Re: [TLS] [certid] fyi: paper on compelled, certificate creation attack and applicable appliance
Marsh Ray <marsh@extendedsubset.com> Thu, 25 March 2010 17:42 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 42F5D3A6B6F for <tls@core3.amsl.com>; Thu, 25 Mar 2010 10:42:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.131
X-Spam-Level: *
X-Spam-Status: No, score=1.131 tagged_above=-999 required=5 tests=[BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LPQxIhgsDqiM for <tls@core3.amsl.com>; Thu, 25 Mar 2010 10:42:52 -0700 (PDT)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id 20F0C3A6B31 for <tls@ietf.org>; Thu, 25 Mar 2010 10:40:29 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1Nur34-000NHI-Qv; Thu, 25 Mar 2010 17:40:50 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 433C76048; Thu, 25 Mar 2010 17:40:48 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1/9xDakdjOVB30zTajTGy+gMAkLAj1ck/Y=
Message-ID: <4BABA01E.7080808@extendedsubset.com>
Date: Thu, 25 Mar 2010 12:40:46 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100216 Thunderbird/3.0.2
MIME-Version: 1.0
To: ArkanoiD <ark@eltex.net>
References: <4BAA7F31.5050706@KingsMountain.com> <20100325041402.GA6222@eltex.net>
In-Reply-To: <20100325041402.GA6222@eltex.net>
X-Enigmail-Version: 1.0.1
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org, =JeffH <Jeff.Hodges@KingsMountain.com>
Subject: Re: [TLS] [certid] fyi: paper on compelled, certificate creation attack and applicable appliance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Mar 2010 17:42:53 -0000
On 3/24/2010 11:14 PM, ArkanoiD wrote: > Well, that's quite obvious that PKI in the "big internet" as we know > it is just a card house True, but there are lots of card houses in compsec in the sense that flipping just one bit the right way results in a complete compromise. Predicting whether or not that single bit logic will prove to be robust or fragile in actual deployed systems is an art form that designers are still learning. This is as much a social-political-economic-human issue as a technical one. I don't see what the big worry is about a CA being "compromised" by some government. It looks to me like many of the trusted roots installed by typical software are pseudo-governmental entities (e.g., post offices) in the first place. http://support.apple.com/kb/HT3580 > Below is a list of trusted root certificates which are pre-installed > with the iPhone 3.0 software. > Subject Name > Country Name : US > Organization Name : U.S. Government There's nothing subversive about that, it's totally out in the open. > if *ANY* CA we trust get compromised or mailicious, it is all > flawed. >From the perspective of the https server, that understates it a bit. Because the https server cannot independently prove the absence of a mitm, he must rely on the client to do a good job of this. Thus, the web server ends up transitively trusting _every_ trusted root cert in _every_ client which connects. Remember the README for PGP? Trusting a key is not the same as trusting the key's owner. Trust is not necessarily transferable; I have a friend who I trust not to lie. He's a gullible person who trusts the President not to lie. That doesn't mean I trust the President not to lie. This is just common sense. If I trust Alice's signature on a key, and Alice trusts Charlie's signature on a key, that does not imply that I have to trust Charlie's signature on a key. -- Philip Zimmerman Transitive trust in this case has brought about the near-complete failure of the original mission of PKI in ssl (allowing you to shop online). The only reason that the world isn't up-in-arms about it is that 59% of PCs are pwned by malware already, making the slightly more complicated mitm attack unnecessary. However, there are important uses of SSL/TLS other than end user web browsers. These are probably better off with just the minimal number of trusted roots on the clients. But if you're going to the trouble of reconfiguring your clients anyway, why not just set up your own private CA? IMHO, the $B+ certificate industry needs to work harder at improving their actual effective security value than it currently does if they want the world to continue fund their existence. > There is nothing we can do besides examining chain of trust manually > and watching for certificate changes. We could implement our protocols such that the remote peer is required to satisfy multiple chains of trust. When a chain is only as strong as its weakest link, it's best to have several of them (in a redundant configuration). > The TOFU technology described > there is quite obvious, i always wondered why ssh has it and browsers > do not. In theory, SSH's approach is inferior to SSL's PKI. In practice it's not inferior only to the extent that the user is good at scrutinizing the new keys he gets presented. If you want that behavior in a web browser, just delete all your trusted root certs and add a persistent explicit trust whenever you see a cert the first time. (I have tried this in Firefox) - Marsh
- Re: [TLS] fyi: paper on compelled, certificate cr… Yoav Nir
- [TLS] fyi: paper on compelled, certificate creati… =JeffH
- Re: [TLS] fyi: paper on compelled, certificate cr… Yoav Nir
- Re: [TLS] [certid] fyi: paper on compelled, certi… ArkanoiD
- Re: [TLS] [certid] fyi: paper on compelled, certi… Marsh Ray
- Re: [TLS] fyi: paper on compelled, certificate cr… Adam Langley
- Re: [TLS] [certid] fyi: paper on compelled, certi… Daniel Kahn Gillmor
- Re: [TLS] [certid] fyi: paper on compelled, certi… Ben Laurie
- Re: [TLS] [certid] fyi: paper on compelled, certi… ArkanoiD
- Re: [TLS] [certid] fyi: paper on compelled, certi… Story Henry
- Re: [TLS] [certid] fyi: paper on compelled, certi… Story Henry
- Re: [TLS] [certid] fyi: paper on compelled, certi… ArkanoiD