Re: [Trans] AIA/cRL for logged certificates
Carl Wallace <carl@redhoundsoftware.com> Fri, 27 March 2015 12:51 UTC
Date: Fri, 27 Mar 2015 08:51:20 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: Ben Laurie <benl@google.com>, Eran Messeri <eranm@google.com>
Message-ID: <D13AC9E6.3152F%carl@redhoundsoftware.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/trans/y6ACd5VAEtKjIumRrj3smLjs924>
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] AIA/cRL for logged certificates
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
From: Ben Laurie <benl@google.com>
Date: Friday, March 27, 2015 at 8:47 AM
To: Eran Messeri <eranm@google.com>
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] AIA/cRL for logged certificates

> On 27 March 2015 at 12:45, Eran Messeri <eranm@google.com> wrote:
>> I'd like to get opinions from the list on solutions to the following problem,
>> which Ben originally pointed out. It applies to Precertificates currently,
>> but would apply to X.509 certificates if ticket #4 is accepted.
>>
>> An "undesirable" certificate is issued and logged (without including
>> Authority Information Access / CRL distribution point) and upon discovery is
>> revoked - the CRL distribution point in the issuer or one of the intermediate
>> certs will list it as revoked.
>> That certificate would be signed a second time with the same issuer key, but
>> not logged a second time (as the SCT produced for the first certificate is
>> valid for the second one). When it is served, it is served together with a
>> chain that is different than the one logged, and the issuer or intermediates
>> in this chain point to a different AIA/CRL that does *not* list this
>> certificate as revoked (the implied assumption is that the attacker controls
>> the private key of the issuer).
>>
>> Implication: A client believes it has a legitimate certificate by validating
>> the SCT and performing an online revocation check.
>>
>> Potential mitigations:
>> - Require that the client only use the AIA/CRL distribution point from the
>> chain logged in the CT log (which forces the client to fetch it online,
>> before completing the connection).
>
> Then it's not a potential mitigation!

This option would not necessarily work as the CRL referenced by the DP in the
log may not cover the newly issued certificate.

>> - Require the presence of AIA/CRL distribution point in the end-entity
>> certificate.
>>
>> Any other suggestions?
>> Eran
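An added example, not part of this thread, modelling the problem Eran describes together with the first mitigation and Carl's caveat. The Cert class, the CRL dictionary, the serials and the crl.example.test URLs are constructed stand-ins; the only real structure reproduced is the RFC 6962 precert_entry layout that an SCT signature covers, which is what makes the served chain invisible to SCT validation.

```python
import hashlib, struct
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

@dataclass(frozen=True)
class Cert:
    """Toy certificate: a constructed stand-in for DER, not a real X.509 parser."""
    serial: int
    tbs: bytes             # stand-in for the TBSCertificate bytes the SCT covers
    spki: bytes            # this cert's public key (issuer key of whatever it signs)
    crl_dp: Optional[str]  # CRL distribution point URL carried by this cert, if any

def precert_sct_signed_input(timestamp_ms: int, issuer_spki: bytes, tbs: bytes) -> bytes:
    """RFC 6962 s3.2 precert_entry input: issuer key hash + TBSCertificate only.
    Nothing else in the chain (such as the issuer's AIA/CRL DP) is signed."""
    issuer_key_hash = hashlib.sha256(issuer_spki).digest()
    return (b"\x00\x00"                     # sct_version v1, signature_type certificate_timestamp
            + struct.pack(">Q", timestamp_ms)
            + struct.pack(">H", 1)          # entry_type precert_entry
            + issuer_key_hash
            + len(tbs).to_bytes(3, "big") + tbs
            + b"\x00\x00")                  # empty extensions

def sct_covers_served_pair(logged_leaf: Cert, logged_issuer: Cert,
                           served_leaf: Cert, served_issuer: Cert, ts: int) -> bool:
    """True when the served leaf/issuer pair reproduces the logged signed input,
    i.e. the logged SCT is equally valid for it whatever chain is served."""
    return (precert_sct_signed_input(ts, logged_issuer.spki, logged_leaf.tbs)
            == precert_sct_signed_input(ts, served_issuer.spki, served_leaf.tbs))

def revocation_status(leaf: Cert, issuer: Cert,
                      crls: Dict[str, Tuple[Set[int], Set[int]]]) -> str:
    """Check `leaf` against the CRL at the DP taken from `issuer`; crls maps a DP URL
    to (serials in the CRL's scope, serials it revokes). Using the issuer from the
    *logged* chain is the thread's first mitigation; "not_covered" is Carl's caveat."""
    dp = issuer.crl_dp or leaf.crl_dp
    if dp is None or dp not in crls:
        return "no_crl"
    in_scope, revoked = crls[dp]
    if leaf.serial in revoked:
        return "revoked"
    return "good" if leaf.serial in in_scope else "not_covered"

# Constructed sample data: one issuer key behind two issuer certs with different DPs.
ISSUER_KEY = b"constructed-issuer-spki"
LOGGED_ISSUER = Cert(1, b"issuer-tbs-logged", ISSUER_KEY, "http://crl.example.test/logged.crl")
SERVED_ISSUER = Cert(1, b"issuer-tbs-resigned", ISSUER_KEY, "http://crl.example.test/other.crl")
LEAF = Cert(4242, b"undesirable-leaf-tbs", b"leaf-spki", None)
CRLS = {LOGGED_ISSUER.crl_dp: ({4242}, {4242}),   # logged DP lists the leaf as revoked
        SERVED_ISSUER.crl_dp: ({4242}, set())}    # substituted DP does not
```

A client that treats "not_covered" as "good" loses the benefit of the logged DP, which is the gap Carl points at; a CRL whose issuing distribution point scope excludes the serial has to be treated as no answer.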