Re: [TLS] [tls13-spec] relax certificate_list ordering requirements to match current practice (#169)
mrex@sap.com (Martin Rex) Tue, 12 May 2015 22:30 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8660A1A90AA for <tls@ietfa.amsl.com>; Tue, 12 May 2015 15:30:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.751
X-Spam-Level:
X-Spam-Status: No, score=-4.751 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, J_CHICKENPOX_32=0.6, J_CHICKENPOX_34=0.6, J_CHICKENPOX_66=0.6, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VdlPrfB2mpdG for <tls@ietfa.amsl.com>; Tue, 12 May 2015 15:30:38 -0700 (PDT)
Received: from smtpde01.smtp.sap-ag.de (smtpde01.smtp.sap-ag.de [155.56.68.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 727D51AD356 for <tls@ietf.org>; Tue, 12 May 2015 15:30:36 -0700 (PDT)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde01.smtp.sap-ag.de (Postfix) with ESMTPS id CBF582AA0B; Wed, 13 May 2015 00:30:34 +0200 (CEST)
X-purgate-ID: 152705::1431469834-0000413A-03064581/0/0
X-purgate-size: 5144
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id B7A0E413F8; Wed, 13 May 2015 00:30:34 +0200 (CEST)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id ACC2C1B2EB; Wed, 13 May 2015 00:30:34 +0200 (CEST)
In-Reply-To: <D93C8958-BF9C-447D-916D-ED52D39056B7@gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Date: Wed, 13 May 2015 00:30:34 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20150512223034.ACC2C1B2EB@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/OEMrOewQPQ6kKb3qhff37XNVUo8>
Cc: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
Subject: Re: [TLS] [tls13-spec] relax certificate_list ordering requirements to match current practice (#169)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 May 2015 22:30:41 -0000
Yoav Nir wrote: > >> Martin Rex <mrex@sap.com> wrote: >> >> Yoav Nir wrote: >>> >>>> But a machine/automata/algorithm that will automatically download objects >>>> from URLs from still-untrusted data provided by the peer is definitely >>>> insecure and irresponsible. >>> >>> In that sense, how is AIA different from revocation checking? >>> Whether you use CRLs or OCSP, you?re following a URL in the >>> (still untrusted or at least possibly revoked) certificate >>> to retrieve an object. >> >> Possibly revoked? yes. >> >> Untrusted? *NO*. Look at the algorithm in rfc5280 again. > > In case a CA mis-issues a certificate, such as when giving someone > who is decidedly not Microsoft a certificate for www.microsoft.com, > what it should do is to revoke that certificate. Yes. So what? When you use the AIA OCSP or CRLDP information from a certificate during certificate path validation, you do this only after you have verified the CA signature on the certificate, which confirms that the CA placed this information in the certificate. Whether the entity who controls the private key is really the one who the CA thought he was or whom the Subject/SAN identifies, is not yet relevant. > > That's the only way to un-emit the certificate other than patch all > relying parties. So as long as you haven't checked revocation, > the certificate is not only potentially revoked (someone stole my > private key), it's also potentially mis-issued. Correct. but the issues that you listed do not make the OCSP responder location and CRLDP info within that certificate untrustworthy. In case that you wonder what happens if a CA is more throughly compromised, i.e. that someone manages not only to get certs mis-issued under a false identity, but also with arbitrary attributes in them -- well, this is something that the folks who invented X.509 claimed that it can not possibly happen, because they did not design their approach to distribute the CRL&OCSP distribution info to account for this (or they would have had to distribute this information through the CA certificate rather than through the end-entity certificate. If you have or suspect that kind of CA breach (e.g. DigiNotar), then your only course of action is to immediately and completely nuke the entire PKI (i.e. revoke the CA certificate, respond to all issuer&serial requests for that issuer to your OCSP responder with "revoked". > > I think the section you quote below says that. > You haven't done path validation until you've checked revocation > for every certificate. I believe the enumeration to be an _ordered_ list, because it uses numbers rather than bullets. I realize that there are folks who have issues with doing stuff properly "in order". Now there is one obvious defect in that list/order. item number (4) should really be number (1). This is not a security issue to do (4) last rather than first, but it is an obvious usability issue to anyone with experience in customer support. In the wild, you will often find cause that are non-malicious why an out-of-order certificate chain finds its way into the Basic Path Validation function. I assume that the weird TLS servers that Ryan is setting up send their bogus heaps of certs with non-malicious intent. If that happens for the below ordering of operations - you needlessly waste lots of CPU cycles in a asymmetric crypto operation that will predictably fail - you will typically get an error that says "digital signature verification failure", because a digital signature verification fails here. - this failure will typically preempt all further checking, and the fact that working_issuer_name differs from the issuer of the current cert may get totally lost. When doing customer support, it is vital to know that a certificate path validation failure happend because the peer sent junk instead of a well-formed certification path in the TLS Certificate handshake message, and that the digital signature verification failure is not a data corruption or attack. > >> https://tools.ietf.org/html/rfc5280#section-6.1.3 >> >> 6.1.3. Basic Certificate Processing >> >> >> The basic path processing actions to be performed for certificate i >> (for all i in [1..n]) are listed below. >> >> (a) Verify the basic certificate information. The certificate >> MUST satisfy each of the following: >> >> (1) The signature on the certificate can be verified using >> working_public_key_algorithm, the working_public_key, and >> the working_public_key_parameters. >> >> (2) The certificate validity period includes the current time. >> >> (3) At the current time, the certificate is not revoked. This >> may be determined by obtaining the appropriate CRL >> (Section 6.3), by status information, or by out-of-band >> mechanisms. >> >> (4) The certificate issuer name is the working_issuer_name. >> -Martin
- Re: [TLS] [tls13-spec] relax certificate_list ord… Salz, Rich
- Re: [TLS] [tls13-spec] relax certificate_list ord… Ryan Sleevi
- Re: [TLS] [tls13-spec] relax certificate_list ord… Andrei Popov
- Re: [TLS] [tls13-spec] relax certificate_list ord… Salz, Rich
- Re: [TLS] [tls13-spec] relax certificate_list ord… Salz, Rich
- Re: [TLS] [tls13-spec] relax certificate_list ord… Ben Laurie
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Watson Ladd
- Re: [TLS] [tls13-spec] relax certificate_list ord… Nikos Mavrogiannopoulos
- Re: [TLS] [tls13-spec] relax certificate_list ord… Ryan Sleevi
- Re: [TLS] [tls13-spec] relax certificate_list ord… Ryan Sleevi
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Ryan Sleevi
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Yoav Nir
- Re: [TLS] [tls13-spec] relax certificate_list ord… Daniel Kahn Gillmor
- Re: [TLS] [tls13-spec] relax certificate_list ord… Santosh Chokhani
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Viktor Dukhovni
- Re: [TLS] [tls13-spec] relax certificate_list ord… Yoav Nir
- Re: [TLS] [tls13-spec] relax certificate_list ord… Dave Garrett
- Re: [TLS] [tls13-spec] relax certificate_list ord… Dave Garrett
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Ryan Sleevi
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Ryan Sleevi
- Re: [TLS] [tls13-spec] relax certificate_list ord… Fabrice Gautier
- Re: [TLS] [tls13-spec] relax certificate_list ord… Brian Smith
- Re: [TLS] [tls13-spec] relax certificate_list ord… Yoav Nir
- Re: [TLS] [tls13-spec] relax certificate_list ord… Viktor Dukhovni
- Re: [TLS] [tls13-spec] relax certificate_list ord… Peter Gutmann
- Re: [TLS] [tls13-spec] relax certificate_list ord… Santosh Chokhani
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex