Re: [TLS] Ideas for TLS 1.3: Server key continuity and certificate reporting
"Ryan Sleevi" <ryan-ietftls@sleevi.com> Mon, 13 January 2014 19:06 UTC
Return-Path: <ryan-ietftls@sleevi.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4EF821ADF48 for <tls@ietfa.amsl.com>; Mon, 13 Jan 2014 11:06:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PA78KfKxlEfi for <tls@ietfa.amsl.com>; Mon, 13 Jan 2014 11:06:50 -0800 (PST)
Received: from homiemail-a107.g.dreamhost.com (caiajhbdcbbj.dreamhost.com [208.97.132.119]) by ietfa.amsl.com (Postfix) with ESMTP id 2DCD81ADF30 for <tls@ietf.org>; Mon, 13 Jan 2014 11:06:50 -0800 (PST)
Received: from homiemail-a107.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a107.g.dreamhost.com (Postfix) with ESMTP id 0DA782007F125; Mon, 13 Jan 2014 11:06:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sleevi.com; h=message-id :in-reply-to:references:date:subject:from:to:cc:reply-to :mime-version:content-type:content-transfer-encoding; s= sleevi.com; bh=AtUIaZnMLWHJMfnbIfUH7gsJikQ=; b=jhA9yPffo5UPcI8OU gN1f7x+jaavXcQhuqooRtcBA1iwKNaXUh/JjbypRiECMFi49+3jztn8ajoZbqy3t LEFEWKOHl2vQeZFqMS9KXADTpV7kx6ou/acE+dSxpVUtSxaIy0W9bd4O2JN9CbEo Uw/G54Upq6bDXuDr5ZwUpyBB7A=
Received: from webmail.dreamhost.com (caiajhbihbdd.dreamhost.com [208.97.187.133]) (Authenticated sender: ryan@sleevi.com) by homiemail-a107.g.dreamhost.com (Postfix) with ESMTPA id 3E0862007F11C; Mon, 13 Jan 2014 11:06:37 -0800 (PST)
Received: from 173.8.157.162 (proxying for 173.8.157.162) (SquirrelMail authenticated user ryan@sleevi.com) by webmail.dreamhost.com with HTTP; Mon, 13 Jan 2014 11:06:38 -0800
Message-ID: <38b58a333ac7c9fcce0669261c1f121c.squirrel@webmail.dreamhost.com>
In-Reply-To: <1389632514.16063.91.camel@lapkaie>
References: <1389371947.30279.56.camel@lapkaie> <52D07ED1.1020002@net.in.tum.de> <1389632514.16063.91.camel@lapkaie>
Date: Mon, 13 Jan 2014 11:06:38 -0800
From: Ryan Sleevi <ryan-ietftls@sleevi.com>
To: Kai Engert <kaie@kuix.de>
User-Agent: SquirrelMail/1.4.21
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: tls@ietf.org
Subject: Re: [TLS] Ideas for TLS 1.3: Server key continuity and certificate reporting
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: ryan-ietftls@sleevi.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jan 2014 19:06:52 -0000
On Mon, January 13, 2014 9:01 am, Kai Engert wrote: > On Sa, 2014-01-11 at 00:14 +0100, Ralph Holz wrote: > > I am not sure what "real" attacker you are adressing, > > During many informal chats, people have repeatedly told me, they have no > trust in certificate authorities (CAs). > > I accept the fact that (as of today) we need trusted third parties to > make Internet security for the masses of users simple. Nevertheless, I'm > worried, too. > > The speculation that some CAs might be willing to issue false > certificates for MITM purposes might be true. I would like us to > implement technology that allows to confirm or to negate the > speculation. > > There are three possibilities: > > Speculation (a) All CAs issueing certificates for the public Internet > are trustworthy. None of them would ever sign a false certificate. If it > happens, it was an accident, and such certificates get immediately > revoked, and all private keys are immediately destroyed, to ensure that > nobody could abuse the certificates with clients that don't do strict > revocation checking. > > Speculation (b) All CAs issueing certificates for the public Internet > might secretly issue false certificates for MITM purposes for one > motivation or the other, for example if they are being compelled by the > government or other powers related to their place of operation, or > because of blackmail or corruption or undercover agents within their > organization. > > Speculation (c) Neither (a) nor (b) is true. Rather most are > trustworthy, but some might secretly issue false certificates. > > > The certificate validation that is usually combined with TLS relies on > the assumption that (a) is true. > > If everyone of you agreed that (b) were true, we could drop my reporting > proposal, but we would also have to stop using TLS immediately, and > design a system that enforces multiple assertions from different parties > and technologies prior to trusting any TLS connection. > > > My proposal is based on my opinion that (c) is the most realistic > speculation. > > If we were able to identify all CAs that might issue false certificates, > we would be able to remove them from all software that ships with a list > of trusted CAs. > > My proposal to introduce a reporting mechanism for server certificates > is intended to identify all CAs that aren't trustworthy. > > (My second proposal to introduce key continuity checks was a quick > follow up idea, which could be dropped independently, if it turned out > as not working as described.) If (c) is your goal, what, if any, advantages are there over RFC 6962? All I can see are disadvantages. Incorporating into TLS 1.3: - Only provides herd immunity for clients that adopt TLS 1.3 CT protects all clients, past and present. - Effectively requires online checking capabilities for TLS servers (about legitimacy of reports), otherwise simply logging reports can become a DoS vector. CT allows offline processing, by either the server operator acting as a log monitor, or - better yet, by outsourcing the work itself to a log monitor. - Requires adoption by server operators (in the hundreds of millions) CT only requires the adoption of user agents (in the tens to hundreds) and CAs - which, depending on your preferred counting metric (hi Phil!), ranges from ~1000 or fewer. The problem 9c) is one that CT is uniquely designed to address, so I don't see the need for protocol changes to support an alternative reporting mechanism, unless there can be demonstrated significant advantage. And I don't think "saves CA's $X dollars" to be a significant advantage, when it would require server operators spend "$(X*Y) dollars" to implement TLS 1.3 to kinda gain protection but only with clients and only if it's not a state actor.
- [TLS] Ideas for TLS 1.3: Server key continuity an… Kai Engert
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Alyssa Rowan
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Kai Engert
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Kai Engert
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Paul Hoffman
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Kai Engert
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Trevor Perrin
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Daniel Kahn Gillmor
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Kai Engert
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Ralph Holz
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Paul Hoffman
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Watson Ladd
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Paul Hoffman
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Trevor Perrin
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Paul Hoffman
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Kai Engert
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Kai Engert
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Kai Engert
- Re: [TLS] Ideas for TLS 1.3: Server key continuit… Ryan Sleevi