IETF Logo Mail Archive

Re: [Trans] [trans] #73 (rfc6962-bis): Section 3 textrelogcertvalidationis ambiguous

Rob Stradling <rob.stradling@comodo.com> Tue, 14 July 2015 21:05 UTC

Return-Path: <rob.stradling@comodo.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC8611B2D45 for <trans@ietfa.amsl.com>; Tue, 14 Jul 2015 14:05:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o8YboD6NU7gy for <trans@ietfa.amsl.com>; Tue, 14 Jul 2015 14:05:25 -0700 (PDT)
Received: from mmextmx2.mcr.colo.comodoca.net (mmextmx2.mcr.colo.comodoca.net [IPv6:2a02:1788:402:c00::c0a8:9cd6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62B691B2D41 for <trans@ietf.org>; Tue, 14 Jul 2015 14:05:25 -0700 (PDT)
Received: (qmail 15377 invoked by uid 1004); 14 Jul 2015 21:05:22 -0000
Received: from ian.brad.office.comodo.net (HELO ian.brad.office.comodo.net) (192.168.0.202) by mmextmx2.mcr.colo.comodoca.net (qpsmtpd/0.84) with ESMTP; Tue, 14 Jul 2015 22:05:22 +0100
Received: (qmail 15406 invoked by uid 1000); 14 Jul 2015 21:05:22 -0000
Received: from and0004.comodo.net (HELO [192.168.0.58]) (192.168.0.58) (smtp-auth username rob, mechanism plain) by ian.brad.office.comodo.net (qpsmtpd/0.40) with (AES128-SHA encrypted) ESMTPSA; Tue, 14 Jul 2015 22:05:22 +0100
Message-ID: <55A57991.4040405@comodo.com>
Date: Tue, 14 Jul 2015 22:05:21 +0100
From: Rob Stradling <rob.stradling@comodo.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Stephen Kent <kent@bbn.com>, trans@ietf.org
References: <052.b3ecc6ca8b28cc47e13443079611ce86@tools.ietf.org><067.7becba46c4f8b854834f9bb0c27374ce@tools.ietf.org><559A9977.1040808@bbn.com><559A9B83.6040000@comodo.com><559AA60A.1060501@bbn.com><559AD74A.5030806@comodo.com><559ADBF5.7000807@bbn.com><559ADF2B.3050507@comodo.com><559C2734.9090306@bbn.com> <559FA609.3050203@comodo.com> <55A51EC9.3050208@bbn.com>
In-Reply-To: <55A51EC9.3050208@bbn.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/trans/v81tS46eVNnKujRN7XzuQOnJAxo>
Subject: Re: [Trans] [trans] #73 (rfc6962-bis): Section 3 textrelogcertvalidationis ambiguous
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jul 2015 21:05:33 -0000

On 14/07/15 15:38, Stephen Kent wrote:
<snip>
>> The "profile" for Google's logs would be something like this:
>>
>> "We accept whatever OpenSSL accepts.  Good luck!"
>
> and is Google's log acceptance criteria the only one that counts?

No.

<snip>
>> For example, when a TLS server sends its cert chain to a TLS client,
>> can the TLS server know, deterministically, that the TLS client will
>> either accept or reject the cert chain?
>
> in principle, only the lack of an agreed upon trust anchor should cause
> a compliant client to reject a cert from a server (ignoring local policy
> controls).

Ditto for CT.  i.e. in principle, only the lack of an agreed upon trust 
anchor should cause a compliant log to reject a cert from a submitter.

> Servers rely on the ubiquity of trust anchor stores to reduce the
> likelihood that validation will fail on that basis.  So, for all
> practical purposes, a server can have high confidence that its cert will
> be accepted by browsers, if the cert is issued by a CA that is
> widely represented in the (almost uniform) trust store.

I disagree.  Only if the CA issues 5280-compliant certs can they have 
that high confidence.

For example, recently one CA was found to be incorrectly encoding 
basicConstraints.CA=FALSE by explicitly including the FALSE value even 
though FALSE is the DEFAULT (and DEFAULT values must not be explicitly 
included).  This was discovered when a popular browser maker tightened 
up their DER decoding code and the certs stopped being accepted.

>> Clearly the answer is no.  So why should CT be expected to achieve a
>> higher standard of determinism than TLS?
>
> two observations:
>      first, I disagree that the TLS example above is a probative as you
> suggest.

TLS clients and CT logs both need to verify certificate chains that they 
receive, and it's very likely that they'll use existing certificate 
chain processing libraries rather than roll their own code.

So there will be OpenSSL-based TLS clients that encounter 
5280-non-compliant cert chains, and there will be OpenSSL-based CT logs 
that encounter 5280-non-compliant cert chains.  In both cases, OpenSSL 
does the certificate chain verification.

>      second, we have years of experience with what's wrong with TLS in
> terms of cert processing, and hopefully we can do better with this
> effort, when we create new ways to introduce non-determinism.

I agree that it would be nice to do better, but I just don't see how 
anyone could ever complete the task of enumerating all of the ways in 
which 5280 can be violated (including all of the ways that haven't even 
been thought of yet) such that there can be a list of profiles detailing 
which sets of violations are tolerated and which aren't.  It would be a 
constantly moving target, entirely unsuited to being an IANA registry.

I can recall a couple of bugs in Comodo's ASN.1 code over the years that 
have led to some certs being issued with "minor" ASN.1 encoding errors. 
  In both cases, the affected certs seemed to "work" fine everywhere 
until a new version of OpenSSL was released that no longer tolerated 
those particular encoding errors.  So what did I do?  Did I blame 
OpenSSL for breaking my certs?  No.  Did I blame IETF for not 
enumerating all possible encoding errors?  No, that didn't even occur to 
me!  I blamed myself ('cos I wrote the code that had the bugs), and I 
fixed the bugs.

If, in the future, any CT logs start to reject Comodo certs and this 
leads to the discovery of another bug in my ASN.1 code, I will blame 
myself and fix the bug.  I don't want CT to be vastly overcomplicated 
just so that CA bug authors such as myself aren't required to put in 
some effort (reading 5280, reviewing the OpenSSL source code, asking 
questions on mailing lists, etc, etc) to diagnose and fix our mistakes.

Assuming I've still not convinced you, then let's agree to disagree. 
You think achieving determinism is practical, and I really don't.

>>> Your argument seems to be that by introducing ambiguity and uncertainty
>>> into the log validation process we will encourage CAs to adhere to 5280.
>>> That strikes me as a questionable design strategy.
>>
>> Actually, I don't expect the level of CA adherence to 5280 to increase
>> or decrease due to this strategy.
>
> I don't either, yet that seems to be a part of the argument you made.

It really isn't.

> Steve

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

v2.23.0 | Report a Bug | By Email