Re: [therightkey] [pkix] Proposal for working on PKIX revocation open issues
Trevor Freeman <trevor.freeman99@icloud.com> Mon, 17 November 2014 17:07 UTC
From: Trevor Freeman <trevor.freeman99@icloud.com>
To: 'Phillip Hallam-Baker' <phill@hallambaker.com>
Date: Mon, 17 Nov 2014 09:07:33 -0800
Archived-At: http://mailarchive.ietf.org/arch/msg/therightkey/DzU_U4NoHiMoW1yaE-q0BGQAGfk
Cc: 'Massimiliano Pala' <massimiliano.pala@gmail.com>, therightkey@ietf.org
Subject: Re: [therightkey] [pkix] Proposal for working on PKIX revocation open issues

Obviously more than you think, otherwise folks would not be working on CT :)

-----Original Message-----
From: therightkey [mailto:therightkey-bounces@ietf.org] On Behalf Of Phillip Hallam-Baker
Sent: Sunday, November 16, 2014 12:30 PM
To: Trevor Freeman
Cc: Massimiliano Pala; therightkey@ietf.org
Subject: Re: [therightkey] [pkix] Proposal for working on PKIX revocation open issues

On Sun, Nov 16, 2014 at 1:53 PM, Trevor Freeman <trevor.freeman99@icloud.com> wrote:
> Hi Max,
>
> I think we first need a consensus of the unmitigated threats this work
> would look to address. That would help assess the technical options.
> Top of my list of unmitigated threats would be compromised CA issuing
> user certificates outside of the normal process e.g. attackers use
> some tool to sign the certificate directly using the CA key so no log
> exists of the issuance.

Seriously? How often does this happen?

How often does an administrator sell a machine without zeroing the hard drive where a live key is stored?

How often does a corrupt admin sell a private key?

How often does a machine without a TPM with a cert get rooted?

End entity breach is a daily occurrence.

> For example, if there is consensus on that as a threat to be
> addressed, OCSP does not help much in that you want a "known to be
> good" assertion, not a "known to be bad" assertion that revocation
> checking provides. Certificate reissuance has long been cited as
> an alternative to revocation in that you get a restatement of the
> goodness which is what you need, but it does tax the CAs. If you are
> targeting server validation scenarios, then a Valid Certificate List
> which was similar to CRLs but a list of good certificates could scale
> much better as Phil points out. Given we know all too well what does
> not work well with CRLs, we should be able to avoid the mistakes i.e.
> use hashes to identify certificates not issuer\serial number, mandate
> support for partitions etc., etc.

I much prefer using hash based mechanisms to issuer/serial. But in a pinch, I will use hash of the issuer/serial :)
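
An added example, not part of the original message or of any draft discussed in the thread: a minimal partitioned list of known-good certificates identified by hash, checked alongside a CRL-style "known to be bad" lookup. The certificate bytes, issuer name, serial numbers and partitioning rule are constructed for illustration; the issuer/serial hash is included to show that it cannot tell a certificate reusing an issued serial from the issued one.

```python
import hashlib

def cert_hash(der: bytes) -> str:
    """Identify a certificate by the SHA-256 of its encoded bytes."""
    return hashlib.sha256(der).hexdigest()

def issuer_serial_hash(issuer: str, serial: int) -> str:
    """Fallback identifier: hash of issuer name and serial number."""
    return hashlib.sha256(f"{issuer}|{serial}".encode()).hexdigest()

def partition_of(identifier: str, partitions: int) -> int:
    """Map an identifier to a partition so a client fetches one slice only."""
    return int(identifier[:8], 16) % partitions

def build_vcl(identifiers, partitions: int) -> dict:
    """CA side: publish the known-good identifiers, split into partitions."""
    vcl = {p: set() for p in range(partitions)}
    for ident in identifiers:
        vcl[partition_of(ident, partitions)].add(ident)
    return vcl

def vcl_status(identifier: str, vcl: dict) -> str:
    """Client side: 'good' only if the CA listed this identifier."""
    part = vcl[partition_of(identifier, len(vcl))]
    return "good" if identifier in part else "unknown"

def crl_status(serial: int, revoked: set) -> str:
    """Revocation check: anything not listed as bad passes."""
    return "revoked" if serial in revoked else "good"

ISSUER = "CN=Example CA"  # constructed name
# Constructed stand-ins for encoded certificates: (serial, bytes)
ISSUED = [(1001, b"cert:1001:www.example.test:key-A"),
          (1002, b"cert:1002:mail.example.test:key-B")]
# Signed outside the issuance process, so no record exists; reuses serial 1001
ROGUE = (1001, b"cert:1001:www.example.test:key-UNLOGGED")
REVOKED = {1000}  # constructed: an older certificate the CA knows to be bad

VCL_BY_CERT = build_vcl([cert_hash(d) for _, d in ISSUED], partitions=4)
VCL_BY_SERIAL = build_vcl([issuer_serial_hash(ISSUER, s) for s, _ in ISSUED], 4)

def compare(serial: int, der: bytes) -> dict:
    """Run the three checks on one certificate and report each verdict."""
    return {"crl": crl_status(serial, REVOKED),
            "vcl_cert_hash": vcl_status(cert_hash(der), VCL_BY_CERT),
            "vcl_issuer_serial": vcl_status(issuer_serial_hash(ISSUER, serial), VCL_BY_SERIAL)}

if __name__ == "__main__":
    print("issued:", compare(*ISSUED[0]))
    print("rogue: ", compare(*ROGUE))
```

Only the list keyed by the hash of the whole certificate reports the unlogged certificate as unknown; the revocation lookup and the issuer/serial list both accept it.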