[TLS] Enforcing keyUsage restrictions (was Re: Safe ECC usage)
Brian Smith <brian@briansmith.org> Sat, 12 October 2013 00:51 UTC
Date: Fri, 11 Oct 2013 17:51:19 -0700
Message-ID: <CAFewVt5SQC_1QTiN+C0m9prk1AOkXybUZS5vDwgNZSxKtAZ5dA@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: "<tls@ietf.org>" <tls@ietf.org>
On Thu, Oct 3, 2013 at 5:23 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> My code, in its default configuration, strictly enforces keyUsage. From this
> I've found that both applications and CAs can set these bits more or less at
> random, including completely illogical settings like keyAgreement for RSA
> keys. I've also found, through trial-and-error, that many applications
> completely ignore them and use the keys in whatever way they feel appropriate
> (the situation for PKCS #12 files in particular is so bad that after fighting
> it for a while I had to turn off checking of keyUsage entirely). So this isn't
> a case of copying an RSA template, it's broken software generating them and
> equally broken software ignoring them.

Software based on NSS's libssl has a pretty liberal interpretation of keyUsage, and this is something I'd like to correct in Firefox soon. In particular, I want to encourage CAs to offer ECDSA SSL certificates only with the digitalSignature bit set, and to provide the option to their customers to request RSA certificates with only the digitalSignature bit set. This should provide defense-in-depth from server misconfiguration for websites that want to switch exclusively to ephemeral key exchange.

If you have any more specific information you could share regarding your experience with attempting strict(er) KU enforcement, it would be great if you could share it. (Not just Peter, but everybody.)

Cheers,
Brian

--
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)
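As an added example (not code from this message, from NSS or from Peter's library), here is the strict keyUsage check a TLS client could apply: the negotiated key exchange is mapped to the RFC 5280 keyUsage bit it requires (digitalSignature for ephemeral (EC)DHE, keyEncipherment for static RSA key transport), so a certificate issued with only digitalSignature is rejected if a misconfigured server falls back to RSA key exchange. It also includes the consistency check that flags the illogical keyAgreement-on-RSA setting quoted above. The function and constant names, key-type labels and sample certificates are assumptions constructed for the example.

```python
# Added example: strict keyUsage enforcement for a TLS server certificate.
# key_usage is the first byte of the RFC 5280 KeyUsage BIT STRING
# (bit 0 = MSB), or None when the extension is absent. All names and
# sample inputs below are constructed for illustration.

KU_DIGITAL_SIGNATURE = 0x80  # RFC 5280 bit 0
KU_KEY_ENCIPHERMENT = 0x20   # RFC 5280 bit 2
KU_KEY_AGREEMENT = 0x08      # RFC 5280 bit 4

# key exchange -> (required keyUsage bit, key types that can perform it)
# DHE_DSS is omitted for brevity.
REQUIRED_KU = {
    "RSA": (KU_KEY_ENCIPHERMENT, {"RSA"}),         # static RSA key transport
    "ECDHE": (KU_DIGITAL_SIGNATURE, {"RSA", "EC"}),  # cert signs ServerKeyExchange
    "DHE": (KU_DIGITAL_SIGNATURE, {"RSA"}),
}


def certificate_allowed(key_type, key_usage, key_exchange):
    """Return (ok, reason) for using this certificate with key_exchange.

    An absent keyUsage extension means unrestricted (RFC 5280), so a strict
    client only enforces bits that the CA actually asserted."""
    if key_exchange not in REQUIRED_KU:
        return False, "unknown key exchange %s" % key_exchange
    required, key_types = REQUIRED_KU[key_exchange]
    if key_type not in key_types:
        return False, "%s key cannot do %s key exchange" % (key_type, key_exchange)
    if key_usage is None:
        return True, "no keyUsage extension; unrestricted"
    if key_usage & required:
        return True, "keyUsage permits %s" % key_exchange
    return False, "keyUsage lacks the bit required for %s" % key_exchange


def lint_key_usage(key_type, key_usage):
    """Flag keyUsage bits that make no sense for the key type, e.g. the
    keyAgreement-on-RSA case from the quoted message."""
    problems = []
    if key_usage is None:
        return problems
    if key_type == "RSA" and key_usage & KU_KEY_AGREEMENT:
        problems.append("keyAgreement set on RSA key")
    if key_type == "EC" and key_usage & KU_KEY_ENCIPHERMENT:
        problems.append("keyEncipherment set on EC key")
    return problems


if __name__ == "__main__":
    # Constructed sample: an RSA certificate issued with only digitalSignature.
    for kx in ("ECDHE", "RSA"):
        print(kx, certificate_allowed("RSA", KU_DIGITAL_SIGNATURE, kx))
```

With a digitalSignature-only certificate the ECDHE handshake passes and the static RSA one is refused, which is the defense-in-depth the message describes.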