Re: [TLS] Certificate validation can of worms
Nico Williams <nico@cryptonector.com> Sat, 05 April 2014 21:01 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2C4F1A02D1 for <tls@ietfa.amsl.com>; Sat, 5 Apr 2014 14:01:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.666
X-Spam-Level:
X-Spam-Status: No, score=-1.666 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rxzDAfsiDF73 for <tls@ietfa.amsl.com>; Sat, 5 Apr 2014 14:01:08 -0700 (PDT)
Received: from homiemail-a63.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id DF3101A02D8 for <tls@ietf.org>; Sat, 5 Apr 2014 14:01:08 -0700 (PDT)
Received: from homiemail-a63.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a63.g.dreamhost.com (Postfix) with ESMTP id DCDBF2F4060; Sat, 5 Apr 2014 14:01:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=uO+wfWof7gvgEX oR0p1CFnH1Pho=; b=DWW+RgWx2QoBnoa3JVbzw8/yVNf0duAOvmnwX4n4Wpjd+1 +Xq03GB/ZNXdBVbTIqgKtZLc6/uzojUmhNy4KLPrqEZvJA+FBsD8xETI6e4GqSfV WI+hav7Xs1EpS/Szf8Vg4tCtFQyjHdcUBuo/aRH6or9AGlm07LkcZrH7+qVO8=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a63.g.dreamhost.com (Postfix) with ESMTPA id 9622F2F401C; Sat, 5 Apr 2014 14:01:03 -0700 (PDT)
Date: Sat, 05 Apr 2014 16:01:02 -0500
From: Nico Williams <nico@cryptonector.com>
To: Watson Ladd <watsonbladd@gmail.com>
Message-ID: <20140405210100.GD2727@localhost>
References: <CACsn0ckFoqQ=hwp=Wxjjrt6LavLoKSUCyBCp=TvWvJ3DsuhUsw@mail.gmail.com> <CAK3OfOgidRuVC5WFqDAjZsbq_GBs7Jm2cRkAeeQ=t6GL_NTSyg@mail.gmail.com> <CACsn0ckVvU09GB7tPtH0a4yPmvVCQebLmDcsgRJ6aeV7zRYGbQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CACsn0ckVvU09GB7tPtH0a4yPmvVCQebLmDcsgRJ6aeV7zRYGbQ@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/V4ySh8OZkaS_VNIettou4cE-ZzA
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Certificate validation can of worms
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Apr 2014 21:01:13 -0000
On Fri, Apr 04, 2014 at 10:15:39PM -0700, Watson Ladd wrote: > On Fri, Apr 4, 2014 at 9:17 PM, Nico Williams <nico@cryptonector.com> wrote: > > Let's take #2 first. Here's two entrants: > > > > - x.509 naming is impossibly difficult to deal with (see RFC4514); > > > > - stapled OCSP is how it should have been from day one -- CRLs add a ton of > > complexity > > You are ignoring the reason we have CRLs in the first place: stapled > OCSP assumes all devices are globally connected and so can get OCSP. This is the off-line infrastructure argument. If you have the same freshness policy for CRLs and [stapled] OCSP then you have the same on-line/off-line trade-off but with the on-line infrastructure access burden moved from the RP's shoulders to the presenter's. In terms of mechanics, stapled OCSP Response validation is simpler than CRL checking, and its operational characteristics are *much* better (just ask the DoD). > Furthermore, neither naming nor OCSP/CRLs were involved in this > research, although the complexity may have lead to corners being cut > in the rest of the code. What TLS/PKIX libraries have historically implemented naming constraints correctly, or at all? Naming constraint usage and enforcement are critical for PKI, so that a CA compromise in -say- the Netherlands doesn't affect anyone outside its purview. With DNS the naming constraints were always there, so DNSSEC gets them for free. OTOH, DNS is lousy for representing some types of names -- IP addresses, for example. But for the things we desperately need strong security for, namely server/service names, DNS is perfect. DNS is perfect for host/domain naming because it's what won for host/domain naming, so it's what we all use for host/domain naming. x.400/500-style naming was a horrible, useless mess from day one, and we're still stuck with x.500-style naming for TLS server certs, with kludgy conventions layered on top. The research you linked didn't deal with naming. That doesn't mean naming isn't a problem for PKI. You asked, I answered :) > > Back to #1: DNSSEC is a PKI, but with better naming and fewer root CAs. > > We're going to need CT for DNSSEC. > > Well, you're assuming that all implementations will agree on DNSSEC > validity. Even if they do, DANE connects to the X509 ecosystem. This I'm not sure what you mean by "agree on DNSSEC validity". If you mean "agree to place high value on DNSSEC", no, I'm not assuming that. Still, assuming that [we have any significant reliance on DNSSEC (and why wouldn't we for at least some things)] for Internet security, doesn't it stand to reason that, being a PKI, DNSSEC will need to address transparency? Even if we don't replace the TLS server PKI with DANE... generic PKI problems -as opposed to x.509/PKIX-specific ones- will surely apply to DNSSEC. > raises the problem of validating the parts between the TLS connection > and the link to DANE. Hmm? What are the problems here? DANE specifies this "link" in detail. And if DANE "certificate usage 3" cuts out the PKIX world almost completely. > >> 3: This focused on server authentication. How does client authentication > >> fare? > > > > Very differently. For user authentication I think something more like > > Persona (still PK, but not Internet-scale PKI) is better. We really need a > > standard account & device enrollment protocol to make user PK work well -- > > then we can land wherever on the PKI..web-of-trust..ad-hoc spectrum the > > market likes best. > > Enrollment and accounts are secondary to making sure everyone agrees > on what a valid certificate looks like. If you don't have that, you Certificate validation is a sine qua non for PKI, no doubt, at least for _servers_/_services_. For users it's different since you might just do TOFU enrollment and only match on public keys (or the public key of a user's private "root CA"). Therefore, and considering the extremely low penetration of PKI for user authentication in TLS, I think certificate validation is not really all that relevant to the user authentication side of things. Depending on how one chooses to use PK (not necessarily I) for user authentication, certificate validation can be a separable [non-]problem. One could publish user name/public key pairings in the DNS[SEC] and enroll user accounts in domains which then act as CAs/IdPs, in which case "certificate validation" becomes relevant again. But in any case, account/device enrollment is a big deal if you want to use PK for user authentication in a scalable and reusable way. > can't trust the results of authentication. This research analyzed Why do you assume that PKI is the only way to use PK? > server certificates only. It didn't have user certificates to play > with. Furthermore, if X509 implementors got this wrong, how do we get > it right? By simplifying. I'm not saying DNS is simple, but the ugly parts of it are not really relevant to the cryptographic security side of things, while the ugly parts of PKIX are (see above). In particular DNS naming is trivial, and so are name constraint expression and checking. Nico --
- [TLS] Certificate validation can of worms Watson Ladd
- Re: [TLS] Certificate validation can of worms Yan Zhu
- Re: [TLS] Certificate validation can of worms Peter Gutmann
- Re: [TLS] Certificate validation can of worms Nico Williams
- Re: [TLS] Certificate validation can of worms Watson Ladd
- Re: [TLS] Certificate validation can of worms Kurt Roeckx
- Re: [TLS] Certificate validation can of worms Nico Williams
- Re: [TLS] Certificate validation can of worms Nico Williams
- Re: [TLS] Certificate validation can of worms Kemp, David P.
- Re: [TLS] Certificate validation can of worms Martin Rex
- Re: [TLS] Certificate validation can of worms Martin Rex
- Re: [TLS] Certificate validation can of worms Santosh Chokhani
- Re: [TLS] Certificate validation can of worms Martin Rex
- Re: [TLS] Certificate validation can of worms Rob Stradling
- Re: [TLS] Certificate validation can of worms Martin Rex
- Re: [TLS] Certificate validation can of worms Watson Ladd
- Re: [TLS] Certificate validation can of worms Nikos Mavrogiannopoulos
- Re: [TLS] Certificate validation can of worms Phillip Hallam-Baker
- Re: [TLS] Certificate validation can of worms Watson Ladd
- Re: [TLS] Certificate validation can of worms Martin Rex
- Re: [TLS] Certificate validation can of worms Santosh Chokhani
- Re: [TLS] Certificate validation can of worms Nico Williams
- Re: [TLS] Certificate validation can of worms Martin Rex
- Re: [TLS] Certificate validation can of worms Martin Rex
- Re: [TLS] Certificate validation can of worms Phillip Hallam-Baker
- Re: [TLS] Certificate validation can of worms Santosh Chokhani
- Re: [TLS] Certificate validation can of worms Santosh Chokhani
- Re: [TLS] Certificate validation can of worms Santosh Chokhani