, it seems like the issuance of the
> BoundCertificate may introduce operational considerations for the
> renewal/replacement of the target/original certificate, in that replacement
> of the original would necessitate issuing a new bound certificate. Wouldn't
> that unintentionally affect the security considerations/agility of the
> target/original certificate, in unanticipated and perhaps harmful ways?
> Minimally, it seems such chains of binding would have to be ordered from
> "slowest to fastest to replace", to mitigate, and that seems like a
> relevant security consideration.
>
> [1]https://www.ietf.org/proceedings/70/minutes/pkix.htm
> [2]https://www.ietf.org/proceedings/70/slides/pkix-4.pdf
> [3]https://datatracker.ietf.org/liaison/375/
> On Tue, Mar 22, 2022 at 2:16 PMaebecke@uwe.nsa.gov  wrote:
>
> > Hi LAMPS,
> >
> >   Two new drafts related to PQ migration are available here (note- these
> > drafts are an update to the talk we gave at IETF112 in November) :
> > https://datatracker.ietf.org/doc/draft-becker-guthrie-cert-binding-for-multi-auth/
> >  and
> > https://datatracker.ietf.org/doc/draft-becker-guthrie-noncomposite-hybrid-auth/
> >
> >
> >
> > The noncomposite-hybrid-auth-00 draft is an informational draft that gives
> > a general overview of hybrid authentication, and details the solution space
> > of what we are calling non-composite type hybrid solutions for
> > authentication.
> >
> > The cert-binding-for-multi-auth-00 draft defines a new CSR attribute,
> > bindingRequest, and a new X.509 certificate extension, BoundCertificates,
> > which together provide additional assurance that multiple certificates
> > (used in non-composite hybrid authentication) each belong to the same end
> > entity.
> >
> >   Please feel free to provide any comments and feedback!
> >
> >   Regards,
> >   Alie Becker + coauthors Rebecca Guthrie, Mike Jenkins
> >
> >   ----
> >   Alison Becker, PhD
> >   Center for Cybersecurity Standards
> >   National Security Agency
> > _______________________________________________
> > Spasm mailing list
> > Spasm@ietf.org
> > https://www.ietf.org/mailman/listinfo/spasm
> >

v2.8.7 | Report a Bug | By Email