IETF Logo Mail Archive

Re: [TLS] [pkix] New version of Multiple OCSP mode of Certificate

"Miller, Timothy J." <tmiller@mitre.org> Wed, 04 August 2010 20:33 UTC

Return-Path: <tmiller@mitre.org>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9877D3A6994; Wed, 4 Aug 2010 13:33:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R0RmCDhzTk1e; Wed, 4 Aug 2010 13:33:23 -0700 (PDT)
Received: from smtp-bedford.mitre.org (smtp-bedford.mitre.org [129.83.20.191]) by core3.amsl.com (Postfix) with ESMTP id A722C3A6959; Wed, 4 Aug 2010 13:33:23 -0700 (PDT)
Received: from smtp-bedford.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id o74KXrQW006209; Wed, 4 Aug 2010 16:33:53 -0400
Received: from imchub1.MITRE.ORG (imchub1.mitre.org [129.83.29.73]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id o74KXrvr006201; Wed, 4 Aug 2010 16:33:53 -0400
Received: from IMCMBX2.MITRE.ORG ([129.83.29.205]) by imchub1.MITRE.ORG ([129.83.29.73]) with mapi; Wed, 4 Aug 2010 16:33:52 -0400
From: "Miller, Timothy J." <tmiller@mitre.org>
To: "'mrex@sap.com'" <mrex@sap.com>
Date: Wed, 04 Aug 2010 16:33:51 -0400
Thread-Topic: [pkix] [TLS] New version of Multiple OCSP mode of Certificate
Thread-Index: Acs0D3XnMxiX12DvSiSOYhaMFZ42dgABLw5Q
Message-ID: <17FD76C1ECD0AB49817637E21809ABF908A316DF7F@IMCMBX2.MITRE.ORG>
References: <17FD76C1ECD0AB49817637E21809ABF908A316DF7D@IMCMBX2.MITRE.ORG> from "Miller, Timothy J." at Aug 4, 10 03:31:50 pm <16961_1280951931_4C59C67A_16961_3492_1_201008041958.o74JwjlN012045@fs4113.wdf.sap.corp>
In-Reply-To: <16961_1280951931_4C59C67A_16961_3492_1_201008041958.o74JwjlN012045@fs4113.wdf.sap.corp>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "pkix@ietf.org" <pkix@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] [pkix] New version of Multiple OCSP mode of Certificate
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Aug 2010 20:33:26 -0000

See my other message.  The problem here is TLS does not admit of PKIs with more complex pathing requirements or inter-relationships.

-- Tim


>-----Original Message-----
>From: Martin Rex [mailto:mrex@sap.com]
>Sent: Wednesday, August 04, 2010 2:59 PM
>To: Miller, Timothy J.
>Cc: mrex@sap.com; yngve@opera.com; pkix@ietf.org; tls@ietf.org
>Subject: Re: [pkix] [TLS] New version of Multiple OCSP mode of
>Certificate
>
>Miller, Timothy J. wrote:
>>
>> >As far as the AIA vulnerability is concerned, you're 0wnd as soon
>> >as your software connects to the crafted URL in the crafted server
>> >certificate.  It doesn't matter that whether you discard the reply
>> >and abort the original browser connection at that point.  If you're
>> >attacked, that URL is often not going to result in a certificate
>anyway.
>>
>> First, real browsers already allow mixed content frames with silent
>> renegotiation *and* late-binding of request authentication, and you're
>> worried about exploiting AIA retrieval?
>
>There is a significant difference between being vulnerable to a content
>from a site one has chosen to access through HTTPS and being vulnerable
>to an arbitrary active attacker on every connect.
>
>>
>> Second, having identified a problem behavior, what's the fix?
>> Path discovery is critically important in bridged PKIs, so if
>> chasing AIAs is a Bad Thing, what do we do instead?
>
>I don't know who invented the concept of automatic AIA retrieval, but
>my personal intuition points to the S/Mime camp.  S/Mime is notoriously
>broken as far as the inclusion of certificates is concerned (being a
>heritage from PKCS#7).
>
>SSL & TLS on the other hand have had the clear requirement to send only
>complete certification chains from the beginning.  So there this issue
>does not exist unless the server is misconfigured and the server PKI
>software is defective because it does not refuse to perform SSL
>handshakes
>with incomplete certificate chains, something that the SSL & TLS specs
>have never allowed and which is fairly trivial for the server software,
>the credential management part in particular, to verify and report
>to the admin upfront when setting up that server.
>
>>
>> >How about warning on first encounter and offer the User to download
>> >and memorize the intermediate cert -- or to NOT download?
>>
>> I fail to see how this improves the situation, since we already know
>> users are ill-equipped to make these decisions anyway.
>
>
>This is a clear TLS protocol violation, so if anything deserves
>a scary page to be presented to a user, this is such a situation.
>
>>
>> In addition, components without a UI do what?
>
>Fail unconditionally.  That is the only safe reaction, and since
>it is a clear TLS protocol violation, it is quite appropriate.
>
>
>>
>> >As previously described, the certificate path validation algorithm
>> >specified in rfc-5280 works from the trust anchor downwards to
>> >the End Entity cert, and will reliably protect you from accessing
>> >OCSP or CRL information from untrusted/unverified certificates.
>>
>> Only when the pool used by the PVM contains all the certificates
>> identified in the path.  When the pool is incomplete, or the protocol
>> provides no path (e.g., CMS allows SignedData to elide any and all
>> certificates if the relying party can be expected to have *or
>discover*
>> them), what does the PVM do?
>
>S/Mime and CMS are foobar.  An implementation of TLS should not try
>to work around design flaws of a non-TLS protocol in such an insecure
>and questionable fashion.
>
>The sitation for TLS is clear, the server needs to provide a full
>certificate chain and may omit only the self-signed root.
>
>There is more flexibility in the TLS protocol (although not explicitly
>written out) for verifying the client certificate.  The
>CertificateRequest     handshake message includes a list of
>certification authorities which
>the server indicates to trust (i.e. being able to verify certs issued
>by these CAs), so the client could build a certificate chain up to
>one of the certification authorities announced by the server.
>
>
>PKIs with bridge CAs are not natively supported by TLS for the server
>certificate.  Adding support would be possible through a ClientHello
>extension where the client announces the names of those bridge CAs.
>
>>
>> Failing is "safe" from a security standpoint, but I'd contend that
>> if you put that into a real system it would simply fail to meet any
>> practical definition of the term "functional."
>
>AIA is a pretty dangerous idea designed to work around design flaws
>of an installed base of PKCS#7/CMS/SMime.  Ignoring the security
>implications of such a hack is a bad idea, in particular for protocols
>that originally do not suffer from such a design flaw.  And doing it
>in a secretive fashion out of sight from the user of the technology
>is a particularly bad idea!
>
>
>-Martin

v2.23.0 | Report a Bug | By Email