Re: [TLS] AIA cert fetching seen as harmful
Nelson B Bolyard <nelson@bolyard.com> Fri, 11 April 2008 18:40 UTC
Message-ID: <47FFB01E.1050502@bolyard.com>
Date: Fri, 11 Apr 2008 11:38:22 -0700
From: Nelson B Bolyard <nelson@bolyard.com>
Organization: Network Security Services
To: Eric Rescorla <ekr@networkresonance.com>
References: <200804101549.m3AFnH5T008818@fs4113.wdf.sap.corp> <47FE39E7.2020209@pobox.com> <47FEB492.6020209@bolyard.com> <20080411010825.8E41750854@romeo.rtfm.com> <47FEBED6.7040105@bolyard.com> <20080411021537.7C6B55085A@romeo.rtfm.com>
In-Reply-To: <20080411021537.7C6B55085A@romeo.rtfm.com>
Cc: tls@ietf.org
Subject: Re: [TLS] AIA cert fetching seen as harmful
Eric Rescorla wrote, On 2008-04-10 19:15:
> At Thu, 10 Apr 2008 18:28:54 -0700,
> Nelson B Bolyard wrote:
>> Eric Rescorla wrote, On 2008-04-10 18:08:
>>> At Thu, 10 Apr 2008 17:45:06 -0700,
>>> Nelson B Bolyard wrote:
>>>> Mike wrote, On 2008-04-10 09:01:
>>>>
>>>>> This could be made safe with some help from PKIX (if X.509 doesn't
>>>>> already support it -- I haven't read RFC 3280 or -bis in a while).
>>>>> If root certificates listed constraints on what constitutes a valid
>>>>> URL for retrieving issued certificates, then a server could scan
>>>>> the combined list from each trusted root to determine if it is safe
>>>>> to fetch a client certificate.
>>>> Are you all aware of this paper, now making a stir?
>>>>
>>>> https://www.cynops.de/techzone/http_over_x509.html
>>> Yes, Martin cited this paper a few weeks ago.
>>>
>>>> It claims that fetching CA certs from URLs found in AIA extensions in certs
>>>> that have not yet been validated is a vulnerability.  At least one browser
>>>> organization known to me agrees.
>>> How does that organization feel about inline images in HTML pages?
>> The problem isn't so much when browsers initiate fetches for certs from
>> servers.  The major concerns are:
>> a) servers fetching URLs from unvetted client auth certs, and
>> b) mail clients fetching certs to verify signatures in emails from strangers.
>>
>> Some email clients, in particular, are good at not fetching remote content
>> from html emails, which confirms email addresses to spammers.  AIA cert
>> fetching weakens their ability to defend against such attempts to validate
>> email addresses.
>>
>> Servers see themselves as similarly weakened.
>>
>> I'm receiving inquiries about white listing CA URLs for AIA fetching.  :(
>
> I assume these people are up in arms about DKIM, then?

No, they're just not doing DKIM.  Otherwise they might be.  :)

With respect to email, their concern is presently limited to S/MIME v3.
Their concern is: take an existing S/MIME v3 MUA and upgrade the cert
verification library to one that can do AIA cert fetching: vulnerable.

But of course, this email concern is a bit off topic for this list.  :)
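As an added example (not code from this thread, from NSS, or from any of the posters), here is the gate that the "upgrade the cert verification library" scenario above lacks: the caIssuers URLs are parsed out of a constructed DER AuthorityInfoAccess value and then run through a fetch policy before any network request would be made, so a stranger's S/MIME cert or an unvetted TLS client cert cannot pick where the verifier connects. The hostnames (all under `.test`), the three contexts, the allow-list (`TRUSTED_CA_HOSTS`) and the policy rules are this example's own assumptions, and the DER helpers are minimal ones written for the example rather than any library's API. No network I/O is performed.

```python
"""AIA caIssuers fetch gate (added example; assumptions noted inline).

Failure mode from the thread: a verifier that dereferences caIssuers URLs
taken from a certificate it has not yet validated lets whoever sent the
certificate choose where the verifier makes an outbound request. This module
only *decides* whether a fetch would be permitted; it never fetches.
"""
from dataclasses import dataclass
import ipaddress
from urllib.parse import urlsplit

OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"   # id-ad-caIssuers (RFC 5280 4.2.2.1)
OID_OCSP = "1.3.6.1.5.5.7.48.1"         # id-ad-ocsp
TAG_SEQUENCE, TAG_OID, TAG_URI = 0x30, 0x06, 0x86  # [6] IMPLICIT IA5String


# --- minimal DER helpers, written for this example -------------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                       # base-128, high bit = more follows
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def encode_aia(descriptions):
    """AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription."""
    body = b"".join(
        _tlv(TAG_SEQUENCE, _encode_oid(m) + _tlv(TAG_URI, uri.encode("ascii")))
        for m, uri in descriptions)
    return _tlv(TAG_SEQUENCE, body)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length overruns buffer")
    return tag, buf[pos:end], end


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_ca_issuers(aia_der):
    """Return the caIssuers URIs found in a DER AuthorityInfoAccess value."""
    tag, seq, _ = _read_tlv(aia_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AIA value is not a SEQUENCE")
    urls, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = _read_tlv(seq, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription is not a SEQUENCE")
        mtag, oid, p = _read_tlv(desc, 0)
        ltag, loc, _ = _read_tlv(desc, p)
        if mtag == TAG_OID and _decode_oid(oid) == OID_CA_ISSUERS and ltag == TAG_URI:
            urls.append(loc.decode("ascii"))
    return urls


# --- the fetch policy (this example's own rules, not a standard) ------------
@dataclass(frozen=True)
class FetchDecision:
    url: str
    allowed: bool
    reason: str


def aia_fetch_policy(urls, *, context, trusted_hosts):
    """context: "browser", "server_client_auth" or "mua_smime".
    trusted_hosts: operator allow-list of CA repository hosts (the
    'white listing CA URLs' the thread mentions). Only http(s) is fetched,
    never a non-global IP literal, and outside the browser context only
    allow-listed hosts, because there the peer is unauthenticated and hostile."""
    if context not in ("browser", "server_client_auth", "mua_smime"):
        raise ValueError(f"unknown context {context!r}")
    decisions = []
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https"):
            decisions.append(FetchDecision(url, False, f"scheme {parts.scheme!r} refused"))
            continue
        try:
            literal = ipaddress.ip_address(host)
        except ValueError:
            literal = None
        if literal is not None and not literal.is_global:
            decisions.append(FetchDecision(url, False, "non-global IP literal refused"))
            continue
        if context != "browser" and host not in trusted_hosts:
            decisions.append(FetchDecision(
                url, False, "host not on CA allow-list; fetch would beacon to a peer-chosen host"))
            continue
        decisions.append(FetchDecision(url, True, "allow-listed host (or browser context)"))
    return decisions


def allowed_urls(urls, *, context, trusted_hosts):
    return [d.url for d in aia_fetch_policy(urls, context=context, trusted_hosts=trusted_hosts)
            if d.allowed]


# Constructed sample: what a stranger's S/MIME signing cert might carry.
SAMPLE_AIA = encode_aia([
    (OID_OCSP, "http://ocsp.example-ca.test"),
    (OID_CA_ISSUERS, "http://certs.example-ca.test/ca.crt"),
    (OID_CA_ISSUERS, "http://tracker.attacker.test/beacon?to=victim@example.test"),
    (OID_CA_ISSUERS, "http://10.0.0.5:8080/admin"),
    (OID_CA_ISSUERS, "ldap://directory.example-ca.test/cn=CA"),
])
TRUSTED_CA_HOSTS = frozenset({"certs.example-ca.test"})

if __name__ == "__main__":
    for d in aia_fetch_policy(parse_ca_issuers(SAMPLE_AIA),
                              context="mua_smime", trusted_hosts=TRUSTED_CA_HOSTS):
        print("FETCH " if d.allowed else "REFUSE", d.url, "-", d.reason)
```

Run as a script it prints one decision per caIssuers URL for the MUA case; only the allow-listed CA repository survives, while the tracking beacon, the internal-address probe and the non-HTTP location are refused. In the browser context the same policy lets the beacon through, which is the distinction Nelson draws above: a browser already fetches inline images from anywhere, whereas a mail client that suppresses remote content, or a server validating an unvetted client cert, loses that protection the moment the cert library starts following AIA on its own.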