Re: [TLS] [pkix] New version of Multiple OCSP mode of Certificate
Martin Rex <mrex@sap.com> Thu, 05 August 2010 01:02 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 17C423A66B4; Wed, 4 Aug 2010 18:02:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.737
X-Spam-Level:
X-Spam-Status: No, score=-9.737 tagged_above=-999 required=5 tests=[AWL=0.512, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8UYgwcZ9iZZc; Wed, 4 Aug 2010 18:02:53 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by core3.amsl.com (Postfix) with ESMTP id 7B3553A6407; Wed, 4 Aug 2010 18:02:52 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id o7513HqJ013464 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 5 Aug 2010 03:03:22 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201008050103.o7513F15000806@fs4113.wdf.sap.corp>
To: Nicolas.Williams@oracle.com
Date: Thu, 05 Aug 2010 03:03:15 +0200
In-Reply-To: <20100805001137.GE5213@oracle.com> from "Nicolas Williams" at Aug 4, 10 07:11:38 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal06
X-SAP: out
Cc: pkix@ietf.org, tmiller@mitre.org, tls@ietf.org
Subject: Re: [TLS] [pkix] New version of Multiple OCSP mode of Certificate
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Aug 2010 01:02:55 -0000
Nicolas Williams wrote: > > On Thu, Aug 05, 2010 at 01:07:22AM +0200, Martin Rex wrote: > > Yngve N. Pettersen wrote: > > > The kind of crafted URLs you are concerned about can also be injected by > > > way of OCSP and CRL URLs, and OCSP is AFAICT actually supported by more > > > clients than AIA CA. > > > > That is incorrect. The path validation algorithm checks cryptographic > > correctness and certificate (attribute) validity starting at a trust > > anchor first, and ONLY when that succeeds, CRLs and OCSP is checked. > > That's true of path _validation_. It's not necessarily true of path > _construction_ (see RFC4158). That is, if you start with an EE cert you > might have to go find the intermediate CA certs. I don't know rfc4158, but I don't see how a standardization level should marginalize a severe security problem. The TLS renegotation problem was not less severe by working-as-specified and being commonly implemented in the installed base. :-/ And I see a big difference in a user trying to manually and interatively construct a certification path and consciously deciding to include individual, not necessarily pre-trusted sources of information -- as long as it is not possible for an attacker to entice this construction to perform accesses to arbitrary resources without limits and entirely without critical consent and interaction of the entity doing the path construction. While the relative ordering of 6.1.3 a1, a2, a3 makes a lot of sense security-wise, I'm confused to see a4 as the last check instead of the first(!) one. Comparison of the issuer field should be a memcmp() on a ASN.1 DER encoded DName, and it looks odd to suggest doing a likely expensive public key operation before a trivial memcmp() without a rationale (I can not currently think of a rationale for this). http://tools.ietf.org/html/rfc5280#section-6.1.3 > > > So when doing path validation correctly, you never access untrusted > > CRL and OCSP resources. > > If you're building a path from the target to the anchor then you'll > probably want to prune paths as soon as possible by validating > intermediate CA certs as soon as possible. Validating in the form of pruning "expired" or otherwise clearly inappropriate certs based on "cheap" plausibility checks on certificate attributes? Maybe to a limited extent. Public key crypto operation with untrusted keying material or even worse, network access based on URIs from untrusted sources -- certainly not without explicit user/operator confirmation! For the case of TLS, however, it has always been a clear requirement for each communication peer to build and send one own's certificate in a complete and corretly ordered sequence, optionially omitting at most the self-signed root certificate at the end of that chain. So really, a server with a certificate from a fancy briged CA should definitely, similar to the "server name indication" get a TLS ClientHello extension defined and have the client provide hints about the trust anchors if the server is unable to send a certificate chain acceptable to the client's certificate path validation algorithm as-is without such information. -Martin
- [TLS] New version of Multiple OCSP mode of Certif… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] New version of Multiple OCSP mode of Ce… Adam Langley
- Re: [TLS] New version of Multiple OCSP mode of Ce… Yngve Nysaeter Pettersen
- Re: [TLS] New version of Multiple OCSP mode of Ce… Yngve N. Pettersen
- Re: [TLS] New version of Multiple OCSP mode of Ce… Adam Langley
- Re: [TLS] New version of Multiple OCSP mode of Ce… Brian Smith
- Re: [TLS] New version of Multiple OCSP mode of Ce… Brian Smith
- Re: [TLS] New version of Multiple OCSP mode of Ce… Yngve N. Pettersen
- Re: [TLS] New version of Multiple OCSP mode of Ce… Rob Stradling
- Re: [TLS] New version of Multiple OCSP mode of Ce… Rob Stradling
- Re: [TLS] New version of Multiple OCSP mode of Ce… Yngve Nysaeter Pettersen
- Re: [TLS] New version of Multiple OCSP mode of Ce… Peter Gutmann
- Re: [TLS] New version of Multiple OCSP mode of Ce… Yngve Nysaeter Pettersen
- Re: [TLS] New version of Multiple OCSP mode of Ce… Brian Smith
- Re: [TLS] New version of Multiple OCSP mode of Ce… Peter Gutmann
- Re: [TLS] New version of Multiple OCSP mode of Ce… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Rob Stradling
- Re: [TLS] New version of Multiple OCSP mode of Ce… Yngve Nysaeter Pettersen
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Yngve Nysaeter Pettersen
- Re: [TLS] New version of Multiple OCSP mode of Ce… Martin Rex
- Re: [TLS] New version of Multiple OCSP mode of Ce… Adam Langley
- Re: [TLS] New version of Multiple OCSP mode of Ce… Martin Rex
- Re: [TLS] New version of Multiple OCSP mode of Ce… Martin Rex
- Re: [TLS] New version of Multiple OCSP mode of Ce… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] New version of Multiple OCSP mode of Ce… Marsh Ray
- Re: [TLS] New version of Multiple OCSP mode of Ce… Martin Rex
- Re: [TLS] New version of Multiple OCSP mode of Ce… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Miller, Timothy J.
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Marsh Ray
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Miller, Timothy J.
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Miller, Timothy J.
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Rob Stradling
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Nicolas Williams
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Nicolas Williams
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Nicolas Williams
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Miller, Timothy J.
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Nicolas Williams
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Nicolas Williams
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Dr Stephen Henson
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Nicolas Williams
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Nicolas Williams
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Miller, Timothy J.
- Re: [TLS] [pkix] Accessing arbitrary AIA URLs Matt McCutchen