[Trans] Mutability of Certificate Signatures
Andrew Ayer <agwa@andrewayer.name> Mon, 29 May 2017 02:10 UTC
Return-Path: <agwa@andrewayer.name>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 587AD127419 for <trans@ietfa.amsl.com>; Sun, 28 May 2017 19:10:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.698
X-Spam-Level:
X-Spam-Status: No, score=0.698 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andrewayer.name
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gxAE-vYUg-KQ for <trans@ietfa.amsl.com>; Sun, 28 May 2017 19:10:31 -0700 (PDT)
Received: from alcazar.beanwood.com (alcazar.beanwood.com [IPv6:2600:3c00:e000:6c::1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9014127078 for <trans@ietf.org>; Sun, 28 May 2017 19:10:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=andrewayer.name; s=beanwood20160511; t=1496023830; bh=iWp43rtHfNvUhL/YfUSUHOwLq4jm1SUrNqmMqIU/QZ0=; h=Date:From:To:Subject; b=ZTWBGn4FuSVM5WkRXbmmyEfQ9wq7tdDJulT9BleiLsyyzgiuDHDqEgYYQ36rUO4ci 91y9FVpCarBPht0dwG+weqvFuLqOWbH+hjklgmP42xOrawn6x4CL3gX76mYa44DeQw 7xQ9e0yFnZm/Mer1hFrFz2TwQtMkZLdZNeYJk1/s00bzSjd4bO+mFAQ6HY+W+SgJ/c JJer7uN4mZqKIvcnC5c9NhKkjJZa3RSNO/1DIsZqKUa6rXACwW3ptvUCDzQS3386p3 ZTpsI5rbNr6j9OkgJcFEG2Qzc6hpVV21KQb77TPmewxO7cc88THfS60NM4mx8tG0p9 gCyfuKpzh4Vuw==
Date: Sun, 28 May 2017 19:10:28 -0700
From: Andrew Ayer <agwa@andrewayer.name>
To: trans@ietf.org
Message-Id: <20170528191028.20f285073eea33a3f23b6b5a@andrewayer.name>
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/FWJW8412WuF7iLTUaLnjuePSq2o>
Subject: [Trans] Mutability of Certificate Signatures
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 May 2017 02:10:32 -0000
In RFC6962-bis, the input to the Merkle Tree leaf hash includes the TBSCertificate and the hash of the issuer key. The certificate signature is not included in the leaf hash. Consequentially, it is possible for a log to alter or remove the signature without violating the append-only property of the log. The tree's root hash would remain the same, and the log could still produce valid inclusion proofs for the corresponding SCT. This enables the following attack: if a misissued certificate is included in a log, an attacker could compromise or collude with the log operator to alter or remove the certificate's signature. Then the log no longer contains cryptographic proof that the CA misissued the certificate. The CA indicated by issuer_key_hash could plausibly claim that it didn't issue the certificate. Meanwhile, the log operator could claim the invalid signature came from a submitter, and blame its presence on a bug in the log's certificate acceptance code, something which has already happened with two RFC6962 logs and was not considered sufficiently bad by Chrome to warrant distrust[1]. Note that this problem also exists in RFC6962 with pre-certificates, but not with certificates as the Merkle Tree leaf hash includes the full certificate. This could be fixed without changing the protocol by adding language that says that if a log cannot produce a full (pre-)certificate with a valid signature that matches the TBSCertificate and issuer_key_hash in the Merkle Tree leaf, then it must be considered misbehavior equivalent to violating the append-only property. However, it seems unfortunate that we can't simply rely on the Merkle Tree to ensure the immutability of crucial data - that is the whole point of a Merkle Tree, after all. Auditors would need to perform an additional, complicated step. Furthermore, if a log has a legitimate bug that causes certificates with invalid signatures to be accepted by accident, the log would have to be distrusted. Unfortunately, we can't simply include a whole pre-certificate in the Merkle Tree leaf hash, as it is impossible to reconstruct from the final certificate. (We could put the pre-certificate signature in an extension in the final certificate, but that seems undesirable.) Any thoughts? Since this is a correctness issue, I think it needs a resolution before RFC6962-bis is finalized. Regards, Andrew [1] https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/Itoq0YUZTlA
- [Trans] Mutability of Certificate Signatures Andrew Ayer
- Re: [Trans] Mutability of Certificate Signatures Eran Messeri
- Re: [Trans] Mutability of Certificate Signatures Andrew Ayer
- Re: [Trans] Mutability of Certificate Signatures Eran Messeri
- Re: [Trans] Mutability of Certificate Signatures Andrew Ayer
- Re: [Trans] Mutability of Certificate Signatures Rob Stradling
- Re: [Trans] Mutability of Certificate Signatures Andrew Ayer
- Re: [Trans] Mutability of Certificate Signatures Eran Messeri
- Re: [Trans] Mutability of Certificate Signatures Andrew Ayer
- Re: [Trans] Mutability of Certificate Signatures Rob Stradling