IETF Logo Mail Archive

Re: [TLS] [Uta] OCSP in RFC7525bis

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 21 January 2022 14:52 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C8493A2258; Fri, 21 Jan 2022 06:52:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.306
X-Spam-Level:
X-Spam-Status: No, score=-1.306 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=rsEEqcOL; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=1PILutwN
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8wkJGRDz4WqQ; Fri, 21 Jan 2022 06:52:08 -0800 (PST)
Received: from che.mayfirst.org (unknown [162.247.75.117]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12E463A2247; Fri, 21 Jan 2022 06:52:06 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1642776724; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=mgl3GYh/zSLDD3wDMD1mfMjUdcWCaAZFDWkHEFmbqok=; b=rsEEqcOL9jAoLpcdTBtpRPadZiBEIJo4JVX7aH+2DhlMnT81YlOjKWXtWyPZ0WIBjVDrW 4XaUuA6SIyhd4RuCw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1642776724; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=mgl3GYh/zSLDD3wDMD1mfMjUdcWCaAZFDWkHEFmbqok=; b=1PILutwN0xRhliELHpnrd0VKSHBUSJI/aZkq/mgBrnM9TSB97uAqEz5FQC4wHxIu5NSAN Qe+eGMx9qE/4HMSWLEoc4hSS6x4OOj3285n9XlO5pTCr4wy7uFVXSjjRq6QSK0Ol+EdKfIb YyorZH3vRj73oyv1nnwV66Oy45unfco/IHo/ukt6veeANiTMnQqGFPboJgjJl9kL+KpIVkg JftZUc4WLLA2LeW1tL1Jwpjmev59px6lWXi4j31WIm2KHqsVW446ofaGyrIQNhjuKqY6D9/ maQHppUhi4mrYazo2rHRlhbdwEdMH+mkXJ9hG6YZ3M/zA9v11GFETFLF91CA==
Received: from fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 0EAA9F9AC; Fri, 21 Jan 2022 09:52:03 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 086ED2043A; Fri, 21 Jan 2022 09:48:50 -0500 (EST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
Cc: Yaron Sheffer <yaronf.ietf@gmail.com>, "uta@ietf.org" <uta@ietf.org>, "tls@ietf.org" <tls@ietf.org>
In-Reply-To: <CAErg=HEFO-0oWVd6VDF-thU2-XRua1AsY2z35XbskVXU2PaVOg@mail.gmail.com>
References: <8E44314F-58A4-8F46-951D-1DBD24B5361E@hxcore.ol> <87sfth934u.fsf@fifthhorseman.net> <CAErg=HEFO-0oWVd6VDF-thU2-XRua1AsY2z35XbskVXU2PaVOg@mail.gmail.com>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Fri, 21 Jan 2022 09:48:49 -0500
Message-ID: <87pmol87qm.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/SYy0k1M6o_s22M5ndB6XZvyOgDo>
Subject: Re: [TLS] [Uta] OCSP in RFC7525bis
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Jan 2022 14:52:20 -0000

Hi Ryan--

I share your skepticism, but i'm still trying to salvage something
useful -- for the purpose of defending against CA malfeasance -- from
the mechanisms we have available.

On Thu 2022-01-20 23:51:22 -0500, Ryan Sleevi wrote:
> There are good reasons that clients have not, and potentially will never,
> support Must-Staple, whether it be for the technical reasons that many
> servers are unfit to support it, or for policy reasons, such as wanting to
> be careful about the security policies of their products, and how much of
> that is outsourced to CAs.

If certificate validation is the process of confirming what a CA says,
then a CA that has said "this certificate should not be considered valid
unless you also have a reasonable proof of freshness" is pretty
unequivocal.  maybe the MUST should be "MUST NOT accept unless a
reasonable proof of freshness is available, for example a stapled OCSP
response"?

Of course a client is free to ignore what the CA says and accept the
certificate anyway.  But once you're ignoring what the CA actually wrote
and signed in the certificate, you're on your own.

https://datatracker.ietf.org/doc/html/rfc7633#section-4.2.3.1 only says
"SHOULD" here, but then it's a bit fuzzy about the exceptional cases for
the "SHOULD".  the first paragraph of exception is "if it has some other
proof of freshness", and the second paragraph is "if you'd fallback to
cleartext anyway" -- does the final caveat of "MUST NOT distinguish that
connection as secure" refer to both cases, or just the latter?

> The choice about whether to require stapling or not _is_ a policy
> decision relevant not only to server operators, but also relying
> parties, and can be easily abused by CAs if given that lever.

What kind of abuse are you anticipating here?  can you spell it out in
more detail?

> Given the concerning practices already seen with respect to
> revocation, which are detrimental to the security goals of both server
> operators and end users, a full-throated MUST seems a bit incompatible
> with the notion of allowing policy flexibility.

Do you think that a MUST validate the intended DNS name against the sAN
in the certificate is also incompatible with the noton of allowing
policy flexibility?

> For example, in a world where a client delivers revocation information
> out of band, as nearly every major web browser does today (as one
> example), "must staple" is of questionable benefit.

do major web browsers deliver revocation out of band for end entity
certificates?  My impression was that most CRLSets would only be updated
and pushed for known-compromised CA certs (intermediate or root) and
very widely-visited end entities.  I don't think a small end entity will
benefit from CRLSet distributions, but i'd love to be wrong.

> Without wanting to detract too much from the core question of the thread,
> how does this address the routing gap? The adversary at the routing layer
> just redirects the host being validated to control the key that way, and
> simply interrupts the nameserver during the CAA check. In the threat model
> you're concerned about (Web PKI), DNSSEC is soft-fail, particularly for CAA
> checks.

If DNSSEC is soft-fail for the CA verifying CAA checks, then i agree
this is insufficient.  The letsencrypt implementation is apparently at
least logging the info about DNSSEC signatures.

   https://github.com/letsencrypt/boulder/issues/2700

Do you think that DNSSEC should be soft-fail for CAA checks, or should
we urge the CAs to be more strict here?  Perhaps that would be another
recommendation.

> The assumption here for this model to hold is that the CAA information is
> infallibly guaranteed to be delivered to the CA (it is not), and that the
> CA will properly adhere to it for all threats that are concerning (they do
> not).

I agree that CAs are not guaranteed to follow the policy guidelines.
However, a server operator can choose a CA that it believes *will*
follow this guidance, and use a CAA record to indicate that all other
CAs would be misissuing if they grant a cert for the operator's name.
Then they can use CT to identify the misissuing CA, and use, uh,
political(?) channels to try to get that CA taken down for failing to
meet the BR.  That's where the CRLSet comes in, right?

This is a teetering chain of ugly dependencies.  I'm not very happy with
it.  But i don't see what the alternative is in the current landscape if
we want folks to be better protected against misissued certificates.

> Without those properties, this doesn't provide any value, and that
> rather significantly undermines the argument for the MUST for
> Must-Staple being made for clients/relying parties.

I don't see why it undermines the MUST for RP's supporting Must-Staple.

fwiw, this whole revocation system seems much closer to "so complex
there are no obvious problems" than "so simple that there are obviously
no problems" :(

   --dkg

v2.23.0 | Report a Bug | By Email