[Trans] Proposal to modularize pre certificate transformation

Tarah Wheeler <Tarah_Wheeler@symantec.com> Wed, 22 March 2017 19:31 UTC

From: Tarah Wheeler <Tarah_Wheeler@symantec.com>
To: "trans@ietf.org" <trans@ietf.org>
Thread-Topic: Proposal to modularize pre certificate transformation
Thread-Index: AQHSo0LvLcFxGd4fV0CeqEQxJK1Smg==
Date: Wed, 22 Mar 2017 19:31:43 +0000
Message-ID: <D4F8495D.4F2D%tarah_wheeler@symantec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/Ud_W3KAlhgLi5U0kjvMwehmvlc0>
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>

Peter Bowen and I have been collaborating on a possible solution for certificate privacy. Thoughts?

++++++++++


Precertificate Transformation Extension



Many of the concerns around certificate privacy (the ability to keep some certificate fields private) stem from the fear that multiple final certificates could be generated for the same precertificate. This solution places a random key in the final certificate which can be matched against the hashed redacted information in the precertificate to demonstrate that the precertificate was unique. The precertificate contains a hash of the original information; without the key from the full certificate, the hash cannot be recomputed, and if the key does reproduce the hash (as a one-way function), the precertificate can be shown to be the one issued for the full certificate. This solves the difficult problem of ensuring that a given precertificate is the one that was indeed issued for the full certificate.


In order to give domain registrants options for which domain name labels are disclosed in precertificates, we propose a new certificate extension: Precertificate Transformation.  This extension is present in both the final certificate and the precertificate.  The extension specifies a transformation algorithm, general parameters for the algorithm, and a count of disclosed components per subject alternative name.



Two transformation algorithms are initially defined.  The basic algorithm is the one described in RFC 6962 and 6962-bis.  It has no parameters, and the disclosed-count component (sanPartialCount in the ASN.1 below) is not used.  This algorithm is the default.



The second is the partialhm256 algorithm.  It extends the basic algorithm by also transforming the subjectAlternativeName extension.  The transformation parameter is a 128-bit value used as the key K for HMAC (cf. RFC 2104) with H = SHA-256.  For each entry in the subjectAlternativeName extension, a corresponding entry must exist in the sanPartialCount sequence; entries are matched by position.  Let the disclosed components count for the entry in question be N.  If N is -1, the SAN entry is left unmodified.  If N is greater than or equal to zero, the following transformations apply:

(1) If the GeneralName type is neither dNSName nor iPAddress, the result is undefined and an error must be raised.

(2) If the GeneralName type is dNSName, the entry is replaced with an otherName entry of type id-ct-partialGN-dNSName.  Its value is built by copying the N labels closest to the root unchanged and prepending a single label formed from the remaining labels: calculate their HMAC-SHA256 value, hex encode it, and prefix it with '#'.  Note that a '*.' prefix on a name is not considered a label; it must be copied to the output as is.



For example, if the input is "*.beta.group.secret.demo.test" with key 0x4fa1cb4ce23db6e45caf727b0b1d85ed and the number of disclosed labels is 2, then the resulting name is "*.#4d240f70beb97f4c402984e94ac6e1c8351c89ff13e8a94dabfbc474ded4d3d4.demo.test".



(3) If the GeneralName type is iPAddress, the entry is replaced with an otherName entry of type id-ct-partialGN-iPAddress.  The value is an IA5String of the form <partial> + "|" + <hashed>.  For the hashed part, the address is first converted to a text string: dotted decimal with no leading zeroes for IPv4 addresses, and the format described in Section 4 of RFC 5952 for IPv6 addresses (Section 5 is not used in this case).  The HMAC-SHA256 value is calculated over this string as in (2), and <hashed> is the hex encoding of the result.  <partial> is formed by setting all bits other than the N most significant bits to zero and then converting the result to a string as described above.



For example, if the input is "198.51.100.47" with key 0x4fa1cb4ce23db6e45caf727b0b1d85ed and the disclosed count N is 27, then the resulting name is "198.51.100.32|8e38c51f339de29c05e543a099ba76468367043d5bc167c801ae0330a648925d".



In the precertificate, the transformation parameter (transformationParms) is set to a zero-length bit string.



If the subject contains a commonName attribute whose value matches a dNSName in the SAN, and the precertificate contains a partialGN otherName in place of that SAN entry, then the commonName attribute is replaced with an attribute of type id-ct-partialGN-replacedCN whose value is that otherName value.



This algorithm gives the recipient of a full certificate the ability to deterministically re-create the precertificate.  It also ensures that the precertificate can reasonably match only one full certificate.
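The partialhm256 transformation from steps (1) to (3), together with the verifier-side check described above, as an added Python example (not code from the proposal or its authors); the key is the example key quoted in the text. One detail the text leaves open is the exact byte string fed to the HMAC for a dNSName, so this example assumes the hidden labels joined with dots and no trailing dot, and its hex output may therefore differ from the example values quoted above.

```python
import hashlib
import hmac
import ipaddress

# 128-bit HMAC key K from the proposal's worked examples (example value).
KEY = bytes.fromhex("4fa1cb4ce23db6e45caf727b0b1d85ed")

def _mac_hex(key: bytes, text: str) -> str:
    # HMAC (RFC 2104) with H = SHA-256 over the ASCII form of text, hex encoded.
    return hmac.new(key, text.encode("ascii"), hashlib.sha256).hexdigest()

def partial_dns_name(name: str, key: bytes, n: int) -> str:
    """Step (2): disclose the n labels closest to the root, hash the rest."""
    if n == -1:
        return name                        # -1: entry left unmodified
    wildcard = name.startswith("*.")       # '*.' is not a label; copied as is
    labels = (name[2:] if wildcard else name).split(".")
    if n >= len(labels):
        raise ValueError("N covers every label; nothing left to hash")
    hidden, shown = labels[: len(labels) - n], labels[len(labels) - n :]
    # Assumption: the hidden labels are HMAC'd as one dot-joined string.
    hashed = "#" + _mac_hex(key, ".".join(hidden))
    out = ".".join([hashed] + shown)
    return "*." + out if wildcard else out

def partial_ip_address(addr: str, key: bytes, n: int) -> str:
    """Step (3): <partial> + '|' + <hashed>, keeping the n most significant bits."""
    if n == -1:
        return addr
    ip = ipaddress.ip_address(addr)        # str(ip): dotted decimal / RFC 5952 s.4
    if not 0 <= n <= ip.max_prefixlen:
        raise ValueError("N must lie between 0 and the address length in bits")
    hashed = _mac_hex(key, str(ip))
    mask = ((1 << n) - 1) << (ip.max_prefixlen - n)
    partial = type(ip)(int(ip) & mask)     # keep the address family of the input
    return f"{partial}|{hashed}"

def precert_matches(full_san, precert_san, key: bytes, counts) -> bool:
    """Verifier: recompute the precert SAN from the full cert's SAN and compare."""
    if not len(full_san) == len(precert_san) == len(counts):
        return False
    fn = {"dNSName": partial_dns_name, "iPAddress": partial_ip_address}
    for (kind, value), expected, n in zip(full_san, precert_san, counts):
        if n != -1 and kind not in fn:
            return False                   # step (1): other types are an error
        got = value if n == -1 else fn[kind](value, key, n)
        if not hmac.compare_digest(got, expected):
            return False
    return True
```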



id-ct-precertificateTransformation OBJECT IDENTIFIER ::= {1 3 187 97 1}

id-ct-partialGN OBJECT IDENTIFIER ::= {1 3 187 97 10}
id-ct-partialGN-dNSName OBJECT IDENTIFIER ::= {id-ct-partialGN 2}      -- type IA5String
id-ct-partialGN-iPAddress OBJECT IDENTIFIER ::= {id-ct-partialGN 7}    -- type IA5String
id-ct-partialGN-replacedCN OBJECT IDENTIFIER ::= {id-ct-partialGN 127} -- type IA5String

id-ct-taAlgorithm OBJECT IDENTIFIER ::= {1 3 187 97 20}
id-ct-taAlgorithm-basic OBJECT IDENTIFIER ::= {id-ct-taAlgorithm 1}
id-ct-taAlgorithm-partialhm256 OBJECT IDENTIFIER ::= {id-ct-taAlgorithm 2}

precertificateTransformation EXTENSION ::= {
  SYNTAX PrecertificateTransformation
  IDENTIFIED BY id-ct-precertificateTransformation
}

PrecertificateTransformation ::= SEQUENCE {
  transformationAlgorithm TransformationAlgorithm DEFAULT id-ct-taAlgorithm-basic,
  transformationParms TransformationParms OPTIONAL,
  sanPartialCount SEQUENCE SIZE (1..MAX) OF NamePartialCount OPTIONAL
}

TransformationAlgorithm ::= OBJECT IDENTIFIER

-- For partialhm256 this carries a BIT STRING: the 128-bit HMAC key in the
-- final certificate, and a zero-length bit string in the precertificate.
TransformationParms ::= ANY

-- One entry per SAN GeneralName, matched by position; -1 leaves the entry unmodified.
NamePartialCount ::= INTEGER (-1..127)






--
Tarah M. Wheeler

Principal Security Advocate and Sr Director of Engineering - Website Security -
Delivering Confidence for Customers and Consumers by Securing Websites and Applications
Symantec Corporation
www.symantec.com
________________________________
(206) 276-4920
tarah@symantec.com