[Trans] Using a Precertificate Signing Certificate to sign TBScertificates for CT
"Doug Beattie" <doug.beattie@globalsign.com> Wed, 04 June 2014 19:52 UTC
Return-Path: <doug.beattie@globalsign.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 988211A0273 for <trans@ietfa.amsl.com>; Wed, 4 Jun 2014 12:52:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_24=0.6] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RhJW9BKRt16q for <trans@ietfa.amsl.com>; Wed, 4 Jun 2014 12:52:32 -0700 (PDT)
Received: from mail-qa0-x231.google.com (mail-qa0-x231.google.com [IPv6:2607:f8b0:400d:c00::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 457931A026B for <trans@ietf.org>; Wed, 4 Jun 2014 12:52:32 -0700 (PDT)
Received: by mail-qa0-f49.google.com with SMTP id cm18so7605077qab.36 for <trans@ietf.org>; Wed, 04 Jun 2014 12:52:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=globalsign.com; s=google; h=from:to:subject:date:message-id:mime-version:thread-index :content-language:content-type; bh=lUo+lSJ4ZhaxCesO7p8huvMZ5P14BPv6gWrqshPEj6I=; b=reEyWs4LdBokDQPULdMx8Utws8QeIkQUN20fogtQLyn2c5tqLv+Qbe8itLTT0ycF/j YkEfheFLDbm6Df9mP1d8V48jnrOmoEXTRFuy4sQa0ESQGJb4J7xtuQzD96l/krfvHvfH 5QwOs5/hvKiwcEkSQe8gvfQ9aJ9cOe63D+oVQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:subject:date:message-id:mime-version :thread-index:content-language:content-type; bh=lUo+lSJ4ZhaxCesO7p8huvMZ5P14BPv6gWrqshPEj6I=; b=HjS18D5hVpvXCev2N1Hx+bXTY+aaSUAauKlzluBifZ/n3hHVnKCO5wnxUiaBs9OLXi bVM2/3y6IOJIwOLyj+55Iwepf0CPQtYBOb3aO3zWpjyq/2pKB2KJoUoPXPCRxAntHVZn o4pYtK6D/w+Hw47QIV7XV0ZvE0Y0rw1STdnPbpnJTGl8OfNj8kAtNSo5OmUxVhDqeo6x hyXUkTf4kZ6xyvUiMo6OZIvuu6JI3Zk+t2ISkFqoEebj3Pb6LdO7H+uSHhyqQVFQJgt6 alqOHacCK5Jek4RNo0kBz51KTbcVvdI4zWheRZGPheo0SM0jZ+QFA+ID2JWlcft95BGS XP0A==
X-Gm-Message-State: ALoCoQnK6ykRGrkvjfwDBTGfKosAxdOiRZYmH80iJLLOp4h8PtBnyINIhDeOsafSRKuAHOQeSqlj
X-Received: by 10.229.2.200 with SMTP id 8mr50118791qck.10.1401911545674; Wed, 04 Jun 2014 12:52:25 -0700 (PDT)
Received: from psmlt013 (pool-108-49-225-12.bstnma.fios.verizon.net. [108.49.225.12]) by mx.google.com with ESMTPSA id f106sm2238901qge.8.2014.06.04.12.52.24 for <trans@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 04 Jun 2014 12:52:24 -0700 (PDT)
From: Doug Beattie <doug.beattie@globalsign.com>
To: trans@ietf.org
Date: Wed, 04 Jun 2014 15:52:24 -0400
Message-ID: <00b701cf802e$81893ea0$849bbbe0$@globalsign.com>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 15.0
Thread-Index: Ac+ALQQtMitYwrQqR0u9E0AtBE3d5w==
Content-Language: en-us
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_00B2_01CF800C.F9CB3200"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/wb5jpNKD1OMoFBJ5ux-7LyuxbqQ
Subject: [Trans] Using a Precertificate Signing Certificate to sign TBScertificates for CT
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jun 2014 19:52:33 -0000
Those CAs that want to use a Precertificate Signing Certificate need to follow a more complicated process for signing and I don't think it's well documented or thought out. 1) What chain does the Precertificate Signing Certificate need to be issued under? RFC 6962 states: "The Precertificate Signing Certificate MUST be *directly certified* by the (root or intermediate) *CA certificate that will ultimately sign the end-entity TBScertificate* yielding the end-entity certificate (note that the log *may* relax standard validation rules to allow this, so long as the issued certificate will be valid)" Point 1.1: Normally CAs have path length set to 0, so CAs are not able to issue CA certificates under them, and this looks like a CA certificate because CA:TRUE. Point 1.2: The also RFC States: "If the Precertificate is not signed with the CA certificate that will issue the final certificate, then the TBScertificate also has its issuer changed to that of the CA that will issue the final certificate. " This makes the Precertificate Signing Certificate look even less like a CA certificate. How do we convince a compliant/certified CA application to use an Issuer DN other than the one that was used to sign the certificate? Compliant CAs won't. Point 1.3: The "may" above needs to be MUST, or validation will fail due to the Issuer DN not matching what was posted. Recommendation 1: At a minimum, remove CA:true from the Certificate Signing Certificate profile. Ideally the profile should be updated to be more like a Document/Code signing certificate than a CA certificate. The signed TBScertificates posted to the log specifies the final certificate's issuer DN, but the cert chain for the Precertificate Signing Certificate is supplied so the CT log can validate that chain using relaxed validation rules. What's the relationship between the hierarchy of the Precertificate Signing Certificate and the final certificate? I struggle to find any relationship except they both chain to publicly trusted roots. Is that the intent of the RFC? Recommendation 2: The Precertificate Signing Certificate used by a CA may be issued under any one of its roots and be used to sign all entries to be posted to the log. Unless there is a requirement to validate that the chains use the same root/hierarchy, there is no reason to require that. 2) Does the certificate serial number need to be the same in the TBScertificate and the final certificate? CAs that randomly generate serial numbers during issuance can't pre-generate serial numbers to be used in the TBScertificate, then subsequently in the final certificate. Is the serial number *that* important that it MUST be included in the SCT? The issuer for the TBScertificate does not match the value of the certificate that signed it, so what's the point of the serial number? The CN, SAN, signing algorithms and keys are the most critical components. Can we limit the SCT to these values? Recommendation 3: Don't require that the TBScertificate and the final certificate contain the same serial number. Summary: The CT Log validation rules need to be clearly defined so that the CAs can post valid entries to the CT logs. * Currently I don't believe that the RFC is implementable by compliant CAs that want to use Precertificate Signing Certificate. * Compliant CAs won't issue certificates with duplicate issuer DNs and serial numbers, so that model is also broken - the Precertificate Signing Certificate needs to be a non-CA certificate. * CAs that randomly generate serial numbers during issuance can't pre-generate serial numbers to be used in the TBScertificate, then subsequently in the final certificate, so serial numbers need to be removed from the content hashed by the SCT. Doug
- [Trans] Using a Precertificate Signing Certificat… Doug Beattie
- Re: [Trans] Using a Precertificate Signing Certif… Ben Laurie
- Re: [Trans] Using a Precertificate Signing Certif… Stephen Kent
- Re: [Trans] Using a Precertificate Signing Certif… Stephen Kent
- Re: [Trans] Using a Precertificate Signing Certif… Hill, Brad
- Re: [Trans] Using a Precertificate Signing Certif… Ben Laurie
- Re: [Trans] Using a Precertificate Signing Certif… Stephen Kent
- Re: [Trans] Using a Precertificate Signing Certif… Carl Wallace
- Re: [Trans] Using a Precertificate Signing Certif… Ben Laurie
- Re: [Trans] Using a Precertificate Signing Certif… Ben Laurie
- Re: [Trans] Using a Precertificate Signing Certif… Doug Beattie
- Re: [Trans] Using a Precertificate Signing Certif… Ben Laurie
- Re: [Trans] Using a Precertificate Signing Certif… Carl Wallace
- Re: [Trans] Using a Precertificate Signing Certif… Stephen Kent
- Re: [Trans] Using a Precertificate Signing Certif… Rob Stradling