Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security
Santosh Chokhani <SChokhani@cygnacom.com> Thu, 02 January 2014 22:09 UTC
From: Santosh Chokhani <SChokhani@cygnacom.com>
To: Phillip Hallam-Baker <hallam@gmail.com>, Leif Johansson <leifj@mnt.se>
Thread-Topic: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security
Date: Thu, 02 Jan 2014 22:09:08 +0000
Message-ID: <4262AC0DB9856847A2D00EF817E8113910E532@scygexch10.cygnacom.com>
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com> <FEFA307D-97E0-4C58-AB43-5B9AB8E8FC70@taoeffect.com> <CAMm+Lwjwww28tV_qvqQVH3xo1xqvjb6z++258+LOqgxWn-Oh9w@mail.gmail.com> <52B88104.9040607@appelbaum.net> <52C2D54F.8000209@comodo.com> <52C45CDC.5020608@appelbaum.net> <96EF8E55-5860-4534-B370-83395C3985D4@vpnc.org> <52C5B67D.4050301@appelbaum.net> <CAMm+LwjMGOTueS_hu+xPTtXkjfEXqUbPeGR=WYP+t48CJdn_3w@mail.gmail.com> <DB4645B1-9247-42ED-83D2-5251538D5D96@mnt.se> <CAMm+Lwh739peDF9MTh55KAvxwZ+eOfHNDArFphP_1gv_Q-1XtQ@mail.gmail.com>
In-Reply-To: <CAMm+Lwh739peDF9MTh55KAvxwZ+eOfHNDArFphP_1gv_Q-1XtQ@mail.gmail.com>
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>, Jacob Appelbaum <jacob@appelbaum.net>
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security
LTANS WG had produced an RFC (RFC 5698) to protect the relying parties from weak algorithms. If that RFC is implemented on the certificate consuming side, these attacks will be thwarted.

From: therightkey [mailto:therightkey-bounces@ietf.org] On Behalf Of Phillip Hallam-Baker
Sent: Thursday, January 02, 2014 4:58 PM
To: Leif Johansson
Cc: therightkey@ietf.org; Paul Hoffman; Jacob Appelbaum
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

On Thu, Jan 2, 2014 at 4:00 PM, Leif Johansson <leifj@mnt.se> wrote:

> On 2 Jan 2014, at 21:25, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>
>>>> Please don't overstate the results of the excellent research that you did; doing so diminishes the research.
>>>
>>> I'm not overstating anything. I think you don't understand what we actually did if you think that later, patching things will somehow magically stop previously successful attacks...
>>
>> You are confusing people by using a valid attack against the algorithm to argue against the trust model. PKIX is designed on the assumption that the digest algorithm chosen is secure against a second preimage attack.
>
> The fundamental flaw in the pkix trust model is that there is no deployable mechanism for limiting the impact of such an attack. That realization should inform future design and that bit is certainly on topic ;-)

It is on topic but not limited to PKIX.

We have since learned that algorithm agility is not quite the security benefit we once thought as the security of the system is determined by the weakest algorithm you support, not the strongest one you implement.

Problem is that I can't see a way to really control this type of attack without a very considerable cost in usability and I think it would constrain other defenses.

Anyone using Windows XP in the Enterprise for any purpose other than finding viruses is guilty of security malpractice at this point. It is an obsolete OS that would have been at EOL if lazy sysadmins hadn't begged to keep it.

My current solution in my email project is to attempt to require SHA512 for all certificates. But I am not sure that is actually sustainable.

--
Website: http://hallambaker.com/
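The thread turns on two points: RFC 5698 (DSSC) lets a relying party carry a per-algorithm suitability period and refuse signatures made with an algorithm past its date, and, as Hallam-Baker notes, a chain is only as strong as the weakest algorithm the verifier still accepts. The example below is added to this archive page and is not code from the thread, from RFC 5698 or from any project. It pulls the signatureAlgorithm OID out of a DER Certificate with a minimal ASN.1 walker, evaluates a chain against a DSSC-style policy on a given date, and also expresses the "SHA-512 only" stance as a second policy. The policy dates, the strength ranking and the certificate skeletons produced by `fake_cert` are constructed for illustration; the code checks only which algorithm each signature claims, not the signature itself.

```python
"""DSSC-style (RFC 5698) algorithm-suitability check over an X.509 chain.
Added example, not from the thread or RFC 5698; dates and the DER
skeletons are constructed.  Only the signatureAlgorithm OID is examined."""
from datetime import date

# Signature-algorithm OIDs (dotted form) -> short name
OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
# Constructed ranking, used only to report the chain's weakest link.
STRENGTH = {"md5WithRSAEncryption": 1, "sha1WithRSAEncryption": 2,
            "sha256WithRSAEncryption": 3, "ecdsa-with-SHA256": 3,
            "sha512WithRSAEncryption": 4}
# DSSC-style policy: name -> last suitable day (None = no end date yet).
# Algorithms absent from a policy are rejected outright.  Dates constructed.
POLICY = {"md5WithRSAEncryption": date(2008, 12, 31),
          "sha1WithRSAEncryption": date(2016, 12, 31),
          "sha256WithRSAEncryption": None, "sha512WithRSAEncryption": None,
          "ecdsa-with-SHA256": None}
# The "require SHA512 for all certificates" stance, expressed as a policy.
STRICT_SHA512 = {"sha512WithRSAEncryption": None}


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element (short or two-byte long form is enough here)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    return bytes([tag, 0x82]) + n.to_bytes(2, "big") + body


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]            # base-128, high bit marks continuation
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the DER element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[start:start + length], start + length


def signature_algorithm(cert_der: bytes) -> str:
    """Dotted OID of the outer signatureAlgorithm of a Certificate:
    SEQUENCE { tbsCertificate, AlgorithmIdentifier { OID, params }, BIT STRING }."""
    tag, cert, _ = read_tlv(cert_der, 0)
    _, _, pos = read_tlv(cert, 0)              # skip tbsCertificate
    tag2, algid, _ = read_tlv(cert, pos)
    tag3, oid_body, _ = read_tlv(algid, 0)
    if (tag, tag2, tag3) != (0x30, 0x30, 0x06):
        raise ValueError("not a Certificate structure")
    return decode_oid(oid_body)


def fake_cert(oid: str) -> bytes:
    """Constructed Certificate skeleton (empty TBS, dummy signature bits);
    only the signatureAlgorithm field carries information."""
    algid = der_tlv(0x30, encode_oid(oid) + b"\x05\x00")   # NULL parameters
    return der_tlv(0x30, der_tlv(0x30, b"") + algid + der_tlv(0x03, b"\x00" * 5))


def check_chain(chain_der, on: str, policy=POLICY):
    """Evaluate a chain (end entity first, self-signed root last) on ISO date
    `on`; returns (ok, weakest_algorithm, problems).  The root's self-signature
    is not a link (the root is trusted by identity), so it is not checked."""
    if not chain_der:
        return False, None, ["empty chain"]
    when = date.fromisoformat(on)
    links = chain_der[:-1] if len(chain_der) > 1 else chain_der
    problems, names = [], []
    for i, der in enumerate(links):
        name = OID_NAMES.get(signature_algorithm(der), "unknown")
        names.append(name)
        if name not in policy:
            problems.append(f"cert {i}: {name} not permitted by policy")
        elif policy[name] is not None and when > policy[name]:
            problems.append(f"cert {i}: {name} unsuitable after {policy[name]}")
    weakest = min(names, key=lambda n: STRENGTH.get(n, 0))
    return not problems, weakest, problems


if __name__ == "__main__":
    # Constructed chain: SHA-256 leaf, SHA-1 intermediate, MD5 self-signed root.
    chain = [fake_cert("1.2.840.113549.1.1.11"), fake_cert("1.2.840.113549.1.1.5"),
             fake_cert("1.2.840.113549.1.1.4")]
    print(check_chain(chain, "2014-01-02"))                  # accepted, weakest SHA-1
    print(check_chain(chain, "2017-06-01"))                  # SHA-1 link now expired
    print(check_chain(chain, "2014-01-02", STRICT_SHA512))   # both links rejected
```

The chain's reported weakest link is what the relying party is actually trusting: the leaf's SHA-256 signature adds nothing if the intermediate was signed with SHA-1. A DSSC policy turns the "weakest algorithm you support" observation into a dated cut-off that the verifier applies uniformly, while the SHA-512-only policy shows the usability cost the thread worries about: it rejects every link in this chain.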