IETF Logo Mail Archive

Re: [TLS] Revocation and authentication of raw public key (was: AD review of draft-ietf-tls-oob-pubkey)

Trevor Perrin <trevp@trevp.net> Fri, 26 April 2013 01:59 UTC

Return-Path: <trevp@trevp.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DC8A21F970F for <tls@ietfa.amsl.com>; Thu, 25 Apr 2013 18:59:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.976
X-Spam-Level:
X-Spam-Status: No, score=-2.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Erpq5ZAXlZkY for <tls@ietfa.amsl.com>; Thu, 25 Apr 2013 18:59:27 -0700 (PDT)
Received: from mail-lb0-f180.google.com (mail-lb0-f180.google.com [209.85.217.180]) by ietfa.amsl.com (Postfix) with ESMTP id B8A5321F96C5 for <tls@ietf.org>; Thu, 25 Apr 2013 18:59:26 -0700 (PDT)
Received: by mail-lb0-f180.google.com with SMTP id t11so3359709lbi.11 for <tls@ietf.org>; Thu, 25 Apr 2013 18:59:25 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=HaycBSPp0fTrzz1WG/9PJX4bl9gg/UhVzREEOz3ifl4=; b=VnOP2u0ouLCpGo+YrLNhwG46aWcVyz43jOYoxWdZPkqEX2leriz4LLmN7iQW2EipZk FkknuavkbySIg9lxfxZ+ws/PMg/YPVBRhgop4LFelbkpZX4y8LeZBhh0B+9Uz4j/MA4u sLt/SvTlya28Y1O5PqWknrdUue+rTzFXcRw0TgdIDuAgUC8f5VZqPWiaheUf6jMSX47D Z4iZS2XxNwGNsaSaSmR2V0F37rfixuAJVp7awIUugf30RbwrvoGiS5nrUeK15H6+K1AV wD2k2apjDupJKFXivV/qNtC396EbUn2l51JX9A7iH5oq0cQy7GZpw53ieMjm2gmvYxOM meNg==
MIME-Version: 1.0
X-Received: by 10.112.150.228 with SMTP id ul4mr8760911lbb.132.1366941565628; Thu, 25 Apr 2013 18:59:25 -0700 (PDT)
Received: by 10.114.62.47 with HTTP; Thu, 25 Apr 2013 18:59:25 -0700 (PDT)
X-Originating-IP: [66.215.127.122]
In-Reply-To: <46A1DF3F04371240B504290A071B4DB63D718516@szxeml558-mbx.china.huawei.com>
References: <516D5ADE.3050506@ieca.com> <46A1DF3F04371240B504290A071B4DB63D715C65@szxeml558-mbx.china.huawei.com> <2A0EFB9C05D0164E98F19BB0AF3708C7B311446B@USMBX1.msg.corp.akamai.com> <46A1DF3F04371240B504290A071B4DB63D716CC2@szxeml558-mbx.china.huawei.com> <alpine.LFD.2.10.1304230916340.509@bofh.nohats.ca> <46A1DF3F04371240B504290A071B4DB63D718516@szxeml558-mbx.china.huawei.com>
Date: Thu, 25 Apr 2013 18:59:25 -0700
Message-ID: <CAGZ8ZG3kd6Af74-vezxbp-QkdPn7vRqR2LC=iXyOvGGQUeTBiQ@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: Bert Greevenbosch <Bert.Greevenbosch@huawei.com>
Content-Type: multipart/alternative; boundary="047d7b342d2872c53d04db39e2cc"
X-Gm-Message-State: ALoCoQnhge2p692GXbGmSOfMdPcTWxZPfz1QUsR156TzEpzuiKHEx3PlnU4ZCDHAlapABTrX5h+J
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Revocation and authentication of raw public key (was: AD review of draft-ietf-tls-oob-pubkey)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Apr 2013 01:59:28 -0000

Hi Bert,

You may be interested in TACK [1].

TACK allows a client to verify a server's identity based on client
knowledge of a "TACK signing key" which signs the server's TLS key(s).
 These signatures are presented in the TLS handshake along with an
expiration time and revocation info for earlier signatures.

This enables the server operator to use a "more-secure" offline signing key
to revoke and replace the "more-exposed" TLS keys, akin to your OCSP-lite
proposal.

TACK was designed to be compact and simple to verify, and requires no X.509
certs, so it would work well with draft-ietf-tls-oob-pubkey.


Trevor


[1] http://datatracker.ietf.org/doc/draft-perrin-tls-tack/



On Thu, Apr 25, 2013 at 1:19 AM, Bert Greevenbosch <
Bert.Greevenbosch@huawei.com> wrote:

> Hi Paul,
>
> Thank you for your feedback.
>
> Indeed an OSCP-lite responder would be similar to a Trust Authority (TA)
> in that it is a third party that can confirm or invalidate a raw public key.
>
> My concern is, that when omitting the certificate and especially the TA,
> anyone can generate a raw public key. Now indeed there are multiple ways to
> tackle this problem though out-of-band mechanisms; an example in CoAP is
> given by a barcode scanner that is used to physically scan the public key.
> In that case the trust lies in the fact that the barcode is considered
> authentic.
>
> Nevertheless, when you do automatic exchange as defined in
> draft-ietf-tls-oob-pubkey, you need something that authenticates the key.
> This holds even more as a Certification Authority signature that
> authenticates the certificate is not available.
>
> <quote>
> For instance, using DNS(SEC) with raw keys there is only B and C. When
> B loses trust in their key, they simple remove it from DNS(SEC) to
> communicate this to A. The same applies to SSHFP records in DNS(SEC)
> or ActiveDirectory.
>
> ...
>
> Using TLS raw keys from DNSSEC, The RRSIG/TTL and DNS trust anchors can
> tune the behaviour of when TLS raw keys are valid or not. No OCSP variant
> is neccessary. The same is true for content based on ActiveDirectory/LDAP
> or Radius/Diameter where there is already a central control mechanism
> for relaying this information.
> </quote>
>
> I understand that you mean B loses its trust in its own key? Then yes, as
> a good citizen B could communicate this through these means. And if B is
> bad and it is found out, then the DNS(SEC) can remove B's key. If B never
> was to be trusted, the DNS(SEC) would not be able to provide its key. In
> all these cases the DNS(SEC) is the third party providing authentication
> and revocation.
>
> Also, in a client/server model, I am not sure if the client's raw public
> key can be verified with DNS(SEC). Does a client normally have a DNS entry,
> e.g. a name that can be looked up through DNS? In TLS, the client provides
> its complete certificate chain, which is for the server to verify. Part of
> this verification normally is revocation checking, e.g. through OCSP or CRL
> lists. Does that mean that when using DNS(SEC) as the out-of-band
> authentication mechanism of the raw public key, each client needs to be
> registered with the DNS(SEC)?
>
> <quote>
> OCSP was only needed before because there were three parties. While it
> is still possible an out of band method to validate TLS keys to require
> three parties, any revocation list mechanism should be part of the out
> of band method specification. I am not sure what out of band method this
> OCSP-lite case covers. If there is a specification of that out of band
> method, then that specification should perhaps include this OCSP-lite
> specification as part of it.
> </quote>
>
> Indeed that is the idea. The OCSP-lite is an out-of-band method for
> authentication of the raw public key in itself. The advantage of the
> OCSP-lite approach is that it does not need DNS(SEC) to establish secure
> communication. This may especially be useful for endpoints that do not have
> a domain name, and are directly identified by their IP address. Goal of
> OCSP-lite is to keep verification for the client as easy as possible, i.e.
> put most of the burden on the OCSP-lite responder.
>
> What do you think?
>
> Best regards,
> Bert
>
>
> -----Original Message-----
> From: Paul Wouters [mailto:paul@nohats.ca]
> Sent: 2013年4月23日 21:28
> To: Bert Greevenbosch
> Cc: Salz, Rich; Sean Turner; tls@ietf.org
> Subject: Re: [TLS] Revocation and authentication of raw public key (was:
> AD review of draft-ietf-tls-oob-pubkey)
>
> On Tue, 23 Apr 2013, Bert Greevenbosch wrote:
>
> > I think name-to-key association is half of the problem, whereas
> revocation is the second half. SSH seems to focus on the first half,
> whereas OCSP-lite focuses mainly on the second half.
>
> Revocation is only required in the indirect path. That is, supplier A
> signs something for consumer B, and enduser C needs to verify B. Now A
> needs a method to tell C about revocation of B.
>
> When you use raw public keys, the authentication happens out of band. If
> there are no three players, with two of them talking only indirectly,
> no OCSP-like mechanism is required.
>
> For instance, using DNS(SEC) with raw keys there is only B and C. When
> B loses trust in their key, they simple remove it from DNS(SEC) to
> communicate this to A. The same applies to SSHFP records in DNS(SEC)
> or ActiveDirectory.
>
> OCSP was only needed before because there were three parties. While it
> is still possible an out of band method to validate TLS keys to require
> three parties, any revocation list mechanism should be part of the out
> of band method specification. I am not sure what out of band method this
> OCSP-lite case covers. If there is a specification of that out of band
> method, then that specification should perhaps include this OCSP-lite
> specification as part of it.
>
> I don't see a value of specifying a generic revocation method. I see
> danger in such a specification if it _introduces_ a third player where
> there should not be one for a specific out of band authentication
> method.
>
> Using TLS raw keys from DNSSEC, The RRSIG/TTL and DNS trust anchors can
> tune the behaviour of when TLS raw keys are valid or not. No OCSP variant
> is neccessary. The same is true for content based on ActiveDirectory/LDAP
> or Radius/Diameter where there is already a central control mechanism
> for relaying this information.
>
> Paul
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email