Re: [Trans] [trans] #73 (rfc6962-bis): Section 3 textrelogcertvalidationis ambiguous
Rob Stradling <rob.stradling@comodo.com> Tue, 14 July 2015 21:05 UTC
Return-Path: <rob.stradling@comodo.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC8611B2D45 for <trans@ietfa.amsl.com>; Tue, 14 Jul 2015 14:05:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o8YboD6NU7gy for <trans@ietfa.amsl.com>; Tue, 14 Jul 2015 14:05:25 -0700 (PDT)
Received: from mmextmx2.mcr.colo.comodoca.net (mmextmx2.mcr.colo.comodoca.net [IPv6:2a02:1788:402:c00::c0a8:9cd6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62B691B2D41 for <trans@ietf.org>; Tue, 14 Jul 2015 14:05:25 -0700 (PDT)
Received: (qmail 15377 invoked by uid 1004); 14 Jul 2015 21:05:22 -0000
Received: from ian.brad.office.comodo.net (HELO ian.brad.office.comodo.net) (192.168.0.202) by mmextmx2.mcr.colo.comodoca.net (qpsmtpd/0.84) with ESMTP; Tue, 14 Jul 2015 22:05:22 +0100
Received: (qmail 15406 invoked by uid 1000); 14 Jul 2015 21:05:22 -0000
Received: from and0004.comodo.net (HELO [192.168.0.58]) (192.168.0.58) (smtp-auth username rob, mechanism plain) by ian.brad.office.comodo.net (qpsmtpd/0.40) with (AES128-SHA encrypted) ESMTPSA; Tue, 14 Jul 2015 22:05:22 +0100
Message-ID: <55A57991.4040405@comodo.com>
Date: Tue, 14 Jul 2015 22:05:21 +0100
From: Rob Stradling <rob.stradling@comodo.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Stephen Kent <kent@bbn.com>, trans@ietf.org
References: <052.b3ecc6ca8b28cc47e13443079611ce86@tools.ietf.org><067.7becba46c4f8b854834f9bb0c27374ce@tools.ietf.org><559A9977.1040808@bbn.com><559A9B83.6040000@comodo.com><559AA60A.1060501@bbn.com><559AD74A.5030806@comodo.com><559ADBF5.7000807@bbn.com><559ADF2B.3050507@comodo.com><559C2734.9090306@bbn.com> <559FA609.3050203@comodo.com> <55A51EC9.3050208@bbn.com>
In-Reply-To: <55A51EC9.3050208@bbn.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/trans/v81tS46eVNnKujRN7XzuQOnJAxo>
Subject: Re: [Trans] [trans] #73 (rfc6962-bis): Section 3 textrelogcertvalidationis ambiguous
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jul 2015 21:05:33 -0000
On 14/07/15 15:38, Stephen Kent wrote: <snip> >> The "profile" for Google's logs would be something like this: >> >> "We accept whatever OpenSSL accepts. Good luck!" > > and is Google's log acceptance criteria the only one that counts? No. <snip> >> For example, when a TLS server sends its cert chain to a TLS client, >> can the TLS server know, deterministically, that the TLS client will >> either accept or reject the cert chain? > > in principle, only the lack of an agreed upon trust anchor should cause > a compliant client to reject a cert from a server (ignoring local policy > controls). Ditto for CT. i.e. in principle, only the lack of an agreed upon trust anchor should cause a compliant log to reject a cert from a submitter. > Servers rely on the ubiquity of trust anchor stores to reduce the > likelihood that validation will fail on that basis. So, for all > practical purposes, a server can have high confidence that its cert will > be accepted by browsers, if the cert is issued by a CA that is > widely represented in the (almost uniform) trust store. I disagree. Only if the CA issues 5280-compliant certs can they have that high confidence. For example, recently one CA was found to be incorrectly encoding basicConstraints.CA=FALSE by explicitly including the FALSE value even though FALSE is the DEFAULT (and DEFAULT values must not be explicitly included). This was discovered when a popular browser maker tightened up their DER decoding code and the certs stopped being accepted. >> Clearly the answer is no. So why should CT be expected to achieve a >> higher standard of determinism than TLS? > > two observations: > first, I disagree that the TLS example above is a probative as you > suggest. TLS clients and CT logs both need to verify certificate chains that they receive, and it's very likely that they'll use existing certificate chain processing libraries rather than roll their own code. So there will be OpenSSL-based TLS clients that encounter 5280-non-compliant cert chains, and there will be OpenSSL-based CT logs that encounter 5280-non-compliant cert chains. In both cases, OpenSSL does the certificate chain verification. > second, we have years of experience with what's wrong with TLS in > terms of cert processing, and hopefully we can do better with this > effort, when we create new ways to introduce non-determinism. I agree that it would be nice to do better, but I just don't see how anyone could ever complete the task of enumerating all of the ways in which 5280 can be violated (including all of the ways that haven't even been thought of yet) such that there can be a list of profiles detailing which sets of violations are tolerated and which aren't. It would be a constantly moving target, entirely unsuited to being an IANA registry. I can recall a couple of bugs in Comodo's ASN.1 code over the years that have led to some certs being issued with "minor" ASN.1 encoding errors. In both cases, the affected certs seemed to "work" fine everywhere until a new version of OpenSSL was released that no longer tolerated those particular encoding errors. So what did I do? Did I blame OpenSSL for breaking my certs? No. Did I blame IETF for not enumerating all possible encoding errors? No, that didn't even occur to me! I blamed myself ('cos I wrote the code that had the bugs), and I fixed the bugs. If, in the future, any CT logs start to reject Comodo certs and this leads to the discovery of another bug in my ASN.1 code, I will blame myself and fix the bug. I don't want CT to be vastly overcomplicated just so that CA bug authors such as myself aren't required to put in some effort (reading 5280, reviewing the OpenSSL source code, asking questions on mailing lists, etc, etc) to diagnose and fix our mistakes. Assuming I've still not convinced you, then let's agree to disagree. You think achieving determinism is practical, and I really don't. >>> Your argument seems to be that by introducing ambiguity and uncertainty >>> into the log validation process we will encourage CAs to adhere to 5280. >>> That strikes me as a questionable design strategy. >> >> Actually, I don't expect the level of CA adherence to 5280 to increase >> or decrease due to this strategy. > > I don't either, yet that seems to be a part of the argument you made. It really isn't. > Steve -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online
- [Trans] [trans] #73 (client-behavior): Section 3 … trans issue tracker
- Re: [Trans] [trans] #73 (rfc6962-bis): Section 3 … trans issue tracker
- Re: [Trans] [trans] #73 (rfc6962-bis): Section 3 … trans issue tracker
- Re: [Trans] [trans] #73 (rfc6962-bis): Section 3 … trans issue tracker
- Re: [Trans] [trans] #73 (rfc6962-bis): Section 3 … Karen Seo
- Re: [Trans] [trans] #73 (rfc6962-bis): Section 3 … Rob Stradling
- Re: [Trans] [trans] #73 (rfc6962-bis): Section 3 … Stephen Kent
- Re: [Trans] [trans] #73 (rfc6962-bis): Section 3 … Rob Stradling
- Re: [Trans] [trans] #73 (rfc6962-bis): Section 3 … Ben Laurie
- Re: [Trans] [trans] #73 (rfc6962-bis): Section 3 … Stephen Kent
- Re: [Trans] [trans] #73 (rfc6962-bis): Section 3 … Stephen Kent
- Re: [Trans] [trans] #73 (rfc6962-bis): Section 3 … trans issue tracker
- Re: [Trans] [trans] #73 (rfc6962-bis): Section 3 … Rob Stradling
- Re: [Trans] [trans] #73 (rfc6962-bis): Section 3 … Stephen Kent
- Re: [Trans] [trans] #73 (rfc6962-bis): Section 3 … Rob Stradling
- Re: [Trans] [trans] #73 (rfc6962-bis): Section 3 … Stephen Kent
- Re: [Trans] [trans] #73 (rfc6962-bis): Section 3 … Rob Stradling
- Re: [Trans] [trans] #73 (rfc6962-bis): Section 3 … Stephen Kent
- Re: [Trans] [trans] #73 (rfc6962-bis): Section 3 … Rob Stradling