IETF Logo Mail Archive

Re: [TLS] Certificate Transparency for Client certificate in MTLS handshake

Mohit Sahni <mohit06jan@gmail.com> Mon, 10 May 2021 13:43 UTC

Return-Path: <mohit06jan@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEA943A1D5F for <tls@ietfa.amsl.com>; Mon, 10 May 2021 06:43:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g1OzSLZVmzzU for <tls@ietfa.amsl.com>; Mon, 10 May 2021 06:43:49 -0700 (PDT)
Received: from mail-io1-xd2a.google.com (mail-io1-xd2a.google.com [IPv6:2607:f8b0:4864:20::d2a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26F733A1D5D for <tls@ietf.org>; Mon, 10 May 2021 06:43:48 -0700 (PDT)
Received: by mail-io1-xd2a.google.com with SMTP id z24so14803810ioi.3 for <tls@ietf.org>; Mon, 10 May 2021 06:43:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=jUIvktUHteyLKwg4b4QlEW53UiccTl3ho0YFhzr9NRs=; b=ZnNImm3gZGRjU5eOM4Y0EmCnlJDSe7DHFtzWeTeqiLjd1VQgbUB1K6gXJmuCLgy0sc tXicGq1jd3FSz9qbbkLkJerDwVHziv+S4blxZWVrFdxtw2hJOMr0KQz+Unt8rcyktrHI 8VsI1VN6hjdBG27z11nhO4O8ZU+z9xoWrxG0nK7g7X1OfIU6+CtDgitsEw5AOW/WMZAO f0uwZ7nu3rzktx3daHTxw2W84w9c5BYpOhlx3Ys09w3GbrjdeDX7+vO05QuAzZ0Mg6nm U0cy+KbqzDoFgMcUIDXXkT8pb53K7rSODI0sOb5YE7PJaKQFcEeiKDEp0ETW5SCP23L5 Np2w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=jUIvktUHteyLKwg4b4QlEW53UiccTl3ho0YFhzr9NRs=; b=aJPkJgI4tJofz98n/5UeNYN/1tRPB1zEZORsoURG8ETJM726Uq007b8vfAyT6UFMZA yqdGp8U2mqaiD53dQiqpi4glG02FaAYtUUqjNf2P11CtZmk50+wkB49jYSlErMCLkEnK dgDQ34zMWV9BSW1rDjiihY6qDN2ysujuFBdaXRT+4RTs7oisBODUI6l4HBq+trSr2VKC hZCRiWVRvUIGwQvEUZsseK3iUqiZNPdAwr1rz3qhrAa+f5yz48uILqFXujbgflZhq6yn M/z7YW4hhidgSCswGdxVAkseyjx5aenZnuchhwe+RVD7G0iBR45WaEcVGosAH61AQegw FHFA==
X-Gm-Message-State: AOAM5323Y0t2s+E/hyoCQn0bH5pK3qjDgIdCxwZJTit3iRAa/3wvcnGk Wvyb8BSC00sdSa6upesVbGeAfkCzUPNULXqk475TuGQPopI=
X-Google-Smtp-Source: ABdhPJx4oRqi1/LrfQe7YjOYn5Km6UR5BwSIlMapzEdHNyixH4aZtROBSXte+iqahMPd6bRzLCKiYeSC6xTHJJCPdaY=
X-Received: by 2002:a05:6638:3814:: with SMTP id i20mr19001455jav.85.1620654226948; Mon, 10 May 2021 06:43:46 -0700 (PDT)
MIME-Version: 1.0
References: <CAEpwuw2tBLn-7b1YBXf3YfS4WXM-JrKbfHsQPt=_H4FYKYdmVQ@mail.gmail.com> <CAErg=HHmM649hqqb2xrqnE2YM2Ks88dOT-FRkmGmMcyjL88Fxw@mail.gmail.com>
In-Reply-To: <CAErg=HHmM649hqqb2xrqnE2YM2Ks88dOT-FRkmGmMcyjL88Fxw@mail.gmail.com>
From: Mohit Sahni <mohit06jan@gmail.com>
Date: Mon, 10 May 2021 06:43:35 -0700
Message-ID: <CAEpwuw3mzdGt7UWJF7o4Z+ShgPJ4_0todsV56QENBZOv2hwJqQ@mail.gmail.com>
To: Ryan Sleevi <ryan-ietftls@sleevi.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Sef8pCa6Qg3pHYGkZurHunwx2hQ>
Subject: Re: [TLS] Certificate Transparency for Client certificate in MTLS handshake
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 May 2021 13:43:54 -0000

Hi Ryan,
Thanks for answering my question in a lot of detail. I asked this
question in the context of a private PKI for client certificates. You
can assume a scenario where the client certificates are issued to
users/devices in an organization from a self service portal by the
organization's existing private PKI for 1000s of users under different
domains (multiple CAs).

What I get from your answer is that using CT for client certificates
makes sense when:

1) There is an existing private PKI.
2) There are multiple CAs issuing the client certificates.
3) The PKI uses non Web PKI (non public) CT log servers and auditors.

I don't agree with your comment about following the same priority
preferences that exist for server certificates, the [2] and [3] makes
more sense when reversed or kept at an equal priority in the context
of client certificates. Here is my reasoning:
In the server PKI, it is practically easier to make changes in the web
servers to support [2]  (i.e. sending the SCT extension by pre
fetching the data from the CA) but it may not be that easier to
implement it on 100s of thousands of client devices. Imagine a large
cell phone manufacturer implementing [2] for all the devices that they
have sold in the last 10 years.

Thanks,
Mohit

Server certificate priority list:
[1] Ideally, embedded within the (client) certificate itself
[2] If not embedded, then included as part of the TLS handshake (which
TLS 1.3 makes it possible for clients to send such information, and
surely no one would be building new mTLS on TLS 1.2 given the issues
with client certs in 1.2)
[3] Optionally, embedded in the OCSP response, although virtually no
client mTLS implementation supports OCSP stapling correctly, which is
also a TLS 1.3 thing


On Sun, May 9, 2021 at 3:20 PM Ryan Sleevi <ryan-ietftls@sleevi.com> wrote:
>
>
>
> On Sun, May 9, 2021 at 1:14 PM Mohit Sahni <mohit06jan@gmail.com> wrote:
>>
>> Hello TLS WG,
>>
>> RFC6962 only talks about support of CT to verify the server
>> certificates, however while working on zero trust services that
>> require MTLS for each connection, I realized that enabling CT for
>> client certificates can make the TLS handshakes with Mutual TLS more
>> secure. (I don't want to go into details of how CT can make it more
>> secure as those benefits are already mentioned in RFC6962).
>
>
> Question: Are you assuming existing Certificate Transparency logs (i.e. for Web PKI), or are you standing up custom logs?
>
> I'm not aware of any client implementations that allow custom logs, so I think it's reasonable to take implicit that you're discussing Web PKI, in which case, using MTLS like this unquestionably is *less* secure and actively harmful to security, due to the significant fragility in mTLS (e.g. a lack of automation on the client side, a lack of robust verification on a server side). This is why, for example, there have been discussions about forbidding serverAuth certificates from the Web PKI being used for clientAuth, due to the associated harms.
>
> Assuming you are discussing a private PKI, then I would say the justifications of 6962 are things you can address early on with the PKI design (i.e. avoiding the multi-party PKI that the Web PKI has). So it should not be taken for granted that CT is the "right" solution.
>
> However, going further, and if we assume a private PKI, with a multi-stakeholder scenario that makes 6962 useful for your case (i.e. implying the PKI design is already problematic), then there's not a way for the server to indicate its expectations of the client's certificate being logged, and this is arguably a feature, not a bug, since "being logged" is a nonsensical phrase without understanding the server's set of logs. Indeed, the "right" way to do this is to follow the same priority preferences that exist for server certificates, namely:
>
> 1) Ideally, embedded within the (client) certificate itself
> 2) If not embedded, then included as part of the TLS handshake (which TLS 1.3 makes it possible for clients to send such information, and surely no one would be building new mTLS on TLS 1.2 given the issues with client certs in 1.2)
> 3) Optionally, embedded in the OCSP response, although virtually no client mTLS implementation supports OCSP stapling correctly, which is also a TLS 1.3 thing
>
> However, again, going back to first principles: If your goal is to repurpose existing PKIs, such as Web PKI, for client certificates, then that's fundamentally flawed on many levels, and has the risk of creating both operational issues for you and your clients, and in doing so, creating security issues for the broader ecosystem of users relying on the Web PKI for servers. If your goal is to establish a new PKI for such purposes, then there are plenty of approaches early on in the design that can avoid the set of considerations that directly lead to CT, and while there's still an indirect benefit, it may be that you find the simplicity of a secure, private PKI avoids the need entirely.

v2.23.0 | Report a Bug | By Email