IETF Logo Mail Archive

Re: [TLS] Root certificates in server certificate chains

"Blumenthal, Uri - 0668 - MITLL" <uri@ll.mit.edu> Wed, 01 September 2010 03:05 UTC

Return-Path: <prvs=68602c451d=uri@ll.mit.edu>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 341B33A6A0B for <tls@core3.amsl.com>; Tue, 31 Aug 2010 20:05:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.246
X-Spam-Level:
X-Spam-Status: No, score=-6.246 tagged_above=-999 required=5 tests=[AWL=0.352, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HOZSBLgYPpmv for <tls@core3.amsl.com>; Tue, 31 Aug 2010 20:05:20 -0700 (PDT)
Received: from mx1.ll.mit.edu (MX1.LL.MIT.EDU [129.55.12.45]) by core3.amsl.com (Postfix) with ESMTP id B8E963A69FA for <tls@ietf.org>; Tue, 31 Aug 2010 20:05:20 -0700 (PDT)
Received: from LLE2K7-HUB01.mitll.ad.local (LLE2K7-HUB01.mitll.ad.local) by mx1.ll.mit.edu (unknown) with ESMTP id o8135lCW012346; Tue, 31 Aug 2010 23:05:47 -0400
From: "Blumenthal, Uri - 0668 - MITLL" <uri@ll.mit.edu>
To: "'marsh@extendedsubset.com'" <marsh@extendedsubset.com>
Date: Tue, 31 Aug 2010 23:05:49 -0400
Thread-Topic: [TLS] Root certificates in server certificate chains
Thread-Index: ActJf1bsYRVC2OaGQN2oQmPcZIRJ+gAAyOFb
In-Reply-To: <4C7DBD9B.5060009@extendedsubset.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.0.10011, 1.0.148, 0.0.0000 definitions=2010-09-01_01:2010-09-01, 2010-09-01, 1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 ipscore=0 phishscore=0 bulkscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx engine=5.0.0-1005130000 definitions=main-1008310189
Message-Id: <20100901030520.B8E963A69FA@core3.amsl.com>
Cc: "'tls@ietf.org'" <tls@ietf.org>
Subject: Re: [TLS] Root certificates in server certificate chains
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Sep 2010 03:05:22 -0000

Probability (greater than 1/2^80) comes into play when you need to make a decision based on incomplete information - and responses like "call back when you have your form DD-xxxx and token YYY in hand, until then take a hike" are not acceptable.

Re. How can an unattended system know - by the virtue and power of flexible dynamic and complex policy that takes these aspects into consideration. The required complexity of such policies is one reason they now exist mostly in theory. I personally think such complex policies are inevitable, but their time (and our ability to deal with them) hasn't come yet. In fact we still have problems with simplistic policies. 

We can discuss home-grown CA offline if you wish. 

--
Regards,
Uri

----- Original Message -----
From: Marsh Ray [mailto:marsh@extendedsubset.com]
Sent: Tuesday, August 31, 2010 10:42 PM
To: Blumenthal, Uri - 0668 - MITLL
Cc: 'tls@ietf.org' <tls@ietf.org>
Subject: Re: [TLS] Root certificates in server certificate chains

On 08/31/2010 09:15 PM, Blumenthal, Uri - 0668 - MITLL wrote:
> Sending root cert makes sense for Trust model based on computed
> probabilities - which does not exist today except in research
> papers.

IMHO introducing into a secure protocol discussion any probability 
greater than about 1/2^80 represents a dangerous logical fallacy.

Attacks are not statistical like meteor strikes and earthquakes.

Attackers are real smart people in practice. The attacker controls many 
of the variables of your system and likely is is more comfortable 
operating in its corner cases and failure modes than the legitimate 
parties are.

> The idea is - you verify as much as practical, and decide how much
> you trust the requester regarding his request.

How does that work for unattended systems that need to authenticate one 
another? How does can the system possibly know how many dependencies 
will be built upon the secure authenticated channel it establishes? Can 
the designer know this? Can even the user?

> E.g. consider two questions: "can I use your phone?" and "can I use
> your car?"

Either one could be used to rob a bank or make a drug deal and I could 
end up answering some difficult questions from the police. In practice, 
I am required by law to insure the car because eventual disaster is a 
near statistical certainty. Also in practice, big-time crime is 
committed over phones.

> Oh, and the current trust model has little room for root cert as a
> part of the transmitted chain. Although - a home-grown CA, a bunch of
> pals establishing a  TLS-protected Web chat site...? No need to get
> VeriSign involved... Why not?

Because everyone who accepts the home-grown CA becomes silently 
vulnerable to having their online banking credentials stolen when it 
turns out that the home-grown CA wasn't being professionally maintained 
after all:

http://www.google.com/search?hl=en&q=%22begin+rsa+private+key%22+site%3Apastebin.com

- Marsh

v2.23.0 | Report a Bug | By Email