Re: [TLS] draft-weimer-tls-previous-certificate-01
Florian Weimer <fweimer@redhat.com> Wed, 28 November 2012 14:37 UTC
Return-Path: <fweimer@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 631CF21F87DE for <tls@ietfa.amsl.com>; Wed, 28 Nov 2012 06:37:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G3n1r0XXOldb for <tls@ietfa.amsl.com>; Wed, 28 Nov 2012 06:37:53 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by ietfa.amsl.com (Postfix) with ESMTP id D8DE921F87AC for <tls@ietf.org>; Wed, 28 Nov 2012 06:37:53 -0800 (PST)
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id qASEbirD029472 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 28 Nov 2012 09:37:44 -0500
Received: from fweimer.str.redhat.com (ovpn-116-29.ams2.redhat.com [10.36.116.29]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id qASEbd80019619 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Wed, 28 Nov 2012 09:37:43 -0500
Message-ID: <50B621B3.4000008@redhat.com>
Date: Wed, 28 Nov 2012 15:37:39 +0100
From: Florian Weimer <fweimer@redhat.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: Yoav Nir <ynir@checkpoint.com>
References: <50A21AC4.1050003@redhat.com> <4613980CFC78314ABFD7F85CC302772101C2FC@IL-EX10.ad.checkpoint.com>
In-Reply-To: <4613980CFC78314ABFD7F85CC302772101C2FC@IL-EX10.ad.checkpoint.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] draft-weimer-tls-previous-certificate-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Nov 2012 14:37:54 -0000
On 11/20/2012 02:10 PM, Yoav Nir wrote: > This seems like a lighter-weight alternative to certificate transparency. While we don't get the client-side benefit (the client can't check if some certificate is legitimate), the server will eventually be notified of any certificate out there pretending to be for it. Right. > One thing I don't like about this proposal, is the bandwidth requirements. You're sending a massive chain in the first handshake message, which will likely slow down the whole thing, because the TCP window is still small at this stage. I don't think this will introduce additional network round-trips with reasonably sized chains and the current initial CWND recommendations. However, the bytes themselves take some time to transmit, adding around 50ms at 384kpbs with a medium-sized chain. And this overhead is also present during session resumption. I guess this overhead pretty much kills the idea. 8-( >Wouldn't it make more sense to have the extension send only a hash of the previous chain? In that case, the server would not send anything back if it has already seen this hash. If it hasn't, it will send this extension, and then the client can send the whole chain to the server. > > There's two ways here. First, you can add a new handshake message that contains the previous certificate. But what I would like even better, is if the server response contained a URL, where the client can POST the certificate chain, in a separate connection that does not interfere with the handshake any more than is needed. Interesting idea. It's certainly more difficult to deploy for server operators. But the POST-based indirection would eliminate the mismatch between the maximum extension size in the client hello and the maximum chain size, simplifying the client implementation. On the other hand, the certificate submission will not be protected by the TLS handshake anymore, so a handshake can be successful with the original/genuine certificate, but the previous certificate chain with the spoofed one is never submitted. This would make it simpler for attackers to cover their tracks. -- Florian Weimer / Red Hat Product Security Team
- [TLS] draft-weimer-tls-previous-certificate-01 Florian Weimer
- Re: [TLS] draft-weimer-tls-previous-certificate-01 Martin Rex
- Re: [TLS] draft-weimer-tls-previous-certificate-01 Yoav Nir
- Re: [TLS] draft-weimer-tls-previous-certificate-01 Florian Weimer