Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

Ralph Holz <holz@net.in.tum.de> Fri, 03 January 2014 17:12 UTC

To: Leif Johansson <leifj@mnt.se>, therightkey@ietf.org

Hi,

> Assumes you run an updated browser, right?

I think the cert was blacklisted immediately after the publication/talk,
that means at least 4 years ago. At least in IE, the auto-update may
have helped. Not sure about the Fox.

There really is nothing we can do for users that haven't updated since.
Any 2nd Web site they may visit may exploit those old vehicles.

> Blacklisting isn't part of the PKIX trust model, but a band-aid used to
> fix the lack of deployed/able revocation.

Tell me something new. ;-) Although in fact, the whole thing goes much
deeper. A broken hash algorithm means root cert-like compromise as it
means the capacity to imitate a correct signature by a root cert. There
is no fix for this but blacklisting. Not in any model with TTPs, by the way.

Ralph

-- 
Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
Phone +49.89.289.18043
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF