IETF Logo Mail Archive

Re: [TLS] security considerations for draft-rescorla-tls-subcerts

Subodh Iyengar <subodh@fb.com> Sun, 02 April 2017 00:15 UTC

Return-Path: <prvs=5265204691=subodh@fb.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69C2B1274D0 for <tls@ietfa.amsl.com>; Sat, 1 Apr 2017 17:15:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.719
X-Spam-Level:
X-Spam-Status: No, score=-2.719 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fb.com header.b=Tr4uIvw1; dkim=pass (1024-bit key) header.d=fb.onmicrosoft.com header.b=GsIfVEkP
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3UevFe2l6OB5 for <tls@ietfa.amsl.com>; Sat, 1 Apr 2017 17:15:01 -0700 (PDT)
Received: from mx0a-00082601.pphosted.com (mx0a-00082601.pphosted.com [67.231.145.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D832E127071 for <tls@ietf.org>; Sat, 1 Apr 2017 17:14:59 -0700 (PDT)
Received: from pps.filterd (m0109333.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v3205wZM021326; Sat, 1 Apr 2017 17:14:56 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=facebook; bh=CqiLmDVP2OQglsCUBcBvozr+RGAmOFAS3+0aOiLgxqk=; b=Tr4uIvw1KQCi3BPngekOnovj7Vg/G9LgWX3lnqGEa2ABWXV+1gxg0pkb97L6qijMltzF 6Fy5BsqLSoH+P0aB9h8YQf6dDCxHBCGJVR/NQaHAJhe6+zICRdCtnf+Kh4moJQMO27tW 6EvGiMJSmSbMTLUcM3w/PktiHuFkVcDpOGk=
Received: from mail.thefacebook.com ([199.201.64.23]) by mx0a-00082601.pphosted.com with ESMTP id 29j87x1mp3-5 (version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NOT); Sat, 01 Apr 2017 17:14:56 -0700
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (192.168.54.28) by o365-in.thefacebook.com (192.168.16.24) with Microsoft SMTP Server (TLS) id 14.3.319.2; Sat, 1 Apr 2017 17:14:00 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.onmicrosoft.com; s=selector1-fb-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=CqiLmDVP2OQglsCUBcBvozr+RGAmOFAS3+0aOiLgxqk=; b=GsIfVEkP7NBZRVSX9FZhQW+tv9ewmhB7UipHj0ri1w0DO0uy/H9nhRkLs0JMVnV1tMCkS0aIHbN5V6O/wksu0qTLqh1JAWucjkvPCkg7NnTIbA3w3rfSRPDSmjj9KAjV1h2L0cRHN6lYWovf+D1f3yWNC6XUr8DNrq81lcqevYY=
Received: from MWHPR15MB1455.namprd15.prod.outlook.com (10.173.234.145) by MWHPR15MB1456.namprd15.prod.outlook.com (10.173.234.146) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1005.10; Sun, 2 Apr 2017 00:13:59 +0000
Received: from MWHPR15MB1455.namprd15.prod.outlook.com ([10.173.234.145]) by MWHPR15MB1455.namprd15.prod.outlook.com ([10.173.234.145]) with mapi id 15.01.1005.016; Sun, 2 Apr 2017 00:13:59 +0000
From: Subodh Iyengar <subodh@fb.com>
To: Brian Sniffen <bsniffen@akamai.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] security considerations for draft-rescorla-tls-subcerts
Thread-Index: AQHSqaBOocVmAQvSZkGxKH7FNtBXA6GxLuRe
Date: Sun, 02 Apr 2017 00:13:58 +0000
Message-ID: <MWHPR15MB1455F0758BE196CAB4BDF8BDB6360@MWHPR15MB1455.namprd15.prod.outlook.com>
References: <m27f362zxm.fsf@dhcp-89ad.meeting.ietf.org>
In-Reply-To: <m27f362zxm.fsf@dhcp-89ad.meeting.ietf.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: akamai.com; dkim=none (message not signed) header.d=none;akamai.com; dmarc=none action=none header.from=fb.com;
x-originating-ip: [25.173.47.4]
x-microsoft-exchange-diagnostics: 1; MWHPR15MB1456; 7:hqO1M+3lThxNfRHkipOyuWvuyu/ZmYtJd3qX8UA7BL/MSqpxRgOwlf+GphEU/3LmpmF/yP8w9X+zO9ojtpKyvItHxY12AxHcGNkmdCafZGl7jdpWuNTXrJ8Zefi+FEEptQYNKWkBj+HVyjKD1qScfQWx1UNe8Oamrg18KEzZQtx6SlBGzAhoweyjmI8qJPViDXFvTNnHqB/2bI1ijsoZKEWXj15E707spz/LKGYZlJ5PIhJuCqS3ne/GQ13cJnLilayZmFYoxG1BbBCevM2bz4h7zf7F89fRjXu2fd/sTdVYEdHjRbt4Sq4seTFu825qqiiCfKA87bITGzuRGSbEUw==; 20:XDNQ0lBPb6ysvORelMo58VDRjCt6NaeOyCe/n8bw0jxGatRuWEPoJft68GjizWTwFbS8K7nMlX39dr512zoVEr3tnriD/tbn8JwWi+xsS+wA2J5WcafL8Uvz5NYbUqQ3wdyicjLPEiVg+Kyz9Ewhn+ijfjnPacIOs2DY3AayjBs=
x-ms-office365-filtering-correlation-id: 0d156368-79e8-460b-fb97-08d4795d28e7
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254075)(201703131423075)(201703031133081)(201702281549075); SRVR:MWHPR15MB1456;
x-microsoft-antispam-prvs: <MWHPR15MB14560077550C43A38C577B29B6090@MWHPR15MB1456.namprd15.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(10436049006162)(192374486261705);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040450)(601004)(2401047)(8121501046)(5005006)(93006095)(93001095)(3002001)(10201501046)(6041248)(201703131423075)(201702281528075)(201703061421075)(20161123560025)(20161123555025)(20161123564025)(20161123562025)(6072148); SRVR:MWHPR15MB1456; BCL:0; PCL:0; RULEID:; SRVR:MWHPR15MB1456;
x-forefront-prvs: 02652BD10A
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39850400002)(39400400002)(39410400002)(39840400002)(39450400003)(377454003)(2906002)(50986999)(77096006)(74316002)(6506006)(15650500001)(25786009)(6436002)(230783001)(2900100001)(53546009)(86362001)(575784001)(2501003)(33656002)(606005)(81166006)(7736002)(54356999)(76176999)(2950100002)(3846002)(102836003)(6116002)(122556002)(3660700001)(8936002)(55016002)(66066001)(53936002)(7906003)(189998001)(3280700002)(5660300001)(6246003)(38730400002)(229853002)(7696004)(6306002)(8676002)(54896002)(9686003)(236005); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR15MB1456; H:MWHPR15MB1455.namprd15.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_MWHPR15MB1455F0758BE196CAB4BDF8BDB6360MWHPR15MB1455namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Apr 2017 00:13:58.8381 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR15MB1456
X-OriginatorOrg: fb.com
X-Proofpoint-Spam-Reason: safe
X-FB-Internal: Safe
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-04-01_18:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/-XwcHKnUUta2S1s76H0JzI1wvGs>
Subject: Re: [TLS] security considerations for draft-rescorla-tls-subcerts
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Apr 2017 00:15:04 -0000

Thanks for your question Brian.

The motivation behind delegated credentials is to create a more reasonable deployment model for short lived credentials.

Even without delegated credentials service owners can request short lived certificates from their certificate authorities and deploy them to their remote servers. Having experience running some reasonably large services and also speaking to others who run big services, this presents several challenges:

* Keeping the site up would now involve contacting the CA more frequently than before (assuming you're not using OCSP stapling). Even though CAs have good infrastructure, the processes for automatic renewal introduces the risk of greater errors. Since these errors are across multiple parties these would be very hard to diagnose, so people would tend to not have a hard dependency on this system. It is much easier to debug and recover from failures if a service owner could control the issuance of short lived material with the CA's permission.
* Short lived certificates would go into CT logs, and there were several concerns raised about the increase in the size of the CT logs.
* A reasonable deployment model would call for private keys to never traverse the network. Not everyone should be allowed to contact the CA directly to renew the certificate automatically, so deploying short lived certificates would mean that you would have to proxy CSRs from the end hosts via some trusted infrastructure. This adds some additional moving parts.

This led us to think of whether we could deploy short lived credentials with another approach. Once you can deploy short lived credentials we found several use cases for these:

* Removing private keys from currently trusted hosts and keeping them in even more secure locations. In this way you could increase security by moving keys from places they currently exist.
* You could make a security / performance by giving delegated credentials to your less trusted locations where you could make the tradeoff that if one of these is stolen it's valid only for a very short period of time.

I'm not too familiar with the cloud provider to service owner trust model, but your idea of giving the cloud provider a delegated credential instead of a longer lived certificate key sounds great.

Delegated credentials bounds time, however if used with other mechanisms you can make security protections even more robust. For example you could give your cloud provider a delegated credential bound to a certificate with a different origin. If you find that something bad has happened you can stop routing traffic to that origin as well.

Hopefully this clears things up.

Subodh
________________________________
From: TLS <tls-bounces@ietf.org> on behalf of Brian Sniffen <bsniffen@akamai.com>
Sent: Thursday, March 30, 2017 2:54:29 PM
To: tls@ietf.org
Subject: [TLS] security considerations for draft-rescorla-tls-subcerts

I'm trying to understand the adversary model in which Delegated
Credentials are helpful.  It seems like if you weren't going to sign off
on a cloud service provider getting a certificate before, you *probably*
shouldn't let them have a delegated credential now---but if you were
going to do so, *and* you don't believe revocation works (wise!), now
you can offer a delegated credential and be safer?

That corresponds to an adversary who can compromise a cloud service and
learn the customers' private keys---but can only do so rarely.  Now
instead of having ~ 1 year of use of your certificate, that adversary
has a few days of use of your credential.  But if the cloud service
is regularly breached, you're as bad off as before (but no worse?)

It sounds like the first years of delegated credentials will see them
used in tandem with split systems (Lurk, Akamai and Cloudflare's various patented
approaches)---then the primary benefit of delegated credentials is lower
latency for session establishment.

But maybe the idea is to avoid the first circumstance and emphasize that
these are for the second case.  Authors, can you describe what you have
in mind?

Thanks,
Brian

--
Brian Sniffen
Akamai Technologies

_______________________________________________
TLS mailing list
TLS@ietf.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tls&d=DwICAg&c=5VD0RTtNlTh3ycd41b3MUw&r=h3Ju9EBS7mHtwg-wAyN7fQ&m=q03hxbJ9kVRM2fXxXl_8ByxjamwOvDX09DvM_ASPC_o&s=04enApSPuKlAuxTNPBOwVcenAvEku4aZrZ1LgyPQqRk&e=

v2.23.0 | Report a Bug | By Email