IETF Logo Mail Archive

Re: [TLS] Certificate validation can of worms

mrex@sap.com (Martin Rex) Mon, 07 April 2014 21:31 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9229A1A047A for <tls@ietfa.amsl.com>; Mon, 7 Apr 2014 14:31:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.552
X-Spam-Level:
X-Spam-Status: No, score=-6.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3uwg-TtngwEX for <tls@ietfa.amsl.com>; Mon, 7 Apr 2014 14:31:01 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 62D1B1A02D7 for <tls@ietf.org>; Mon, 7 Apr 2014 14:31:01 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id s37LUpAo023613 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 7 Apr 2014 23:30:51 +0200 (MEST)
In-Reply-To: <4262AC0DB9856847A2D00EF817E811391789E8@scygexch10.cygnacom.com>
To: Santosh Chokhani <SChokhani@cygnacom.com>
Date: Mon, 07 Apr 2014 23:30:51 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20140407213051.8B5E11ACAA@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/4aHCuJoVH5AL9m1GfJdNthrJ2VE
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Certificate validation can of worms
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Apr 2014 21:31:07 -0000

Santosh Chokhani wrote:
>
> While I am still reading the cited paper , the EKU if present should be
> very relevant.  The client should reject the server certificate if server
> authentication or anhyExtendedKeyUsage is not present.

There is *NO* such requirement (to look at EKU) anywhere in rfc5246
and rfc2818.  The EKU processing within the PKIX certificate path validation
applies only to path certificates, not to the leaf certificate (because the
certificate path validation is context-free, i.e. independent of the
actual usage of the certificate.

KeyUsage is different, processing KeyUsage is explicitly described in
rfc2246/rfc4346/rfc5246.

Did you notice that the id-kp-serverAuth that is defined in rfc5280
is strictly limited to HTTP-over-TLS anyway, so would not apply to
XMPP-over-TLS, SIP-over-TLS, SMTP-over-TLS and whathaveyou.



>
> Similarly, certificate policies and policy constrains extensions should
> be processed by the client and if the require explicit policy state
> variable get turned on and the path is not valid for some policy,
> it must be rejected.

PolicyOIDs are completely meaningless for HTTP-over-TLS.
Is there *ANY* X-over-TLS specification that gives a meaning 
to any policy OIDs?


>
> Finally, name constraint is very relevant.

name constraints will be missing from a PKIX minimum requirements RP.
And considering how broken the _definitions_ are, and how broken
some of the CA software is that is creating them, simply ignoring
name constraints seems like the only sane behaviour.


>
> The certificate must be rejected if any of the name forms in a
> certificate in the path violate name constraint state variable
> values at that point in the path.

name constraints are a HUGE mess.  PKIX does not really describe
their processing at all, and neither gives an indication that when
*ANY* name constraints are used that name constraints on distinguished
names will have to be used as well, otherwise creating security problems
for the permissible CRL signer logic.

When looking at how X.509 describes processing of name constraints in
the example section, you may realize that it talks about iteratively
trying to build certification pathes and checking whether name constraints
work from them.  Ooops.  building a certification path is declared out
of scope by rfc5280, so logically, this spills the baby with the bathtub
and makes name constraints in PKIX/rfc5280 optional in its entirety,
because something that needs a feature that has been explicitly declared
out of scope can never be a mandatory part of the spec.


-Martin

v2.23.0 | Report a Bug | By Email