Re: [Trans] defining "mis-issuance"
Stephen Kent <kent@bbn.com> Mon, 29 September 2014 14:50 UTC
Return-Path: <kent@bbn.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A59E91A8757 for <trans@ietfa.amsl.com>; Mon, 29 Sep 2014 07:50:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.986
X-Spam-Level:
X-Spam-Status: No, score=-4.986 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.786, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uG0uQKTz9hXl for <trans@ietfa.amsl.com>; Mon, 29 Sep 2014 07:50:18 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F2CF1A6FAD for <trans@ietf.org>; Mon, 29 Sep 2014 07:50:18 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15]:41368 helo=comsec.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1XYcHJ-0000Xz-3C for trans@ietf.org; Mon, 29 Sep 2014 10:50:17 -0400
Message-ID: <542971A7.7030700@bbn.com>
Date: Mon, 29 Sep 2014 10:50:15 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: "trans@ietf.org" <trans@ietf.org>
References: <542477E3.8070304@bbn.com> <544B0DD62A64C1448B2DA253C011414607D1628D70@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM>
In-Reply-To: <544B0DD62A64C1448B2DA253C011414607D1628D70@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM>
Content-Type: multipart/alternative; boundary="------------040306090403070606050203"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/IKbe9VosnIO8SGnaeShwmYqB0Q4
Subject: Re: [Trans] defining "mis-issuance"
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Sep 2014 14:50:21 -0000
Rick, Thanks for taking the time to review my initial cut at an Appendix. I have made changes to reflect all of the typos you noted. > Also, although I like the idea of log servers rejecting > syntactically-invalid certificates, that may create problems for CAs > because the CABF requirements have changed over time and will likely > change in the future. Any changes would have to be rolled out to log > servers and browsers in time to prevent rejection of a valid certificate. > Your observation about the need to coordinate CABF requirements changes with what log servers would check gave me an idea. Why not have the add (pre-cert) chain to log request specify whether the cert being added is to be checked against DV or EV specs, and note the version of the DV/EV spec to be used? This would make it easy for the log to know which set of checks to employ. Since each log needs to advertise a set of data about itself anyway (e.g., what root CAs it supports), it could also advertise the set of specs against which it is prepared to check submissions. This way a CA or Subject would know whether the log was prepared to accept a chain for checking under the selected criteria. Note that a Monitor could not perform checks as easily, because it does not interact directly with the entity submitting the log request. I think that argues for logs performing these checks. > > *A.2 Semantic Verification of a Certificate * > > Nonetheless, a Monitor can "protect" specific Subjects, based on > reference data provided by these Subjects. A Monitor trying to > determine that a certificate has been issued to the "right" Subject > can do so using the certificate(s) issued to the Subject, as a > reference. For example, if a Monitor is providing "protection" for a > Subject, it requires the name of the Subject (as it appears in the > Subject field or subjectAltName extension) and the public key > associated with that Subject. Armed with this information, a Monitor > can examine every log entry to determine if it contains the same > Subject or SubjectAltName. If a log entry matches either of these > names, and if it contain a different public key, this is evidence of > mis-issuance. > > There's no requirement that a Subject be associated with a single > public key. In some cases, web site owners generate a different key > pair on each machine behind a load balancer, and apply for > certificates with the same Subject name but different key. > > I'm not sure if you've captured the type of mis-issuance that CT was > originally intended to detect: when a hacked, faulty or rogue CA > issues a certificate to a Subject without the Subject's knowledge. The > Monitor alone cannot detect that. It can report to the Subject that a > certificate was logged for the Subject, but only the Subject can tell > if that was a valid issuance or mis-issuance. > Your observation is correct; that's what I get for trying to write a quick description of the algorithm for this. Accommodating multiple keys per Subject is easy to fix. For example, if a Monitor is providing "protection" for a Subject, it requires the name of the Subject (as it appears in the Subject field or subjectAltName extension) and the public key(s) associated with that Subject. Armed with this information, a Monitor can examine every log entry to determine if it contains the same Subject or SubjectAltName. If a log entry matches either of these names, and if it contain a public key other that the one(s) provided by the Subject, this is evidence of mis-issuance. If the Subject provides a list of all o the keys associated with the Subject, perhaps in the form of certs issued to the Subject (and currently valid) this would enable a Monitor to detect this form of mis-issuance, agreed? A separate topic is issuance of a bogus cert for a Subject who doesn't have a cert issued legitimately. In this case there is no reference cert to present to a Monitor. It may be hard for a Subject who doesn't have a cert to convince a 3rd party Monitor to check for certs issued to the Subject name in question. Should we classify this as mis-issuance as well? Steve Steve
- [Trans] defining "mis-issuance" Stephen Kent
- Re: [Trans] defining "mis-issuance" Rick Andrews
- Re: [Trans] defining "mis-issuance" Santosh Chokhani
- Re: [Trans] defining "mis-issuance" Stephen Kent
- Re: [Trans] defining "mis-issuance" Stephen Kent
- Re: [Trans] defining "mis-issuance" Santosh Chokhani
- Re: [Trans] defining "mis-issuance" Rick Andrews
- Re: [Trans] defining "mis-issuance" Stephen Kent
- Re: [Trans] defining "mis-issuance" Rob Stradling
- Re: [Trans] defining "mis-issuance" Peter Bowen
- Re: [Trans] defining "mis-issuance" Rob Stradling
- Re: [Trans] defining "mis-issuance" Peter Bowen
- Re: [Trans] defining "mis-issuance" Stephen Kent
- Re: [Trans] defining "mis-issuance" Ben Laurie
- Re: [Trans] defining "mis-issuance" Stephen Kent
- Re: [Trans] defining "mis-issuance" Ben Laurie
- Re: [Trans] defining "mis-issuance" Stephen Kent