IETF Logo Mail Archive

Re: [TLS] [pkix] New version of Multiple OCSP mode of Certificate

Nicolas Williams <Nicolas.Williams@oracle.com> Thu, 05 August 2010 01:55 UTC

Return-Path: <Nicolas.Williams@oracle.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 239953A6784; Wed, 4 Aug 2010 18:55:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.492
X-Spam-Level:
X-Spam-Status: No, score=-6.492 tagged_above=-999 required=5 tests=[AWL=0.106, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zTXEbYGEUnyC; Wed, 4 Aug 2010 18:55:53 -0700 (PDT)
Received: from rcsinet10.oracle.com (rcsinet10.oracle.com [148.87.113.121]) by core3.amsl.com (Postfix) with ESMTP id E4E8C3A68DE; Wed, 4 Aug 2010 18:55:52 -0700 (PDT)
Received: from acsinet15.oracle.com (acsinet15.oracle.com [141.146.126.227]) by rcsinet10.oracle.com (Switch-3.4.2/Switch-3.4.2) with ESMTP id o751uLdh030875 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 5 Aug 2010 01:56:22 GMT
Received: from acsmt353.oracle.com (acsmt353.oracle.com [141.146.40.153]) by acsinet15.oracle.com (Switch-3.4.2/Switch-3.4.1) with ESMTP id o74LfZPI022722; Thu, 5 Aug 2010 01:56:19 GMT
Received: from abhmt002.oracle.com by acsmt353.oracle.com with ESMTP id 467377271280973290; Wed, 04 Aug 2010 18:54:50 -0700
Received: from oracle.com (/129.153.128.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 04 Aug 2010 18:54:49 -0700
Date: Wed, 04 Aug 2010 20:54:44 -0500
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: Martin Rex <mrex@sap.com>
Message-ID: <20100805015444.GF5213@oracle.com>
References: <20100805001137.GE5213@oracle.com> <201008050103.o7513F15000806@fs4113.wdf.sap.corp>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <201008050103.o7513F15000806@fs4113.wdf.sap.corp>
User-Agent: Mutt/1.5.20 (2010-03-02)
X-Source-IP: acsmt353.oracle.com [141.146.40.153]
X-Auth-Type: Internal IP
X-CT-RefId: str=0001.0A090207.4C5A1A44.016A:SCFMA4539814,ss=1,fgs=0
Cc: pkix@ietf.org, tmiller@mitre.org, tls@ietf.org
Subject: Re: [TLS] [pkix] New version of Multiple OCSP mode of Certificate
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Aug 2010 01:55:54 -0000

On Thu, Aug 05, 2010 at 03:03:15AM +0200, Martin Rex wrote:
> Nicolas Williams wrote:
> > 
> > On Thu, Aug 05, 2010 at 01:07:22AM +0200, Martin Rex wrote:
> > > Yngve N. Pettersen wrote:
> > > > The kind of crafted URLs you are concerned about can also be injected by  
> > > > way of OCSP and CRL URLs, and OCSP is AFAICT actually supported by more  
> > > > clients than AIA CA.
> > > 
> > > That is incorrect.  The path validation algorithm checks cryptographic
> > > correctness and certificate (attribute) validity starting at a trust
> > > anchor first, and ONLY when that succeeds, CRLs and OCSP is checked.
> > 
> > That's true of path _validation_.  It's not necessarily true of path
> > _construction_ (see RFC4158).  That is, if you start with an EE cert you
> > might have to go find the intermediate CA certs.
> 
> I don't know rfc4158, but I don't see how a standardization level
> should marginalize a severe security problem.  The TLS renegotation
> problem was not less severe by working-as-specified and being
> commonly implemented in the installed base.  :-/

FYI, RFC4158 is Informational.  But surely you can see that it's easier
to build validation paths from the ee cert to a trust anchor than it is
to do it the opposite way.  If you don't want to use AIA then you need a
directory where you can find the intermediate CA certs.  But for a
sufficiently large/complex PKI that might require keeping a large
databse in sync across many orgs, that is, not trivial.

The point is that using AIA is simpler than not.  In traditional PKIs,
and with your peer sending you their cert chain, (see below) there
should be no need to use AIA.

What can be done to improve the AIA situation is to constraint AIA URLs
such that, for example, they cannot specify arbitrary port numbers, and
to very few URL schemes (HTTP and LDAP should suffice).  Yes, this means
you could cause a relying party to attempt an HTTP GET from or LDAP
search on random servers.  As you say, the best option is to have the
peer send you a cert chain that you can validate from the root to the EE
cert (that way you're never following untrusted URLs).  But will your
peers be able to do that if you have a complex PKI?

> And I see a big difference in a user trying to manually and
> interatively construct a certification path and consciously deciding
> to include individual, not necessarily pre-trusted sources of
> information -- as long as it is not possible for an attacker to entice
> this construction to perform accesses to arbitrary resources without
> limits and entirely without critical consent and interaction of the
> entity doing the path construction.

I would like to agree about interaction, but... what's the user to do
with a prompt about whether to follow a given AIA URL??  They're only
going to answer "yes".

One option might be to implement SCVP (RFC5055) -- SCVP servers can
cache path consturction results effectively enough to minimize the
impact of AIA attacks.

> > If you're building a path from the target to the anchor then you'll
> > probably want to prune paths as soon as possible by validating
> > intermediate CA certs as soon as possible.
> 
> Validating in the form of pruning "expired" or otherwise clearly
> inappropriate certs based on "cheap" plausibility checks on certificate
> attributes?  Maybe to a limited extent.  Public key crypto operation
> with untrusted keying material or even worse, network access based
> on URIs from untrusted sources -- certainly not without explicit
> user/operator confirmation!

The whole point is to establish trust by establishing a path to a
trust anchor.  Eventually you'll know if the EE cert and the
intermediate CA certs are valid, or that the EE cert is not valid, or
that no valid path can be constructed, or that some intermediate CA
cert is invalid (if you're constructing a path then you'll stop when you
find an invalid intermediate CA cert and run out of path construction
options).

> For the case of TLS, however, it has always been a clear requirement
> for each communication peer to build and send one own's certificate
> in a complete and corretly ordered sequence, optionially omitting
> at most the self-signed root certificate at the end of that chain.

If you have a non-traditional PKI then the path sent by the peer may
only be partially helpful.  (Though in that case you probably won't be
using AIA but instead searching a directory or configuration.)

> So really, a server with a certificate from a fancy briged CA should
> definitely, similar to the "server name indication" get a TLS
> ClientHello extension defined and have the client provide hints
> about the trust anchors if the server is unable to send a certificate
> chain acceptable to the client's certificate path validation
> algorithm as-is without such information.

Yes.

Nico
--

v2.23.0 | Report a Bug | By Email