Re: [TLS] Certificate validation can of worms
Yan Zhu <yan@eff.org> Sat, 05 April 2014 01:49 UTC
Return-Path: <yan@eff.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 995991A0226 for <tls@ietfa.amsl.com>; Fri, 4 Apr 2014 18:49:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.012
X-Spam-Level:
X-Spam-Status: No, score=-2.012 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 681CvZ8Z1NT3 for <tls@ietfa.amsl.com>; Fri, 4 Apr 2014 18:49:05 -0700 (PDT)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) by ietfa.amsl.com (Postfix) with ESMTP id 50D301A01E1 for <tls@ietf.org>; Fri, 4 Apr 2014 18:49:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=Content-Type:In-Reply-To:References:Subject:To:MIME-Version:From:Date:Message-ID; bh=sBNd1yPriIPxsRPoSy3jc8wsbYrUZKLneFDvJHLo140=; b=kJoAaDrw2UUTvW7+ZMUPbDhYO5evEo5hulqhKadfwIVQV1iPTtvFKSxMOtVg/p6Eo2ZpMlyG4FJ+Wd8dh7/G9AwgLK7ScWgcP5WSh+xjomMkM0ut+s0whkjDnZNvQBZltZGhVREQDINzVEJ2vXG8AYm805S6OQYvJuIl4NJtzUo=;
Received: ; Fri, 04 Apr 2014 18:49:00 -0700
Message-ID: <533F6106.5000308@eff.org>
Date: Fri, 04 Apr 2014 18:48:54 -0700
From: Yan Zhu <yan@eff.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.4.0
MIME-Version: 1.0
To: Watson Ladd <watsonbladd@gmail.com>, "tls@ietf.org" <tls@ietf.org>
References: <CACsn0ckFoqQ=hwp=Wxjjrt6LavLoKSUCyBCp=TvWvJ3DsuhUsw@mail.gmail.com>
In-Reply-To: <CACsn0ckFoqQ=hwp=Wxjjrt6LavLoKSUCyBCp=TvWvJ3DsuhUsw@mail.gmail.com>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="s8RbiIDpMHJA6b6CI0i79HXXlMAmQiDrJ"
Received-SPF: skipped for local relay
Received-SPF: skipped for local relay
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/flJMmKFIoIIXY2-7SnPJLpCQh-4
Subject: Re: [TLS] Certificate validation can of worms
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Apr 2014 01:49:09 -0000
On 04/04/2014 06:35 PM, Watson Ladd wrote: > Dear all, > https://www.cs.utexas.edu/~shmat/shmat_oak14.pdf contains tests of > many TLS implementations. Interestingly all tested implementations > contain errors, and all but OpenSSL erroneous accepts. Cryptlib was > not tested, because it doesn't validate certificates. > > At the core of these issues is the complexity of certificate > validation. Things for this committee to consider: > > 1: How will DANE make this worse? > 2: Is this really the best we can do? What features of X509 led to > these problems? > 3: This focused on server authentication. How does client authentication fare? In case anyone wants to investigate these questions, the code used in that study to generate mutated certificates is at https://github.com/sumanj/frankencert. (You will need a corpus of certificates to start from; the mirrors of EFF's SSL Observatory scan results seem to all be unavailable at the moment, but that should be fixed soon.) -Yan > 4: Did this actually cover everything? > > Sincerely, > Watson Ladd > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > -- Yan Zhu <yan@eff.org> Staff Technologist Electronic Frontier Foundation https://www.eff.org 815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x134
- [TLS] Certificate validation can of worms Watson Ladd
- Re: [TLS] Certificate validation can of worms Yan Zhu
- Re: [TLS] Certificate validation can of worms Peter Gutmann
- Re: [TLS] Certificate validation can of worms Nico Williams
- Re: [TLS] Certificate validation can of worms Watson Ladd
- Re: [TLS] Certificate validation can of worms Kurt Roeckx
- Re: [TLS] Certificate validation can of worms Nico Williams
- Re: [TLS] Certificate validation can of worms Nico Williams
- Re: [TLS] Certificate validation can of worms Kemp, David P.
- Re: [TLS] Certificate validation can of worms Martin Rex
- Re: [TLS] Certificate validation can of worms Martin Rex
- Re: [TLS] Certificate validation can of worms Santosh Chokhani
- Re: [TLS] Certificate validation can of worms Martin Rex
- Re: [TLS] Certificate validation can of worms Rob Stradling
- Re: [TLS] Certificate validation can of worms Martin Rex
- Re: [TLS] Certificate validation can of worms Watson Ladd
- Re: [TLS] Certificate validation can of worms Nikos Mavrogiannopoulos
- Re: [TLS] Certificate validation can of worms Phillip Hallam-Baker
- Re: [TLS] Certificate validation can of worms Watson Ladd
- Re: [TLS] Certificate validation can of worms Martin Rex
- Re: [TLS] Certificate validation can of worms Santosh Chokhani
- Re: [TLS] Certificate validation can of worms Nico Williams
- Re: [TLS] Certificate validation can of worms Martin Rex
- Re: [TLS] Certificate validation can of worms Martin Rex
- Re: [TLS] Certificate validation can of worms Phillip Hallam-Baker
- Re: [TLS] Certificate validation can of worms Santosh Chokhani
- Re: [TLS] Certificate validation can of worms Santosh Chokhani
- Re: [TLS] Certificate validation can of worms Santosh Chokhani