Re: [TLS] [tls13-spec] relax certificate_list ordering requirements to match current practice (#169)

mrex@sap.com (Martin Rex) Wed, 13 May 2015 18:12 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F2891ACD7B for <tls@ietfa.amsl.com>; Wed, 13 May 2015 11:12:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.951
X-Spam-Level:
X-Spam-Status: No, score=-5.951 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, J_CHICKENPOX_31=0.6, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2T8zo1dHQWDE for <tls@ietfa.amsl.com>; Wed, 13 May 2015 11:12:22 -0700 (PDT)
Received: from smtpde02.smtp.sap-ag.de (smtpde02.smtp.sap-ag.de [155.56.68.140]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B7331ACD86 for <tls@ietf.org>; Wed, 13 May 2015 11:12:15 -0700 (PDT)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde02.smtp.sap-ag.de (Postfix) with ESMTPS id 96A74446B2; Wed, 13 May 2015 20:12:13 +0200 (CEST)
X-purgate-ID: 152705::1431540733-00005316-29E8C384/0/0
X-purgate-size: 1336
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 7496C421EA; Wed, 13 May 2015 20:12:13 +0200 (CEST)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 690401B2F3; Wed, 13 May 2015 20:12:13 +0200 (CEST)
In-Reply-To: <A052A1F5-C178-4187-ADC9-11D2AE0E69A0@gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Date: Wed, 13 May 2015 20:12:13 +0200 (CEST)
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20150513181213.690401B2F3@ld9781.wdf.sap.corp>
From: mrex@sap.com (Martin Rex)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/qwn9eG3TEcU0lZuDwri7SWSLeIM>
Cc: "TLS@ietf.org \(tls@ietf.org\)" <tls@ietf.org>
Subject: Re: [TLS] [tls13-spec] relax certificate_list ordering requirements to match current practice (#169)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 May 2015 18:12:24 -0000

Yoav Nir wrote:
> 
>> Brian Smith <brian@briansmith.org> wrote:
>> 
>> When you fetch CRLs or OCSP responses, you are using a URL that has been
>> authenticated by a trusted issuer, assuming you do revocation checking
>> from the root to the end-entity, which is the safer way of doing it.
>> Whereas, in AIA cert fetching you are making a request to an
>> unauthenticated URL. That is quite a big difference, because it is
>> much harder to get a CA to sign a certificate with your chosen OCSP URL
>> than it is to just forge your own certificate with whatever
>> AIA caIssuers URL you want to have.
>>   [...]
>> Consequently, we shouldn't accept AIA cert fetching as good or even
>> reasonable behavior based on analogies to revocation information fetching.
> 
> I see. I understand the difference, I just don?t think it matters.
>   [...]
> I agree that this increases the attack surface, but what kinds of
> attacks are we talking about?


In the TLS WG, we do not need to defer PKIX specifications for dangerous
behaviour, because such behaviour was already proposed in the very first
TLS extensions document (rfc3546), and equipped with security considerations
that give a glimpse at the attackers vast possibilities from such a facility.

https://tools.ietf.org/html/rfc3546#section-6.3


-Martin