IETF Logo Mail Archive

Re: [Trans] Goals and generic mis-issuance fgramework

Santosh Chokhani <schokhani@cygnacom.com> Tue, 28 October 2014 02:09 UTC

Return-Path: <schokhani@cygnacom.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6F5F1A871D for <trans@ietfa.amsl.com>; Mon, 27 Oct 2014 19:09:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O2ily-QrZhp8 for <trans@ietfa.amsl.com>; Mon, 27 Oct 2014 19:09:44 -0700 (PDT)
Received: from ipedge2.cygnacom.com (ipedge2.cygnacom.com [216.191.252.27]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D7B91A6FBC for <trans@ietf.org>; Mon, 27 Oct 2014 19:09:41 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.04,800,1406606400"; d="scan'208,217";a="2493658"
Received: from unknown (HELO scygexch10.cygnacom.com) ([10.4.60.26]) by ipedge2.cygnacom.com with ESMTP; 27 Oct 2014 22:09:40 -0400
Received: from SCYGEXCH10.cygnacom.com ([::1]) by scygexch10.cygnacom.com ([::1]) with mapi id 14.03.0195.001; Mon, 27 Oct 2014 22:09:40 -0400
From: Santosh Chokhani <schokhani@cygnacom.com>
To: Rick Andrews <Rick_Andrews@symantec.com>, Russ Housley <housley@vigilsec.com>, Steve Kent <kent@bbn.com>
Thread-Topic: [Trans] Goals and generic mis-issuance fgramework
Thread-Index: AQHP5Ab2FAjCsOwr9kS2LsAemu1e1pw51z8AgAeOSQCAA4FJgP//90vg
Date: Tue, 28 Oct 2014 02:09:39 +0000
Message-ID: <4262AC0DB9856847A2D00EF817E81139243728@scygexch10.cygnacom.com>
References: <5436FC38.1070201@bbn.com> <544B0DD62A64C1448B2DA253C011414607D2BA8687@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM> <93CB5AEA-4672-48D1-8477-DF5DE3D143CE@vigilsec.com> <544B0DD62A64C1448B2DA253C011414607D375BE52@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM>
In-Reply-To: <544B0DD62A64C1448B2DA253C011414607D375BE52@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.60.24.66]
Content-Type: multipart/alternative; boundary="_000_4262AC0DB9856847A2D00EF817E81139243728scygexch10cygnaco_"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/5B23rTBLSj358-kLmx-favBDZyQ
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] Goals and generic mis-issuance fgramework
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Oct 2014 02:09:50 -0000

Relying parties relying on the checks made by log server may be problematic if both do not have the same trust store if the initialization variables are different.

My primary motivation in log doing checks is nip the problem in the bud and reduce the probability of relying parties having to decide on exceptions.  The relying parties still should validate the certification path.

From: Trans [mailto:trans-bounces@ietf.org] On Behalf Of Rick Andrews
Sent: Monday, October 27, 2014 6:33 PM
To: Russ Housley; Steve Kent
Cc: trans@ietf.org
Subject: Re: [Trans] Goals and generic mis-issuance fgramework

Russ, comments inline.

-Rick

From: Trans [mailto:trans-bounces@ietf.org] On Behalf Of Russ Housley
Sent: Saturday, October 25, 2014 10:01 AM
To: Rick Andrews; Steve Kent
Cc: trans@ietf.org<mailto:trans@ietf.org>
Subject: Re: [Trans] Goals and generic mis-issuance fgramework

Steve and Rick:


1. Certificate Transparency Goals and Mechanisms

The goals of Certificate Transparency (CT) are threefold: detection, deterrence, and enabling remediation of mis-issuance of certificates. The initial focus of CT is the Web PKI context, (The Web PKI context refers to the use of a set of Certification Authorities (CAs) that issue X.509 certificates to web servers to enable TLS-protected access by clients [cite WPKOPS?].) In the future, it is anticipated that addition *additional*operational contexts may be supported. As a result, mis-issuance is defined in an fashion that accommodates a range of types of certificates used in a range of contexts.

CT supports detection of mis-issuance using logs of certificates, populated by the CAs that issue them or by the Subjects of certificates. Monitors (described in Section X) are the primary elements of the CT system that check certificates for syntactic and semantic mis-issuance, on behalf of Subjects. A Monitor may be operated by a third party on behalf of Subjects, or may be operated by a Subject on its own behalf. (The latter is referred to as "self-monitoring".) Logs may optionally perform syntactic checks for some classes of certificates, but a log is not required to offer certificate checking.
The first sentence needs to be more broad, since anyone can send a cert to a log. But it's most likely to be the CAs or the Subjects, so I would suggest "CT supports detection of mis-issuance using logs of certificates, populated by the CAs that issue them, by the Subjects of certificates, or by anyone with knowledge of the entire certificate chain.".

Can't anyone build the certificate chain?  Since the logs are posting the supported trust anchors, anyone can build a chain for the end entity certificate.

[Rick] In most cases, yes. If someone has access to the server configured with that certificate, they can do a TLS handshake and get the chain in nearly all cases. We see some web servers that are missing the intermediate CA cert, and some browsers (IE, for example) will follow the AIA extension (if it's in the cert) and fetch the intermediate. Any client can do that too. But if the CA didn't put an AIA extension in the cert and you can't find a server with that cert, it might not be possible to find the intermediate CA cert. And without the intermediate (or intermediates!) the log won't accept it.

To enable Monitors (and, optionally, logs) to perform an appropriate set of checks, the (pre-) a CCID MUST be provided to a log when a certificate is submitted by a CA or Subject. This CCID MUST appear in the log entry and in the SCT generated by the log. By providing the CCID in logs and SCTs, both Monitors and clients are empowered to perform applicable checks based on the certificate class asserted by the CA or Subject.
Hmm... Since anyone can send a cert to a log, the first sentence must reflect that. But that makes me wonder what should happen if the "Reporter" (I don't want to introduce a new role) sends the wrong CCID? (By "wrong" I mean it's a valid CCID, but it's not the one that the CA would associate with the cert.) Or sends the cert multiple times with different CCIDs? I guess Monitors would have to expect multiple entries for a given certificate in a given log, with different CCIDs. I'm not sure if 6962-bis imposes any uniqueness constraint that this might violate.

Alternatively, a log could check to see if the reported certificate is already present, and if so, return the older entry to the party that reports the certificate.  I seem to recall reading this idea at some point, buy I admit I did not look into the current I-D to see if that was where i read it.
[Rick] RFC 6962 and bis-04 say "If the log has previously seen the certificate, it MAY return the same SCT as it returned before." But this would have to be expanded to say "If the log has previously seen the certificate and CCID, it MAY return the same SCT as it returned before." It's a bit more complex, since the log server may not support the CCID or any checking, in which cases it would always log the entry with CCID =1 that indicates "This log does not perform syntax checks", or CCID=2 that indicates "This log does not support syntax checks for the asserted CCID".


A log MUST generate a Syntax Verification Value (SVV) for the certificate, and include the SVV in the log entry and in the SCT.
The LVV *SVV* is *a* value specified by this document (see Section Z) that indicates whether or not the log performed applicable syntactic checks, and whether the (pre-) certificate passed of *or* failed the checks. Although it is anticipated that new certificate classes will arise over time, the set of log actions with respect to syntax checking appears to be well-defined and thus need not be represented in an IANA registry. Each SCT issued by a log MUST include an SVV.


Value Interpretation
0                 The CCID value was 0, so not *no* checks were performed
1                 This log does not perform syntax checks
2                 This log does not support syntax checks for the asserted CCID
3                 This log performed the syntax checks for the asserted CCID, and the certificate passed
4                 This log performed the syntax checks for the asserted CCID, and the certificate failed

No other SVV values are defined by this RFC.

If the log performs some validation checks, are you suggesting that a relying party can leverage the work already done by the log?  If so, it puts the log checking at a different place in the certificate validation than I was imagining.
[Rick] Yes, a relying party could leverage the work already done by the log server, if the RP trusted it. Google would probably advise against this, since they have been pretty consistent in saying that CT doesn't require you to trust anyone including the log server.

v2.23.0 | Report a Bug | By Email