Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

Ralph Holz <holz@net.in.tum.de> Fri, 03 January 2014 17:19 UTC

Return-Path: <holz@net.in.tum.de>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 252DD1ADFEC for <therightkey@ietfa.amsl.com>; Fri, 3 Jan 2014 09:19:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.55
X-Spam-Level:
X-Spam-Status: No, score=-3.55 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_I_LETTER=-2, HELO_EQ_DE=0.35] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mIsRgLziIToM for <therightkey@ietfa.amsl.com>; Fri, 3 Jan 2014 09:19:51 -0800 (PST)
Received: from smtp.serverkommune.de (serverkommune.de [176.9.61.43]) by ietfa.amsl.com (Postfix) with ESMTP id 2F9E41ADFDC for <therightkey@ietf.org>; Fri, 3 Jan 2014 09:19:51 -0800 (PST)
Received: by smtp.serverkommune.de (Postfix, from userid 5001) id 9933E8057E; Fri, 3 Jan 2014 18:19:43 +0100 (CET)
Received: from [192.168.178.34] (ex6.serverkommune.de [176.9.61.43]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.serverkommune.de (Postfix) with ESMTPSA id C8CF880258; Fri, 3 Jan 2014 18:19:42 +0100 (CET)
Message-ID: <52C6F12E.4060902@net.in.tum.de>
Date: Fri, 03 Jan 2014 18:19:42 +0100
From: Ralph Holz <holz@net.in.tum.de>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: Carl Wallace <carl@redhoundsoftware.com>, Leif Johansson <leifj@mnt.se>, therightkey@ietf.org
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com> <FEFA307D-97E0-4C58-AB43-5B9AB8E8FC70@taoeffect.com> <CAMm+Lwjwww28tV_qvqQVH3xo1xqvjb6z++258+LOqgxWn-Oh9w@mail.gmail.com> <52B88104.9040607@appelbaum.net> <52C2D54F.8000209@comodo.com> <52C45CDC.5020608@appelbaum.net> <96EF8E55-5860-4534-B370-83395C3985D4@vpnc.org> <52C5B67D.4050301@appelbaum.net> <A8E9A208-35FA-495F-8130-C08545011B59@vpnc.org> <52C6A819.4040509@mnt.se> <52C6B9F9.7010304@net.in.tum.de> <52C6C966.3090606@mnt.se> <52C6EF76.4090106@net.in.tum.de> <CEEC5A24.C9BE%carl@redhoundsoftware.com>
In-Reply-To: <CEEC5A24.C9BE%carl@redhoundsoftware.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.97.8 at ex6
X-Virus-Status: Clean
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jan 2014 17:19:53 -0000

Hi,

>> Tell me something new. ;-) Although in fact, the whole thing goes much
>> deeper. A broken hash algorithm means root cert-like compromise as it
>> means the capacity to imitate a correct signature by a root cert. There
>> is no fix for this but blacklisting. Not in any model with TTPs, by the
>> way.
> 
> You mean blacklisting the algorithm, right?

Ultimately, yes. That's what Moz etc. did, but you cannot force CAs to
switch to new algorithms at once. New root certs have to be added to the
root stores, new certs issued for existing customers, etc. Thus the
grace period until 2011.

In the meantime, all you can do is blacklist known-rogue certs.
Alternatively, pull the root cert from which MD5 signatures were issued.
As the MD5 attack still had considerable cost (for the hobby blackhat,
not a 3-letter agency), it was deemed that this must suffice for a while.

Ralph

-- 
Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
Phone +49.89.289.18043
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF