IETF Logo Mail Archive

Re: [TLS] [Uta] OCSP in RFC7525bis

Ryan Sleevi <ryan-ietf@sleevi.com> Fri, 21 January 2022 04:52 UTC

Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91C883A1A20; Thu, 20 Jan 2022 20:52:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YN9M46o1wz2l; Thu, 20 Jan 2022 20:52:35 -0800 (PST)
Received: from mail-vk1-f181.google.com (mail-vk1-f181.google.com [209.85.221.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 146F33A1A1F; Thu, 20 Jan 2022 20:52:35 -0800 (PST)
Received: by mail-vk1-f181.google.com with SMTP id w17so788661vko.9; Thu, 20 Jan 2022 20:52:34 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YH+6ctkxlDS6Iy6kG/wBgSrbAbHNo25TDdXA12rZ+7s=; b=6blHlxJ4i7PBND3LOnS07nD95pMkpnHPopGStX76RMTnxSPY9kFTq8SftfOMn2oY9X heaW+ICcwTJ8L5wAZtsr6S6OvGtXXMgnME+OfivvQp9R781y59VOJH3EIUT7Nj18qpML qAjq0AsBADVBfGkJQlDvbyR9XKBg2Qsqwut8b8DkhnE8M0hOm/Ee4B7XZSdDlT3MmN0r XGI2y5s06U7XzioO6fxej+taYUzCYQMWkKnBeY2vNOyGFO2E0oHZXO6Z+niZGhh9o3sk MacHVdcN1u/JkyuwFF1CF65vg8eb+AUx9vMty3ojRA8JqLa33jVW61n+icUOxIDiRkU4 25xw==
X-Gm-Message-State: AOAM532HkSB+WsoSOKjtqnb4z80+52BRpeLz1e9ZnwpRc5n1Cdx2D6km 6TQhbl5HKtYbxuqzB9eRTkDJGkUBKcM=
X-Google-Smtp-Source: ABdhPJwvMO/0er2Ch4V4JQzVGgc6pWvoYsAWkcfFYPxWx/KAQKNpSM91/x+gazi6vo3EUa3MqIic5g==
X-Received: by 2002:a1f:5c4d:: with SMTP id q74mr921814vkb.9.1642740753523; Thu, 20 Jan 2022 20:52:33 -0800 (PST)
Received: from mail-vk1-f173.google.com (mail-vk1-f173.google.com. [209.85.221.173]) by smtp.gmail.com with ESMTPSA id e14sm978920vsu.3.2022.01.20.20.52.32 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 20 Jan 2022 20:52:33 -0800 (PST)
Received: by mail-vk1-f173.google.com with SMTP id m131so4896020vkm.7; Thu, 20 Jan 2022 20:52:32 -0800 (PST)
X-Received: by 2002:a05:6122:7d3:: with SMTP id l19mr871852vkr.35.1642740752705; Thu, 20 Jan 2022 20:52:32 -0800 (PST)
MIME-Version: 1.0
References: <8E44314F-58A4-8F46-951D-1DBD24B5361E@hxcore.ol> <87sfth934u.fsf@fifthhorseman.net>
In-Reply-To: <87sfth934u.fsf@fifthhorseman.net>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Thu, 20 Jan 2022 23:51:22 -0500
X-Gmail-Original-Message-ID: <CAErg=HEFO-0oWVd6VDF-thU2-XRua1AsY2z35XbskVXU2PaVOg@mail.gmail.com>
Message-ID: <CAErg=HEFO-0oWVd6VDF-thU2-XRua1AsY2z35XbskVXU2PaVOg@mail.gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: Yaron Sheffer <yaronf.ietf@gmail.com>, "uta@ietf.org" <uta@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000005ed9905d6106303"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/dJWstnjUsiyWgO-BKgA5ALSDHig>
Subject: Re: [TLS] [Uta] OCSP in RFC7525bis
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Jan 2022 04:52:40 -0000

On Thu, Jan 20, 2022 at 10:31 PM Daniel Kahn Gillmor <dkg@fifthhorseman.net>
wrote:

> This sounds a lot like a "SHOULD BUT WE KNOW YOU WONT".  Why would a
> client deliberately fail a connection when the problem might be a flaw
> with an unrelated network service or a client-specific routing failure?
>
> I think we can definitely explicitly recommend:
>
>  A) clients MUST require valid stapled OCSP response when encountering a
>     certificate with "must staple" extension.  (this is just following
>     the specs, but i don't think it's as widely supported as it should
>     be; maybe we need some public naming/shaming?)
>

Isn't this also a "MUST, BUT WE KNOW YOU WON'T AND PROBABLY SHOULDN'T"?

There are good reasons that clients have not, and potentially will never,
support Must-Staple, whether it be for the technical reasons that many
servers are unfit to support it, or for policy reasons, such as wanting to
be careful about the security policies of their products, and how much of
that is outsourced to CAs. The choice about whether to require stapling or
not _is_ a policy decision relevant not only to server operators, but also
relying parties, and can be easily abused by CAs if given that lever. Given
the concerning practices already seen with respect to revocation, which are
detrimental to the security goals of both server operators and end users, a
full-throated MUST seems a bit incompatible with the notion of allowing
policy flexibility. For example, in a world where a client delivers
revocation information out of band, as nearly every major web browser does
today (as one example), "must staple" is of questionable benefit.


> So the right set of fixes to defend against all these kinds of attacks
> are:
>
> - enable DNSSEC for your zone
>
> - signal in your DNS (e.g. via CAA, RFC 8659) that you only want a
>   specific set of CAs to issue certificates in your zone (CAA doesn't
>   explicitly describe an option to require that the CA use must-staple,
>   but it looks like any CA could declare a CAA parameter that would
>   offer that guidance.  for example:
>   https://github.com/letsencrypt/boulder/issues/5903)
>
> - ensure that your account with those CAs requires must-staple (either
>   with your CA's preferred CAA parameter, or some other way)
>
> - monitor CT logs for certificates that violate your CAA policy
>
> This should close all the gaps that i can see, making the whole chain as
> strong as your control over what gets signed by your zone's DNSSEC
> signing key (and your CA's adherence to CAA policy, of course).
>

Without wanting to detract too much from the core question of the thread,
how does this address the routing gap? The adversary at the routing layer
just redirects the host being validated to control the key that way, and
simply interrupts the nameserver during the CAA check. In the threat model
you're concerned about (Web PKI), DNSSEC is soft-fail, particularly for CAA
checks.

The assumption here for this model to hold is that the CAA information is
infallibly guaranteed to be delivered to the CA (it is not), and that the
CA will properly adhere to it for all threats that are concerning (they do
not). Without those properties, this doesn't provide any value, and that
rather significantly undermines the argument for the MUST for Must-Staple
being made for clients/relying parties.

v2.23.0 | Report a Bug | By Email