IETF Logo Mail Archive

Re: [TLS] Certificate validation can of worms

Watson Ladd <watsonbladd@gmail.com> Tue, 08 April 2014 16:05 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CFBC1A049F for <tls@ietfa.amsl.com>; Tue, 8 Apr 2014 09:05:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q-wF-BDnNlLE for <tls@ietfa.amsl.com>; Tue, 8 Apr 2014 09:05:37 -0700 (PDT)
Received: from mail-yk0-x229.google.com (mail-yk0-x229.google.com [IPv6:2607:f8b0:4002:c07::229]) by ietfa.amsl.com (Postfix) with ESMTP id 5C33C1A03DF for <tls@ietf.org>; Tue, 8 Apr 2014 09:05:27 -0700 (PDT)
Received: by mail-yk0-f169.google.com with SMTP id 142so992369ykq.14 for <tls@ietf.org>; Tue, 08 Apr 2014 09:05:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=qDqFAGrzHaenkODzJCWxr6HonzxcRjRaexju+ocv8RE=; b=rOobCUOWoz1FSI2RPkLqU2wdPiuYHY9oNnGLiFJg8QVYUn6jo2N0Wcic9aGmBUfqgN 0r1rs7DBgZwLMAWe4XVLDTfaVKFAUBoKiHUYrRUEq1k0QHDUtsrEap1Rd2FT9Klg0Zp/ Y6KoEiWp3Bak+zOH26zoMRie8bomJiq0DuWtgkAjOaR9OBFhGcTeGlao0LdATEzd1RH/ 7OjMufmKATPDXlRmJsPShe+J/T/j3oVqdaVvt3W23v9vKe83OZBueHPOQBBewor/XDmD 1Y3P0rwtai87hcUHv1ujKktwnjN10+5kNLJOxJ8c9Oqu+++tY99GlTjmol/RIjHSJxOI SjFQ==
MIME-Version: 1.0
X-Received: by 10.236.139.70 with SMTP id b46mr6408771yhj.63.1396973127144; Tue, 08 Apr 2014 09:05:27 -0700 (PDT)
Received: by 10.170.63.197 with HTTP; Tue, 8 Apr 2014 09:05:26 -0700 (PDT)
In-Reply-To: <CAMm+Lwjqv0nib0JRXO87ZckjiDhzkhJM2JwmBs=5P3hQchkg1w@mail.gmail.com>
References: <534320A2.5030208@comodo.com> <20140407224329.4A71F1ACAA@ld9781.wdf.sap.corp> <CACsn0ckKEMTWMH=0+=Bbp8djnKtbawkcVeEujnonBB_8ND03_Q@mail.gmail.com> <1396944418.11019.10.camel@dhcp-2-127.brq.redhat.com> <CAMm+Lwjqv0nib0JRXO87ZckjiDhzkhJM2JwmBs=5P3hQchkg1w@mail.gmail.com>
Date: Tue, 08 Apr 2014 09:05:26 -0700
Message-ID: <CACsn0ck8OP+qThaVVVBF29FQ6krZUvC12B4ymHx61+qxMzAZNQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/A3X4-c_oKu49Dw-ZadKB14O1Rk8
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Certificate validation can of worms
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Apr 2014 16:05:46 -0000

On Tue, Apr 8, 2014 at 6:39 AM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
> On Tue, Apr 8, 2014 at 4:06 AM, Nikos Mavrogiannopoulos <nmav@redhat.com> wrote:
>> On Mon, 2014-04-07 at 18:20 -0700, Watson Ladd wrote:
>>
>>> > And a TLS client that implements rfc2818 (HTTP-over-TLS) will look
>>> > exactly at rfc2818 for any checks that the client will do on the
>>> > Server certificate, and again *NOT* in PKIX.
>>>
>>> This is really a problem with RFC2818. The whole idea of X509v3 is
>>> that you should be able to issue certificates that have meaning beyond
>>> assertions of identity, such as for use as code-signing. But because
>>> implementations don't respect the PKIX standard, we can't do that.
>>
>> I think PKIX is far from being described as standard. It looks more than
>> a set of rules that the implementer is expected to distill and select
>> the relevant ones, as most of the described rules are legacy baggage
>> (e.g. DN comparison rules that assume that the DN is copied by a
>> secretary that introduces case changes and alters spaces, rather than a
>> memcpy).
>>
>> PKIX's requirements are pretty strange to put it mildly. One example are
>> the key purposes that Martin described. Another is the name constraints
>> which is optional to implement for DNS or e-mails (that everyone uses),
>> and mandatory for DistinguishedNames (that no-one uses); then it becomes
>> an issue when people realize that no-one implements name constraints
>> (and the only certificates that I've seen that contained constraints,
>> had syntactical errors in them). There are much more issues in PKIX (and
>> Peter Gutmann is much better in providing a good overview). We certainly
>> need something better than rfc5280.
>
> Name constraints are in use today. They are supported in all the
> browsers with the possible exception of OSX (which I am told is fixed
> but I have not checked).
>
> The issue with Name Constraints is that the Industry has rejected the
> IETF specification which requires that a Name Constraint be marked
> 'break backwards compatibility' aka the 'critical bit'. This
> requirement is stupid and wrong and so the industry has decided to
> override RFC5280 on this point and the correct specification as far as
> the industry is concerned is that the setting of the critical bit is
> at the option of the issuing CA.
>
> If IETF produces rubbish specifications we will ignore them.
>
> The requirement to mark the certificate critical enabled the NSA
> attack on Microsoft in the Flame malware attack. Marking the bit
> critical makes it impossible to issue a certificate with that
> extension as about half a billion deployed devices don't support name
> constraints.

?? Flame was a MD5 collision. Nothing saves you from that one.

>
> The consensus model does not really work when a specification has been
> poisoned by an attacker who can block changes to correct the spec.
> Fortunately IETF specifications are not definitive, industry practice
> is. The industry consensus on this point is unanimous: name
> constraints need not be marked critical.

Which makes them useless: the point of name constraints is that I can
issue a name constrained certificate without issuing a global
intermediate CA certificate. If the extension is not marked critical,
then I've issued a global intermediate CA certificate for those who
don't check it, and so need to be just as strict as if it was an
intermediate CA certificate, so I might as well not bother with the
constraint.

>
>
> Industry consensus is also unanimous that RSA1024 is inadequate for
> any form of PKI infrastructure use including for ZSKs. So right now
> DNSSEC is not adequately deployed in the ICANN root or in .com in a
> form that can be considered fit for purpose. So the idea that the
> world is going to move to a DANE validity chain is rather peculiar.
>
> Fixing this situation requires a minor configuration change next time
> the keys are rolled. So don't take this as an argument against DNSSEC
> per se. I think it is just indicative of the reason why having ICANN
> in charge of global PKI is not exactly a sound proposition.

No, this one is IETF. The spec for ECDSA in DNSSEC is only from 2012.
As a result there wasn't an alternative when the root zone was being
signed. Furthermore, changing the root key is an interesting exercise.

Sincerely,
Watson Ladd
>
> --
> Website: http://hallambaker.com/



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email