Re: [Trans] can CT defend against dual CA compromise?
Rob Stradling <rob.stradling@comodo.com> Tue, 23 February 2016 10:44 UTC
Return-Path: <rob.stradling@comodo.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 281051B3E99 for <trans@ietfa.amsl.com>; Tue, 23 Feb 2016 02:44:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sepuBOOIiM58 for <trans@ietfa.amsl.com>; Tue, 23 Feb 2016 02:44:08 -0800 (PST)
Received: from mmextmx1.mcr.colo.comodoca.net (mmextmx1.mcr.colo.comodoca.net [IPv6:2a02:1788:402:c00::c0a8:9cd5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 229B11B3E89 for <trans@ietf.org>; Tue, 23 Feb 2016 02:44:07 -0800 (PST)
Received: (qmail 543 invoked by uid 1004); 23 Feb 2016 10:44:05 -0000
Received: from ian.brad.office.comodo.net (HELO ian.brad.office.comodo.net) (192.168.0.202) by mmextmx1.mcr.colo.comodoca.net (qpsmtpd/0.84) with ESMTP; Tue, 23 Feb 2016 10:44:05 +0000
Received: (qmail 6999 invoked by uid 1000); 23 Feb 2016 10:44:05 -0000
Received: from and0004.comodo.net (HELO [192.168.0.58]) (192.168.0.58) (smtp-auth username rob, mechanism plain) by ian.brad.office.comodo.net (qpsmtpd/0.40) with (AES128-SHA encrypted) ESMTPSA; Tue, 23 Feb 2016 10:44:05 +0000
To: Tom Ritter <tom@ritter.vg>
References: <87io1i3gqw.fsf@alice.fifthhorseman.net> <CABrd9SQh5B8E8phCvgLdUntKBu=u4p2iUHJ7ZrjqMwz8edwLHA@mail.gmail.com> <56CAF5B2.30207@comodo.com> <CA+cU71m7akWkLFPiTVOShuTBHLVWfA+Byw2vXF-AZtH0Byik5A@mail.gmail.com>
From: Rob Stradling <rob.stradling@comodo.com>
Message-ID: <56CC373C.30201@comodo.com>
Date: Tue, 23 Feb 2016 10:41:00 +0000
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
MIME-Version: 1.0
In-Reply-To: <CA+cU71m7akWkLFPiTVOShuTBHLVWfA+Byw2vXF-AZtH0Byik5A@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/trans/RCT7Qpc52DaucKo-lpm_iuieW_k>
Cc: Ben Laurie <benl@google.com>, "trans@ietf.org" <trans@ietf.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Subject: Re: [Trans] can CT defend against dual CA compromise?
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2016 10:44:11 -0000
On 23/02/16 06:03, Tom Ritter wrote: <snip> >> [Rob] >> I think that blacklisting the shared issuer public key would be better than >> blacklisting the shared issuer name. > > At first glance, I agree - but there is that annoying trick where you > can generate multiple (or at least two) public keys that all certify > the same signature. So I'm not sure this would actually work. SCTs in 6962-bis already contain the issuer_key_hash (which is the DER encoding of the issuer's SubjectPublicKeyInfo). Is that enough to defeat your trick key attack? Hmmm, I wonder if we need to add issuer_key_hash to inclusion proofs as well (i.e. the InclusionProofDataV2 struct) ? >> [Rob] >> AIUI, MS CryptoAPI prefers to build certificate chains using the >> Authority/Subject Key Identifiers, and it only cares about whether or not >> the Issuer/Subject Names match if AKI/SKI are absent. > > AKI would _not_ match on these trick public keys, but presumably the > algorithm would fall back to the Issuer name...? For Win2K and WinXP, it appears that it only attempts name matching if the AKI extension is absent. "If there is no information in the AKI, or the AKI does not exist in the certificate being evaluated, a certificate whose subject name matches the evaluated certificate's issuer name will be chosen. This selection method is known as a name match." https://technet.microsoft.com/en-us/library/cc700843.aspx I can't find any more recent documentation. :-( <snip> >> [Rob] >> - say that TLS clients SHOULD fetch and verify inclusion proofs for all >> intermediate certs that they rely on. > > I'm nervous about this. Why so? I wasn't suggesting a "MUST". ;-) -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online
- [Trans] can CT defend against dual CA compromise? Daniel Kahn Gillmor
- Re: [Trans] can CT defend against dual CA comprom… Ben Laurie
- Re: [Trans] can CT defend against dual CA comprom… Rob Stradling
- Re: [Trans] can CT defend against dual CA comprom… Tom Ritter
- Re: [Trans] can CT defend against dual CA comprom… Rob Stradling
- Re: [Trans] can CT defend against dual CA comprom… Ben Laurie
- Re: [Trans] can CT defend against dual CA comprom… Daniel Kahn Gillmor
- Re: [Trans] can CT defend against dual CA comprom… Rob Stradling
- Re: [Trans] can CT defend against dual CA comprom… Ben Laurie
- Re: [Trans] can CT defend against dual CA comprom… Tom Ritter
- Re: [Trans] can CT defend against dual CA comprom… Tom Ritter
- Re: [Trans] can CT defend against dual CA comprom… Ben Laurie
- Re: [Trans] can CT defend against dual CA comprom… Daniel Kahn Gillmor