IETF Logo Mail Archive

[Trans] Using a Precertificate Signing Certificate to sign TBScertificates for CT

"Doug Beattie" <doug.beattie@globalsign.com> Wed, 04 June 2014 19:52 UTC

Return-Path: <doug.beattie@globalsign.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 988211A0273 for <trans@ietfa.amsl.com>; Wed, 4 Jun 2014 12:52:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_24=0.6] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RhJW9BKRt16q for <trans@ietfa.amsl.com>; Wed, 4 Jun 2014 12:52:32 -0700 (PDT)
Received: from mail-qa0-x231.google.com (mail-qa0-x231.google.com [IPv6:2607:f8b0:400d:c00::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 457931A026B for <trans@ietf.org>; Wed, 4 Jun 2014 12:52:32 -0700 (PDT)
Received: by mail-qa0-f49.google.com with SMTP id cm18so7605077qab.36 for <trans@ietf.org>; Wed, 04 Jun 2014 12:52:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=globalsign.com; s=google; h=from:to:subject:date:message-id:mime-version:thread-index :content-language:content-type; bh=lUo+lSJ4ZhaxCesO7p8huvMZ5P14BPv6gWrqshPEj6I=; b=reEyWs4LdBokDQPULdMx8Utws8QeIkQUN20fogtQLyn2c5tqLv+Qbe8itLTT0ycF/j YkEfheFLDbm6Df9mP1d8V48jnrOmoEXTRFuy4sQa0ESQGJb4J7xtuQzD96l/krfvHvfH 5QwOs5/hvKiwcEkSQe8gvfQ9aJ9cOe63D+oVQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:subject:date:message-id:mime-version :thread-index:content-language:content-type; bh=lUo+lSJ4ZhaxCesO7p8huvMZ5P14BPv6gWrqshPEj6I=; b=HjS18D5hVpvXCev2N1Hx+bXTY+aaSUAauKlzluBifZ/n3hHVnKCO5wnxUiaBs9OLXi bVM2/3y6IOJIwOLyj+55Iwepf0CPQtYBOb3aO3zWpjyq/2pKB2KJoUoPXPCRxAntHVZn o4pYtK6D/w+Hw47QIV7XV0ZvE0Y0rw1STdnPbpnJTGl8OfNj8kAtNSo5OmUxVhDqeo6x hyXUkTf4kZ6xyvUiMo6OZIvuu6JI3Zk+t2ISkFqoEebj3Pb6LdO7H+uSHhyqQVFQJgt6 alqOHacCK5Jek4RNo0kBz51KTbcVvdI4zWheRZGPheo0SM0jZ+QFA+ID2JWlcft95BGS XP0A==
X-Gm-Message-State: ALoCoQnK6ykRGrkvjfwDBTGfKosAxdOiRZYmH80iJLLOp4h8PtBnyINIhDeOsafSRKuAHOQeSqlj
X-Received: by 10.229.2.200 with SMTP id 8mr50118791qck.10.1401911545674; Wed, 04 Jun 2014 12:52:25 -0700 (PDT)
Received: from psmlt013 (pool-108-49-225-12.bstnma.fios.verizon.net. [108.49.225.12]) by mx.google.com with ESMTPSA id f106sm2238901qge.8.2014.06.04.12.52.24 for <trans@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 04 Jun 2014 12:52:24 -0700 (PDT)
From: Doug Beattie <doug.beattie@globalsign.com>
To: trans@ietf.org
Date: Wed, 04 Jun 2014 15:52:24 -0400
Message-ID: <00b701cf802e$81893ea0$849bbbe0$@globalsign.com>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 15.0
Thread-Index: Ac+ALQQtMitYwrQqR0u9E0AtBE3d5w==
Content-Language: en-us
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_00B2_01CF800C.F9CB3200"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/wb5jpNKD1OMoFBJ5ux-7LyuxbqQ
Subject: [Trans] Using a Precertificate Signing Certificate to sign TBScertificates for CT
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jun 2014 19:52:33 -0000

Those CAs that want to use a Precertificate Signing Certificate need to
follow a more complicated process for signing and I don't think it's well
documented or thought out.

1) What chain does the Precertificate Signing Certificate need to be issued
under? 

RFC 6962 states: "The Precertificate Signing Certificate MUST be *directly
certified* by the (root or intermediate) *CA certificate that will
ultimately sign the end-entity TBScertificate* yielding the end-entity
certificate (note that the log *may* relax standard validation rules to
allow this, so long as the issued certificate will be valid)"

Point 1.1: Normally CAs have path length set to 0, so CAs are not able to
issue CA certificates under them, and this looks like a CA certificate
because CA:TRUE.  

Point 1.2: The also RFC States: "If the Precertificate is not signed with
the CA certificate that will issue the final certificate, then the
TBScertificate also has its issuer changed to that of the CA that will issue
the final certificate. "

This makes the Precertificate Signing Certificate look even less like a CA
certificate.  How do we convince a compliant/certified CA application to use
an Issuer DN other than the one that was used to sign the certificate?
Compliant CAs won't.

Point 1.3: The "may" above needs to be MUST, or validation will fail due to
the Issuer DN not matching what was posted.

Recommendation 1: At a minimum, remove CA:true from the Certificate Signing
Certificate profile.  Ideally the profile should be updated to be more like
a Document/Code signing certificate than a CA certificate. 

The signed TBScertificates posted to the log specifies the final
certificate's issuer DN, but the cert chain for the Precertificate Signing
Certificate is supplied so the CT log can validate that chain using relaxed
validation rules.  What's the relationship between the hierarchy of the
Precertificate Signing Certificate and the final certificate? I struggle to
find any relationship except they both chain to publicly trusted roots.  Is
that the intent of the RFC?

Recommendation 2: The Precertificate Signing Certificate used by a CA may be
issued under any one of its roots and be used to sign all entries to be
posted to the log.  Unless there is a requirement to validate that the
chains use the same root/hierarchy, there is no reason to require that.

2) Does the certificate serial number need to be the same in the
TBScertificate and the final certificate?

CAs that randomly generate serial numbers during issuance can't pre-generate
serial numbers to be used in the TBScertificate, then subsequently in the
final certificate. Is the serial number *that* important that it MUST be
included in the SCT?  The issuer for the TBScertificate does not match the
value of the certificate that signed it, so what's the point of the serial
number?  The CN, SAN, signing algorithms and keys are the most critical
components.  Can we limit the SCT to these values?

Recommendation 3: Don't require that the TBScertificate and the final
certificate contain the same serial number.


Summary: The CT Log validation rules need to be clearly defined so that the
CAs can post valid entries to the CT logs.  

* Currently I don't believe that the RFC is implementable by compliant CAs
that want to use Precertificate Signing Certificate.  
* Compliant CAs won't issue certificates with duplicate issuer DNs and
serial numbers, so that model is also broken - the Precertificate Signing
Certificate needs to be a non-CA certificate.  
* CAs that randomly generate serial numbers during issuance can't
pre-generate serial numbers to be used in the TBScertificate, then
subsequently in the final certificate, so serial numbers need to be removed
from the content hashed by the SCT.

Doug

v2.23.0 | Report a Bug | By Email