Re: [TLS] [tls13-spec] relax certificate_list ordering requirements to match current practice (#169)
mrex@sap.com (Martin Rex) Tue, 12 May 2015 18:54 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4433F1AD366 for <tls@ietfa.amsl.com>; Tue, 12 May 2015 11:54:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.551
X-Spam-Level:
X-Spam-Status: No, score=-6.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oUBWc4jSv7JV for <tls@ietfa.amsl.com>; Tue, 12 May 2015 11:54:13 -0700 (PDT)
Received: from smtpde01.smtp.sap-ag.de (smtpde01.smtp.sap-ag.de [155.56.68.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E27C1A8887 for <tls@ietf.org>; Tue, 12 May 2015 11:54:13 -0700 (PDT)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde01.smtp.sap-ag.de (Postfix) with ESMTPS id D1DD82A8D5; Tue, 12 May 2015 20:54:10 +0200 (CEST)
X-purgate-ID: 152705::1431456850-00005316-5150F627/0/0
X-purgate-size: 4043
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 6FEE641369; Tue, 12 May 2015 20:54:10 +0200 (CEST)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 648121B2EB; Tue, 12 May 2015 20:54:10 +0200 (CEST)
In-Reply-To: <c2b5934953cfee668cd0335c234f0177.squirrel@webmail.dreamhost.com>
To: ryan-ietftls@sleevi.com
Date: Tue, 12 May 2015 20:54:10 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20150512185410.648121B2EB@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/T2dc1Rg79pRIXqwT1nKtgz3Ye4Y>
Cc: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
Subject: Re: [TLS] [tls13-spec] relax certificate_list ordering requirements to match current practice (#169)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 May 2015 18:54:16 -0000
Ryan Sleevi wrote: > On Tue, May 12, 2015 6:14 am, Martin Rex wrote: > > Huh? I never described anything like that "normative checking". > > "Up to 2013 our SSL implementation has been hard failing TLS handshakes > with TLS peers that are sending garbled or incomplete chains." > > This, in context, and combined with your follow-up qualifiers, suggested a > level of checking beyond RFC 5280. Actually, no, I never did suggest anything like that. I'm simply following standards in an obvious and straightforward fashion. The relevant snippets from PKIX rfc5280, section 6: >From Section 6.2 Using the Path Validation Algorithm: While each certification path begins with a specific trust anchor, there is no requirement that all certification paths validated by a particular system share a single trust anchor. The selection of one or more trusted CAs is a local decision. A system may provide any one of its trusted CAs as the trust anchor for a particular path. The inputs to the path validation algorithm may be different for each path. The inputs to the "Basic Path Validation" algorithm in rfc5280, section 6.1 are described with: https://tools.ietf.org/html/rfc5280#page-73 To meet this goal, the path validation process verifies, among other things, that a prospective certification path (a sequence of n certificates) satisfies the following conditions: (a) for all x in {1, ..., n-1}, the subject of certificate x is the issuer of certificate x+1; (b) certificate 1 is issued by the trust anchor; (c) certificate n is the certificate to be validated (i.e., the target certificate); and (d) for all x in {1, ..., n}, the certificate was valid at the time in question. A certificate MUST NOT appear more than once in a prospective certification path. When the trust anchor is provided in the form of a self-signed certificate, this self-signed certificate is not included as part of the prospective certification path. Information about trust anchors is provided as inputs to the certification path validation algorithm (Section 6.1.1). Since the TLS Certificate handshake message is *REQUIRED* to supply the certificate chain in order, it is only necessary to determine whether any issuer(!) on that list of ordered certificates is recognized as a locally available trust anchor, and then provide that trust anchor plus the certificates up to the one issued by the recognized trust anchor straight to the "Basic Path Validation" function. > >> rfc4158 is a pretty complex and dumb idea. AND, it is *NOT* a standard. >> It is explicitly ignored by PKIX (rfc5280). > > Only to the extent that RFC 5280 Section 6 deals specifically with the > validation of a given certification path, while leaving out of scope (but > acknowledged rather extensively throughout the documentation, especially > for extensions) the building/discovery of said paths. X.509 would require an omniscient trusted directory to perform certificate path discovery, and the Certificate Path Validation algorithm in rfc5280 section 6.1 clearly rules out AIA chasing as a permissible approach for certificate path discovery, because this approach would be clearly insecure and irresponsible. > > Indeed, Section 3.2 calls out some of the complexities and acknowledgement > that inherent in the PKI is the possibility of multiple certification > paths. Section 6.2 further acknowledges this. > > Merely I think it's a mistake and misleading to suggest that RFC 4158 is > an interesting side-note in the history of PKI, when in fact it describes > the behaviour of some of the largest (by end-user) clients out there > (Windows' CryptoAPI, Mozilla's NSS in various flavours, Java's > JCA/CertPath APIs). Sounds like plenty of security holes to exploit and many frantic patch days to come. -Martin
- Re: [TLS] [tls13-spec] relax certificate_list ord… Salz, Rich
- Re: [TLS] [tls13-spec] relax certificate_list ord… Ryan Sleevi
- Re: [TLS] [tls13-spec] relax certificate_list ord… Andrei Popov
- Re: [TLS] [tls13-spec] relax certificate_list ord… Salz, Rich
- Re: [TLS] [tls13-spec] relax certificate_list ord… Salz, Rich
- Re: [TLS] [tls13-spec] relax certificate_list ord… Ben Laurie
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Watson Ladd
- Re: [TLS] [tls13-spec] relax certificate_list ord… Nikos Mavrogiannopoulos
- Re: [TLS] [tls13-spec] relax certificate_list ord… Ryan Sleevi
- Re: [TLS] [tls13-spec] relax certificate_list ord… Ryan Sleevi
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Ryan Sleevi
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Yoav Nir
- Re: [TLS] [tls13-spec] relax certificate_list ord… Daniel Kahn Gillmor
- Re: [TLS] [tls13-spec] relax certificate_list ord… Santosh Chokhani
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Viktor Dukhovni
- Re: [TLS] [tls13-spec] relax certificate_list ord… Yoav Nir
- Re: [TLS] [tls13-spec] relax certificate_list ord… Dave Garrett
- Re: [TLS] [tls13-spec] relax certificate_list ord… Dave Garrett
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Ryan Sleevi
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex
- Re: [TLS] [tls13-spec] relax certificate_list ord… Ryan Sleevi
- Re: [TLS] [tls13-spec] relax certificate_list ord… Fabrice Gautier
- Re: [TLS] [tls13-spec] relax certificate_list ord… Brian Smith
- Re: [TLS] [tls13-spec] relax certificate_list ord… Yoav Nir
- Re: [TLS] [tls13-spec] relax certificate_list ord… Viktor Dukhovni
- Re: [TLS] [tls13-spec] relax certificate_list ord… Peter Gutmann
- Re: [TLS] [tls13-spec] relax certificate_list ord… Santosh Chokhani
- Re: [TLS] [tls13-spec] relax certificate_list ord… Martin Rex