Re: [therightkey] [pkix] Proposal for working on PKIX revocation open issues

Trevor Freeman <trevor.freeman99@icloud.com> Mon, 17 November 2014 17:07 UTC

From: Trevor Freeman <trevor.freeman99@icloud.com>
To: 'Phillip Hallam-Baker' <phill@hallambaker.com>
References: <5466AF87.2050307@gmail.com> <CAMm+Lwg30tb+yFxVMG3qJ=_fjVT=ASqUmaf9gH8wpUhUGxgf6A@mail.gmail.com> <004501d001ce$8c669c10$a533d430$@icloud.com> <CAMm+LwjWZuKrPQYnjkLJn19nnuBTCzrSn7B+BVfAftCm4jtR=Q@mail.gmail.com>
In-reply-to: <CAMm+LwjWZuKrPQYnjkLJn19nnuBTCzrSn7B+BVfAftCm4jtR=Q@mail.gmail.com>
Date: Mon, 17 Nov 2014 09:07:33 -0800
Message-id: <007601d00288$fb9d9240$f2d8b6c0$@icloud.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/therightkey/DzU_U4NoHiMoW1yaE-q0BGQAGfk
Cc: 'Massimiliano Pala' <massimiliano.pala@gmail.com>, therightkey@ietf.org
Subject: Re: [therightkey] [pkix] Proposal for working on PKIX revocation open issues

Obviously more than you think, otherwise folks would not be working on CT.

 

-----Original Message-----
From: therightkey [mailto:therightkey-bounces@ietf.org] On Behalf Of Phillip Hallam-Baker
Sent: Sunday, November 16, 2014 12:30 PM
To: Trevor Freeman
Cc: Massimiliano Pala; therightkey@ietf.org
Subject: Re: [therightkey] [pkix] Proposal for working on PKIX revocation open issues

On Sun, Nov 16, 2014 at 1:53 PM, Trevor Freeman <trevor.freeman99@icloud.com> wrote:

> Hi Max,
>
> I think we first need a consensus of the unmitigated threats this work
> would look to address. That would help assess the technical options.
> Top of my list of unmitigated threats would be compromised CA issuing
> user certificates outside of the normal process e.g. attackers use
> some tool to sign the certificate directly using the CA key so no log
> exists of the issuance.

 

Seriously?

How often does this happen?

How often does an administrator sell a machine without zeroing the hard
drive where a live key is stored? How often does a corrupt admin sell a
private key? How often does a machine without a TPM with a cert get rooted?

End entity breach is a daily occurrence.

 

> For example, if there is consensus on that as a threat to be
> addressed, OCSP does not help much in that you want a "known to be
> good" assertion, not a "known to be bad" assertion that revocation
> checking provides. Certificate reissuance has long been cited as
> an alternative to revocation in that you get a restatement of the
> goodness which is what you need, but it does tax the CAs. If you are
> targeting server validation scenarios, then a Valid Certificate List
> which was similar to CRLs but a list of good certificates could scale
> much better as Phil points out. Given we know all too well what does not
> work well with CRLs, we should be able to avoid the mistakes i.e.
> use hashes to identify certificates not issuer/serial number, mandate
> support for partitions etc., etc.

 

I much prefer using hash based mechanisms to issuer/serial. But in a pinch,
I will use hash of the issuer/serial :)

 

_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey
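The quoted exchange turns on two points: a "known to be good" list catches a certificate minted directly with the CA key (which path validation and revocation checking cannot), and such a list should key entries by a hash of the certificate rather than by issuer/serial. The Go program below is an added illustration, not code from either poster or from any IETF draft. It constructs a throwaway CA and two leaf certificates, both signed with the CA key; only the first is recorded on a hypothetical `ValidCertList` (a SHA-256-of-DER allowlist, an assumed design), and the "hash of the issuer/serial" fallback is shown as `IssuerSerialHash`. Path validation accepts both leaves; only the list tells them apart.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ValidCertList is an allowlist of certificates the CA issued through its
// normal, logged process, keyed by SHA-256 of the certificate DER.
// This is a constructed design for illustration, not a standardised format.
type ValidCertList map[[32]byte]struct{}

// CertHash identifies a certificate by hashing its full DER encoding.
func CertHash(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) }

// IssuerSerialHash is the "hash of issuer/serial" fallback mentioned in the
// thread: SHA-256 over the DER issuer name followed by the serial bytes.
func IssuerSerialHash(c *x509.Certificate) [32]byte {
	h := sha256.New()
	h.Write(c.RawIssuer)
	h.Write(c.SerialNumber.Bytes())
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

func (v ValidCertList) Add(c *x509.Certificate)           { v[CertHash(c)] = struct{}{} }
func (v ValidCertList) Contains(c *x509.Certificate) bool { _, ok := v[CertHash(c)]; return ok }

// Outcome records the two independent checks a relying party can make.
type Outcome struct {
	ChainOK bool // signature chains to the trusted CA (what path validation sees)
	Listed  bool // present on the Valid Certificate List (what the CA's record says)
}

func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func check(leaf *x509.Certificate, roots *x509.CertPool, vcl ValidCertList) Outcome {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return Outcome{ChainOK: err == nil, Listed: vcl.Contains(leaf)}
}

// Demo builds a constructed CA and two leaves signed with the CA key. The
// first goes through the "normal process" and onto the list; the second
// stands in for the off-process issuance the thread describes.
func Demo() (recorded, offProcess Outcome, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Example CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	vcl := ValidCertList{}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	mkLeaf := func(serial int64, cn string) (*x509.Certificate, error) {
		return issue(&x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
		}, ca, &leafKey.PublicKey, caKey)
	}
	good, err := mkLeaf(1000, "good.example")
	if err != nil {
		return
	}
	vcl.Add(good) // normal process: issued and recorded
	stray, err := mkLeaf(1001, "stray.example")
	if err != nil {
		return
	}
	// no vcl.Add(stray): signed with the CA key but never recorded
	return check(good, roots, vcl), check(stray, roots, vcl), nil
}

func main() {
	recorded, offProcess, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("recorded cert:    chain=%v listed=%v\n", recorded.ChainOK, recorded.Listed)
	fmt.Printf("off-process cert: chain=%v listed=%v\n", offProcess.ChainOK, offProcess.Listed)
}
```

Keying on the certificate hash means the list entry commits to every byte the CA signed, so a second certificate that reuses an issuer/serial pair cannot collide with a recorded one; `IssuerSerialHash` is kept only for the case where the full certificate is not at hand.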