Re: [TLS] Root certificates in server certificate chains
Marsh Ray <marsh@extendedsubset.com> Wed, 01 September 2010 03:57 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4053D3A69E7 for <tls@core3.amsl.com>; Tue, 31 Aug 2010 20:57:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.118
X-Spam-Level:
X-Spam-Status: No, score=-2.118 tagged_above=-999 required=5 tests=[AWL=0.481, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eNPvg2atxc6V for <tls@core3.amsl.com>; Tue, 31 Aug 2010 20:57:37 -0700 (PDT)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id 167793A694A for <tls@ietf.org>; Tue, 31 Aug 2010 20:57:37 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1OqeSd-000G24-Dp; Wed, 01 Sep 2010 03:58:07 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id E079160A4; Wed, 1 Sep 2010 03:58:05 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX19UTfDFbrZ1MxmzFH4LZHqh8qMuhCqonO0=
Message-ID: <4C7DCF4E.1040508@extendedsubset.com>
Date: Tue, 31 Aug 2010 22:58:06 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.11) Gecko/20100713 Thunderbird/3.0.6
MIME-Version: 1.0
To: ryan-ietftls@sleevi.com
References: <2eda4b7b6eb5c5a0a61b2caf2c7d97bf.squirrel@webmail.sleevi.com>
In-Reply-To: <2eda4b7b6eb5c5a0a61b2caf2c7d97bf.squirrel@webmail.sleevi.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] Root certificates in server certificate chains
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Sep 2010 03:57:38 -0000
On 08/31/2010 09:25 PM, Ryan Sleevi wrote: >> From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On Behalf Of > Marsh Ray >> >> To make it easier for users to "Permanently store this exception"? :-P > > What about the edge case of a server requesting a client certificate from > a trusted list of CAs, for which the client does not have the trusted root > in their list. I've tried to do that in some software and some client libraries really didn't want to cooperate. For this system we did everything we could, including opening paid support incidents with vendors, in order to avoid having to add our cert to the client's trusted roots because it represented an unnecessary expansion of scope and privilege for our little application-specific PKI scheme. > This would apply both to 'simple' authentication > (Root->Intermediate->EE) and to the more complex scenario of bridge CAs, > where the client may have Root A->Intermediate->EE, but the server has > Root B->Intermediate'->EE, where Intermediate' is the cross-certified > certificate. > > If the client feeds in the list supplied by the server into the list of > certificates to consider when building/evaluating a path to one of the > specified trusted CAs (as NSS does implicitly, AFAICT, and which OpenSSL, > Secure Transport, and SChannel all support), then the end-user should be > able to successfully build a path that contains one of the server > requested CAs. OK, so I'm an end user. I have a pop up dialog box with a yellow warning triangle. It has a bunch of words on it I don't understand. Or I thought I understood these words but they don't make any sense to me now. Words like: "credentials", "client", "server", "certificate", "authority", and "authentication". It is clear though that I am being presented with a choice of great consequence. Probably if I make the wrong choice my computer will get infected again and I'll have to endure being spoken to condescendingly by my 14 year old nephew who's the family computer whiz. So: "Do you wish to allow the use of your user certificate client authentication credentials for building a path that contains one of the certifying authorities requested by the server? Note: You will not be prompted again for this session unless make a clear cookie cache." * Click "OK" to spin the barrel and pull the trigger. * Click "Cancel" to definitely not succeed. Which one should I choose? Why? What does it mean when you suggest that I "successfully build a path that contains one of the server requested CAs"? Oh I get it now. You're saying I should insert my card into the reader the bank gave me and enter my PIN when I see the bank's logo... > Of course, such an implementation puts the onus on the clients to do this, > and there are alternatives that you could configure at the server (eg: by > specifying a request for Intermediate/Intermediate', rather than Root B), > but it seems valid/useful use case. > It can also act as a hint to the client of how much of the chain they need > to send. Consider if the client had EE->Intermediate->Root A->Root > A'->Root B, and the server indicated trust for Root A. If the client sent > EE->Intermediate->Root A->Root A' in their response, some servers that > have limited/partial implementation of the RFC 3280 path building > algorithms may have trouble building/validating the client certificate, as > they may only check the final certificate in the chain/final certificate's > issuer against their list of trust anchors, ignoring the fact that Root A > occurred earlier. This was the case with OpenSSL for a time, and with NSS > prior to libpkix integration, though I believe support for this scenario > has been improved in subsequent versions in the case of the former, and > certainly in the case of the latter. If you're saying that this scheme is too complicated for mere mortal application developers (like me) to implement securely more than half the time, I think I'm convinced. The scary thing is that if I read your description enough times I start to feel like I understand it. But probably I don't. This took how many years for OpenSSL and NSS to get right? Those guys are the full-time pros, what hope is there for the rest of us? So sorry for the hang-ups in this email, I'm certainly not trying to give anybody static about it. I think your technical explanation is probably just fine. But I just can't shake the feeling that there has got to be a better way out there somehow. Well, maybe not. Authentication and trust really are hard and deeply complicated problems. - Marsh
- [TLS] Root certificates in server certificate cha… 1.41421
- Re: [TLS] Root certificates in server certificate… Peter Sylvester
- Re: [TLS] Root certificates in server certificate… Matt McCutchen
- Re: [TLS] Root certificates in server certificate… Marsh Ray
- Re: [TLS] Root certificates in server certificate… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] Root certificates in server certificate… Matt McCutchen
- Re: [TLS] Root certificates in server certificate… Ryan Sleevi
- Re: [TLS] Root certificates in server certificate… Marsh Ray
- Re: [TLS] Root certificates in server certificate… Marsh Ray
- Re: [TLS] Root certificates in server certificate… Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] Root certificates in server certificate… Marsh Ray
- Re: [TLS] Root certificates in server certificate… Matt McCutchen
- Re: [TLS] Root certificates in server certificate… Matt McCutchen
- Re: [TLS] Root certificates in server certificate… Matt McCutchen
- Re: [TLS] Root certificates in server certificate… Marsh Ray
- Re: [TLS] Root certificates in server certificate… Martin Rex
- Re: [TLS] Root certificates in server certificate… Marsh Ray
- Re: [TLS] Root certificates in server certificate… Matt McCutchen
- Re: [TLS] Root certificates in server certificate… Peter Gutmann
- Re: [TLS] Root certificates in server certificate… Kyle Hamilton