IETF Logo Mail Archive

Re: [TLS] Comment on draft-thomson-tls-sic-00

"Martin Thomson" <mt@lowentropy.net> Mon, 22 April 2019 23:07 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28D7F120168 for <tls@ietfa.amsl.com>; Mon, 22 Apr 2019 16:07:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=v3LimzH1; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=s5i8p+oc
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xuWVNCTZOa6K for <tls@ietfa.amsl.com>; Mon, 22 Apr 2019 16:07:34 -0700 (PDT)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B71121200B1 for <tls@ietf.org>; Mon, 22 Apr 2019 16:07:34 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 9760521ADD; Mon, 22 Apr 2019 19:07:32 -0400 (EDT)
Received: from imap2 ([10.202.2.52]) by compute1.internal (MEProxy); Mon, 22 Apr 2019 19:07:32 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :cc:subject:content-type; s=fm2; bh=AhL5ilBKHxnbIro0IB+r3JA5sJnB wuhgikMa8LJfDyk=; b=v3LimzH1f6bVSEz76uUANyjPwxa1gY/R9dq7dYTlMPQA 0YtEWAEfV/l0jSfGVwlID2f0dPfxwrxF//TCEshRFdZqN1d0igbKyF2uJHZblovn SGq6pdu9ijfLBjtr1NlrmgFck6cYEg7woBN0b4o6K8RguiYnqV+/nu8523SrC9J9 Ln2ZTrduRMdItWoALCPy3Xh92u6C+q44HgSEhLzcddqwEl/MhORoqbssUEF7x7te 0v3r2nDPZe4YguJmC4AQckrc/GeVbxexxgo0HgkH5AQIfYjSWmxTBvZFU3ExZDAc jMJEgZRtxUQn5G1t3gE2tCZhwj/K4IsBpxU7IeEv7g==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=AhL5il BKHxnbIro0IB+r3JA5sJnBwuhgikMa8LJfDyk=; b=s5i8p+oc69SbppnDarywB4 zBRpnQyFStmJn9p+rROal3kU91Q6BQuEgtDe4xUoaGSoBgkoj/+9yO0G82Uv12qT /LFpVGqgP7FqKYVYINmBuVvDpIfaJWj/QjpDyd/7vsQEQ89/ioIEFYevFrKqMFNf ZHD1bawBk3mx4dZXRNjafcPWdUuSV34uylh4BQbPWJm3H5r710U6/+Isvwo3tzsT DjsJDtLk9ohcZ/cfJ9R9WnbhblGW5ljllXusjuA4TFKj01tp9sgrld9eLFg9wAmK J3Gki/Oz/fYmdGvBL05yhKpFZoVsBAYpN1QKGq/DfvTuXm0Pa6htXTAsfqcpA0nA ==
X-ME-Sender: <xms:NEm-XLTIPrnaq5Q2Grzf5Cf_jHoVZlIrApFB13Gw9jr4U_ZXA6s8ZA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduuddrgeejgddutdcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefofgggkfgjfhffhffvufgtsehttdertderredtnecuhfhrohhmpedfofgrrhht ihhnucfvhhhomhhsohhnfdcuoehmtheslhhofigvnhhtrhhophihrdhnvghtqeenucffoh hmrghinhepihgvthhfrdhorhhgnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmtheslhho figvnhhtrhhophihrdhnvghtnecuvehluhhsthgvrhfuihiivgeptd
X-ME-Proxy: <xmx:NEm-XM69uKjkTsmKf_uxyKbYxt_Gd3LzlvtFWSiF3xRMYD5pVKGD-Q> <xmx:NEm-XIT5TPbQ4KiDMN3ekI4T3Q_3sQG6GG4G-xZ_4hdJQT_NxOCZpw> <xmx:NEm-XBl1aTG82e726AYFmhlHOX3Fho-C6O9qMJKrrfLoCPlUpTKYfA> <xmx:NEm-XHlYZsUpkC9C6uyj1V2oRd8mjxKs2BWnoL5gXdWEl5nsi5wWxw>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 0274A7C539; Mon, 22 Apr 2019 19:07:31 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.6-443-g918f9d3-fmstable-20190416v3
Mime-Version: 1.0
X-Me-Personality: 92534000
Message-Id: <b99c03e8-a3b9-49e9-a87d-51b02ecf886d@www.fastmail.com>
In-Reply-To: <CACykbs3cS_9YWD5EavNpj=1N8iJwLZMXOW9Hm-gUVAjJcej+PQ@mail.gmail.com>
References: <AC987170-3F9F-4682-B49B-872B9028692F@ericsson.com> <745ED9FE-9C31-4687-BD64-836155A28AEC@ericsson.com> <3C099064-52D9-49C3-9180-A01FBDEE876A@ericsson.com> <523c1d42-c4bb-4206-b9be-bcec93973424@www.fastmail.com> <CACykbs3cS_9YWD5EavNpj=1N8iJwLZMXOW9Hm-gUVAjJcej+PQ@mail.gmail.com>
Date: Mon, 22 Apr 2019 19:07:34 -0400
From: Martin Thomson <mt@lowentropy.net>
To: Jonathan Hoyland <jonathan.hoyland@gmail.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/nc16Vce2bK4cM-3ntgUZNSTpJxg>
Subject: Re: [TLS] Comment on draft-thomson-tls-sic-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Apr 2019 23:07:37 -0000

Yes, digesting the chain is likely to fail.  The set of "intermediates" that are included are not a strictly deterministic set.  Counter-signing of trust anchors and other such practices mean that the client and server wouldn't be able to agree to the point that a digest would be reliable.

There are two things that you might want agreement on here, if you want agreement about anything.

1. Agreement on what was put into the handshake messages, or the contents of a Certificate message.

2. Agreement on what the certification path is.

If the server omits intermediates, then we still get agreement on the content of the message, but whether we agree on the identity of the intermediate that the client ultimately uses is what you are concerned with.  However, if we look at the second, we already lack TLS transcript protection for the full certification path because trust anchors are in practice (and by recommendation) omitted from the Certificate message anyway.  This proposal just moves that one step further down the chain.

So your question is more of a general question with TLS.  If we don't include certain elements of the certification path in the handshake transcript, how do we know that the client and server agree on how the server identity was validated?

The current answer, which might not seem satisfactory, is that there is no agreement or understanding.  The various ways in which certification paths are recovered (see AIA chasing, missing intermediates) and then constructed is something of a mystery.  In practice, people shove certificates into Certificate until the clients they care about accept the chain.

And I would contend that agreeing on how authentication is performed is not entirely necessary[1].  The decision about whether a peer identity is valid is made by each participant independently.  The information in Certificate is input to that process, but not the only input.  We might also have other things, like pinned keys or CT policies, that also read on that decision.

--Martin

[1] We do, as much as possible, try to even this out, but the fact is that there are a number of subtle differences in client requirements.

On Mon, Apr 15, 2019, at 19:09, Jonathan Hoyland wrote:
> Hi Martin,
> 
> Could you comment on how the client and server know they agree on the 
> certificate chain?
> Would it be possible for the client and server to resolve the 
> certificate chain down two distinct paths, for example in the case of 
> cross signed certificates?
> 
> If so, is there a security risk here, as in, does it matter if the 
> client and server disagree on the chains? 
> Could an attacker perform some shenanigans with disjoint roots of 
> trust, or by finding paths with differing policy constraints (if that 
> even makes sense)?
> 
> Would it help anything if the server included a digest of the 
> certificate chain in its EncryptedExtensions?
> 
> Regards,
> 
> Jonathan
> 
> On Thu, 11 Apr 2019 at 03:58, Martin Thomson <mt@lowentropy.net> wrote:
> > On Sat, Mar 30, 2019, at 06:05, John Mattsson wrote:
> >  > And one more....
> >  > 
> >  > "The 0xTBD flag can only be send in a ClientHello or CertificateRequest 
> >  > message. Endpoints that receive a value of 1 in any other handshake 
> >  > message MUST generate a fatal illegal_parameter alert."
> >  > 
> >  > This goes against draft-nir-tls-tlsflags
> >  > 
> >  > "A server that supports this extension and also supports at least one 
> >  > of the flag-type features that use this extension and that were 
> >  > declared by the ClientHello extension SHALL send this extension with 
> >  > the intersection of the flags it supports with the flags declared by 
> >  > the client."
> >  > 
> >  > I assume the sic sic extension should be sent in EncryptedExtensions.
> > 
> >  I think that this is a problem in draft-nir-tls-tlsflags. Extensions in ClientHello are "answered" in two places: EncryptedExtensions and Certificate. The requirement that the flag be echoed creates a problem in that context.
> > 
> >  We could define separate "Handshake flags" and "Certificate flags", but that complicates things.
> > 
> >  If you look at extension usage, you see that not all "flags" are echoed. In this case, a requirement to echo would just increase the size of Certificate for no good reason - the extension can be omitted completely.
> > 
> >  We should only require the presence of the flag where it carries semantics. The requirement should be stated as
> > 
> >  Implementations MUST NOT set flags in extension responses if the remote
> >  endpoint did not send the corresponding flag in extension requests. Upon
> >  receiving a flag that is incorrectly set, an endpoint MUST abort the handshake
> >  with an "unsupported_extension" [?] alert.
> > 
> >  Mirroring the language from RFC 8446.
> > 
> >  _______________________________________________
> >  TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email