IETF Logo Mail Archive

Re: [TLS] [pkix] New version of Multiple OCSP mode of Certificate

Martin Rex <mrex@sap.com> Thu, 05 August 2010 13:54 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BD96B3A6B11; Thu, 5 Aug 2010 06:54:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.762
X-Spam-Level:
X-Spam-Status: No, score=-9.762 tagged_above=-999 required=5 tests=[AWL=0.487, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iBl1S-z7m0kq; Thu, 5 Aug 2010 06:54:18 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by core3.amsl.com (Postfix) with ESMTP id A6D1A3A6B2E; Thu, 5 Aug 2010 06:54:03 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id o75DsXOp012075 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 5 Aug 2010 15:54:33 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201008051354.o75DsVbk013839@fs4113.wdf.sap.corp>
To: tmiller@mitre.org
Date: Thu, 05 Aug 2010 15:54:31 +0200
In-Reply-To: <17FD76C1ECD0AB49817637E21809ABF908A316DF81@IMCMBX2.MITRE.ORG> from "Miller, Timothy J." at Aug 5, 10 08:39:33 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: pkix@ietf.org, tls@ietf.org
Subject: Re: [TLS] [pkix] New version of Multiple OCSP mode of Certificate
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Aug 2010 13:54:19 -0000

Miller, Timothy J. wrote:
> 
> You have yet to propose an alternative.  Absent an alternative,
> I'd support a security note to the effect that path construction
> modules should be careful to treat retrieved data as potentially
> unsafe until validated.

The TLS architecture requires a server to send the client a complete
certificate chain, omitting at most the self-signed root certificate,
and it permits clients to perform certificate path validation only
on the server-supplied chain.

There currently is a proposal for having the server provide 
OCSP responses for not just his own end entity cert, but also
for all intermediate CA certs so that the client does not
have to go chasing down certificate revocation information.

If you look at the certificate path validation algorithm as it
is described in rfc-5280, it is _NOT_ allowed to parallelize
the OCSP requests for a certificate chain during path validation
(in case you're using the AIA-information to locate the OCSP responder),
but instead, for security, you need to validate the certificate
individually and sequentially from the trust anchor down to the
end entity cert to determine wether a certificate is trusted,
before you use any information from such a peer-supplied cert
to perform public key crypto operations or access network resources
described in the unverified cert (AIA-OCSP or CRL-DPs).

n.    attributes check
      signature verification
      revocation check
n+1.  attributes check
      signature verification
      revocation check
n+2 ...


So in order to make the facility to have the server provide all
OCSP responses necessary for the revocation checking in the client's
certificate path validation work efficiently and reliably, the client
should hint the server about its trust anchors whenever the server
has multiple certificate chains to choose from for the server
Certificate handshake message.

There is also no problem when the network resouces that the
entity performing the certificate path validation queries,
are preconfigured or pre-trusted, instead of being arbitrary
creations of a potential attacker.  And a RootCA that contemplates
bridging with other PKIs should definitely set up a repository
for bridge CA certificate and could list that in its own trust
anchor certificate.  That would allow certificate and trust anchor
managment in a pull / update-on-demand style.


-Martin

v2.23.0 | Report a Bug | By Email