IETF Logo Mail Archive

Re: [TLS] Root certificates in server certificate chains

Marsh Ray <marsh@extendedsubset.com> Wed, 01 September 2010 03:57 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4053D3A69E7 for <tls@core3.amsl.com>; Tue, 31 Aug 2010 20:57:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.118
X-Spam-Level:
X-Spam-Status: No, score=-2.118 tagged_above=-999 required=5 tests=[AWL=0.481, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eNPvg2atxc6V for <tls@core3.amsl.com>; Tue, 31 Aug 2010 20:57:37 -0700 (PDT)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id 167793A694A for <tls@ietf.org>; Tue, 31 Aug 2010 20:57:37 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1OqeSd-000G24-Dp; Wed, 01 Sep 2010 03:58:07 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id E079160A4; Wed, 1 Sep 2010 03:58:05 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX19UTfDFbrZ1MxmzFH4LZHqh8qMuhCqonO0=
Message-ID: <4C7DCF4E.1040508@extendedsubset.com>
Date: Tue, 31 Aug 2010 22:58:06 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.11) Gecko/20100713 Thunderbird/3.0.6
MIME-Version: 1.0
To: ryan-ietftls@sleevi.com
References: <2eda4b7b6eb5c5a0a61b2caf2c7d97bf.squirrel@webmail.sleevi.com>
In-Reply-To: <2eda4b7b6eb5c5a0a61b2caf2c7d97bf.squirrel@webmail.sleevi.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] Root certificates in server certificate chains
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Sep 2010 03:57:38 -0000

On 08/31/2010 09:25 PM, Ryan Sleevi wrote:
>> From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On Behalf Of
> Marsh Ray
>>
>> To make it easier for users to "Permanently store this exception"?  :-P
>
> What about the edge case of a server requesting a client certificate from
> a trusted list of CAs, for which the client does not have the trusted root
> in their list.

I've tried to do that in some software and some client libraries really 
didn't want to cooperate. For this system we did everything we could, 
including opening paid support incidents with vendors, in order to avoid 
having to add our cert to the client's trusted roots because it 
represented an unnecessary expansion of scope and privilege for our 
little application-specific PKI scheme.

> This would apply both to 'simple' authentication
> (Root->Intermediate->EE) and to the more complex scenario of bridge CAs,
> where the client may have Root A->Intermediate->EE, but the server has
> Root B->Intermediate'->EE, where Intermediate' is the cross-certified
> certificate.
>
> If the client feeds in the list supplied by the server into the list of
> certificates to consider when building/evaluating a path to one of the
> specified trusted CAs (as NSS does implicitly, AFAICT, and which OpenSSL,
> Secure Transport, and SChannel all support), then the end-user should be
> able to successfully build a path that contains one of the server
> requested CAs.

OK, so I'm an end user. I have a pop up dialog box with a yellow warning 
triangle. It has a bunch of words on it I don't understand. Or I thought 
I understood these words but they don't make any sense to me now. Words 
like: "credentials", "client", "server", "certificate", "authority", and 
"authentication".

It is clear though that I am being presented with a choice of great 
consequence. Probably if I make the wrong choice my computer will get 
infected again and I'll have to endure being spoken to condescendingly 
by my 14 year old nephew who's the family computer whiz. So:

"Do you wish to allow the use of your user certificate client 
authentication credentials for building a path that contains one of the 
certifying authorities requested by the server? Note: You will not be 
prompted again for this session unless make a clear cookie cache."
   * Click "OK" to spin the barrel and pull the trigger.
   * Click "Cancel" to definitely not succeed.

Which one should I choose? Why?

What does it mean when you suggest that I "successfully build a path 
that contains one of the server requested CAs"?

Oh I get it now. You're saying I should insert my card into the reader 
the bank gave me and enter my PIN when I see the bank's logo...

> Of course, such an implementation puts the onus on the clients to do this,
> and there are alternatives that you could configure at the server (eg: by
> specifying a request for Intermediate/Intermediate', rather than Root B),
> but it seems valid/useful use case.
> It can also act as a hint to the client of how much of the chain they need
> to send. Consider if the client had EE->Intermediate->Root A->Root
> A'->Root B, and the server indicated trust for Root A. If the client sent
> EE->Intermediate->Root A->Root A' in their response, some servers that
> have limited/partial implementation of the RFC 3280 path building
> algorithms may have trouble building/validating the client certificate, as
> they may only check the final certificate in the chain/final certificate's
> issuer against their list of trust anchors, ignoring the fact that Root A
> occurred earlier. This was the case with OpenSSL for a time, and with NSS
> prior to libpkix integration, though I believe support for this scenario
> has been improved in subsequent versions in the case of the former, and
> certainly in the case of the latter.

If you're saying that this scheme is too complicated for mere mortal 
application developers (like me) to implement securely more than half 
the time, I think I'm convinced. The scary thing is that if I read your 
description enough times I start to feel like I understand it. But 
probably I don't.

This took how many years for OpenSSL and NSS to get right? Those guys 
are the full-time pros, what hope is there for the rest of us?

So sorry for the hang-ups in this email, I'm certainly not trying to 
give anybody static about it. I think your technical explanation is 
probably just fine.

But I just can't shake the feeling that there has got to be a better way 
out there somehow. Well, maybe not. Authentication and trust really are 
hard and deeply complicated problems.

- Marsh

v2.23.0 | Report a Bug | By Email