Re: [TLS] [pkix] New version of Multiple OCSP mode of Certificate
"Miller, Timothy J." <tmiller@mitre.org> Thu, 05 August 2010 12:39 UTC
Return-Path: <tmiller@mitre.org>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7B21D3A697B; Thu, 5 Aug 2010 05:39:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lmE6Rn27-YYO; Thu, 5 Aug 2010 05:39:05 -0700 (PDT)
Received: from smtp-bedford.mitre.org (smtp-bedford.mitre.org [129.83.20.191]) by core3.amsl.com (Postfix) with ESMTP id 36F1F3A69AC; Thu, 5 Aug 2010 05:39:05 -0700 (PDT)
Received: from smtp-bedford.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id o75CdZa4007310; Thu, 5 Aug 2010 08:39:35 -0400
Received: from imchub1.MITRE.ORG (imchub1.mitre.org [129.83.29.73]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id o75CdYMs007297; Thu, 5 Aug 2010 08:39:34 -0400
Received: from IMCMBX2.MITRE.ORG ([129.83.29.205]) by imchub1.MITRE.ORG ([129.83.29.73]) with mapi; Thu, 5 Aug 2010 08:39:34 -0400
From: "Miller, Timothy J." <tmiller@mitre.org>
To: "'mrex@sap.com'" <mrex@sap.com>, Nicolas Williams <Nicolas.Williams@oracle.com>
Date: Thu, 05 Aug 2010 08:39:33 -0400
Thread-Topic: [TLS] [pkix] New version of Multiple OCSP mode of Certificate
Thread-Index: Acs0OgIpEw7jzJ6lQVSm/9sPXT7KDwAYQDuQ
Message-ID: <17FD76C1ECD0AB49817637E21809ABF908A316DF81@IMCMBX2.MITRE.ORG>
References: <20100805001137.GE5213@oracle.com> from "Nicolas Williams" at Aug 4, 10 07:11:38 pm <201008050103.o7513F15000806@fs4113.wdf.sap.corp>
In-Reply-To: <201008050103.o7513F15000806@fs4113.wdf.sap.corp>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "pkix@ietf.org" <pkix@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] [pkix] New version of Multiple OCSP mode of Certificate
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Aug 2010 12:39:11 -0000
You have yet to propose an alternative. Absent an alternative, I'd support a security note to the effect that path construction modules should be careful to treat retrieved data as potentially unsafe until validated. -- Tim >-----Original Message----- >From: Martin Rex [mailto:mrex@sap.com] >Sent: Wednesday, August 04, 2010 8:03 PM >To: Nicolas Williams >Cc: mrex@sap.com; yngve@opera.com; pkix@ietf.org; Miller, Timothy J.; >tls@ietf.org >Subject: Re: [TLS] [pkix] New version of Multiple OCSP mode of >Certificate > >Nicolas Williams wrote: >> >> On Thu, Aug 05, 2010 at 01:07:22AM +0200, Martin Rex wrote: >> > Yngve N. Pettersen wrote: >> > > The kind of crafted URLs you are concerned about can also be >injected by >> > > way of OCSP and CRL URLs, and OCSP is AFAICT actually supported by >more >> > > clients than AIA CA. >> > >> > That is incorrect. The path validation algorithm checks >cryptographic >> > correctness and certificate (attribute) validity starting at a trust >> > anchor first, and ONLY when that succeeds, CRLs and OCSP is checked. >> >> That's true of path _validation_. It's not necessarily true of path >> _construction_ (see RFC4158). That is, if you start with an EE cert >you >> might have to go find the intermediate CA certs. > >I don't know rfc4158, but I don't see how a standardization level >should marginalize a severe security problem. The TLS renegotation >problem was not less severe by working-as-specified and being >commonly implemented in the installed base. :-/ > >And I see a big difference in a user trying to manually and interatively >construct a certification path and consciously deciding to include >individual, not necessarily pre-trusted sources of information -- >as long as it is not possible for an attacker to entice this >construction to perform accesses to arbitrary resources without >limits and entirely without critical consent and interaction of >the entity doing the path construction. > > >While the relative ordering of 6.1.3 a1, a2, a3 makes a lot of sense >security-wise, I'm confused to see a4 as the last check instead of >the first(!) one. Comparison of the issuer field should be a memcmp() >on a ASN.1 DER encoded DName, and it looks odd to suggest doing a likely >expensive public key operation before a trivial memcmp() without >a rationale (I can not currently think of a rationale for this). > >http://tools.ietf.org/html/rfc5280#section-6.1.3 > > >> >> > So when doing path validation correctly, you never access untrusted >> > CRL and OCSP resources. >> >> If you're building a path from the target to the anchor then you'll >> probably want to prune paths as soon as possible by validating >> intermediate CA certs as soon as possible. > >Validating in the form of pruning "expired" or otherwise clearly >inappropriate certs based on "cheap" plausibility checks on certificate >attributes? Maybe to a limited extent. Public key crypto operation >with untrusted keying material or even worse, network access based >on URIs from untrusted sources -- certainly not without explicit >user/operator confirmation! > >For the case of TLS, however, it has always been a clear requirement >for each communication peer to build and send one own's certificate >in a complete and corretly ordered sequence, optionially omitting >at most the self-signed root certificate at the end of that chain. >So really, a server with a certificate from a fancy briged CA should >definitely, similar to the "server name indication" get a TLS >ClientHello extension defined and have the client provide hints >about the trust anchors if the server is unable to send a certificate >chain acceptable to the client's certificate path validation >algorithm as-is without such information. > > >-Martin
- [TLS] New version of Multiple OCSP mode of Certif… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] New version of Multiple OCSP mode of Ce… Adam Langley
- Re: [TLS] New version of Multiple OCSP mode of Ce… Yngve Nysaeter Pettersen
- Re: [TLS] New version of Multiple OCSP mode of Ce… Yngve N. Pettersen
- Re: [TLS] New version of Multiple OCSP mode of Ce… Adam Langley
- Re: [TLS] New version of Multiple OCSP mode of Ce… Brian Smith
- Re: [TLS] New version of Multiple OCSP mode of Ce… Brian Smith
- Re: [TLS] New version of Multiple OCSP mode of Ce… Yngve N. Pettersen
- Re: [TLS] New version of Multiple OCSP mode of Ce… Rob Stradling
- Re: [TLS] New version of Multiple OCSP mode of Ce… Rob Stradling
- Re: [TLS] New version of Multiple OCSP mode of Ce… Yngve Nysaeter Pettersen
- Re: [TLS] New version of Multiple OCSP mode of Ce… Peter Gutmann
- Re: [TLS] New version of Multiple OCSP mode of Ce… Yngve Nysaeter Pettersen
- Re: [TLS] New version of Multiple OCSP mode of Ce… Brian Smith
- Re: [TLS] New version of Multiple OCSP mode of Ce… Peter Gutmann
- Re: [TLS] New version of Multiple OCSP mode of Ce… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Rob Stradling
- Re: [TLS] New version of Multiple OCSP mode of Ce… Yngve Nysaeter Pettersen
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Yngve Nysaeter Pettersen
- Re: [TLS] New version of Multiple OCSP mode of Ce… Martin Rex
- Re: [TLS] New version of Multiple OCSP mode of Ce… Adam Langley
- Re: [TLS] New version of Multiple OCSP mode of Ce… Martin Rex
- Re: [TLS] New version of Multiple OCSP mode of Ce… Martin Rex
- Re: [TLS] New version of Multiple OCSP mode of Ce… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] New version of Multiple OCSP mode of Ce… Marsh Ray
- Re: [TLS] New version of Multiple OCSP mode of Ce… Martin Rex
- Re: [TLS] New version of Multiple OCSP mode of Ce… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Miller, Timothy J.
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Marsh Ray
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Miller, Timothy J.
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Miller, Timothy J.
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Rob Stradling
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Nicolas Williams
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Nicolas Williams
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Nicolas Williams
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Miller, Timothy J.
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Nicolas Williams
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Nicolas Williams
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Dr Stephen Henson
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Nicolas Williams
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Nicolas Williams
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Miller, Timothy J.
- Re: [TLS] [pkix] Accessing arbitrary AIA URLs Matt McCutchen