Re: [TLS] [Uta] OCSP in RFC7525bis
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 21 January 2022 03:30 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3310B3A16E3; Thu, 20 Jan 2022 19:30:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=BKGno7jj; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=w+i+YZ9P
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0tpC4rM0GTj3; Thu, 20 Jan 2022 19:30:49 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03C043A16E2; Thu, 20 Jan 2022 19:30:48 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1642735845; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=NuSbXP0pGMxqidRLEPNrWWtnKs0JudQhUwsJ3cDd2Xg=; b=BKGno7jjSSSztLRYo3dxRdCnbGK+zdOM0CcCsjyDp+hw8ZIsmI4GPnV22CfZaJe7CDkYz tfonvuZlHdoMd0iDw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1642735845; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=NuSbXP0pGMxqidRLEPNrWWtnKs0JudQhUwsJ3cDd2Xg=; b=w+i+YZ9PYfzRqrPK4fONbnhX9YE9VwFmHFH6cDSLrcrrmjSCvzhznoJGCJ6S9iqSfvJ+1 iFTl1B0S5/mcvIvNTOsJigfaj9A277Y3pPutvpbRzaBDcfH/EKycfNaNZGQ3StgekSD8sLp FxVPyXkAHIFxwfL3dhgULjkKxt1kFGJuXzvbR81wjJ3Eoy9afxvlOpXGOwinP9jpPex3A9l UA7pvgW4eZgqn5lYxBpjLU3cSZ+zqoP8Cg/BDrkgJHrKfQfIfuEGpmjJgL/vqB/nH+6KioD YncMT+ZDGT2oilMFEMKne5ZwNYaXtnrrxPWknoIep0hKDFOnd7/a9hbhx7dQ==
Received: from fifthhorseman.net (unknown [IPv6:2001:470:1f07:60d:841d:2bce:26c3:59c6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id D8838F9AC; Thu, 20 Jan 2022 22:30:45 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 391FF204CF; Thu, 20 Jan 2022 22:30:42 -0500 (EST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Yaron Sheffer <yaronf.ietf@gmail.com>, "uta@ietf.org" <uta@ietf.org>, "tls@ietf.org" <tls@ietf.org>
In-Reply-To: <8E44314F-58A4-8F46-951D-1DBD24B5361E@hxcore.ol>
References: <8E44314F-58A4-8F46-951D-1DBD24B5361E@hxcore.ol>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Thu, 20 Jan 2022 22:30:41 -0500
Message-ID: <87sfth934u.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/pqOASYLcyX1o5zBw4Ep78cDyj5w>
Subject: Re: [TLS] [Uta] OCSP in RFC7525bis
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Jan 2022 03:30:52 -0000
On Wed 2022-01-19 16:57:07 +0200, Yaron Sheffer wrote:
> * Add a SHOULD-level requirement (for TLS 1.3 implementations,
> possibly also TLS 1.2 implementations) to fail the handshake if the
> OCSP response is missing or invalid. (As far as we can tell, RFC 8446
> is silent on this.)
This sounds a lot like a "SHOULD BUT WE KNOW YOU WONT". Why would a
client deliberately fail a connection when the problem might be a flaw
with an unrelated network service or a client-specific routing failure?
I think we can definitely explicitly recommend:
A) clients MUST require valid stapled OCSP response when encountering a
certificate with "must staple" extension. (this is just following
the specs, but i don't think it's as widely supported as it should
be; maybe we need some public naming/shaming?)
I'm less sure about, but could be convinced of:
B) server operators SHOULD use certificates with "must staple"
extension.
Figuring out how to properly incentivize (B) is the hard part.
It looks a lot like the "you should adopt DNSSEC" argument. Most
sysadmins find that unconvincing, because they hear it as "your network
services need this additional point of failure".
Plus, adopting this for your own certificates only helps in the event of
secret key theft that the legit admin notices -- she can then respond by
revoking the key and trusting the OCSP responder to not issue valid OCSP
responses.
As Victor rightly points out, a more likely threat model today is that
the adversary spoofs your DNS or your routing, and uses that spoofing to
get one of the ACME providers (e.g., let's encrypt) to issue new
certificates entirely.
So the right set of fixes to defend against all these kinds of attacks
are:
- enable DNSSEC for your zone
- signal in your DNS (e.g. via CAA, RFC 8659) that you only want a
specific set of CAs to issue certificates in your zone (CAA doesn't
explicitly describe an option to require that the CA use must-staple,
but it looks like any CA could declare a CAA parameter that would
offer that guidance. for example:
https://github.com/letsencrypt/boulder/issues/5903)
- ensure that your account with those CAs requires must-staple (either
with your CA's preferred CAA parameter, or some other way)
- monitor CT logs for certificates that violate your CAA policy
This should close all the gaps that i can see, making the whole chain as
strong as your control over what gets signed by your zone's DNSSEC
signing key (and your CA's adherence to CAA policy, of course).
--dkg
- [TLS] OCSP in RFC7525bis Yaron Sheffer
- Re: [TLS] OCSP in RFC7525bis Hanno Böck
- Re: [TLS] OCSP in RFC7525bis Mohit Sahni
- Re: [TLS] [Uta] OCSP in RFC7525bis Salz, Rich
- Re: [TLS] [Uta] OCSP in RFC7525bis Nick Sullivan
- Re: [TLS] [Uta] OCSP in RFC7525bis Eric Rescorla
- Re: [TLS] [Uta] OCSP in RFC7525bis Viktor Dukhovni
- Re: [TLS] [EXTERNAL] Re: [Uta] OCSP in RFC7525bis Andrei Popov
- Re: [TLS] OCSP in RFC7525bis Hannes Tschofenig
- Re: [TLS] OCSP in RFC7525bis Hanno Böck
- Re: [TLS] OCSP in RFC7525bis Yaron Sheffer
- Re: [TLS] OCSP in RFC7525bis Ryan Sleevi
- Re: [TLS] [Uta] OCSP in RFC7525bis Daniel Kahn Gillmor
- Re: [TLS] [Uta] OCSP in RFC7525bis Ryan Sleevi
- Re: [TLS] [Uta] OCSP in RFC7525bis Daniel Kahn Gillmor
- Re: [TLS] [Uta] OCSP in RFC7525bis Salz, Rich
- Re: [TLS] [Uta] OCSP in RFC7525bis Daniel Kahn Gillmor
- Re: [TLS] [Uta] OCSP in RFC7525bis Viktor Dukhovni
- Re: [TLS] [Uta] OCSP in RFC7525bis Ryan Sleevi
- Re: [TLS] [Uta] OCSP in RFC7525bis Ryan Sleevi
- Re: [TLS] [Uta] OCSP in RFC7525bis Viktor Dukhovni
- Re: [TLS] [Uta] OCSP in RFC7525bis Eric Rescorla
- Re: [TLS] [Uta] OCSP in RFC7525bis Daniel Kahn Gillmor
- Re: [TLS] OCSP in RFC7525bis Hannes Tschofenig
- Re: [TLS] OCSP in RFC7525bis John Mattsson
- Re: [TLS] OCSP in RFC7525bis Daniel Kahn Gillmor
- Re: [TLS] [Uta] OCSP in RFC7525bis Ryan Sleevi
- Re: [TLS] [Uta] OCSP in RFC7525bis John Mattsson
- Re: [TLS] [Uta] OCSP in RFC7525bis Hubert Kario
- Re: [TLS] [Uta] OCSP in RFC7525bis Ryan Sleevi
- Re: [TLS] [Uta] OCSP in RFC7525bis Hubert Kario