Re: [Trans] defining "mis-issuance"
Stephen Kent <kent@bbn.com> Mon, 29 September 2014 14:50 UTC
Return-Path: <kent@bbn.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A59E91A8757 for <trans@ietfa.amsl.com>; Mon, 29 Sep 2014 07:50:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.986
X-Spam-Level:
X-Spam-Status: No, score=-4.986 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.786, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uG0uQKTz9hXl for <trans@ietfa.amsl.com>; Mon, 29 Sep 2014 07:50:18 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F2CF1A6FAD for <trans@ietf.org>; Mon, 29 Sep 2014 07:50:18 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15]:41368 helo=comsec.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1XYcHJ-0000Xz-3C for trans@ietf.org; Mon, 29 Sep 2014 10:50:17 -0400
Message-ID: <542971A7.7030700@bbn.com>
Date: Mon, 29 Sep 2014 10:50:15 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: "trans@ietf.org" <trans@ietf.org>
References: <542477E3.8070304@bbn.com> <544B0DD62A64C1448B2DA253C011414607D1628D70@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM>
In-Reply-To: <544B0DD62A64C1448B2DA253C011414607D1628D70@TUS1XCHEVSPIN33.SYMC.SYMANTEC.COM>
Content-Type: multipart/alternative; boundary="------------040306090403070606050203"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/IKbe9VosnIO8SGnaeShwmYqB0Q4
Subject: Re: [Trans] defining "mis-issuance"
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Sep 2014 14:50:21 -0000
Rick,
Thanks for taking the time to review my initial cut at an Appendix.
I have made changes to reflect all of the typos you noted.
> Also, although I like the idea of log servers rejecting
> syntactically-invalid certificates, that may create problems for CAs
> because the CABF requirements have changed over time and will likely
> change in the future. Any changes would have to be rolled out to log
> servers and browsers in time to prevent rejection of a valid certificate.
>
Your observation about the need to coordinate CABF requirements changes
with what log servers
would check gave me an idea. Why not have the add (pre-cert) chain to
log request specify
whether the cert being added is to be checked against DV or EV specs,
and note the version
of the DV/EV spec to be used? This would make it easy for the log to
know which set of
checks to employ. Since each log needs to advertise a set of data about
itself anyway
(e.g., what root CAs it supports), it could also advertise the set of
specs against which
it is prepared to check submissions. This way a CA or Subject would know
whether the log
was prepared to accept a chain for checking under the selected criteria.
Note that a Monitor
could not perform checks as easily, because it does not interact
directly with the entity
submitting the log request. I think that argues for logs performing
these checks.
>
> *A.2 Semantic Verification of a Certificate *
>
> Nonetheless, a Monitor can "protect" specific Subjects, based on
> reference data provided by these Subjects. A Monitor trying to
> determine that a certificate has been issued to the "right" Subject
> can do so using the certificate(s) issued to the Subject, as a
> reference. For example, if a Monitor is providing "protection" for a
> Subject, it requires the name of the Subject (as it appears in the
> Subject field or subjectAltName extension) and the public key
> associated with that Subject. Armed with this information, a Monitor
> can examine every log entry to determine if it contains the same
> Subject or SubjectAltName. If a log entry matches either of these
> names, and if it contain a different public key, this is evidence of
> mis-issuance.
>
> There's no requirement that a Subject be associated with a single
> public key. In some cases, web site owners generate a different key
> pair on each machine behind a load balancer, and apply for
> certificates with the same Subject name but different key.
>
> I'm not sure if you've captured the type of mis-issuance that CT was
> originally intended to detect: when a hacked, faulty or rogue CA
> issues a certificate to a Subject without the Subject's knowledge. The
> Monitor alone cannot detect that. It can report to the Subject that a
> certificate was logged for the Subject, but only the Subject can tell
> if that was a valid issuance or mis-issuance.
>
Your observation is correct; that's what I get for trying to write a
quick description of
the algorithm for this. Accommodating multiple keys per Subject is easy
to fix.
For example, if a Monitor is providing "protection" for a Subject,
it requires the name of the Subject (as it appears in the Subject
field or subjectAltName extension) and the public key(s) associated
with that Subject. Armed with this information, a Monitor can
examine every log entry to determine if it contains the same Subject
or SubjectAltName. If a log entry matches either of these names, and
if it contain a public key other that the one(s) provided by the
Subject, this is evidence of mis-issuance.
If the Subject provides a list of all o the keys associated with the
Subject, perhaps in the form
of certs issued to the Subject (and currently valid) this would enable a
Monitor to detect this form of mis-issuance, agreed?
A separate topic is issuance of a bogus cert for a Subject who doesn't
have a cert issued legitimately.
In this case there is no reference cert to present to a Monitor. It may
be hard for a Subject who
doesn't have a cert to convince a 3rd party Monitor to check for certs
issued to the Subject name
in question. Should we classify this as mis-issuance as well?
Steve
Steve
- [Trans] defining "mis-issuance" Stephen Kent
- Re: [Trans] defining "mis-issuance" Rick Andrews
- Re: [Trans] defining "mis-issuance" Santosh Chokhani
- Re: [Trans] defining "mis-issuance" Stephen Kent
- Re: [Trans] defining "mis-issuance" Stephen Kent
- Re: [Trans] defining "mis-issuance" Santosh Chokhani
- Re: [Trans] defining "mis-issuance" Rick Andrews
- Re: [Trans] defining "mis-issuance" Stephen Kent
- Re: [Trans] defining "mis-issuance" Rob Stradling
- Re: [Trans] defining "mis-issuance" Peter Bowen
- Re: [Trans] defining "mis-issuance" Rob Stradling
- Re: [Trans] defining "mis-issuance" Peter Bowen
- Re: [Trans] defining "mis-issuance" Stephen Kent
- Re: [Trans] defining "mis-issuance" Ben Laurie
- Re: [Trans] defining "mis-issuance" Stephen Kent
- Re: [Trans] defining "mis-issuance" Ben Laurie
- Re: [Trans] defining "mis-issuance" Stephen Kent