IETF Logo Mail Archive

Re: [TLS] Certificate validation can of worms

mrex@sap.com (Martin Rex) Mon, 07 April 2014 22:43 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AA551A028B for <tls@ietfa.amsl.com>; Mon, 7 Apr 2014 15:43:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.552
X-Spam-Level:
X-Spam-Status: No, score=-6.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GWLz3kFp0zAb for <tls@ietfa.amsl.com>; Mon, 7 Apr 2014 15:43:49 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 1F9741A080D for <tls@ietf.org>; Mon, 7 Apr 2014 15:43:42 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id s37MhT94005000 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 8 Apr 2014 00:43:29 +0200 (MEST)
In-Reply-To: <534320A2.5030208@comodo.com>
To: Rob Stradling <rob.stradling@comodo.com>
Date: Tue, 08 Apr 2014 00:43:29 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20140407224329.4A71F1ACAA@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/9UksDPK8ix-ufVxkwzkXdxAsjeA
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Certificate validation can of worms
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Apr 2014 22:43:54 -0000

Rob Stradling wrote:
> Martin Rex wrote:
>> 
>> There is *NO* such requirement (to look at EKU) anywhere in rfc5246
>> and rfc2818.  The EKU processing within the PKIX certificate path validation
>> applies only to path certificates, not to the leaf certificate (because the
>> certificate path validation is context-free, i.e. independent of the
>> actual usage of the certificate.
> 
> Martin, how about RFC6125?
> 
> "Representation and Verification of Domain-Based Application Service
>   Identity within Internet Public Key Infrastructure Using X.509 (PKIX)
>       Certificates in the Context of Transport Layer Security (TLS)
> ...
> 1.4.  Applicability
> 
>     This document does not supersede the rules for certificate issuance
>     or validation provided in [PKIX].  Therefore, [PKIX] is authoritative
>     on any point that might also be discussed in this document.
>     Furthermore, [PKIX] also governs any certificate-related topic on
>     which this document is silent, including but not limited to
>     certificate syntax, certificate extensions such as name constraints
>     and extended key usage, and handling of certification paths."

I do not see any specific requirements listed in the quoted paragraph
(not even a MAY).   PKIX deals with the black box called "certificate
path validation" (within which EKU-processing is defined), and with
requirements for "conforming CAs" which issue X.509v3 certs (of which
there seem to exist very few, if any, considering how much junk
X.509v3 certificates are floating around.

Could it be that GoDaddy is issuing Server certs that aren't valid ASN.1 DER ?

Their ASN.1 DER encoder doesn't seen to implement "BOOLEAN DEFAULT FALSE"
correctly:

BasicConstraints ::= SEQUENCE {
     cA                      BOOLEAN DEFAULT FALSE,
     pathLenConstraint       INTEGER (0..MAX) OPTIONAL }



> 
> <snip>
> > Did you notice that the id-kp-serverAuth that is defined in rfc5280
> > is strictly limited to HTTP-over-TLS anyway, so would not apply to
> > XMPP-over-TLS, SIP-over-TLS, SMTP-over-TLS and whathaveyou.
> 
> You mean the "-- TLS WWW server authentication" comment in section 
> 4.2.1.12?  Or something else?
> 
> Would you be happier if "WWW " wasn't in that comment?


This isn't about happiness.  If this OID has any meaning at all, then this
limitation "TLS WWW server authentication" will be an integral part of it.

An implementation of TLS will be looking here:
  http://tools.ietf.org/html/rfc2246#page-38
when checking KeyUsage of the Server Certificate, and *NOT* in PKIX.

And a TLS client that implements rfc2818 (HTTP-over-TLS) will look
exactly at rfc2818 for any checks that the client will do on the
Server certificate, and again *NOT* in PKIX.


> 
> >> Similarly, certificate policies and policy constrains extensions should
> >> be processed by the client and if the require explicit policy state
> >> variable get turned on and the path is not valid for some policy,
> >> it must be rejected.
> >
> > PolicyOIDs are completely meaningless for HTTP-over-TLS.
> > Is there *ANY* X-over-TLS specification that gives a meaning
> > to any policy OIDs?
> 
> Yes.  The CA/Browser Forum EV SSL Guidelines and Baseline Requirements.

Ah--yes, the fancy Gui/chrome thingy for EV/OV/DV certs.
programmatic clients don't look at CAB Forum baseline requirements
(except maybe when looking for excuses to give to unhappy customers).


-Martin

v2.23.0 | Report a Bug | By Email