IETF Logo Mail Archive

Re: [lamps] Call for adoption for draft-ito-documentsigning-eku

Deb Cooley <debcooley1@gmail.com> Thu, 29 July 2021 00:44 UTC

Return-Path: <debcooley1@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8310A3A077A for <spasm@ietfa.amsl.com>; Wed, 28 Jul 2021 17:44:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.846
X-Spam-Level:
X-Spam-Status: No, score=-1.846 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1RasXxVAgwxw for <spasm@ietfa.amsl.com>; Wed, 28 Jul 2021 17:44:04 -0700 (PDT)
Received: from mail-qk1-x735.google.com (mail-qk1-x735.google.com [IPv6:2607:f8b0:4864:20::735]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 80F3E3A0785 for <spasm@ietf.org>; Wed, 28 Jul 2021 17:44:04 -0700 (PDT)
Received: by mail-qk1-x735.google.com with SMTP id o13so4207515qkk.9 for <spasm@ietf.org>; Wed, 28 Jul 2021 17:44:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=BFWS0Y7VgQoARQvVgdUpBi3lZdKBp0ShSm7ilET8Q6o=; b=pJmwVaAUnkb6zECR1woVp8zzSwMNQPdordS7MX4sF8JyajSLf/BiOPfBdvYIDeXKa2 h0CC2w761TqIjz0kWJe0Qrx8EeQeuysefrkTjORIyLMeLdlwU7jU7oIKSp92m/IGTgvU BV1ot7GcvOxJyUhnh/vQOmhbHkL9hQgglyz3bSpBS3MOKpzu9ZwS5oOvUbYywaVT61cA xGDukNjeBWNmWZ9QSkBRo4/XnkIYlXyX4NSOtmWTE/DXyndNcHIzlBAzU6q2PSV14MYO X6WlI/93SG42lJsaqBVGz/0/uBQFJy3mjeDbMEhsdpjbRvaOCQ1XJdPf9bjI9dsUsl4A SVWg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=BFWS0Y7VgQoARQvVgdUpBi3lZdKBp0ShSm7ilET8Q6o=; b=CeqdBsq/rCTn0qxDy8J+4ELJYr304ceT2a/Gt4v/kf6P8BNZigzinZzWnYu4Ic7thx 0+nOMifnT60Ms82UAzUXQaHwL4KmLMQTCnrUVX1ccg7ET1AV4juEBYnaI4kAgT9mDWqZ BBfH5KNnmOj95uluqEdoiPmYeh2vaSYQNZc5N3r6/BZ/AUsBtRPfjGTm6qoGGBUUInwb 2mGcpj/fCfOVjhPwUoTzOpf/agaNa2wnWGIJYVmTczV32W7XR+7a29pL8yUP6DYE4sfx YGLLIj7ZnVUqHSyDFOzvZbXg//u++eEbyWn+GKe4VXJUwacX2lAj/Dh6rQiOJV3ZUo3k PoOQ==
X-Gm-Message-State: AOAM533X+f31E0KaezEn/QFrfQgqIL85xGcXkluhniE7LiPXWrH+shym yhHyX8BWDzHcixlSRt1LR7s7fsEJHkixrzOTuQ==
X-Google-Smtp-Source: ABdhPJzjYNB0IbT5KcwRXZpyDgEO4ciPZK4gGDm1+cyD1pBIdFxcekhQ9M9z8EucaM2Vr70nmQt3GVoavERiRK9I3X0=
X-Received: by 2002:a37:a20d:: with SMTP id l13mr2490732qke.83.1627519442408; Wed, 28 Jul 2021 17:44:02 -0700 (PDT)
MIME-Version: 1.0
References: <CD589623-52EE-4958-80AB-73F0CFB3A36E@vigilsec.com> <CAErg=HF_hcXO=9=KJh5EBEov4ybS_8g4xF=cANL9+83UvP0zvQ@mail.gmail.com> <adf86f46-093f-756f-8292-9b5e088f4344@lear.ch> <CAErg=HEUFV2F8R8g8e6yCDKz_e6RebNyB5Zb2Lvgn4oc3BtE-w@mail.gmail.com> <CO6PR14MB4468A7A5EB138542CEBA5D9CEAE99@CO6PR14MB4468.namprd14.prod.outlook.com> <CAErg=HH4aDgju=8C7Neq_4H19EX8S2inNd9fMAMYH3h95S48Rg@mail.gmail.com> <CO6PR14MB44688BC4188063BCA54E80C4EAE99@CO6PR14MB4468.namprd14.prod.outlook.com> <CAErg=HGDA+16N4xhgMvuQz25DqD+_nkiFC+OuAJMkFzYYqFV0w@mail.gmail.com> <2550c1c3-1400-b380-c9ad-dad59286feee@lear.ch> <CAErg=HGnKMNNyaf-=w+DmqfXg7XYbKD2Ah-WUxf96xNN5Ecikg@mail.gmail.com> <CAErg=HFVx5JTog5_aWOrx3vAm5o=LxHfwxEqkVM8FifYCm2P+A@mail.gmail.com> <CAGgd1OdcLujCJQOaTGvS_Hkqg1=pUP-5Mu=06kqkrgFU3fVG5g@mail.gmail.com> <CAErg=HGL-s2v9=5J64GnaaFxWN4QYWMUnDRPcpC0DN5XgM1-yw@mail.gmail.com>
In-Reply-To: <CAErg=HGL-s2v9=5J64GnaaFxWN4QYWMUnDRPcpC0DN5XgM1-yw@mail.gmail.com>
From: Deb Cooley <debcooley1@gmail.com>
Date: Wed, 28 Jul 2021 20:43:51 -0400
Message-ID: <CAGgd1OemU0qX1Wsmx7YPMTiexKz9hmhKj3c89iT3BcrahiUP8A@mail.gmail.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
Cc: LAMPS WG <spasm@ietf.org>, "Cooley, Dorothy E" <decoole@nsa.gov>
Content-Type: multipart/alternative; boundary="0000000000003ada0a05c83866de"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/zxXf-GUIiyM67ArNIXMbCiSV3dA>
Subject: Re: [lamps] Call for adoption for draft-ito-documentsigning-eku
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jul 2021 00:44:10 -0000

Thanks for that. I'd be lying if I said I'd read all the references....

I'm not sure that we (by this I mean US DOD) need this per se, at least
I've not heard it asked for.  I suspect we (again DOD) are doing this today
merely w/ the DS KU (and maybe a timestamp piece).

What I'd really like to avoid is to have to add a bazillion EKUs to a
signing certificate just to handle Adobe, or whatever the application is du
jour.  I know that some people like to make this complicated, but I'd
really like it to be easy to understand (I know, stop laughing, we are well
past that point).

I guess that makes two things that worry me -
1.  mis-use of the code signing EKU (which certainly doesn't have a working
group or RFC to define it either) and
2.  having to deal w/ a bazillion EKUs because US DOD uses every blasted
application in the world (maybe I'll retire before then).

Deb Cooley
decoole@nsa.gov



On Wed, Jul 28, 2021 at 3:40 PM Ryan Sleevi <ryan-ietf@sleevi.com> wrote:

>
>
> On Wed, Jul 28, 2021 at 2:53 PM Deb Cooley <debcooley1@gmail.com> wrote:
>
>> Just to push on this a little more (apologies).  What do you believe is
>> the correct path forward?  Abuse of the code signing EKU is worrying.
>>
>
> The context behind this request is the CA/Browser Forum is working to
> specify S/MIME policies, and are similarly interested in fixing these
> abuses. I am, without a doubt, 100% on board with this. I just see it as a
> matter of domain-specific policy, rather than IETF coordination.
>
> Concretely: I would see vendors that are targeting specific signature
> protocols to have EKUs for those protocols. For example, ETSI ESI TC has a
> suite of specifications that the European Union has granted the presumption
> of legal recognition (in certain cases) or
> mandatory-to-implement/interoperate assumptions (e.g. for public services).
> These are PAdES, CAdES, XAdES, and collectively describe signature
> requirements for PDF, CMS, and XML. Nothing would prevent ETSI ESI from
> using its OID arc (0.4) to assign an EKU to indicate "Used in conjunction
> with the ETSI ESI document signing specifications" - with the assumption
> here is that ETSI ESI TC will ensure that these distinct formats do not
> permit cross-format attacks that allow for confused deputy (of which there
> have been many [1]).
>
> In implementation practice, EKUs effectively operate as substitutes for
> certificatePolicies. Whether we hate that or not - and the past debate has
> been clear there's folks in both camps - that's the implementation reality.
> For example, to have a certificate successfully validate with
> 'id-kp-serverAuth' on a macOS system, you need to comply with Apple's
> certificate policies. This doesn't matter whether you're a CA included by
> default in the OS, or something locally configured in the Enterprise: any
> application using Apple's cryptographic libraries has to comply with the
> policies if they assert the particular EKU, that EKU is required to use
> their TLS client libraries, and that's a net-positive for users. [2].
> Sometimes, these changes only apply to CAs included in their software by
> default [3], but other times, it's system wide.
>
> In practice, the EKU is used to indicate compliance, or non-compliance, to
> a particular certificate profile, defined by the vendor of the relying
> party application. This is true for major trust store vendors like
> Microsoft, Apple, Google, Mozilla, and across different protocols: Google's
> GMail has its policies [4], just like Adobe has their AATL [5]. The EKU is
> enforced at the protocol level, but equally, it implies and reflects
> compliance with policy.
>
> In the browser space, the CA/Browser Forum exists to help coordinate the
> interpretation of 'id-kp-serverAuth' as it applies to browsers, and to
> reduce the risk of conflicts in those profile requirements. There's nothing
> preventing similar groups - such as ETSI (in the case of the *AdES family)
> or the CA/Browser Forum (in a hypothetical document signing chartered
> working group) to do the same, with an EKU specific to their constituency
> to reflect the "I intend to use it with this {protocol}, which has {these
> policy assumptions in the PKI design}". Yes, in a perfect world, this would
> have used certificatePolicies, with client libraries requiring end-entity
> certificates asserting a particular policy, and validating that policy is
> in the effective policy set, and that EKU is purely a protocol indicator:
> but that's not the world we ended up at.
>
> The issue with the IETF defining a generic EKU here is that we don't have
> a "Document Signing Protocol WG" that defines the format and semantics of
> what a signed document is, in the way we have a TLS WG or an IPSEC WG or a
> Kerberos WG. Within those WGs, we do see efforts at preventing
> cross-protocol and cross-format confusion, and we also see the use of
> multiple certificates and keys when appropriate, and including new EKUs as
> needed, when possible. For example, TLS Delegated Credentials work
> proposes... an additional certificate for servers to obtain to express
> further restrictions on private key usage [6]. This was due to needing to
> work around the fact that few TLS client implementations outside of
> browsers robustly support features like those in RFC 4158 [7], and the TLS
> WG had to work around that legacy, as otherwise, EKU would have been
> appropriate.
>
> Concretely: ETSI could easily allocate OIDs for PAdES, CAdES, and XADeS. I
> haven't done the protocol analysis to know if there's cross-format attacks,
> so it could be three OIDs, or it could be a singular OID if they are
> robustly secured, indicating compliance with the ETSI specifications and
> the eIDAS policy framework. Adobe could similarly take a lead here, with
> respect to PDF signing, and say "This EKU is used for PDFs according to
> this {Adobe, ISO} specification and the AATL policy". If the CA/Browser
> Forum was chartered for this (it presently is not, but that, like all
> charters, is changable), it could also define an EKU to say "This EKU is
> used in conjunction with {these document signing protocols} and the
> CA/Browser Forum policy". CAs that, say, meet the requirements of all three
> organizations, could easily assert all three EKUs in a single certificate,
> provided that they (and relying parties) have analyzed for
> cross-protocol/cross-format attacks. But we can't pretend they're the same
> constituencies: even where there's overlap (and there's plenty of 2-of-3
> and 3-of-3 overlap in these examples), they are still fundamentally
> different use cases and policy authorities.
>
> [1] https://pdf-insecurity.org/index.html
> [2] https://support.apple.com/en-us/HT210176
> [3] https://support.apple.com/en-us/HT211025
> [4] https://support.google.com/a/answer/7300887?hl=en
> [5] https://helpx.adobe.com/acrobat/kb/approved-trust-list2.html
> [6]
> https://datatracker.ietf.org/doc/html/draft-ietf-tls-subcerts-10#section-4.2
> [7] https://datatracker.ietf.org/doc/html/rfc4158
>

v2.23.0 | Report a Bug | By Email