IETF Logo Mail Archive

Re: [Trans] Mutability of Certificate Signatures

Andrew Ayer <agwa@andrewayer.name> Tue, 06 June 2017 17:39 UTC

Return-Path: <agwa@andrewayer.name>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B86C129B16 for <trans@ietfa.amsl.com>; Tue, 6 Jun 2017 10:39:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andrewayer.name
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y2OsYiYxapY6 for <trans@ietfa.amsl.com>; Tue, 6 Jun 2017 10:39:11 -0700 (PDT)
Received: from alcazar.beanwood.com (alcazar.beanwood.com [IPv6:2600:3c00:e000:6c::1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C65AF129B0E for <trans@ietf.org>; Tue, 6 Jun 2017 10:39:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=andrewayer.name; s=beanwood20160511; t=1496770751; bh=IOnigPbcz5KxJI4Dt98MRS5bv9qlhqreHmJO1gXmGOc=; h=Date:From:To:Cc:Subject:In-Reply-To:References; b=GJ61b63cg3F7sm8uaIOuy7qLmS5sC9t8V8nWo/RQGXFkwNIO51AtWZRbvuDoRqwye 0smItVPK/nNxBBBOJ6zsz3daup6f/FAsXuQAG/1paepmgm47FI+BV6YweWCXwcPDD6 SeR2+fDCbr3mwp6B0T6WiM9ODd0bb+xNIdYwOtIQP0Sui93Rzms1n/RFrXOed/C4SV /xm4HxbEPBOF40JgnAXhdv7ywwvpka2iFUOt2X4Du44+750hYvBcTUPI0gsjVZC8mj pt1anGyDX4W3mHZeMNsgTTzlU4G049/7FYBE75kGhpiz6jcf4IUgFXVuHlp+YDAW7x tUcYrTmBJ2OuQ==
Date: Tue, 06 Jun 2017 10:39:10 -0700
From: Andrew Ayer <agwa@andrewayer.name>
To: Eran Messeri <eranm@google.com>
Cc: "trans@ietf.org" <trans@ietf.org>
Message-Id: <20170606103910.fd3034e146a98322c1227a14@andrewayer.name>
In-Reply-To: <CALzYgEdCyaGWcprvPjdfj1Z2c5bVnHQ13PZ6aEU3PSMBjfUYBg@mail.gmail.com>
References: <20170528191028.20f285073eea33a3f23b6b5a@andrewayer.name> <CALzYgEc6fV7n3mDFfDP9gktA7igghVA7duRWYMytzKAZ51O3sQ@mail.gmail.com> <20170606100022.581f35cc2775fcc3abdfcfa2@andrewayer.name> <CALzYgEdCyaGWcprvPjdfj1Z2c5bVnHQ13PZ6aEU3PSMBjfUYBg@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/od9bBoKdSOAN6eckI4rtGW03SWo>
Subject: Re: [Trans] Mutability of Certificate Signatures
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Jun 2017 17:39:13 -0000

On Tue, 6 Jun 2017 18:27:51 +0100
Eran Messeri <eranm@google.com> wrote:

> [...]
>
> >
> > Unfortunately, if the logged certificate is a non-self-signed trust
> > anchor accepted by the log, then certificate_chain is empty and
> > there is no way to get the issuer public key.  So a log could evade
> > responsibility by making the certificate with a mutated signature a
> > trust anchor.
> >
> Correct - but then the monitor should be able to verify it was a trust
> anchor at the point it was logged (maybe the output of
> get-trust-anchors should  be signed?).

Could you elaborate?  How does the monitor being able to verify it was
a trust anchor at time of logging help?  Regardless, the monitor is
unable to perform checks 2 and 3 if it can't get the issuer public key,
and so the attack which started this email thread can still be performed.

> >
> > The inability to always get the issuer public key has been an
> > inconvenience for me when monitoring RFC6962 logs. Sometimes I end
> > up with a certificate and all I know about its issuer is its
> > subject, when ideally I would like to know its public key as well
> > (since a CA is uniquely identified by its subject and public key).
> > (I suspect crt.sh has the same problem, based on some weird things
> > I've observed there.) I previously considered this a mere
> > inconvenience, but now I see it as a security problem.
> >
> Could you elaborate? Is that a security problem from a CT perspective
> - as in, could enable a log to avoid responsibility for something it
> logged, or from a WebPKI perspective, where some certificates can be
> in circulation but their issuer unknown?

I mean from the CT perspective: that is, the log can still perform
the attack we're trying to prevent.

> I'm trying to better understand under which circumstances such
> certificates would end up in the log - when would a log add a
> non-self-signed certificate as a trust anchor?

I don't know, but I have seen such certificates added as "roots" in
existing RFC6962 logs.  It's also interesting that RFC6962-bis changed
the language from "root" to "trust anchor" which suggests this
practice was intended to be explicitly supported.  What was the motivation
behind this language change?  It would certainly fix the problem if
trust anchors were required to be roots - that is, self-signed.

Regards,
Andrew

v2.23.0 | Report a Bug | By Email