IETF Logo Mail Archive

Re: [lamps] Martin Duke's Discuss on draft-ietf-lamps-cmp-updates-20: (with DISCUSS and COMMENT)

"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Wed, 01 June 2022 18:05 UTC

Return-Path: <hendrik.brockhaus@siemens.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17D2BC1527AF; Wed, 1 Jun 2022 11:05:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=siemens.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nXpXVx1wKkU4; Wed, 1 Jun 2022 11:05:44 -0700 (PDT)
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-db5eur01on0606.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe02::606]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F15E8C14792E; Wed, 1 Jun 2022 11:05:43 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=hsiFTQZN3NDfBTP4qlXFaFF0L54mNTqHG5PBF8Y27yuh8+URAlP3fIUzCQWRibNNEKaQB/NgE+PO2BF4VAnMm6a2D1GZgz3h1IAhrzbjxfFrU0hSky4QwnFPNu6la00bnRSOw97fWl3Io5kVxivMrpn8paPZ7B8RmG5OM+74162Z8/fNvshmeLUQROqN3cG3DFrJjgQlAMV3sQP1D9Ci5kMKsaT1BE+yUqo+3onYLOF8Q1p/zDJQX0QNUqHoZJt+ctr3QBhXsp0DuoSZ27on5OShLNL/IQ1ktulshWli3I90W+/AA+tUlchKbalYL/vYXcdSC/1DQNuMqjBMwtuZvQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=QrSIaHUMYy6MjxzXABYRt2FvbPGVanxdDfyGOWUWZvw=; b=LsvbUo1/6bbK9nq5Yw423m8HV0rajNqgMRX2hUHjqQvOWdfD5oSaTvTzlDCw/ocb4RUobltuJOvJp0IwEfcbU1C8DE52RsqPUSdSc8BdfPGVzTYHtEn8MJhNnZ0SRYofibpA3g0HROR8Gp5gZQTHtdpZb5/Xy+C9Vnw8o191FV0gdnYD0XqA/B2Zx2JlzXzX1OEfKOnWpXT0cYVeUwK1bejNBhhp/ZXeW2yfHe+hj0y0OYqVNmv81/tT16OGsrH/L9dlzq4iHjHES8IY2bPo2Au0N4ADFZ+vt5ENTGOIlO5mq8XG/Y7T5PZEpvJoH7IsdqgXvdJsYJ1iVHP58q6zZQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=QrSIaHUMYy6MjxzXABYRt2FvbPGVanxdDfyGOWUWZvw=; b=TpzAxTSylcAZW2lHT2pRy2hUxsiPflJHO7549trmFza8dWyODrtqD+KfjRsuYeIN9j6rSM9zueXz9295UEzWOFzby63KIpCxKZb1wxecnC77lNoEQ17bqll2khSWrIXIHBxSj3c/yTJBb5ufRA2BonZW/r/I1HDrXAUEIr2KyJR9qKxnshn4ylniDif9lP2Zmk7DfysXlfEfsr8nJXoKE5cjAXkjlMjU2zQA9wkLkP6raPplMCQEdTQP6hcy2vE18wrGSgYFTiKv3vJWDMb84b3+Z1RgwbEnyD1B5Qio5HjVp26FmeYijIfUMFJpS5Z51/hf+xFrWZZCKPgplehIZQ==
Received: from GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:150:7d::8) by VI1PR10MB2687.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:803:df::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5293.13; Wed, 1 Jun 2022 18:05:39 +0000
Received: from GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM ([fe80::f97d:3f6e:909d:fbd6]) by GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM ([fe80::f97d:3f6e:909d:fbd6%4]) with mapi id 15.20.5314.012; Wed, 1 Jun 2022 18:05:39 +0000
From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Martin Duke <martin.h.duke@gmail.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-lamps-cmp-updates@ietf.org" <draft-ietf-lamps-cmp-updates@ietf.org>, "lamps-chairs@ietf.org" <lamps-chairs@ietf.org>, "spasm@ietf.org" <spasm@ietf.org>, "housley@vigilsec.com" <housley@vigilsec.com>
Thread-Topic: [lamps] Martin Duke's Discuss on draft-ietf-lamps-cmp-updates-20: (with DISCUSS and COMMENT)
Thread-Index: AQHYddofl5qpfmITEkOYq8OHTS5zLK061WPQ
Date: Wed, 01 Jun 2022 18:05:39 +0000
Message-ID: <GV2PR10MB62103F308D384905F55E1C38FEDF9@GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM>
References: <165410326059.36213.15687292037240868456@ietfa.amsl.com>
In-Reply-To: <165410326059.36213.15687292037240868456@ietfa.amsl.com>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Enabled=true; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SetDate=2022-06-01T18:05:37Z; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Method=Standard; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Name=restricted-default; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SiteId=38ae3bcd-9579-4fd4-adda-b42e1495d55a; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ActionId=4fae6e7c-1b8d-4ff6-9e9d-b0658cce1a7a; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ContentBits=0
document_confidentiality: Restricted
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=siemens.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 6e82892b-39f1-40b1-4364-08da43f95625
x-ms-traffictypediagnostic: VI1PR10MB2687:EE_
x-microsoft-antispam-prvs: <VI1PR10MB268745607171AAF25DD7851FFEDF9@VI1PR10MB2687.EURPRD10.PROD.OUTLOOK.COM>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 2QFb/xcKRiXVXnwVed5fqYGr2PG7TZVsyryLhrrmB17aSZrs4C5JgrqXnvru6R9zpc6XMKSGmSY1CIdwdu1QoxHNE9rviwtcfo8KLqNuqxLblb/pVMAI5GIuOmGFGCG0AdzvjCizqim101D9h/CumUVc19cItOQgnYUdinnEoqdxSXU3RqVmsBk2uQ3TngzJhoNI5KCnm7jT6wzRz+6Ba0BeZhmZIL2QKPoegjej39GZemYxoYBeqllavEIvRdFrRzSJ6+e0tZR1xoY1SMOd3tIveuLQqO+AVl/1weSU0yegosKuZq2o1EF1hw4807TfAVo6hYEb0KJKMnid2HhbiTt0HmTwMPWMXn0/G3WO2p0gRPi7YCMO6SeA+9Km8WDAobK2vTwH4hyTvmThb6sWrLDiHEuB18f7xHKHNCMqUKjhp1kszkweg+OnA1Oe+U/6kgad9a+HT5ZhrytSNMl0vizCaXTLN+XrPEiPbZDvkUO6bbobwJq/Cg8gxGW8TFcxaaYaavBf+4YfTp0BcHpsyY8nmX70EUCG/xFHtbjx3Dbw2gyNVDpbGOT/bAtCRMPAS2Rlvb3tVUnY2gC8Yfw9h3Lk4iXB/SUFsNEwTu1Su0Q3ZQX7UOiai0h1AFiz0QDQMNSzoWA8b9S11plfpLQ1oIqdY2gQx/XSjxeJJosL0hN4Nhlv76NrQtZeMGjuShz8kX0Dri0TwhoVwslLP70DKQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(38100700002)(86362001)(186003)(38070700005)(71200400001)(122000001)(55016003)(76116006)(64756008)(66556008)(5660300002)(66446008)(4326008)(66946007)(66476007)(52536014)(8936002)(83380400001)(7696005)(9686003)(8676002)(2906002)(110136005)(33656002)(54906003)(6506007)(26005)(508600001)(82960400001)(15650500001)(316002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: BLtdjC41qwl9NZ+gjmKAoiY0m25y//c0obXJ3kJqsrIsjBbpfaKulK9WwMJll7q309/WmYu/Gd6/v6uKH7hUEVfTo/0dWSUmdhGVMOYQJuKcSMji7/+9Sr0ScW8hmUAtVOJNchel361oSEA88o2HiRZGWypzg6zgQDf57qm9MRbvQX+fikCPm8m+v9hwFI62S2h40K2Szu1R3OIqW61R12pguV89okT2IuIYlyPdQjgAULzhBD9FDBE4Qg4YT8rxgn4Wd7mVFM51F8EvmhSP+7GebURJDuXOn+3IW9DuJwsQmHJ6HjmKBdIDiQOH+KVWajKQJwZdrSXWG5mDrq45QGYRibA9tDBwfD7Iz/x8pd/ucpDx6c9QAURI5qjXsgHeYaNaxO+lk9wIQJjR+Q09HbTNaytQ+x+G93+mNVKPjQx94EOYvtcQaJfMhJjkzf/+WKGEyt9f63U6F8hKTzd/iTa3gbjJD15q3ZGyNfPhA3kQp/cl41jRN2xf7zFC0LgLPxSlw9B3YipumoI9COtE5AtAmdlQdImx/eIZeoPzQv4KXEb+BNe/voHTZ5dhRhG+dLWfkn/6YZTXk8gGsjPi5zaUGclJbNP3sPRWVu4XnZjspw1Drq76Jh6YIO6DvTzGS0od2dvD9r0DX9y2S9HmhxJDt39IoRSW3mZWwXa81vpl2h8AyX2VjP5RADzihvYQitltsClbvHGBSSAj6gIIwXRSVR8ZWOkqmVgM6Atdfj5ogXRwg+NOJAWwN6caBS3uSh0KTeMWjAL8Xn+Hh6m57QaXAFHbf7Vqf0moCNy6l55ucBo1Tph3nbhiPCfXE5uUv0AHOP9Gat7DNyoyskw5zJAbhkcVk7UXBkqxickLcKUXzrSCwSRGuqTAIP7C74LwJ4kSi/eN0o7gOu7EWBYwKWPeWTkqeNMafLYXEoDh0rawT0s3zz93XLsPxQjjslp9HyDWhNIfLPydT8Q1JjY+L6OZt5aaOQFnAuAldQ3UxMZRUPbNfA9Mu0kWKhE8C6M+pCXjQI/A2VZgIazNLjaGn2uXC4K9taiN4JIt7Txyo3WFe6VdUptGrWxM1UdFOiDTqboGSSksMb0PoqEAVSIQJTipI2CgIKWDsprUPh/aHaMpPRMAJ2tvqide0VfcZGmyrAvsSXdV+Ddd+nmrbfLUoRnFpACVE3m17ORihIYUvSdtbCP6tf/TYctxVMdIp0S4EHM/lXLBg+6K7kRSsL4fHkUwaLyp/Br4K9bkSp1I0cTX4RePJaGBos7YxNr1dwebQXfepUncxRYOewXeEZ7mPlVMCcyZ+W81f0hmg2xvXznjnRcTv+6n84R+yZKZchfcaGQ0S5t09LmhSJJ1leFIu1UHB/x/FzGJTii9bFLNUQvVC8VDpp5mvqStSX5xkKUdZ0v6LjLVnBJuZEstyjJp21kuxfBtzxRVCbN+q5u7I07Dh/5Kv3LyNgMmD1Np/LkLUeXaTWNedRD6dD9DVjy0lef1kvaT+ejaAm1ICJRc2ZGz+rWnnyUHk/T82qsWlYHBcdxvV79Z3UKvma3vGK44ytOVAXM10uKTQz54hICuA4DgRuZyUMR+Q6QO6BGy/KsDlX/ZAOfzSGM41xQO5Fnt/Os/vOrthPRir+N8j2579gKIhh6EJJwjkHOvIMpHhxYsi1VfcaKl8o/RpYO0FHWjube4DgugDQT0F17GdiaYI9boaGHKuY76vx0AokPn1Z/FYEFzQEedlBS9NP8ywQ+G8u1EMTwILoz44GX9la0pXsE=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 6e82892b-39f1-40b1-4364-08da43f95625
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Jun 2022 18:05:39.7078 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: X8zSfgFqc7UGdQBL1TS4Hhn5QyXGIJRkfRNx3Q/SsbxHUTCwEdV29EJAo60BTdHiU8KWE7HUp8el2DLg2KSm8BB4dET2XJxqtQ+tlM80ZiY=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR10MB2687
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/8V8nUDhd2HAiPrdDGx1HRgLwIs4>
Subject: Re: [lamps] Martin Duke's Discuss on draft-ietf-lamps-cmp-updates-20: (with DISCUSS and COMMENT)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jun 2022 18:05:48 -0000


> Von: Spasm <spasm-bounces@ietf.org> Im Auftrag von Martin Duke via
> Datatracker
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> As far as I can tell, CMP provides multiple optional levels of encryption and
> authentication to protect its messages and components of that message.
> However,
> I gather that the transport substrate is allowed to be HTTP without TLS.
> 
> Given that, how does this protocol defend against version downgrade attacks? If
> an on-path attacker responds to a client message with an error message
> requiring an older version, do all configurations of CMP detect the
> intervention?

There are only two changes to the ASN.1 syntax that require a V3 indication. To offer maximum backward compatibility with existing implementations the WG decided to go with an approach regarding version handling like with CMS. Therefore, we only use V3 for EnvelopedData and hashAlg filed in CertConf messages. The version handling is described in Section 2.20.

As CMP V3 does not resolve weaknesses of CMP V2, I do not see the risk of downgrade attacks. In addition all CMP messages should be either signature- or MAC-protected.

Hendrik

v2.23.0 | Report a Bug | By Email