IETF Logo Mail Archive

Re: [TLS] Certificate validation can of worms

Santosh Chokhani <SChokhani@cygnacom.com> Wed, 09 April 2014 15:01 UTC

Return-Path: <SChokhani@cygnacom.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BEF51A0383 for <tls@ietfa.amsl.com>; Wed, 9 Apr 2014 08:01:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.173
X-Spam-Level:
X-Spam-Status: No, score=-2.173 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wA41dSuLjrL4 for <tls@ietfa.amsl.com>; Wed, 9 Apr 2014 08:01:38 -0700 (PDT)
Received: from ipedge1.cygnacom.com (ipedge1.cygnacom.com [216.191.252.12]) by ietfa.amsl.com (Postfix) with ESMTP id DAF0C1A0390 for <tls@ietf.org>; Wed, 9 Apr 2014 08:01:37 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.97,826,1389762000"; d="scan'208";a="2572120"
Received: from unknown (HELO scygexch10.cygnacom.com) ([10.4.60.26]) by ipedge1.cygnacom.com with ESMTP; 09 Apr 2014 11:01:35 -0400
Received: from SCYGEXCH10.cygnacom.com ([::1]) by scygexch10.cygnacom.com ([::1]) with mapi id 14.02.0247.003; Wed, 9 Apr 2014 11:01:34 -0400
From: Santosh Chokhani <SChokhani@cygnacom.com>
To: "mrex@sap.com" <mrex@sap.com>
Thread-Topic: [TLS] Certificate validation can of worms
Thread-Index: Ac9UBI7wP8Z5efIqQg2ahHeBtf2x5A==
Date: Wed, 09 Apr 2014 15:01:33 +0000
Message-ID: <4262AC0DB9856847A2D00EF817E8113917947B@scygexch10.cygnacom.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.60.117.6]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/ZnkwGoh5C4Wji8mJMCor5ELVchY
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Certificate validation can of worms
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Apr 2014 15:01:42 -0000

Martin,

TLS probably is not a good forum to have this debate.  It seems like PKIX discussion.  We should drop it.  Here are my final comments on it.

On EKU, while the RFC may not say it, it seems to be a proper thing to do and the RFC for TLS should be revised.

On policies, as I mentioned, regardless of what the protocol or application does, there is a possibility of path not being valid.

On name constraints, Annex G is informative.  I also do not see why you need to mix path building and path validation  You can always have multiple paths even without name constraints and some of them will be valid and others will not be due to other reasons.

Inhibit policy mapping is a tool used to reject cross certificates.  The mechanism is useful when you only want to trust enterprise certificates.

-----Original Message-----
From: Martin Rex [mailto:mrex@sap.com] 
Sent: Tuesday, April 08, 2014 3:33 PM
To: Santosh Chokhani
Cc: mrex@sap.com; Watson Ladd; tls@ietf.org
Subject: Re: [TLS] Certificate validation can of worms

Santosh Chokhani wrote:
> 
> The EKU is generally only applies to the leaf certificate (per X.509 
> and RFC 5280) and is not involved in path processing.

EKU applies *ONLY* to higher layer protocols where the higher layer protocol specifies behaviour for a list of EKUs.  For TLS, such specification simply do not exist.

Potentially, there is something in the CABrowser Forum Baseline requirements.  But I'm not a Browser implementor, so I don't know and don't care.  I'm a maintainer of a TLS library and application level wrapper to TLS for programmatic use.


> 
> While TLS applications may or may not be able to set policies, the 
> interactions among policy related extensions and path validation state 
> machine can make the path invalid if the policy intersection is null 
> and the require explicit policy flag has been turned on.

Aside from what the CABForum & Browser folks may have defined to create fancy GUI chrome, I'm not currently aware of any X-over-TLS spec that gives meaning to policies.  So the easiest approach is to entirely ignore them -- during path validation as well as on the end entity certs.


> 
> Path building need not be tied to path validation.  That is your choice.
> Name constraints for the hierarchical name form types are not a mess 
> as you say.

To me, the idea behind X.509 11/2008 Appendix G.3.3 looks like a pretty big mess, and it requires an iterative approach of building a certification path, failing, building an alternative path and succeeding, and this is where the whole name constraints processing becomes out of scope of PKIX/rfc5280.


> 
> I see lot of misunderstandings and exaggerations about problems in 
> X.509 and RFC 5280 and folks with incorrect implementations having an axe to grind.

I see a huge amount of needless complexity


A while ago I had an inquiry from a governmental customer because our library rejected their "pretty" certificate chains on the TLS server cert.
They had a critical policy constraints extension in one of their path CA certs

  https://tools.ietf.org/html/rfc5280#section-4.2.1.11

with the field "inhibitPolicyMapping" present(!)

To me, this particular extension looks like a pretty stupid design flaw.

-Martin

v2.23.0 | Report a Bug | By Email