[TLS] Enforcing keyUsage restrictions (was Re: Safe ECC usage)

Brian Smith <brian@briansmith.org> Sat, 12 October 2013 00:51 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76F2C11E81B7 for <tls@ietfa.amsl.com>; Fri, 11 Oct 2013 17:51:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level:
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gf++UoO6Q8-Q for <tls@ietfa.amsl.com>; Fri, 11 Oct 2013 17:51:23 -0700 (PDT)
Received: from mail-qe0-f52.google.com (mail-qe0-f52.google.com [209.85.128.52]) by ietfa.amsl.com (Postfix) with ESMTP id 58DA911E81A8 for <tls@ietf.org>; Fri, 11 Oct 2013 17:51:20 -0700 (PDT)
Received: by mail-qe0-f52.google.com with SMTP id w7so3702003qeb.25 for <tls@ietf.org>; Fri, 11 Oct 2013 17:51:19 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to:cc :content-type; bh=RHEpcAjQWl6Mv9hH3UD76NO5GSnsZPJ2QLBvRWV/S+w=; b=inOzBZa2iPgPzPHMSypvSBma1lYXYRaWMUa5LOmktwBzQ+t30Mh3J1aDDG1V3LGUoJ nSYic1GmHopNNoJLPUFuETim9/T7yYhcCDqU7Hmlob1EqDjvWIUkraKCDPrABY2KnfHP Z9gTSolmZqO7G/vZWCzjdcWcEwIrY0OEfHN/XUz/X+GPAj3G9SzeV6720WjPknmcpvw1 qCbTanEqj8JIR1a0hy2ihYmBe8QATCrpKIqEh8oy0vibP+hV7o85M8gZseGbtI+XUNiz d4MAyGe13f8z/ERP/FwbtJX15jWrkae0uSBXs0JICeTe+TNBptxavZbdtfaTNBk1MP3c hdvQ==
X-Gm-Message-State: ALoCoQlDFXFpSInm0CFgjoM5D3XGKe7zh9hrGc3r8WBPsD9OTqtdmyjCKjuTymEgBobTfkLnYOUx
MIME-Version: 1.0
X-Received: by 10.224.40.138 with SMTP id k10mr7372115qae.67.1381539079822; Fri, 11 Oct 2013 17:51:19 -0700 (PDT)
Received: by 10.224.38.5 with HTTP; Fri, 11 Oct 2013 17:51:19 -0700 (PDT)
X-Originating-IP: [63.245.219.50]
Date: Fri, 11 Oct 2013 17:51:19 -0700
Message-ID: <CAFewVt5SQC_1QTiN+C0m9prk1AOkXybUZS5vDwgNZSxKtAZ5dA@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Content-Type: text/plain; charset=UTF-8
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: [TLS] Enforcing keyUsage restrictions (was Re: Safe ECC usage)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Oct 2013 00:51:32 -0000

On Thu, Oct 3, 2013 at 5:23 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> My code, in its default configuration, strictly enforces keyUsage.  From this
> I've found that both applications and CAs can set these bits more or less at
> random, including completely illogical settings like keyAgreement for RSA
> keys.  I've also found, through trial-and-error, that many applications
> completely ignore them and use the keys in whatever way they feel appropriate
> (the situation for PKCS #12 files in particular is so bad that after fighting
> it for awhile I had to turn off checking of keyUsage entirely).  So this isn't
> a case of copying an RSA template, it's broken software generating them and
> equally broken software ignoring them.

Software based on NSS's libssl has a pretty liberal interpretation of
keyUsage, and this is something I'd like to correct in Firefox soon.
In particular, I want to encourage CAs to offer ECDSA SSL certificates
only with the digitalSignature bit set, and to provide the option to
their customers to request RSA certificates with only the
digitalSignature bit set. This should provide defense-in-depth from
server misconfiguration for websites that want to switch exclusively
to ephemeral key exchange.

If you have any more specific information you could share regarding
your experience with attempting strict(er) KU enforcement, it would be
great if you could share it. (Not just Peter, but everybdoy.)

Cheers,
Brian
-- 
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)