Re: [therightkey] [pkix] Proposal for working on PKIX revocation open issues

Phillip Hallam-Baker <phill@hallambaker.com> Sun, 16 November 2014 20:30 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 855651A1AF1 for <therightkey@ietfa.amsl.com>; Sun, 16 Nov 2014 12:30:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xONaDyOkLOdA for <therightkey@ietfa.amsl.com>; Sun, 16 Nov 2014 12:30:00 -0800 (PST)
Received: from mail-la0-x230.google.com (mail-la0-x230.google.com [IPv6:2a00:1450:4010:c03::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C000E1A1AEB for <therightkey@ietf.org>; Sun, 16 Nov 2014 12:29:59 -0800 (PST)
Received: by mail-la0-f48.google.com with SMTP id s18so3502322lam.35 for <therightkey@ietf.org>; Sun, 16 Nov 2014 12:29:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=rGBSmXEksA/ho8nQkSJsSA+cQ0shOJNGdST+fqo6TqY=; b=h3T9Wt83M0BVVRl5Vr52yXZn3Uy4xgEw4nNjSWB51tdA93dV7zOL5Y8WON9e9Vp1qd GOhS7Gs1IN99uxrXEnBjLiDBfjx9R0TLgyiUSw3ppLCLxLmBMPVlTKe3dnOGilXpM/G2 anPeKklSgdxhcRjEkjUMXRwADsTY+6uh+MPVg3nWjahm+o5zUkLEwfNu/nd39DDK3/k0 54yuV6hvoU1+FhkK/weOwO6bmXfh6mneXffpiCryPONP7eJVQEbEX5plg3XU27tgk9pw KYKENVNs6BCn0jR0QcJORA880lOjNxgaty/9soEMwNDW0gYMgodrDjxQz3u5S2QfWvOS QVdw==
MIME-Version: 1.0
X-Received: by 10.152.204.70 with SMTP id kw6mr5240400lac.85.1416169798115; Sun, 16 Nov 2014 12:29:58 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.34.212 with HTTP; Sun, 16 Nov 2014 12:29:58 -0800 (PST)
In-Reply-To: <004501d001ce$8c669c10$a533d430$@icloud.com>
References: <5466AF87.2050307@gmail.com> <CAMm+Lwg30tb+yFxVMG3qJ=_fjVT=ASqUmaf9gH8wpUhUGxgf6A@mail.gmail.com> <004501d001ce$8c669c10$a533d430$@icloud.com>
Date: Sun, 16 Nov 2014 15:29:58 -0500
X-Google-Sender-Auth: fMveUO-Ty-QFdrlAnQ2qTeu4FKE
Message-ID: <CAMm+LwjWZuKrPQYnjkLJn19nnuBTCzrSn7B+BVfAftCm4jtR=Q@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Trevor Freeman <trevor.freeman99@icloud.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/therightkey/lLxKw1aOzFXYagR5Hha9nSxTME8
Cc: Massimiliano Pala <massimiliano.pala@gmail.com>, "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] [pkix] Proposal for working on PKIX revocation open issues
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Nov 2014 20:30:01 -0000

On Sun, Nov 16, 2014 at 1:53 PM, Trevor Freeman
<trevor.freeman99@icloud.com> wrote:
> Hi Max,
>
> I think we first need a consensus of the unmitigated threats this work would
> look to address. That would help assess the technical options. Top of my
> list of unmitigated threats would be compromised CA issuing user
> certificates outside of the normal process e.g. attackers use some tool to
> sign the certificate directly using the CA key so no log exists of the
> issuance.

Seriously?

How often does this happen?

How often does an administrator sell a machine without zeroing the
hard drive where a live key is stored? How often does a corrupt admin
sell a private key? How often does a machine without a TPM with a cert
get rooted?


End entity breach is a daily occurrence.

> For example, if there is consensus on that as a threat to be addressed, OCSP
> does not help much in that you want a "known to be good" assertion, not a
> "known to be bad" assertion that revocation checking provides. Certificate
> reissuance has long been cited as an alternative to revocation in that
> you get a restatement of the goodness which is what you need, but it does
> tax the CAs. If you are targeting server validation scenarios, then a Valid
> Certificate List which was similar to CRLs but a list of good certificates
> could scale much better as Phil points out. Given we know all too well what
> does not work well with CRLs, we should be able to avoid the mistakes i.e.
> use hashes to identify certificates not issuer\serial number, mandate support
> for partitions etc., etc.

I much prefer using hash based mechanisms to issuer/serial. But in a
pinch, I will use hash of the issuer/serial :)
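The following is an added example, not part of the thread or of any IETF draft, illustrating the design point being argued: a "known to be good" Valid Certificate List keyed by a hash of the certificate, compared with one keyed by issuer/serial (and Phil's fallback, a hash over issuer/serial). The certificate bodies are constructed byte strings standing in for DER encodings so the code runs offline with only the standard library; the `Cert` class, the key functions and the partitioning helper are assumptions of this example, not anything specified on the list.

```python
"""Added example: keying a Valid Certificate List by certificate hash
versus by issuer/serial.  Nothing here is real X.509; the 'der' field is a
constructed byte string standing in for a certificate's DER encoding."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Hashable, Iterable, Set


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a parsed certificate (constructed, not X.509)."""
    issuer: str
    serial: int
    der: bytes  # stands in for the full encoding, signature included


def cert_hash(cert: Cert) -> str:
    """Identify a certificate by SHA-256 over its full encoding."""
    return hashlib.sha256(cert.der).hexdigest()


def issuer_serial_key(cert: Cert) -> tuple:
    """Identify a certificate the CRL way: issuer name plus serial number."""
    return (cert.issuer, cert.serial)


def issuer_serial_hash(cert: Cert) -> str:
    """The 'in a pinch' fallback: a hash over issuer and serial only.
    Because it hashes only those two fields, two differently signed
    certificates with the same issuer/serial still get the same identifier."""
    data = cert.issuer.encode() + b"\x00" + cert.serial.to_bytes(20, "big")
    return hashlib.sha256(data).hexdigest()


def build_valid_list(certs: Iterable[Cert], key_fn: Callable[[Cert], Hashable]) -> Set[Hashable]:
    """A Valid Certificate List is just the set of identifiers of certificates
    that went through the normal, logged issuance process."""
    return {key_fn(c) for c in certs}


def is_listed(valid_list: Set[Hashable], cert: Cert, key_fn: Callable[[Cert], Hashable]) -> bool:
    """Relying-party check: is this certificate on the 'known good' list?"""
    return key_fn(cert) in valid_list


def partition_of(digest_hex: str, partitions: int = 256) -> int:
    """Assign a certificate to one of N list partitions by its hash prefix, so a
    client fetches only the partition its certificate falls in."""
    return int(digest_hex[:8], 16) % partitions


# Constructed sample data.  LEGIT went through normal issuance and is on the
# list.  OFF_PROCESS reuses the same issuer and serial but has a different body
# (different key), the kind of certificate the thread worries no log exists for.
LEGIT = Cert("CN=Example CA", 0x1234,
             b"constructed-DER;issuer=CN=Example CA;serial=1234;subject=www.example.com;key=A")
OFF_PROCESS = Cert("CN=Example CA", 0x1234,
                   b"constructed-DER;issuer=CN=Example CA;serial=1234;subject=www.example.com;key=B")


def compare_keying() -> dict:
    """Show which keying lets the off-process certificate pass the list check."""
    by_hash = build_valid_list([LEGIT], cert_hash)
    by_issuer_serial = build_valid_list([LEGIT], issuer_serial_key)
    return {
        "hash_keyed_accepts_legit": is_listed(by_hash, LEGIT, cert_hash),
        "hash_keyed_accepts_off_process": is_listed(by_hash, OFF_PROCESS, cert_hash),
        "issuer_serial_keyed_accepts_off_process": is_listed(by_issuer_serial, OFF_PROCESS, issuer_serial_key),
    }


if __name__ == "__main__":
    for name, verdict in compare_keying().items():
        print(f"{name}: {verdict}")
    print("partition for LEGIT:", partition_of(cert_hash(LEGIT)))
```

The point the comparison makes is the one the thread is circling: a list of good certificates keyed by issuer/serial (or by a hash of issuer/serial) cannot distinguish a properly issued certificate from one carrying the same issuer and serial that never passed through the issuance process, while a hash over the whole encoding does. Partitioning by hash prefix falls out naturally once the identifier is a hash.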