Re: [TLS] Certificate validation can of worms
Phillip Hallam-Baker <hallam@gmail.com> Tue, 08 April 2014 13:39 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 029511A03DF for <tls@ietfa.amsl.com>; Tue, 8 Apr 2014 06:39:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.7
X-Spam-Level:
X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F8-aogOO6bih for <tls@ietfa.amsl.com>; Tue, 8 Apr 2014 06:39:13 -0700 (PDT)
Received: from mail-bk0-x232.google.com (mail-bk0-x232.google.com [IPv6:2a00:1450:4008:c01::232]) by ietfa.amsl.com (Postfix) with ESMTP id D461C1A03D9 for <tls@ietf.org>; Tue, 8 Apr 2014 06:39:12 -0700 (PDT)
Received: by mail-bk0-f50.google.com with SMTP id w10so265426bkz.9 for <tls@ietf.org>; Tue, 08 Apr 2014 06:39:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=bQ2hBQFHxXvFjOFB+mH+ryBVu5PLYEKXnUHrsVXWq8A=; b=DPru992tlMYhb1uNWb2mCgjOBOaeZpWl3uUth9W9PABo2YHj19PhK86oYtww/9Qrc0 oT775/vLhE+rPaBCgz6H1yuWFzcPxJ3KHdA+XFyu3AG0QFFg3ACo0TW2CYnDvgMHz7D0 xZfv2/s3xi5VUXzsDkdcA1CHVKIjiPVVRfaEwv0sN/w44FhTaBrFEHT5u4U+wfE0VzoP /Rq2upascSxzImyzlIP6fcuM/h57xEdqQYpJpb0kqiUIsgWKT1Zig6hUZBGI9srdSXWk oB7KEEKI4JA7RwKYhj9jUcErAOJnL4QibYfGWQrfxTU+N8y8uVx/K0BH6mqaEzWKn0kl U6pg==
MIME-Version: 1.0
X-Received: by 10.112.46.225 with SMTP id y1mr2819964lbm.12.1396964352064; Tue, 08 Apr 2014 06:39:12 -0700 (PDT)
Received: by 10.112.234.229 with HTTP; Tue, 8 Apr 2014 06:39:11 -0700 (PDT)
In-Reply-To: <1396944418.11019.10.camel@dhcp-2-127.brq.redhat.com>
References: <534320A2.5030208@comodo.com> <20140407224329.4A71F1ACAA@ld9781.wdf.sap.corp> <CACsn0ckKEMTWMH=0+=Bbp8djnKtbawkcVeEujnonBB_8ND03_Q@mail.gmail.com> <1396944418.11019.10.camel@dhcp-2-127.brq.redhat.com>
Date: Tue, 08 Apr 2014 09:39:11 -0400
Message-ID: <CAMm+Lwjqv0nib0JRXO87ZckjiDhzkhJM2JwmBs=5P3hQchkg1w@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
Content-Type: text/plain; charset="ISO-8859-1"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/X5AGP6fvMGoHDoGDlgYUjmsd8zk
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Certificate validation can of worms
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Apr 2014 13:39:18 -0000
On Tue, Apr 8, 2014 at 4:06 AM, Nikos Mavrogiannopoulos <nmav@redhat.com> wrote: > On Mon, 2014-04-07 at 18:20 -0700, Watson Ladd wrote: > >> > And a TLS client that implements rfc2818 (HTTP-over-TLS) will look >> > exactly at rfc2818 for any checks that the client will do on the >> > Server certificate, and again *NOT* in PKIX. >> >> This is really a problem with RFC2818. The whole idea of X509v3 is >> that you should be able to issue certificates that have meaning beyond >> assertions of identity, such as for use as code-signing. But because >> implementations don't respect the PKIX standard, we can't do that. > > I think PKIX is far from being described as standard. It looks more than > a set of rules that the implementer is expected to distill and select > the relevant ones, as most of the described rules are legacy baggage > (e.g. DN comparison rules that assume that the DN is copied by a > secretary that introduces case changes and alters spaces, rather than a > memcpy). > > PKIX's requirements are pretty strange to put it mildly. One example are > the key purposes that Martin described. Another is the name constraints > which is optional to implement for DNS or e-mails (that everyone uses), > and mandatory for DistinguishedNames (that no-one uses); then it becomes > an issue when people realize that no-one implements name constraints > (and the only certificates that I've seen that contained constraints, > had syntactical errors in them). There are much more issues in PKIX (and > Peter Gutmann is much better in providing a good overview). We certainly > need something better than rfc5280. Name constraints are in use today. They are supported in all the browsers with the possible exception of OSX (which I am told is fixed but I have not checked). The issue with Name Constraints is that the Industry has rejected the IETF specification which requires that a Name Constraint be marked 'break backwards compatibility' aka the 'critical bit'. This requirement is stupid and wrong and so the industry has decided to override RFC5280 on this point and the correct specification as far as the industry is concerned is that the setting of the critical bit is at the option of the issuing CA. If IETF produces rubbish specifications we will ignore them. The requirement to mark the certificate critical enabled the NSA attack on Microsoft in the Flame malware attack. Marking the bit critical makes it impossible to issue a certificate with that extension as about half a billion deployed devices don't support name constraints. The consensus model does not really work when a specification has been poisoned by an attacker who can block changes to correct the spec. Fortunately IETF specifications are not definitive, industry practice is. The industry consensus on this point is unanimous: name constraints need not be marked critical. Industry consensus is also unanimous that RSA1024 is inadequate for any form of PKI infrastructure use including for ZSKs. So right now DNSSEC is not adequately deployed in the ICANN root or in .com in a form that can be considered fit for purpose. So the idea that the world is going to move to a DANE validity chain is rather peculiar. Fixing this situation requires a minor configuration change next time the keys are rolled. So don't take this as an argument against DNSSEC per se. I think it is just indicative of the reason why having ICANN in charge of global PKI is not exactly a sound proposition. -- Website: http://hallambaker.com/
- [TLS] Certificate validation can of worms Watson Ladd
- Re: [TLS] Certificate validation can of worms Yan Zhu
- Re: [TLS] Certificate validation can of worms Peter Gutmann
- Re: [TLS] Certificate validation can of worms Nico Williams
- Re: [TLS] Certificate validation can of worms Watson Ladd
- Re: [TLS] Certificate validation can of worms Kurt Roeckx
- Re: [TLS] Certificate validation can of worms Nico Williams
- Re: [TLS] Certificate validation can of worms Nico Williams
- Re: [TLS] Certificate validation can of worms Kemp, David P.
- Re: [TLS] Certificate validation can of worms Martin Rex
- Re: [TLS] Certificate validation can of worms Martin Rex
- Re: [TLS] Certificate validation can of worms Santosh Chokhani
- Re: [TLS] Certificate validation can of worms Martin Rex
- Re: [TLS] Certificate validation can of worms Rob Stradling
- Re: [TLS] Certificate validation can of worms Martin Rex
- Re: [TLS] Certificate validation can of worms Watson Ladd
- Re: [TLS] Certificate validation can of worms Nikos Mavrogiannopoulos
- Re: [TLS] Certificate validation can of worms Phillip Hallam-Baker
- Re: [TLS] Certificate validation can of worms Watson Ladd
- Re: [TLS] Certificate validation can of worms Martin Rex
- Re: [TLS] Certificate validation can of worms Santosh Chokhani
- Re: [TLS] Certificate validation can of worms Nico Williams
- Re: [TLS] Certificate validation can of worms Martin Rex
- Re: [TLS] Certificate validation can of worms Martin Rex
- Re: [TLS] Certificate validation can of worms Phillip Hallam-Baker
- Re: [TLS] Certificate validation can of worms Santosh Chokhani
- Re: [TLS] Certificate validation can of worms Santosh Chokhani
- Re: [TLS] Certificate validation can of worms Santosh Chokhani