Re: [TLS] [pkix] New version of Multiple OCSP mode of Certificate
"Miller, Timothy J." <tmiller@mitre.org> Wed, 04 August 2010 20:33 UTC
Return-Path: <tmiller@mitre.org>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9877D3A6994; Wed, 4 Aug 2010 13:33:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R0RmCDhzTk1e; Wed, 4 Aug 2010 13:33:23 -0700 (PDT)
Received: from smtp-bedford.mitre.org (smtp-bedford.mitre.org [129.83.20.191]) by core3.amsl.com (Postfix) with ESMTP id A722C3A6959; Wed, 4 Aug 2010 13:33:23 -0700 (PDT)
Received: from smtp-bedford.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id o74KXrQW006209; Wed, 4 Aug 2010 16:33:53 -0400
Received: from imchub1.MITRE.ORG (imchub1.mitre.org [129.83.29.73]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id o74KXrvr006201; Wed, 4 Aug 2010 16:33:53 -0400
Received: from IMCMBX2.MITRE.ORG ([129.83.29.205]) by imchub1.MITRE.ORG ([129.83.29.73]) with mapi; Wed, 4 Aug 2010 16:33:52 -0400
From: "Miller, Timothy J." <tmiller@mitre.org>
To: "'mrex@sap.com'" <mrex@sap.com>
Date: Wed, 04 Aug 2010 16:33:51 -0400
Thread-Topic: [pkix] [TLS] New version of Multiple OCSP mode of Certificate
Thread-Index: Acs0D3XnMxiX12DvSiSOYhaMFZ42dgABLw5Q
Message-ID: <17FD76C1ECD0AB49817637E21809ABF908A316DF7F@IMCMBX2.MITRE.ORG>
References: <17FD76C1ECD0AB49817637E21809ABF908A316DF7D@IMCMBX2.MITRE.ORG> from "Miller, Timothy J." at Aug 4, 10 03:31:50 pm <16961_1280951931_4C59C67A_16961_3492_1_201008041958.o74JwjlN012045@fs4113.wdf.sap.corp>
In-Reply-To: <16961_1280951931_4C59C67A_16961_3492_1_201008041958.o74JwjlN012045@fs4113.wdf.sap.corp>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "pkix@ietf.org" <pkix@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] [pkix] New version of Multiple OCSP mode of Certificate
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Aug 2010 20:33:26 -0000
See my other message. The problem here is TLS does not admit of PKIs with more complex pathing requirements or inter-relationships. -- Tim >-----Original Message----- >From: Martin Rex [mailto:mrex@sap.com] >Sent: Wednesday, August 04, 2010 2:59 PM >To: Miller, Timothy J. >Cc: mrex@sap.com; yngve@opera.com; pkix@ietf.org; tls@ietf.org >Subject: Re: [pkix] [TLS] New version of Multiple OCSP mode of >Certificate > >Miller, Timothy J. wrote: >> >> >As far as the AIA vulnerability is concerned, you're 0wnd as soon >> >as your software connects to the crafted URL in the crafted server >> >certificate. It doesn't matter that whether you discard the reply >> >and abort the original browser connection at that point. If you're >> >attacked, that URL is often not going to result in a certificate >anyway. >> >> First, real browsers already allow mixed content frames with silent >> renegotiation *and* late-binding of request authentication, and you're >> worried about exploiting AIA retrieval? > >There is a significant difference between being vulnerable to a content >from a site one has chosen to access through HTTPS and being vulnerable >to an arbitrary active attacker on every connect. > >> >> Second, having identified a problem behavior, what's the fix? >> Path discovery is critically important in bridged PKIs, so if >> chasing AIAs is a Bad Thing, what do we do instead? > >I don't know who invented the concept of automatic AIA retrieval, but >my personal intuition points to the S/Mime camp. S/Mime is notoriously >broken as far as the inclusion of certificates is concerned (being a >heritage from PKCS#7). > >SSL & TLS on the other hand have had the clear requirement to send only >complete certification chains from the beginning. So there this issue >does not exist unless the server is misconfigured and the server PKI >software is defective because it does not refuse to perform SSL >handshakes >with incomplete certificate chains, something that the SSL & TLS specs >have never allowed and which is fairly trivial for the server software, >the credential management part in particular, to verify and report >to the admin upfront when setting up that server. > >> >> >How about warning on first encounter and offer the User to download >> >and memorize the intermediate cert -- or to NOT download? >> >> I fail to see how this improves the situation, since we already know >> users are ill-equipped to make these decisions anyway. > > >This is a clear TLS protocol violation, so if anything deserves >a scary page to be presented to a user, this is such a situation. > >> >> In addition, components without a UI do what? > >Fail unconditionally. That is the only safe reaction, and since >it is a clear TLS protocol violation, it is quite appropriate. > > >> >> >As previously described, the certificate path validation algorithm >> >specified in rfc-5280 works from the trust anchor downwards to >> >the End Entity cert, and will reliably protect you from accessing >> >OCSP or CRL information from untrusted/unverified certificates. >> >> Only when the pool used by the PVM contains all the certificates >> identified in the path. When the pool is incomplete, or the protocol >> provides no path (e.g., CMS allows SignedData to elide any and all >> certificates if the relying party can be expected to have *or >discover* >> them), what does the PVM do? > >S/Mime and CMS are foobar. An implementation of TLS should not try >to work around design flaws of a non-TLS protocol in such an insecure >and questionable fashion. > >The sitation for TLS is clear, the server needs to provide a full >certificate chain and may omit only the self-signed root. > >There is more flexibility in the TLS protocol (although not explicitly >written out) for verifying the client certificate. The >CertificateRequest handshake message includes a list of >certification authorities which >the server indicates to trust (i.e. being able to verify certs issued >by these CAs), so the client could build a certificate chain up to >one of the certification authorities announced by the server. > > >PKIs with bridge CAs are not natively supported by TLS for the server >certificate. Adding support would be possible through a ClientHello >extension where the client announces the names of those bridge CAs. > >> >> Failing is "safe" from a security standpoint, but I'd contend that >> if you put that into a real system it would simply fail to meet any >> practical definition of the term "functional." > >AIA is a pretty dangerous idea designed to work around design flaws >of an installed base of PKCS#7/CMS/SMime. Ignoring the security >implications of such a hack is a bad idea, in particular for protocols >that originally do not suffer from such a design flaw. And doing it >in a secretive fashion out of sight from the user of the technology >is a particularly bad idea! > > >-Martin
- [TLS] New version of Multiple OCSP mode of Certif… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] New version of Multiple OCSP mode of Ce… Adam Langley
- Re: [TLS] New version of Multiple OCSP mode of Ce… Yngve Nysaeter Pettersen
- Re: [TLS] New version of Multiple OCSP mode of Ce… Yngve N. Pettersen
- Re: [TLS] New version of Multiple OCSP mode of Ce… Adam Langley
- Re: [TLS] New version of Multiple OCSP mode of Ce… Brian Smith
- Re: [TLS] New version of Multiple OCSP mode of Ce… Brian Smith
- Re: [TLS] New version of Multiple OCSP mode of Ce… Yngve N. Pettersen
- Re: [TLS] New version of Multiple OCSP mode of Ce… Rob Stradling
- Re: [TLS] New version of Multiple OCSP mode of Ce… Rob Stradling
- Re: [TLS] New version of Multiple OCSP mode of Ce… Yngve Nysaeter Pettersen
- Re: [TLS] New version of Multiple OCSP mode of Ce… Peter Gutmann
- Re: [TLS] New version of Multiple OCSP mode of Ce… Yngve Nysaeter Pettersen
- Re: [TLS] New version of Multiple OCSP mode of Ce… Brian Smith
- Re: [TLS] New version of Multiple OCSP mode of Ce… Peter Gutmann
- Re: [TLS] New version of Multiple OCSP mode of Ce… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Rob Stradling
- Re: [TLS] New version of Multiple OCSP mode of Ce… Yngve Nysaeter Pettersen
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Yngve Nysaeter Pettersen
- Re: [TLS] New version of Multiple OCSP mode of Ce… Martin Rex
- Re: [TLS] New version of Multiple OCSP mode of Ce… Adam Langley
- Re: [TLS] New version of Multiple OCSP mode of Ce… Martin Rex
- Re: [TLS] New version of Multiple OCSP mode of Ce… Martin Rex
- Re: [TLS] New version of Multiple OCSP mode of Ce… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] New version of Multiple OCSP mode of Ce… Marsh Ray
- Re: [TLS] New version of Multiple OCSP mode of Ce… Martin Rex
- Re: [TLS] New version of Multiple OCSP mode of Ce… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Miller, Timothy J.
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Marsh Ray
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Miller, Timothy J.
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Miller, Timothy J.
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Rob Stradling
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Nicolas Williams
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Nicolas Williams
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Nicolas Williams
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Miller, Timothy J.
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Nicolas Williams
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Nicolas Williams
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Dr Stephen Henson
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Nicolas Williams
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Nicolas Williams
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Miller, Timothy J.
- Re: [TLS] [pkix] Accessing arbitrary AIA URLs Matt McCutchen