IETF Logo Mail Archive

Re: [lamps] The problem with EKU for document signing demonstrated

Stefan Santesson <stefan@aaa-sec.com> Tue, 30 November 2021 07:16 UTC

Return-Path: <stefan@aaa-sec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D59AC3A10AE for <spasm@ietfa.amsl.com>; Mon, 29 Nov 2021 23:16:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.749
X-Spam-Level:
X-Spam-Status: No, score=-3.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-1.852, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i4EOxoZ8TN_e for <spasm@ietfa.amsl.com>; Mon, 29 Nov 2021 23:16:52 -0800 (PST)
Received: from smtp.outgoing.loopia.se (smtp.outgoing.loopia.se [93.188.3.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9DFA03A10AC for <spasm@ietf.org>; Mon, 29 Nov 2021 23:16:50 -0800 (PST)
Received: from s807.loopia.se (localhost [127.0.0.1]) by s807.loopia.se (Postfix) with ESMTP id 66BC32EB78F3 for <spasm@ietf.org>; Tue, 30 Nov 2021 08:16:46 +0100 (CET)
Received: from s934.loopia.se (unknown [172.22.191.6]) by s807.loopia.se (Postfix) with ESMTP id 5506C2E27F20; Tue, 30 Nov 2021 08:16:46 +0100 (CET)
Received: from s472.loopia.se (unknown [172.22.191.5]) by s934.loopia.se (Postfix) with ESMTP id 500567D470C; Tue, 30 Nov 2021 08:16:46 +0100 (CET)
X-Virus-Scanned: amavisd-new at amavis.loopia.se
Received: from s899.loopia.se ([172.22.191.6]) by s472.loopia.se (s472.loopia.se [172.22.190.12]) (amavisd-new, port 10024) with UTF8LMTP id ldcj2KgTZd0E; Tue, 30 Nov 2021 08:16:45 +0100 (CET)
X-Loopia-Auth: user
X-Loopia-User: mailstore2@aaa-sec.com
X-Loopia-Originating-IP: 90.229.17.25
Received: from [10.0.1.115] (unknown [90.229.17.25]) (Authenticated sender: mailstore2@aaa-sec.com) by s899.loopia.se (Postfix) with ESMTPSA id 17FBD2C8D5D5; Tue, 30 Nov 2021 08:16:45 +0100 (CET)
Content-Type: multipart/alternative; boundary="------------MA4DQLOVM0A44FBmiWFqfEST"
Message-ID: <88c015fe-d3e7-81fb-b6af-9eaf48fb1efa@aaa-sec.com>
Date: Tue, 30 Nov 2021 08:16:44 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Thunderbird/95.0
Content-Language: en-US
To: Ryan Sleevi <ryan-ietf@sleevi.com>
Cc: Carl Wallace <carl@redhoundsoftware.com>, Russ Housley <housley@vigilsec.com>, David von Oheimb <David.von.Oheimb@siemens.com>, Mike Jenkins <m.jenkins.364706@gmail.com>, "spasm@ietf.org" <spasm@ietf.org>, Uri Blumenthal <uri@ll.mit.edu>
References: <786aa041-fcfb-a18e-4651-736f40d8a989@aaa-sec.com> <CAErg=HFdxBZMRxx2AqTXHiXUxjF_c8VHz=Rmh5eSg4QrfavZaQ@mail.gmail.com> <f9f7cc66-432e-97cf-0c58-1e69c0524f21@aaa-sec.com> <96bbfb0d-07b0-770c-656f-3efb9e3761e9@siemens.com> <E059089C-A5E4-46FE-BF5E-F0F2BDE5A34D@vigilsec.com> <1c34c81d-6d1f-0905-c66d-19866ec8bf64@aaa-sec.com> <CAErg=HFRm=OyWWMv8JHwk8P02+uT+2xMvOphxNsKSYxpFMh95w@mail.gmail.com> <9a850141-a503-a6f5-ae66-eed12bb6fcde@aaa-sec.com> <CAErg=HHDMVFw8Cmcvz1Hm7QQ1ZfaNQOrj3QcSVzRjOKwV+xO7Q@mail.gmail.com> <e2f6bbef-1668-005e-73ef-7a0588753047@aaa-sec.com> <CAErg=HHdwdhpDCZnhMhmTwGGiFN=CZm3m73kueOAZG8hZJYshA@mail.gmail.com>
From: Stefan Santesson <stefan@aaa-sec.com>
Organization: 3xA Security AB
In-Reply-To: <CAErg=HHdwdhpDCZnhMhmTwGGiFN=CZm3m73kueOAZG8hZJYshA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/APjMOVGIoJJ3YE1GBecEewmXEcE>
Subject: Re: [lamps] The problem with EKU for document signing demonstrated
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Nov 2021 07:16:57 -0000

1) One or more EKU = Restricted to those usages

2) One or more EKU + anyExtendedKeyUsage = Suitable for the listed
usages but MAY be used for any purpose

3) No EKU = Unrestricted.


This means that case 2 can be suitable for document signing at the
discretion of the verifier and case 3 is suitable for document signing.
No EKU definition can change that.

There simply is no place for your broad claim that: "Clients MUST reject
documents signed by certificates without this EKU, except if being
operated in a legacy-compatibility mode."

The only way you can change this is by defining a new protocol for
document signing that requires this EKU. But no such generic standard
for document signing exists where such requirement could be stated. And
it would still just affect those who operate under the context of that
standard.


This is what makes document signing fundamentally different from, say
TLS client auth. or Timestamping. In those cases we have distinct
standards that can state requirement on the presence of an EKU.


/Stefan



On 2021-11-30 01:50, Ryan Sleevi wrote:
> That description seems to be in direct conflict with RFC 5280’s
> definition of EKU:
>
> https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12
>
> > Certificate using applications MAY require that the extended key
> usage extension be present and that a particular purpose be indicated
> in order for the certificate to be acceptable to that application.
>
> And
> > Applications that require the presence of a particular purpose MAY
> reject certificates that include the anyExtendedKeyUsage OID but not
> the particular OID expected for the application.
>
> This matches the rough consensus of the IETF, such as RFC 6960 [1],
> and running code [2][3], so perhaps this explains my difficulty in
> understanding the concern/position/objection.
>
> [1] 
> https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.2.2
> [2] 
> https://support.apple.com/en-us/HT210176
> [3] 
> https://docs.microsoft.com/en-us/security/trusted-root/program-requirements
>
> On Mon, Nov 29, 2021 at 7:38 PM Stefan Santesson <stefan@aaa-sec.com>
> wrote:
>
>     "Clients MUST reject documents signed by certificates without this
>     EKU, except if being operated in a legacy-compatibility mode."
>
>
>     That would be fundamentally in conflict with the definition of the
>     EKU extension. A certificate without EKU extension is not
>     restricted and a standard defining an EKU can only define its
>     meaning withing the context defined by the EKU extension itself.
>
>     It certainly has no mandate to regulate the behavior of
>     implementations that do not implement this standard (don't use
>     this EKU).
>
>     /Stefan
>
>
>
>     On 2021-11-30 01:04, Ryan Sleevi wrote:
>>     Then I’m not sure the point you’re making?
>>
>>     Russ highlighted that the sooner we can specify, the sooner that
>>     relying party applications can look to transition. Rich pointed
>>     out that this transition is predominantly for X and Y to sort out
>>     - the CAs issuing the certificates and the software verifying it.
>>
>>     There’s good reason to require the EKU present, and it’s
>>     precisely what EKU was designed for. There doesn’t seem anything
>>     inherently wrong in the spec spelling out the transition - that
>>     is, that clients MUST reject documents signed by certificates
>>     without this EKU, except if being operated in a
>>     legacy-compatibility mode.
>>
>>     We certainly don’t need the spec to detail what, exactly, that
>>     legacy date is - the UTF8String transition failures of PKIX show
>>     that - but that doesn’t seem to be an argument against.
>>
>>     This is why I’m struggling to follow your concern: it’s unclear
>>     if you oppose any transition at all, based on the reply to Russ,
>>     if you only oppose the draft mentioning any transition (e.g. as
>>     part of security considerations or as outlined above), or
>>     something else entirely. It’s still possible to write a MUST
>>     (with one exception), without resorting to a SHOULD (with
>>     unbounded exceptions), and it’s still possible to have a MUST
>>     with a transition.
>>
>>     On Mon, Nov 29, 2021 at 6:34 PM Stefan Santesson
>>     <stefan@aaa-sec.com> wrote:
>>
>>         Ryan,
>>
>>         You say the same as I:
>>
>>         "Y are free to change their requirements at any time"
>>
>>         In other words, the standard will not mandate that Y MUST
>>         reject the signature.
>>
>>         This is fine with me.
>>
>>         /Stefan
>>
>>
>>         On 2021-11-30 00:23, Ryan Sleevi wrote:
>>>
>>>
>>>         On Mon, Nov 29, 2021 at 6:09 PM Stefan Santesson
>>>         <stefan@aaa-sec.com> wrote:
>>>
>>>             Russ,
>>>
>>>             Without (or before) making any objections, I would like
>>>             to understand what "transition" this is.
>>>
>>>             If this is a transition towards -> Documents signed with
>>>             a cert where this EKU is not present, MUST be rejected,
>>>             then I would be worried.
>>>
>>>         It's unclear why this is problematic, and hopefully you can
>>>         be more explicit here.
>>>
>>>         The scenarios boil down to:
>>>         - X controls the issuing pipeline (e.g. the CA)
>>>         - Y controls the validation pipeline (e.g. the software vendor)
>>>         - Z controls the signing pipeline (e.g. you, the document
>>>         signer)
>>>
>>>         The certificates that Z is using have a lifetime dictated by
>>>         X, and a profile dictated by Y. X and Y are free to change
>>>         their requirements at any time; we see this regularly,
>>>         whether a software vendor requiring conformance to a
>>>         particular profile, or a policy authority dictating such
>>>         certificates conform to a profile. This is generally done
>>>         independent of Z, and the certificates that Z uses have
>>>         natural replacement cycles, in addition to any unusual
>>>         replacements.
>>>
>>>         Why should Z have any bearing on X or Y?
>>>
>>>         If Y decides to reject such signatures, and X doesn't issue
>>>         certificates with the EKU, isn't that primarily an issue
>>>         between X and Y? It doesn't impact how Z functions at all.
>>>
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm

v2.23.0 | Report a Bug | By Email