IETF Logo Mail Archive

Re: [TLS] Certificate validation can of worms

Santosh Chokhani <SChokhani@cygnacom.com> Mon, 07 April 2014 20:58 UTC

Return-Path: <SChokhani@cygnacom.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F14761A0237 for <tls@ietfa.amsl.com>; Mon, 7 Apr 2014 13:58:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wex3pKiEOSBj for <tls@ietfa.amsl.com>; Mon, 7 Apr 2014 13:58:06 -0700 (PDT)
Received: from ipedge1.cygnacom.com (ipedge1.cygnacom.com [216.191.252.12]) by ietfa.amsl.com (Postfix) with ESMTP id 5C9991A07BF for <tls@ietf.org>; Mon, 7 Apr 2014 13:57:58 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.97,813,1389762000"; d="scan'208";a="2552000"
Received: from unknown (HELO scygexch10.cygnacom.com) ([10.4.60.26]) by ipedge1.cygnacom.com with ESMTP; 07 Apr 2014 16:57:52 -0400
Received: from SCYGEXCH10.cygnacom.com ([::1]) by scygexch10.cygnacom.com ([::1]) with mapi id 14.02.0247.003; Mon, 7 Apr 2014 16:57:51 -0400
From: Santosh Chokhani <SChokhani@cygnacom.com>
To: "mrex@sap.com" <mrex@sap.com>, Watson Ladd <watsonbladd@gmail.com>
Thread-Topic: [TLS] Certificate validation can of worms
Thread-Index: AQHPUG9nRS10t5Ha0EyLKsoi0FgTh5sG4JsA///FM+A=
Date: Mon, 07 Apr 2014 20:57:51 +0000
Message-ID: <4262AC0DB9856847A2D00EF817E811391789E8@scygexch10.cygnacom.com>
References: <CACsn0ckFoqQ=hwp=Wxjjrt6LavLoKSUCyBCp=TvWvJ3DsuhUsw@mail.gmail.com> <20140407202318.97EA41ACAA@ld9781.wdf.sap.corp>
In-Reply-To: <20140407202318.97EA41ACAA@ld9781.wdf.sap.corp>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.60.24.117]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/M3aEo8HYihYK6YYK1iristAO-Xw
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Certificate validation can of worms
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Apr 2014 20:58:11 -0000

While I am still reading the cited paper , the EKU if present should be very relevant.  The client should reject the server certificate if server authentication or anhyExtendedKeyUsage is not present.  Similarly, certificate policies and policy constrains extensions should be processed by the client and if the require explicit policy state variable get turned on and the path is not valid for some policy, it must be rejected.  Finally, name constraint is very relevant.  The certificate must be rejected if any of the name forms in a certificate in the path violate name constraint state variable values at that point in the path.

-----Original Message-----
From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Martin Rex
Sent: Monday, April 07, 2014 4:23 PM
To: Watson Ladd
Cc: tls@ietf.org
Subject: Re: [TLS] Certificate validation can of worms

Watson Ladd wrote:
>
> https://www.cs.utexas.edu/~shmat/shmat_oak14.pdf contains tests of 
> many TLS implementations. Interestingly all tested implementations 
> contain errors, and all but OpenSSL erroneous accepts. Cryptlib was 
> not tested, because it doesn't validate certificates.

That paper seems to contain a few flawed assumptions on what characteristics is to be expected from implementations of
X.509 or PKIX, and on which specific checks a TLS client is supposed to do.

As much as some may dislike this, the extendedKeyUsage in an end entity certificate is completely irrelevant for TLS (rfc2246/rfc4346/rfc5246)
as well as HTTP-over-TLS (rfc2818).   I don't know whether there currently
exists _any_ X-over-TLS protocol specification that addresses EKU.

There seem to be very few protocols that specify requirements for the EKU value in the end entity cert (such as OCSP: rfc2560 & bis) and timestamps (rfc3161).

Similar for certificate policies and policy constraints.  They're completely irrelevant for any X-over-TLS, and it would be unwise to assume that they are not simply ignored.


Implementing name constraints (other than Distinguished Name) is a mere option.  The usage of a subjectAltName name constraint alone (i.e. without a Distinguished name name constraints to go with it) as depicted in Fig. 1 can be a security problem for CRL checking because any CRL signer whose certificate can be verified under the same trust anchor is specified to be an acceptable CRL signer.


-Martin

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email