Re: [TLS] Verifying X.509 Certificate Chains out of order

Martin Rex <Martin.Rex@sap.com> Tue, 07 October 2008 10:49 UTC

Return-Path: <tls-bounces@ietf.org>
X-Original-To: tls-archive@ietf.org
Delivered-To: ietfarch-tls-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 572253A699F; Tue, 7 Oct 2008 03:49:09 -0700 (PDT)
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4C88B3A6980 for <tls@core3.amsl.com>; Tue, 7 Oct 2008 03:49:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.854
X-Spam-Level:
X-Spam-Status: No, score=-5.854 tagged_above=-999 required=5 tests=[AWL=0.395, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BjkAGzpGyNuA for <tls@core3.amsl.com>; Tue, 7 Oct 2008 03:49:07 -0700 (PDT)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 040023A69C0 for <tls@ietf.org>; Tue, 7 Oct 2008 03:49:06 -0700 (PDT)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id m97An6G6003533; Tue, 7 Oct 2008 12:49:06 +0200 (MEST)
From: Martin Rex <Martin.Rex@sap.com>
Message-Id: <200810071049.m97An3Gt010285@fs4113.wdf.sap.corp>
To: pgut001@cs.auckland.ac.nz (Peter Gutmann)
Date: Tue, 7 Oct 2008 12:49:03 +0200 (MEST)
In-Reply-To: <E1Kn3EI-0008Id-Cc@wintermute01.cs.auckland.ac.nz> from "Peter Gutmann" at Oct 7, 8 04:27:22 pm
MIME-Version: 1.0
X-Scanner: Virus Scanner virwal07
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Verifying X.509 Certificate Chains out of order
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: martin.rex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tls-bounces@ietf.org
Errors-To: tls-bounces@ietf.org

Peter Gutmann wrote:
> 
> Martin Rex <Martin.Rex@sap.com>; writes:
> 
> >Looking at the official protocol spec, the possibility to send an empty list
> >of certificate_authorities in the CertificateRequest message was introduced
> >as a purely optional feature with TLS v1.1. It was _NOT_ previously allowed
> >to send an empty list in the SSL v3 and TLS v1.0 specifications!
> 
> Yes it is.  The minimum length 3 can be used to encode a zero-length ASN.1
> SEQUENCE (using BER encoding), there's nothing there that says it has to
> contain anything.  I've been sending this in my certRequest for, oh, about 10
> years now without running into any problems.
> 
> (Having said that, since client certs are so rarely used if there were
> problems it's unlikely you'd ever see them, but in any case it's worked fine
> so far).

The problems aren't that obvious, because hardly anyone has been
using client certificates so far.   We've been using SSL client certs
for Single Sign-On with WebBrowsers for 8 years and 10k+ users, and
we've run into various interop problems with many implementations.

The semantics for an empty list were not defined in SSLv3 and TLSv1.0,
so there's nothing in the spec that says an empty list is allowed.
So the behaviour is at best "implementation defined", but it is definitely
not standardized.

> 
> >I think it is a pretty dumb engineering decision to create an implementation
> >of SSL/TLS where it is possible to configure the Server to request a client
> >Certificate and NO MEANS to configure the list of certificate_authorities for
> >the ClientRequest message
> 
> Why?

Blindly relying on a feature that is at best "implementation defined"
is pretty much always a dumb engineering decision.


> The reason I never bothered to implement this is because I can't see any
> use for it, if a server asks for a cert from the client then the client will
> either use whatever cert it has for that server or respond "no-cert".  Even in
> the unlikely situation that the client has multiple certs all intended for SSL
> client auth (most users have zero certs for SSL client auth), unless every one
> of them is specially chosen to be from a different CA then specifying the CA
> name will have the same effect as specifying no CA name.

The situation that you describe as "unlikely" is the situation that is
going to be the norm when SSL client certs start getting used in a
serious fashion.

Lets try to explain the behaviour of a server not sending
a certificate_authorities list for common people:                
                                                                   
You walk up to a restaurant for a dinner.  The guard at the door   
tells you that you need a membership card in order to enter and    
hands you a form to fill in and prove your membership    however he
refuses to tell you which membership he will consider acceptable.  
Actually    he promises you that if you happen to pick one that    
is not acceptable, he will send you away with a painful kick in    
the butt.                                                          


Look at X509 certificates as you look at credit cards, customer cards,
membership cards and all the other plastic that populates your wallet.
There is never going to be just one, because each issuer want to retain
his very own authority to revoke his card -- and that should not interfere
with the validity of any of the other cards.

In the Web-Browser scenario, where the SSL protocol was born, that
kind of use and the availability of multiple SSL client cert has
been a design feature from the beginning.


Another serious problem of the "server sends nothing" approach is
that it requires the client to blindly perform an expensive public key
operation and this may incur the overhead/incovenience of prompting
the user to insert a hardware token and/or enter a PIN to authorize
a private key operation -- which can be entirely avoided if the
server announces what CAs it trusts and there is no match to
the credentials available to the client.


-Martin


_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls