IETF Logo Mail Archive

Re: [TLS] Trusting self-signed TLS certificates - specifically for HTTPS

Ollie <me@olliejc.uk> Fri, 02 December 2022 06:40 UTC

Return-Path: <me@olliejc.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44BF7C14F737 for <tls@ietfa.amsl.com>; Thu, 1 Dec 2022 22:40:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=olliejc.uk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oDo9CvvU8Ol8 for <tls@ietfa.amsl.com>; Thu, 1 Dec 2022 22:40:33 -0800 (PST)
Received: from mail-4323.proton.ch (mail-4323.proton.ch [185.70.43.23]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72B84C14F72A for <tls@ietf.org>; Thu, 1 Dec 2022 22:40:33 -0800 (PST)
Date: Fri, 02 Dec 2022 06:40:25 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=olliejc.uk; s=protonmail3; t=1669963229; x=1670222429; bh=ZJBZgMtLHxmvoWlkNecFh/DPlU6y+DN2LdI+7b7INFQ=; h=Date:To:From:Cc:Subject:Message-ID:Feedback-ID:From:To:Cc:Date: Subject:Reply-To:Feedback-ID:Message-ID:BIMI-Selector; b=p7MITlRXWZGleqF7ZWTQBRh5wYASFFv2/A1u5wm2lbn9Pxd9Uxrcl5j3VHvg1f4Pa Jvi02DjjWpRf4n0/BFLOWBCiTSvgaIMlhQZq9XS+XeKImMHXsr9/Ozb/F8QUPDvaPx UwETMiBth5kKL9GPD02MYBjvtRLkjMyEMP0BAQKZRNsvM0QxQgkGNdX03w6DLzjcnx V37N5jiNKQ9oKSH+B3kXwI6KWqzEGGACZNjfQLPNcXDYzmyJIx62LFJvMGUl3rwxG4 otTAxcCWVYfXp0qZgXNrlmVc24G1ShOXGc0lLPpPVvV1gNWEbgV4RAKJb2aAN9i4F0 v7hMk4guBHQ7w==
To: ietf-dane <ietf-dane@dukhovni.org>
From: Ollie <me@olliejc.uk>
Cc: tls <tls@ietf.org>
Message-ID: <4yMjmvm9CHgt_ZRCbd4naTd5XKOt6dr5IKgY6l6-qgtFBL7aPnHSuPdW_Vz18GM-BRXKLE98BM96N_OtPXMQt7yde0gubFY5SZA-eI9a_Jo=@olliejc.uk>
Feedback-ID: 19765882:user:proton
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_PBaGYJfoQhgBp2XKVaX2I1FplG697R8ztJ4p6Dp4AhU"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/0I3UQfKcPvugL9ffoM9qO4XnNBQ>
Subject: Re: [TLS] Trusting self-signed TLS certificates - specifically for HTTPS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Dec 2022 06:40:38 -0000

> There's nothing to be gained by publishing SCTs in self-issued DANE-EE
> validated certificates. Are you proposing to make SCTs mandatory in
> DANE? Which user agents would insist on such SCTs and why? If not,
> what problem would optionally including them solve?

Yes, primarily for browser user agents.
See below on use cases/problems.

> Note also that the "expiration" date of DANE-EE certificates is ignored,
> the freshness of the key binding is attested via the TLSA record RRSIG,
> rather than the dates in the certificate. The proposed 90-day limits on
> "certificate lifetime" are antithetical to DANE-EE.

Noted and understood, although not sure I agree the certificate expiry should be ignored. What happens if I put a TLSA record for a CA certificate that then traditionally expires? Would user agents be expected to fall-back to using the RRSIG freshness?

> In principle (I am not tracking whether there are extant
implementations), DANE-EE even supports TLS with RFC 7250 "raw public
> keys", where there are no certificate at all!

Huh, interesting - will look into, thanks.

I hadn't come across DNSSEC-Transparency so that probably covers a lot/all of the following, however I think it's worth considering CT log incorporation as that ecosystem is well established and the adoption of self-signed certificates (SSCs) would likely require little revision by monitors/user agents etc.

Consider the following use cases/user stories (U) and how (H) I believe inclusion of SSCs to CT logs can support alongside CA certificates (CACs):

1.U: As a user agent, I want to prevent users from accessing potentially malicious versions of a website so that I can protect users from harm.
1.H: If presented with an SSC the user agent would require TLSA records and a complete DNSSEC chain and for the presence of an SCT for checking a CT log, doing those increases the level of assurance that the presented SSC is valid for the given website. If only one is valid, then some misissuance could have occured and a block or warning could be displayed to the user.

2.U: As a website operator, I want to monitor for certificates (intended to be trusted by user agents) issued for my known domain so that I can look for any misissuance to protect my end users against malicious versions.
2.H: Website operators could implement direct monitoring against a domain to check the presented certificate (SSC or CAC) but what if a different network is presenting something differently to other users - monitoring of CT logs that an SSC has been issued (where as in 1. user agents require to not show warning/block) could alert me to misissuance and that some of my users may be/being targeted by some sort of (person-in-the-middle) attack where I can look to mitigate/notify users.

3.U: As an organisation ("example.com") with many domains and websites, I want to monitor for certificates issued against one of my brands so that I can investigate and look for potentially malicious versions of my websites to mitigate like creating takedown requests or adding to blocklists.
3.H: As with 2., direct monitoring could be done but that relies on me already knowing about an asset or domain. If I could look for "*.example.*" or "example.*" or "exampl3.*" in CT logs (either SSC or CAC) to identify domains I didn't know about previously, I could investigate if they're a potentially malicious version.

4.U: As a website operator, I want to check my certificates for imminent expiry so that I can act on renewing or fixing the automated process before users are presented with an error.
4.H: I could use a monitoring service that looks at CT logs where SSCs or CACs are inventoried and checked for soon-to-be expired certificates, where I'd receive a notification about them.

5.U: As an enterprise with many domains and websites, I want to monitor for certificates issued against my domains so that I can investigate and look for potential shadow IT to ensure compliance and increase efficiencies.
5.H: I could use a monitoring service to identify domains and ensure they're part of my policies (e.g. must be in a CMDB or I only want SSCs or CACs to be used).

Some additional thoughts:
- perhaps we could have "Expect-CT: 2" to designate a SSC vs current "1" for a CAC for user agents to handle differently
- perhaps we could have a CAA flag for no CA but DANE:
example.com. IN CAA 0 issue "; tlsa=1"

Thanks,
Ollie

v2.23.0 | Report a Bug | By Email