IETF Logo Mail Archive

Re: [lamps] Call for adoption for draft-ito-documentsigning-eku

Ryan Sleevi <ryan-ietf@sleevi.com> Wed, 28 July 2021 15:01 UTC

Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BDDC3A141D for <spasm@ietfa.amsl.com>; Wed, 28 Jul 2021 08:01:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.644
X-Spam-Level:
X-Spam-Status: No, score=-1.644 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G-_xXxu7Wjol for <spasm@ietfa.amsl.com>; Wed, 28 Jul 2021 08:01:19 -0700 (PDT)
Received: from mail-pl1-f178.google.com (mail-pl1-f178.google.com [209.85.214.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 003AE3A141A for <spasm@ietf.org>; Wed, 28 Jul 2021 08:01:18 -0700 (PDT)
Received: by mail-pl1-f178.google.com with SMTP id q2so2996048plr.11 for <spasm@ietf.org>; Wed, 28 Jul 2021 08:01:18 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=TPLPRTHp7ri7V1nUWAsXQD5mJdTGKvl7qPbN3voGJQM=; b=or9quBW3WIfVoYJ0B3ax6swO7VZgnpctmtJPF/MzyxolzfjVFKaj6Sa1D4vBaO53KJ n2pq2Vq/hKQzNGGSDO3lFPQjwsYNPlH3LQUWCmHTar2FaP8AlBSQ6UCi4SnsCbUzKDpp MQpQXi8O9E1pcui6iNTy/ISUPb4PM0DixJNeY0TPZALx6Tp63o8WDcpTyjQ7VqM6xc9C rsgWK1LsqjMH7aXNbfmrxfLOWPXYrO9Kql/aijEkC/ZXucuWFPxHrNI4qvPC1gdpAcXa Do9vD3c0sxxbnQOfYyH6baCTUvSdHnuRw5xWmQFYFP5aFsE477D/FDyGJGTPJUr+5Bfm nKcw==
X-Gm-Message-State: AOAM533Xo6PWUButm/GE9h8fpV3Rdfi+6I4mUKovKqHldX4v8B2od/e8 azBzMXUqCUr8MKWXBM4fz3KnGH17oX4=
X-Google-Smtp-Source: ABdhPJyWXyVAbKUGVsR0tb/qY/y40wGSBakZPmVaVfnsro7bSeUeHplgWPXU6bJDizNJzB4jB/j+PA==
X-Received: by 2002:aa7:8148:0:b029:31b:10b4:f391 with SMTP id d8-20020aa781480000b029031b10b4f391mr185263pfn.69.1627484478136; Wed, 28 Jul 2021 08:01:18 -0700 (PDT)
Received: from mail-pj1-f47.google.com (mail-pj1-f47.google.com. [209.85.216.47]) by smtp.gmail.com with ESMTPSA id z5sm8732466pgz.77.2021.07.28.08.01.17 for <spasm@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 28 Jul 2021 08:01:17 -0700 (PDT)
Received: by mail-pj1-f47.google.com with SMTP id a4-20020a17090aa504b0290176a0d2b67aso10486550pjq.2 for <spasm@ietf.org>; Wed, 28 Jul 2021 08:01:17 -0700 (PDT)
X-Received: by 2002:a17:902:d112:b029:12c:2004:981d with SMTP id w18-20020a170902d112b029012c2004981dmr162783plw.29.1627484477204; Wed, 28 Jul 2021 08:01:17 -0700 (PDT)
MIME-Version: 1.0
References: <CD589623-52EE-4958-80AB-73F0CFB3A36E@vigilsec.com> <CAErg=HF_hcXO=9=KJh5EBEov4ybS_8g4xF=cANL9+83UvP0zvQ@mail.gmail.com> <adf86f46-093f-756f-8292-9b5e088f4344@lear.ch> <CAErg=HEUFV2F8R8g8e6yCDKz_e6RebNyB5Zb2Lvgn4oc3BtE-w@mail.gmail.com> <CO6PR14MB4468A7A5EB138542CEBA5D9CEAE99@CO6PR14MB4468.namprd14.prod.outlook.com> <CAErg=HH4aDgju=8C7Neq_4H19EX8S2inNd9fMAMYH3h95S48Rg@mail.gmail.com> <CO6PR14MB44688BC4188063BCA54E80C4EAE99@CO6PR14MB4468.namprd14.prod.outlook.com> <CAErg=HGDA+16N4xhgMvuQz25DqD+_nkiFC+OuAJMkFzYYqFV0w@mail.gmail.com> <2550c1c3-1400-b380-c9ad-dad59286feee@lear.ch>
In-Reply-To: <2550c1c3-1400-b380-c9ad-dad59286feee@lear.ch>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Wed, 28 Jul 2021 11:01:06 -0400
X-Gmail-Original-Message-ID: <CAErg=HGnKMNNyaf-=w+DmqfXg7XYbKD2Ah-WUxf96xNN5Ecikg@mail.gmail.com>
Message-ID: <CAErg=HGnKMNNyaf-=w+DmqfXg7XYbKD2Ah-WUxf96xNN5Ecikg@mail.gmail.com>
To: Eliot Lear <lear@lear.ch>
Cc: Ryan Sleevi <ryan-ietf@sleevi.com>, Tomofumi Okubo <tomofumi.okubo@digicert.com>, LAMPS WG <spasm@ietf.org>, Russ Housley <housley@vigilsec.com>
Content-Type: multipart/alternative; boundary="0000000000002431dc05c83042a3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/MWth-iCO_xkgnkQM1eFsekBbX-A>
Subject: Re: [lamps] Call for adoption for draft-ito-documentsigning-eku
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Jul 2021 15:01:24 -0000

On Wed, Jul 28, 2021 at 4:03 AM Eliot Lear <lear@lear.ch> wrote:

> How about the second paragraph:
>
> The LAMPS (Limited Additional Mechanisms for PKIX and SMIME) Working
> Group is chartered to make updates where there is a known constituency
> interested in real deployment and there is at least one sufficiently
> well specified approach to the update so that the working group can
> sensibly evaluate whether to adopt a proposal.
>
> I hope my previous emails sufficiently explained why this document should
not be considered as meeting the bar "sufficiently well specified
approach", and how the definition of "real deployment" in the context of a
multi-stakeholder ecosystem like PKI (CAs, relying parties, users) is
equally questionable.

To be clear: I agree with Deb in the abstract that there is potential value
here in having an approach that can address this demonstrably real-world
use case of CAs misusing emailProtection or codeSigning, so I am supportive
of "something" to indicate in this space that there is a different use
case. My concern remains that it does not require IETF or IANA action to do
so, and the past two decades of real-world implementation experience, as
shown by the running code on billions of devices, has revealed that the
generic approach proposed here is not only not promoting interoperability,
but actively harming it.

For example, the use of id-kp-serverAuth within multiple disparate trust
frameworks, while useful in ensuring a protocol-level binding of the key,
has actively harmed the agility and security improvement of relying
parties. Concretely, consider the case of both payment terminals using IoT
stacks, and only being capable of supporting SHA-1, with those of web
browsers or government systems, requiring 'modern' security such as SHA-2.
These are clearly very distinct use cases, and these use cases impose
protocol constraints that make it "TLS, but not the same TLS". For example,
whether or not a device has generic Internet connectivity or limited
connectivity to a single server, or whether or not both client and server
support OCSP stapling, or even the memory constraints of the device itself,
all impose assumptions and restrictions on the PKI implementation that
meaningfully affect whether or not the private key is "appropriate" for
this case. Similarly, this (present) misguided overlap creates security
risks, by combining disparate client groups (e.g. the IoT payment terminal
and the web browser) onto a single server and PKI, the ability to make
security-positive changes (e.g. the deployment of CT, the migration to
SHA-2) is impaired. These aren't hypothetical. These are lessons from the
real world of deprecations (MD5, SHA1, SHA2), and we shouldn't continue to
pretend they're all just one interoperable family when we know they aren't.

This is clearly something that will result from document signing, as we see
there are a myriad of technical approaches, which then further dictate the
protocol capabilities, which then further dictate the PKI design, such that
there is not a "one size/one key fits all" case. Even seemingly simple
things, such as online verification versus offline verification,
timestamping countersignatures, or legal recognition show the distinction.
This is nothing new to anyone familiar with PKI as practiced: this group
has long been aware, for example, that some digital signatures on documents
may convey a presumption of legal certainty and liability, while others may
not. These are already expressed today as different certificates, with
their own policies and constraints, but also reflect different protocol
assumptions, expectations, and constraints with respect to the "document"
being signed. Pretending they're the same is misleading, at best: document
signing is _not_ a generic case, it is inherently tailored to specific,
distinct communities of relying parties and ISVs, whether those be
communities with jurisdictional overlap (e.g. qualified signatures) or
communities of similarly interested parties (e.g. industry consortia like
the CA/Browser Forum)

The concerns being raised here, regarding multiple certificates, are
demonstrably inconsistent with the existing specification and expectations.
We have and accept policy OIDs precisely to express the need for different
management scopes and authorities, and to allow distinction between
different PKIs, so that relying parties can ensure their needs are met. The
real world demonstrates this is not a barrier to adoption or deployment: we
see virtually every consumer-focused CA offering certificates bearing
multiple policy OIDs reflective of the supervision schemes they take part
of, as well as common policy OIDs for their constituencies of note (e.g.
CA/Browser Forum, ETSI Qualified Certificates, vendor-specific PKIs like
WFA, USB, mFI, or Qi, etc).

Without wanting to misrepresent opinions, it seems the disconnect is that
opponents to distinct EKUs are either not familiar with, or in opposition
to, the deployed reality that both EKUs and policy OIDs _together_ serve to
distinguish PKIs and (collective) protocols. Considering this has been a
part of deployed reality that predates PKIX existing, and has long remained
controversial within the PKIX group, perhaps I should be unsurprised that
we're at the same impasse we were in 2016 [1], 2013 [2], 2009 [3], and 2000
[4]. We equally seem to be rewriting history, contrary to the contemporary
discussions about what EKU was and how it would evolve [5].

While I certainly cannot prevent the adoption of this document, and I'm
aware that I am presently the lone objector, I am very concerned that the
arguments in favor here are simply echoing design mistakes and misguided
beliefs of the 1990s that we should know better in 2021. As an implementer
of relying party software and as someone who has dealt with countless
security issues resulting from the misuse of PKI, is a very clear,
preventable, and avoidable mistake, and this document, and its goals, would
only serve to leave users less secure.

[1] https://mailarchive.ietf.org/arch/msg/pkix/MHwcSWuuzezj4qHuzSmbYeGUbdI/
[2] https://mailarchive.ietf.org/arch/msg/pkix/EzBA2NgSx6zi2CG-D2oKaOBbGvE/
[3] https://mailarchive.ietf.org/arch/msg/pkix/M80kRfzAX9bWcqibV97z4MOMqJI/
[4] https://mailarchive.ietf.org/arch/msg/pkix/QQ4vHlYLyYFYnswc14_jTdHHbLg/
[5] https://mailarchive.ietf.org/arch/msg/pkix/c8aIik0B_7WOaBdGuiURrkvE_h0/

v2.23.0 | Report a Bug | By Email