Re: [Trans] Proving certificate freshness
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 01 October 2014 13:46 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 508101A8A60 for <trans@ietfa.amsl.com>; Wed, 1 Oct 2014 06:46:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.4
X-Spam-Level: *
X-Spam-Status: No, score=1.4 tagged_above=-999 required=5 tests=[BAYES_50=0.8, J_CHICKENPOX_34=0.6] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Uhk7Gzu6nlXp for <trans@ietfa.amsl.com>; Wed, 1 Oct 2014 06:45:59 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 292E01A1A06 for <trans@ietf.org>; Wed, 1 Oct 2014 06:45:59 -0700 (PDT)
Received: from [10.70.10.54] (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 11F42F984 for <trans@ietf.org>; Wed, 1 Oct 2014 09:45:55 -0400 (EDT)
Message-ID: <542C0587.3080702@fifthhorseman.net>
Date: Wed, 01 Oct 2014 09:45:43 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Icedove/32.0
MIME-Version: 1.0
To: "trans@ietf.org" <trans@ietf.org>
References: <CAA7UWsXpTzMgrDNo73cB5U_Q3wS2xDsGpws-4njXqEDJm-TG3A@mail.gmail.com>
In-Reply-To: <CAA7UWsXpTzMgrDNo73cB5U_Q3wS2xDsGpws-4njXqEDJm-TG3A@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="iWdL78tc0plxvjdCBseBXBrGfSugk6Q1a"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/bD-63lXAeoVvhICfgJFNEFjuPbw
Subject: Re: [Trans] Proving certificate freshness
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Oct 2014 13:46:00 -0000
On 09/30/2014 11:56 PM, David Leon Gil wrote:
> Something that is rather difficult to prove, at present, is that a
> certificate has been used after it has expired or been revoked.
To be clear, this is a concern because it's otherwise possible to claim
abuse of a revoked/expired cert without being able to substantiate the
claim.
That makes reports of cert misuse less trustworthy, which makes it
harder to act on them.
However, CT is designed to detect (and hopefully deter) misissuance, not
misuse. Is this scope creep?
How would a certificate holder act on a report of misuse of a
revoked/expired certificate? clearly, revoking the certificate isn't
sufficient :) Maybe such a proof could be used to get browsers to push
the key into their internal blocklist instead of relying on our existing
flawed network-based revocation mechanisms?
Would we want to do anything else besides "revoke harder" upon proof of
certificate/secret-key misuse?
> If servers were required to include a signature over a recent STH (or
> STH+OCSP staple) along with their SCT, this would provide an easy way
> of showing that a *server* was behaving incorrectly.
I think you're talking specifically about the end-entity doing this, and
not any of the CAs in the CA chain. My comments below are based on that
assumption.
> E.g., as a TLS extension:
>
> struct {
> STH;
> sign(SignedCertificateTimestamp || OCSP || STH);
> } FreshnessProof;
Are your || symbols here "or"s or concatenation operators?
> This seems rather better than signing a timestamp; the STH isn't
> predictable without a colluding log, so it isn't possible to
> "accidentally" sign a future time.
I agree that signing a recent STH or OCSP response is better than
signing a raw timestamp on its own. Is there a reason that this needs
to be an STH, though? Put another way, should this be discussed on the
tls@ietf.org instead of trans@ietf.org?
If a certificate is required to staple a recent-enough OCSP response
(e.g. via one of the proposed "must-staple" x.509v3 extensions), and it
is expired/revoked, no OCSP response is available. Presumably, clients
would simply not accept connections from a host offering such a certificate.
So what does this signature add?
Performance-wise, at worst it's an additional secret key operation per
TLS handshake, but the same signature could be cached and reused until
the next scheduled OCSP or STH fetch, which should be minimal.
--dkg
- [Trans] Proving certificate freshness David Leon Gil
- Re: [Trans] Proving certificate freshness Daniel Kahn Gillmor
- Re: [Trans] Proving certificate freshness Ben Laurie
- Re: [Trans] Proving certificate freshness Ben Laurie
- Re: [Trans] Proving certificate freshness David Leon Gil
- Re: [Trans] Proving certificate freshness Ben Laurie