[TLS]Re: Trust Anchor Negotiation Surveillance Concerns and Risks
Dennis Jackson <ietf@dennis-jackson.uk> Tue, 23 July 2024 15:01 UTC
Return-Path: <ietf@dennis-jackson.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDE6EC16943C for <tls@ietfa.amsl.com>; Tue, 23 Jul 2024 08:01:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=dennis-jackson.uk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HuiWh0RLx08F for <tls@ietfa.amsl.com>; Tue, 23 Jul 2024 08:01:32 -0700 (PDT)
Received: from mout-p-101.mailbox.org (mout-p-101.mailbox.org [80.241.56.151]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57B93C15793B for <tls@ietf.org>; Tue, 23 Jul 2024 08:01:29 -0700 (PDT)
Received: from smtp2.mailbox.org (smtp2.mailbox.org [10.196.197.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-101.mailbox.org (Postfix) with ESMTPS id 4WT0j10DHmz9snV for <tls@ietf.org>; Tue, 23 Jul 2024 17:01:25 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dennis-jackson.uk; s=MBO0001; t=1721746885; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=pucl3MvFaFC0/Xxv5A+/QlHZ2coj8FjgXHZso/i2a4s=; b=biBMQfmUFTNSWthr70OUbGvmFYPX0iHqDp46L2qOmsw1fApjbBV7X2eUGiMRZb9vBOo6lG 9NVVEE3ZCOI3CqtQ2wsJOziQuitPiYkLhJRo7m0nIEuvUJUaR2yh7GCWu4fjKDUEn5AfjW 4cH5wA/l+vt4g8JVAtgw9QzIc10snJed8OwTN12KFiBQcfiAygtgWUdjXr/7rEZOoYvGoA 2GSLQyUkrvD6EqT68+VxRUZgoJCHtcdeGAGxZm2avuR+7PdL0k6IIlSb0Z/Aahvfgr+LAY lxZ7t/qBkcWMiMoBj0aaVrqAc6SNINEWXpTms8XpF6PkPgTkjw4wUNn9QW7FQg==
Content-Type: multipart/alternative; boundary="------------07mtfoqjt2eNeVfylvE6E2Pk"
Message-ID: <d751b4c1-fef2-4bf8-a6a6-46d4801c8aef@dennis-jackson.uk>
Date: Tue, 23 Jul 2024 08:01:21 -0700
MIME-Version: 1.0
To: tls@ietf.org
References: <CACsn0cmhsh-zeJOaa7xy_2crxgvhAF=nK9FqWxxf1dB2SMhMyQ@mail.gmail.com> <Zpu0reBpH3dtFYdf@LK-Perkele-VII2.locald> <CADQzZqtsj272Gt771Ef=VhS2+WvWKkct0Jx1=wmyS7kTu0ds1w@mail.gmail.com> <CAF8qwaB3VuWSYTi-gH99+N_cgi1ZAdMpzhrSE4=KTD5xbQMwXA@mail.gmail.com> <CADQzZqtyCQwQR2WPrBdqGGUm_tvZ7Akra5z9vqJ30x9vWBtxew@mail.gmail.com> <CAF8qwaDt-vhUb-E48874QLKe-YOc3xzC4VsArzYf_BGREz0+QQ@mail.gmail.com> <CADQzZqvw0Phv1oa--C6HSZJpKkG899v36g-xXrwyiKpM8cyYJw@mail.gmail.com> <254e0d54-7438-4666-8a0b-1ddf431e65d4@dennis-jackson.uk> <CADQzZqupwoqLbJNEU4RgA+G983_a34g-MmHsJN=XZygjLtDUkw@mail.gmail.com> <5f23bc91-b0a4-4ba4-add8-e920ca9c7784@dennis-jackson.uk> <Zp6y2ImjHI1R0oy6@LK-Perkele-VII2.locald> <5a942952-09e1-4aab-b321-cb05ea9c9528@dennis-jackson.uk> <A4DA0C3B-5ED3-4A2B-8CAE-B0B1ED862F29@akamai.com>
Content-Language: en-US
From: Dennis Jackson <ietf@dennis-jackson.uk>
In-Reply-To: <A4DA0C3B-5ED3-4A2B-8CAE-B0B1ED862F29@akamai.com>
Message-ID-Hash: XCGUDR4YRVLSHKVBIR5ZHS6R2JROXTXG
X-Message-ID-Hash: XCGUDR4YRVLSHKVBIR5ZHS6R2JROXTXG
X-MailFrom: ietf@dennis-jackson.uk
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS]Re: Trust Anchor Negotiation Surveillance Concerns and Risks
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/oTS_5x0ZrSQPhLD0espK67HtBos>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
On 22/07/2024 16:06, Salz, Rich wrote: > I agree adding a new API for T.E. which applications could opt in to > would be fine. But could T.E. ever be enabled by default without > breaking the existing API and requiring application changes? > > Yes it could. For example, you’d have to add meta-data identifying the > ‘directory of certs’ that are typically used so that it could become a > named trust store. Assume that’s a fixed filename, like > “trust-store-id.txt” or something. Then when you specify that > directory (e.g., via [1]) it could look for the fixed filename and > send that identifying information. > I agree that having a library like OpenSSL auto-discover the necessary metadata in the system root store is definitely possible. My concern is about breakage with the other parts of the API exposed to applications which will prevent T.E. from being able to be offered by default - meaning applications will have to opt-in via a new API. The Trust Expression's extension is trying to convey accurate information about which certificates are acceptable (which is controlled by the application) and may change the certificate which is received (which is visible to the application). So I don't see how Trust Expression's could be enabled by default without breaking applications or the semantics of the Trust Expression's extension. Some examples: * Some applications will set their own certificate verification callback (SSL_CTX_set_cert_verify_callback). A Trust Expression's label cannot be sent with these connections because OpenSSL doesn't know what the policy is going to be that the application applies. Sending the T.E. label is informing the serve 'I will accept any certificate suitable for this root store'. * Some applications will use the default certificate verifier in OpenSSL, but then access the certificate chain via SSL_get_peer_cert_chain or similar functions for getting specific metadata. The application might then do further checks which OpenSSL is unaware of. If so, the Trust Expression's label from the system store cannot be used without making the label inaccurate. * Some applications will do use the default checks on the certificate, but access the certificate chain to consume / log / display the information elsewhere. It's likely these functions are going to expect a 'normal' X.509 cert chain but one of the use cases of Trust Expressions is to enable non-X509 certificate payloads or shorter chains. I think the second and third cases are particularly critical. OpenSSL cannot know during the handshake whether the application is going to later call SSL_get_peer_cert_chain / SSL_get_peer_certificate and then make a decision about whether to tear down the connection. For example, the application may do its own pinning and check whether the issuer is acceptable. In this case, if OpenSSL sent the Trust Expression extension with the label by default, it would be actively harmful, since the Trust Expression extension is telling the server "I will accept any cert valid in this root store" but in actuality the application is performing pinning. This would make the extension useless for the proposed use cases around handling pinning gracefully and giving server's confidence to migrate CAs. So my conclusion is that TLS libraries are never going to be able to offer T.E. by default. Instead applications would have to opt in, which seems like a major barrier to adoption outside of browsers. Happy to be corrected if there are some wrinkles here, but Hyrum's law seems pretty harsh for the existing TLS library APIs. Best, Dennis
- [TLS]Trust Anchor Negotiation Surveillance Concer… Devon O'Brien
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… Rob Sayre
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… Nick Harper
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… David Adrian
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… Rob Sayre
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… Salz, Rich
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… Nick Harper
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… David Benjamin
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… Watson Ladd
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… Mike Shaver
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… David Benjamin
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… Ilari Liusvaara
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… Ilari Liusvaara
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… Salz, Rich
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… Dennis Jackson
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… Mike Shaver
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… David Benjamin
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… Mike Shaver
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… Devon O'Brien
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… Dennis Jackson
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… Mike Shaver
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… Dennis Jackson
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… Ilari Liusvaara
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… Dennis Jackson
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… Salz, Rich
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… Dennis Jackson
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… Salz, Rich
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… Dennis Jackson
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… Salz, Rich
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… Watson Ladd
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… Salz, Rich
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… Rob Sayre
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… Dennis Jackson
- [TLS]Re: Trust Anchor Negotiation Surveillance Co… David Benjamin