IETF Logo Mail Archive

Re: [stir] Questions about stir-certificates

Sean Turner <sean@sn3rd.com> Fri, 10 November 2017 02:17 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31FE6129413 for <stir@ietfa.amsl.com>; Thu, 9 Nov 2017 18:17:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.409
X-Spam-Level:
X-Spam-Status: No, score=-0.409 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_03_06=1.592, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EXffyZSmvVYr for <stir@ietfa.amsl.com>; Thu, 9 Nov 2017 18:17:40 -0800 (PST)
Received: from mail-pg0-x230.google.com (mail-pg0-x230.google.com [IPv6:2607:f8b0:400e:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 428A712940E for <stir@ietf.org>; Thu, 9 Nov 2017 18:17:40 -0800 (PST)
Received: by mail-pg0-x230.google.com with SMTP id z184so893413pgd.13 for <stir@ietf.org>; Thu, 09 Nov 2017 18:17:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=312dNMuRlqQIsiC8EFy8Z09FS/jDX7ixKotjJ3A5P6g=; b=S+hEfp8xHngJzoGQjefGVJMdYa50JaAJJHWqYcDqRozLV8Xez0JXOAAc/5Swja6gF6 3c11i9MulwqN31rIF612msyPjDcqtYHE5hdbRGK5xpMNAgJhbbdE7yBWjDR/cG9G82GW PY4uwjDGhiAi1I8OlQNSeAb3MVjpCwfwGKHc0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=312dNMuRlqQIsiC8EFy8Z09FS/jDX7ixKotjJ3A5P6g=; b=t8YKPZZ4R5bvRx8DOZzz8h9pN5rQouC6DFmDn6AXt0QUfFi65N47pAwenqLR6VqkUx ql8K2syEY9+4NrTH70SMrv1d1ZFN0/LyJtWBoNYvzRz0mX9QFPLJIyRcdloLQjdCJtCh C29cKWsQPKuYssV3riZvwOAkt6Ud9GVB25z42euPXRoRddQQWKGQBaMjiDI4j5FYBXq7 N1sljk3czJUxp5jLQdC22FYcW1oAWA6q7yV7PXGOU1xAnMJjH/Y4fv1qa54QGNgCMOUy Ue6gHM/Pxsq86IVk9P5f3V4N5bdniIveH6Wlqbti6N/rO3RmDk++2e8b1GR8OolJUUX0 /Q3g==
X-Gm-Message-State: AJaThX4SD1gnhPgxdhbSxTFoDd1COdv1gdXlBTwypKUXTeoE3A/M4yGA 677hn39A3iSiNrZXEpEtIMPThy89XDc=
X-Google-Smtp-Source: ABhQp+TWB1EvoxiNP/0t/EcQlPG4HmQzvrI+bYsG8nOW78eydmGPkTrQzK9hLFRX7KdPmGtCz+SysQ==
X-Received: by 10.84.128.73 with SMTP id 67mr2408302pla.96.1510280259778; Thu, 09 Nov 2017 18:17:39 -0800 (PST)
Received: from [5.5.33.14] (vpn.snozzages.com. [204.42.252.17]) by smtp.gmail.com with ESMTPSA id x7sm3094440pgb.65.2017.11.09.18.17.37 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 09 Nov 2017 18:17:39 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <CABkgnnUNmwT_-atKHzOATOJ4SPhsC1+Gy0Q_6XLtGo7owgE-kQ@mail.gmail.com>
Date: Thu, 09 Nov 2017 16:25:40 -0500
Cc: "Peterson, Jon" <jon.peterson@team.neustar>, "stir@ietf.org" <stir@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <5398BEAA-B532-4F4D-980C-43F6FB3584A8@sn3rd.com>
References: <D60E0087.1EEE44%jon.peterson@neustar.biz> <CABkgnnV41djmwJ2A8WkLv1Qu_zxAKPb8EJnuoFS1Zeog3momyQ@mail.gmail.com> <E4972898-9912-456F-92E5-1A6022B26A85@sn3rd.com> <CABkgnnUNmwT_-atKHzOATOJ4SPhsC1+Gy0Q_6XLtGo7owgE-kQ@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/kJNZ-qndS-6wBNeXKFwdLLUP34s>
Subject: Re: [stir] Questions about stir-certificates
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Nov 2017 02:17:42 -0000

<rant>
I have a GH repo but trying to deal with these during AUTH48 seems to render the GH repo out-of-date.
</rant>


> On Oct 30, 2017, at 23:51, Martin Thomson <martin.thomson@gmail.com> wrote:
> 
> On Tue, Oct 31, 2017 at 12:37 PM, Sean Turner <sean@sn3rd.com> wrote:
>> Since s10.1 points to s9 where the constraints are I would assume that implementers would know to apply the constraints the same way.  But, if I put on my “where’s that explicit statement" hat on - it’s not there.  So, I get your point.  How about we add the following to the end of the 2nd paragraph in s10.1:
>> 
>>  As with the certificate extension defined in Section 9, a URI dereferenced
>>  from an end entity certificate will indicate the TNs which the caller has
>>  been authorized; a URI  dereferenced from a CA certificate will limit the
>>  the set of TNs for certification paths that include this certificate.
>> 
>> I think that this also addresses mixing the two ways to constrain the caller, i.e., the CA had an AIA and the EE had the certificate extension.  BUT, I’m not sure that we should really do that because it could get complicated.  Maybe whatever way the CA is constrained, i.e., with the TN Authorization List extension or the AIA, is the way the EE MUST be constrained?
> 
> Having the two match might not make sense if you consider the
> possibility for an operator to run their own subordinate CA.  I think
> that it would be reasonable for that CA to be constrained to the set
> of numbers that operator has, but if the EE cert has to match exactly
> it would prevent the operator from creating more narrowly constrained
> EE certs.

Ah here I wasn’t talking about the constraints themselves.  I was referring to the mechanism used, i.e., if the CA constrains with AIA the signer needs to also use an AIA, and vice versa.

>> When I read your comment and when I talked about Jon, I didn’t equate on the critical path with the extension being critical.  We’re certainly not suggesting that AIA be made critical.  I think the outline of certificate usage in s4 points to s10.1 for additional requirements, but I can see how it might not be that clear.  Maybe we add the following to the end of the 2nd paragraph in s10.1 after the new text above:
>> 
>>  Verifiers MUST support the AIA extension.
> 
> I think that you are looking for MUST use.

So I get your point, but here I think that if it’s MUST support then it must use so how about we change the above suggestion to:

 As with the certificate extension defined in Section 9, a URI dereferenced
 from an end entity certificate will indicate the TNs which the caller has
 been authorized.  Verifiers MUST support the AIA extension and  the
 dereferenced URI  from a CA certificate limits the the set of TNs for
 certification paths that include this certificate.

For whatever reason the “MUST use” phrase is throwing me off, but I think the above answers the mail.


>>> For that to work, you need an MTI retrieval mechanism and format.  I
>>> assume that this is just a DER-encoded TNAuthList.  You probably want
>>> to write that down.  And then someone will end up asking whether you
>>> have a media type for it.
>> 
>> I think the format is already there in s10.1:
>> 
>>  The document returned by dereferencing that
>>  URI will contain the complete TN Authorization List (see Section 9)
>>  for the certificate.
> 
> That's the format, mostly, though it probably needs to say that it's
> the actual DER encoding of that structure so that it's crisp.  The
> retrieval mechanism is needed too.  I assume that HTTPS will work,
> with all the usual things regarding server authentication and so forth
> (2818 and all that).  RFC 5280 talks about using LDAP and other things
> that I don't think you want.

HTTPs is the only choice from later in s10.1:

 When the “id-ad-stirTNList” accessMethod is used, the accessLocation
 MUST be an HTTPS URI.

>> And ugh media types … sure how about this:
>> 
>>  Type name: application
>> 
>>  Subtype name: tnauthlist+der
>> 
>>  Required parameters: None.
>> 
>>  Optional parameters: None.
>> 
>>  Encoding considerations: Binary.
>> 
>>  Security considerations:  See Section 12 of this specification.
>> 
>>  Interoperability considerations:
>> 
>>     The TN Authorization List inside this media type MUST be DER-encoded
>>     TNAuthorizationList.
>> 
>>  Published specification: This specification.
>> 
>>  Applications that use this media type:
>> 
>>     Applications that support [draft-ietf-stir-certificates] certificates.
>> 
>>  Fragment identifier considerations: N/A
>> 
>>  Additional information:
>> 
>>     Magic number(s): None
>>     File extension(s): None
>>     Macintosh File Type Code(s): None
>> 
>>  Person & email address to contact for further information:
>> 
>>     Sean Turner <sean@sn3rd.com>
>> 
>>  Intended usage: COMMON
>> 
>>  Restrictions on usage: none
>> 
>>  Author: Sean Turner <sean@sn3rd.com>
>> 
>>  Change controller: The IESG <iesg@ietf.org>
>> 
>> 
>> Notes:
>> 
>> 1. I don’t have to be the POC.
>> 2. +der is there in case in some later time you want to say use +json
> 
> +anything is a rathole you don't want to dig for yourself.  If you
> need a JSON variant, then I'm sure that it would be easy to define
> application/tnauthlist+json, but a bare name will avoid all sorts of
> headaches.  I just recently went through the trouble involved with RFC
> 8091 and have no wish to inflict that on others.

OMG so glad to hear that you’ve also felt this pain ;)  I’m more than happy to not do +der.

>> 3. when we’re happy with this I’ll get the ball rolling to get the review started
>> 
>>> And then there is the privacy story with these sorts of things.  Big
>>> lists of AIA are probably OK (K-anonymity with large K), but I can
>>> imagine the CA being able to use this as a way to track calls.  Not
>>> serious here because lists are generally long, but it was a problem
>>> with CRLs and OCSP on the web, so it's worth a brief mention at least.
>> 
>> I think this is addressed in s10.
> 
> 
> Not really.  I assume that you refer to:
> 
>  Delivering the entire list of telephone numbers associated with a
>  particular certificate will divulge to STIR verifiers information
>  about telephone numbers other than the one associated with the
>  particular call that the verifier is checking.
> 
> Which says that a verifier will learn that a particular EE or CA can
> also speak for a particular set of telephone numbers.  The risk here
> is that with a sufficiently small set of numbers in the AIA document,
> the CA (or whoever hosts the AIA doc) learns that a particular
> verifier is terminating a call from one of those numbers.  Caching
> isn't an effective defense if you care about that.  (This is one
> reason that stapling is a big deal, but OCSP responses are signed and
> can therefore be stapled, whereas you are not offering any way to
> avoid this lookup being necessary.)
> 
> You could avoid the problem by having the AIA be a reference to a
> larger certificate (that is, one that contains the complete TNAuthList
> and no AIA), which would allow you to attach a signature to the AIA.
> Then it becomes possible to avoid the lookup at the cost of a larger
> certificate that has to be updated more often.

I was actually thinking about this bit:

 Acquiring online status
 information for certificates has the potential to disclose private
 information [RFC7528] if proper precautions are not taken.

I’ll synch with Jon to come up with some appropriate considerations.

>> A couple of things:
>> 
>> 1. The count text has not been updated since we added “*" and “#” and I’m thinking that count was only supposed to apply to the parts of the TN that are not related to the “*" and “#”.
>> 
>> 2. To answer your question: yes it’s the number plus the next 9 and overflows should be prohibited.
>> 
>> How about the following for #2 in s9:
>> 
>> 2.  Telephone numbers can be listed in a range (in the
>>     TelephoneNumberRange format), which consists of a starting
>>      telephone number and then an integer count of numbers within the
>>      range, where the valid boundaries of ranges may vary according to
>>      national policies.  count has the following constraints: overflow into
>>      more digits isn’t permitted, e.g., “123” + 100 is not allowed; count
>>      only applies to the telephone number and not to digits associated
>>      with “*” or “#”.
>> 
>> In the above I am not sure the words a quite right.
> 
> Does "not to digits associated with “*” or “#”" mean?
> 
> a. a count can't be used with a number that includes either "*" or "#"
> b. a count applies to the numerical value preceding any "*" or "#"
> b. a count applies to the numerical value after the final "*" or "#",
> if any are present
> c. something else
> 
> (a) seems right to me.  I can see a case for describing a range of
> extensions, but it probably makes sense to disavow that use case and
> have the bare number asserted on its own.  Thus, I would say:
> 
>> national policies.  A count is added to the numeric value of the telephone number.  A count cannot cause the telephone number to increase in length, thus "123" + 100 is not valid.  A number that includes "*" or "#" cannot be included in TelephoneNumberRange.
> 
> That suggests a different grammar might be useful, so maybe you really
> do mean b.

I’ll respond to this bit in the bit that you and Paul picked up.

spt

v2.23.0 | Report a Bug | By Email