Re: [Trans] Review of draft-ietf-trans-threat-analysis-15
Stephen Kent <stephentkent@gmail.com> Mon, 24 September 2018 17:33 UTC
Return-Path: <stephentkent@gmail.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 498CA130E5B for <trans@ietfa.amsl.com>; Mon, 24 Sep 2018 10:33:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KbGh-8A6jEhM for <trans@ietfa.amsl.com>; Mon, 24 Sep 2018 10:33:26 -0700 (PDT)
Received: from mail-qk1-x72b.google.com (mail-qk1-x72b.google.com [IPv6:2607:f8b0:4864:20::72b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7269A130E3F for <trans@ietf.org>; Mon, 24 Sep 2018 10:33:26 -0700 (PDT)
Received: by mail-qk1-x72b.google.com with SMTP id q12-v6so3519183qkl.13 for <trans@ietf.org>; Mon, 24 Sep 2018 10:33:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:subject:to:references:message-id:date:user-agent:mime-version :in-reply-to:content-language; bh=L35I/YchSHn9Wc5Fgbm5Cs7DemJFf8ppoIolETrbLwc=; b=nq3WeeDB2cK9eFKRpvDL+GaPZqWqaHAN2zgIj+2mspwTM0ObwZUFQwvynoB03DS5A6 Yu+ljCpqS4y9NYwSEXTrEcWBzJ8/IeCnvwwSY7fJBgD2hiOYSNBCGobWiF/7E4pv3C1L HIgXcMH3ISmKGfa7FWQW3IoJw7yv4rX2cQ2lW2n72fP3ewAQq8oYBz/3ycyyPKUZ6zqy e2UCMzkZa6UWmOwtUQ11pyo343VX31lT/wbFyqc/rUGo8es9NUlEsy8DdZLOoyj9CzOx 7PODgncdtvuACn1NIb01zLPxA4SqKqatVAzjy/PTUGFJGojXaDpx5Ai9p8OfwTC+Mv+W rxYA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:subject:to:references:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=L35I/YchSHn9Wc5Fgbm5Cs7DemJFf8ppoIolETrbLwc=; b=hTAVpQkotGznH2xMODgSYoKpW3SXnyG9JC1/mHQ5SKOv3Wo8IFZ+MQiFQMKoDR9ZWp NDiXbYiqFyZHaZ2u3EHFLz2Yko96JcSEbiJexvqDdUtzjGiROY0LuLb6dv+e/5HSWGXu fCE7TgPJNETSS6liGjC8EyUVtbVXNArYTovqKzy6vkomoBklVyCHdpdIr4i3YXOs+U0/ DXRLpipzmodyRPa5al8DjU4hjosBJ7Zq+QPtgAUiorCdy0Chw0qb0Utly+cUllCCC68/ cwKLq/uiGmRNnS6c45mlmLBJ+KXQj5LTqq4Q4vBZJ8/H0AieY0Jl50KPZDnSIahlxqSD P04w==
X-Gm-Message-State: ABuFfoiU4uPnRrSdIquF7yWFaLi8z42JkhAhCRAp46Orn0/UsrbF2G17 3gEOSYn0zm4mW/qaPhLR3cwWzQmC
X-Google-Smtp-Source: ACcGV60Jl8rmeTMbRSrNwMlLSPowQXzXNTtWNUi96z0EQjGFb4Jq1RfXIHLQLE/lpZ/dR19VsksgWA==
X-Received: by 2002:a37:cc1b:: with SMTP id r27-v6mr5634862qki.272.1537810404790; Mon, 24 Sep 2018 10:33:24 -0700 (PDT)
Received: from iMac-Study.fios-router.home (pool-72-74-32-219.bstnma.fios.verizon.net. [72.74.32.219]) by smtp.gmail.com with ESMTPSA id z34-v6sm23997179qtj.19.2018.09.24.10.33.23 for <trans@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 24 Sep 2018 10:33:23 -0700 (PDT)
From: Stephen Kent <stephentkent@gmail.com>
To: trans@ietf.org
References: <CAErg=HFGQYaSbm=bQ+_cX4_PtksGGvqQRUGhnyNH2qDSn7haBQ@mail.gmail.com>
Message-ID: <2b3f206f-523c-f3db-bce2-895a90dee630@gmail.com>
Date: Mon, 24 Sep 2018 13:33:22 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <CAErg=HFGQYaSbm=bQ+_cX4_PtksGGvqQRUGhnyNH2qDSn7haBQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------E809DA6DD6BB5A1BBBE039B7"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/iMAb-5mMobODKtGnG-Jf9H9n1t8>
Subject: Re: [Trans] Review of draft-ietf-trans-threat-analysis-15
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Sep 2018 17:33:30 -0000
Ryan, > With the publication of -15, and with the Chairs suggesting [1] again > [2] that it's appropriate to take a thorough review, I've tried to > review this doc in full again. Pre-emptive apologies if the format has > messed up, and my kingdom for a decent review tool to leave these more > mangably inline. Apologies for the delays, as I work to translate my > notes in the margin into concrete and actionable feedback, > suggestions, and hopefully productive explanations of the concerns and > considerations. In the same spirit of your thanks to me for the work involved in creating this threat analysis doc, let me thank you for taking the time to provide many detailed comments on that doc. > > At a high level, I think it’s worth echoing the concerns Andrew Ayer > raised on 2018-05-07 at [3]. Specifically, Andrew highlighted that the > document’s structure, and attempted hierarchy, leads to some > duplication of information and potential understating > culpability/threats. I think this remains accurate, and the suggestion > to focus on describing the attacks still seems a worthwhile > consideration. I believe that such an attempt would likely be able to > resolve a number of comments below, which appear to be the result of > trying to coerce the threats into the hierarchy. As I noted in my reply to Andrew, the structure of the document has been fairly constant for over 2 years. It's unreasonably late in this process to suggest restructuring. I believe Eric Rescorla (the cognizant Security AD) indicated that, at this stage, changes to the document should be limited to addressing errors, not editorial issues, including the overall structure. I'll respond to your detailed comments, in my next message, but I do not intend to make changes to the document structure, unless EKR revises his earlier guidance. > With such a restructure, I think it’d be useful to avoid > discriminating based on syntactic and semantic mis-issuance - which is > the foundation for this documents hierarchy. The document establishes > the semantic mis-issuance is a misleading Subject or Subject > Alternative Name, while everything else is syntactical. However, this > understanding of syntactical misissuance muddies the waters between > what historically has been syntactical issues - e.g. BER encoding > instead of DER - and what’s been seen as a semantics issue, such as > granting a capability or extended key usage without the appropriate > procedural controls or validation. In the context addresses in 6962-bis, the fundamental semantic issue for a cert is ensuring that the Subject identifier accurately represents the holder of the private key. In some other contexts a cert may represent a capability (in the traditional, computer security sense), but that's not the primary focus here. > The early emphasis on syntax and semantics causes a whole class of > adversarial models to be missed, ones which have been the forefront of > concerns from existing Log operators and CT consumers. Such attacks > include the ‘malicious’ logging of certificates - that is, syntax and > semantics that are fully conforment with the relevant profiles, but > which a Log may find undesirable to provide in an append-only record. > For example, certificate extensions with ‘objectionable’ content > provide such a model. I was wondering what is "objectionable content" is in this context, but upon reading your detailed comments the example you provide seems to be inclusion of libelous text as a cert extension. No, the document does not address that sort of attack. > Another attack that is omitted includes that of denial of service > through ‘flooding’ - an issue that has seen more than one Log struggle > to keep up - in which the existing corpus of certificates not present > within a given Log are suddenly presented to that Log. This same > adversarial model applies to revoked certificates, particularly > revoked CA certificates, in that they allow for large corpora of > certificates to be created, potentially with problematic content, and > be submitted to Logs. I found only one comment in 6962-bis about DoS via flooding wrt submissions, in 4.2. It appears that a log could reject/delay a submission if it is busy, without violating 6962-bis, but I agree that the spec is not very clear on that topic. 4.2 specifically notes that a log could reject submissions to counter flooding attacks. Ultimately, if a log operator cannot offer a robust processing and communication capability, it probably it ill-suited to act in that capacity. This might be a good example of where 6962-bis could have provided useful guidance, but ... Nonetheless, I have revised the abstract to note that DoS attacks are not considered to to emphasize that 6962-bis is the primary reference: "This document defines an attack model and discusses threats based on the system design presented in [I-D.ietf-trans-rfc6962-bis]. It analyzes potential vulnerabilities associated with that design, and considers compromises of system elements and malicious behavior by such elements. It does not consider implementation vulnerabilities, including ones that might enable denial of service attacks against these elements." > Similarly, this treatment of syntax and semantics leads to suggestions > that would actively undermine some of the goals of Certificate > Transparency. In particular, the suggestion of CT logs performing > syntax validation has, in the discussions previously, been pointed out > that it hinders, rather than helps, transparency, in that it allows > for an entire class of syntax violations to be swept under the rug by > colluding Logs, preventing transparency around the CA’s operations. > This fundamentally redefines the goals of Certificate Transparency, in > a way that is inconsistent with its widely-deployed usage among root > programs to supervise participants and review CA operations, and it > would be a mistake not to mention this. As noted above, the threat analysis is based primary on what 6962-bis mandates as requirements, and what it fails to mandate. That approach to a threat/attack analysis is typical for an RFC. As I noted previously, IF 6962-bis stated that logs are precluded from checking syntax, then there would be no discussion of the implications of such checks in my document. But, that's not the case. What may be common practice in the current deployment environment is not relevant to an analysis based on what the defining CT document says (and fails to say), in the same sense that flaws in current implementations are not part of such an analysis. > Another high-level point is that the document makes heavy use of > parentheticals. While clearly my own writing is just as guilty of > this, although perhaps through abuse of hyphens and commas, I think > many of the parenthetical remarks fall into categories that either > derail the discussion at hand with asides and speculation, or which > should otherwise be appropriately integrated into the text and the > document structure itself. At times, there are even nested or unclosed > parentheticals, which stick out rather substantially. The RFC Editor will ensure that unbalanced parentheses will be fixed. However, the choice of parenthetical comments vs. using a hyphen is an example of a style issue that is no longer appropriate for discussion. > > One last high-level point, before the more detailed line-item > feedback, which is that this document broadly speaks to the notion of > “trusting” Logs, as if that is something that either Monitors or RPs > do. In particular, in the discussions about misbehaving Logs, it’s > frequently suggested that Monitors should not “trust” the Log, or > presents Log misbehavior as an ‘attack’ against Monitors. While it’s > certainly true that Monitors need to be careful in regarding what a > Log omits, there’s no risk or harm in examining what a Log includes - > indeed, it’s particularly beneficial to clients to widely consume data > from Logs, even those no longer recognized by CT clients for purposes > of SCT enforcement. Andrew touched on this in his previous reply, and > I don’t think draft-15 really meaningfully addresses that concern. When a Monitor relies on a log to detect certs of interest, it is trusting that log. But I agree that a phrase like "relies upon" is preferable, and I will change the text accordingly. When an RP relies on an SCT in deciding whether to accept a cert, it too is trusting the log, but, as above I will review the text to see where this term should be changed. Steve
- [Trans] Review of draft-ietf-trans-threat-analysi… Ryan Sleevi
- Re: [Trans] Review of draft-ietf-trans-threat-ana… Melinda Shore
- Re: [Trans] Review of draft-ietf-trans-threat-ana… Salz, Rich
- Re: [Trans] Review of draft-ietf-trans-threat-ana… Ryan Sleevi
- Re: [Trans] Review of draft-ietf-trans-threat-ana… Stephen Kent