Re: [websec] Fwd: New Version Notification for draft-ietf-websec-key-pinning-03.txt
"Ryan Sleevi" <ryan-ietfhasmat@sleevi.com> Wed, 17 October 2012 17:52 UTC
Return-Path: <ryan-ietfhasmat@sleevi.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9826221F8673 for <websec@ietfa.amsl.com>; Wed, 17 Oct 2012 10:52:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id faD78Tgcad0X for <websec@ietfa.amsl.com>; Wed, 17 Oct 2012 10:52:54 -0700 (PDT)
Received: from homiemail-a66.g.dreamhost.com (caiajhbdcbbj.dreamhost.com [208.97.132.119]) by ietfa.amsl.com (Postfix) with ESMTP id 9981D21F8639 for <websec@ietf.org>; Wed, 17 Oct 2012 10:52:54 -0700 (PDT)
Received: from homiemail-a66.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a66.g.dreamhost.com (Postfix) with ESMTP id 21662350079; Wed, 17 Oct 2012 10:52:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sleevi.com; h=message-id :in-reply-to:references:date:subject:from:to:cc:reply-to :mime-version:content-type:content-transfer-encoding; s= sleevi.com; bh=ifqme3Jz6HQ5yh0nu9YljA0quoU=; b=KU0+gWDorHxER/zrM hRoz0T7zAWTvT9Xk8ljX3T3+WBnLovSindRS7CeiDH2H2Q+INa4minx1jbaiN5Qp KN8tJqGr9bIBO1LxhZAoFLiq31ortjst5x1XQOXDbNl3sGTWqAs5G/bO5Fc9eRTT t/JmwhVU5mwMvKjqFzS7x4U1ZQ=
Received: from webmail.dreamhost.com (caiajhbihbdd.dreamhost.com [208.97.187.133]) (Authenticated sender: ryan@sleevi.com) by homiemail-a66.g.dreamhost.com (Postfix) with ESMTPA id 7FF75350058; Wed, 17 Oct 2012 10:52:53 -0700 (PDT)
Received: from 173.8.157.162 (proxying for 173.8.157.162) (SquirrelMail authenticated user ryan@sleevi.com) by webmail.dreamhost.com with HTTP; Wed, 17 Oct 2012 10:52:52 -0700
Message-ID: <c0cb21144ddbc51f15e19051da62ce42.squirrel@webmail.dreamhost.com>
In-Reply-To: <CCA45BB7.33DBE%carl@redhoundsoftware.com>
References: <CCA45BB7.33DBE%carl@redhoundsoftware.com>
Date: Wed, 17 Oct 2012 10:52:52 -0700
From: Ryan Sleevi <ryan-ietfhasmat@sleevi.com>
To: Carl Wallace <carl@redhoundsoftware.com>
User-Agent: SquirrelMail/1.4.21
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Fwd: New Version Notification for draft-ietf-websec-key-pinning-03.txt
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: ryan-ietfhasmat@sleevi.com
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Oct 2012 17:52:55 -0000
On Wed, October 17, 2012 10:04 am, Carl Wallace wrote: > > On 10/17/12 12:36 PM, "Ryan Sleevi" <ryan-ietfhasmat@sleevi.com> wrote: > > ><large snip> > >This leaves the broader question of "How does the site operator know > > about > >CA_Alice and CA_Bob to begin with". One possible solution for this is a > >report-but-unenforced mode, where user agents could describe their > >observed chains to the site. As unseemly as this is, it's very likely > > that > >many site operators - even Very Large, High Value sites - may not have a > >full understanding of the PKI that they're a participant in. > > A tool that builds all possible paths that the site operator can run > without involving any users would be good too. The site operator mainly > needs to know where its certificate chains against public stuff and could > check that independently. This should come close to relegating the user > report tool to oddball instances. The problem in general with such tools (and I'm sure this will be a talking point during the WPKOPS and CERTTRANS BOFs) is that it's actually a rather hard problem to know exactly what certificates exist. Beyond the issues such as "What user agents have what behaviour" and "what intermediates are baked into what platforms," one of the more problematic areas is related to the AIA chasing that is functionally and fundamentally necessary to maintain parity and access to a depressingly vast majority of sites. When the site operator installs their cert, they may only install on their HTTPS server (Site_Cert, Intermediate). This is because CA_Bob and the site operator are assuming that CA_Bob can be omitted, since it's the root of trust. For clients that don't trust CA_Bob, Intermediate has an AIA to a URL that contains CA_Bob, which is cross-certified by CA_Alice. So the possible chains are: Site_Cert (via TLS) -> Intermediate (via TLS) -> CA_Bob (obtained out-of-band) Site_Cert (via TLS) -> Intermediate (via TLS) -> CA_Bob (obtained via AIA) -> CA_Alice (obtained out of band) Now what if CA_Bob goes out of business/is acquired? Well, one common trick is to update the URL of Intermediate to point to a new version, signed by CA_Charles. When the path building for Intermediate (via TLS) fails, user agents may "unwind" their depth search, and attempt the AIA fetch from Site_Cert, leading to a new chain. Site_Cert (via TLS) -> Intermediate (via AIA) -> CA_Charles (obtained out-of-band) Or CA_Bob may decide they want to sever ties with CA_Alice, and go with CA_Charlene. They simply replace the AIA URL used to serve up the cross-certified CA_Bob. This is all well and good for "point in time" evaluation - but the added crux on this is that the site operator may be noticing all these shenanigans, and now explicitly configure their server to send a particular chain they believe is accurate/optimal. Also, clients may be caching intermediates as well. So it's "Very Hard" to actually know what *all* possible paths are, because the possible paths change over time, and some paths may no longer be knowable by such a tool when the certificate is being evaluated, because the old certificates served at URL X are now replaced with newer ones. You may think I'm just grasping at edge cases, but unfortunately every situation I just described above has been done by major CAs, including some that might be considered of the "Too big too fail" variety. So it's definitely an issue, and that's some from of client reporting seems necessary (with transparency + disclosure to make it easier to write such tools in the future)
- [websec] Fwd: New Version Notification for draft-… Chris Palmer
- Re: [websec] Fwd: New Version Notification for dr… Yoav Nir
- Re: [websec] Fwd: New Version Notification for dr… Tom Ritter
- Re: [websec] Fwd: New Version Notification for dr… Ryan Sleevi
- Re: [websec] Fwd: New Version Notification for dr… Carl Wallace
- Re: [websec] Fwd: New Version Notification for dr… Ryan Sleevi
- Re: [websec] Fwd: New Version Notification for dr… Carl Wallace
- Re: [websec] Fwd: New Version Notification for dr… Ryan Sleevi
- Re: [websec] Fwd: New Version Notification for dr… Chris Palmer
- Re: [websec] Fwd: New Version Notification for dr… Chris Palmer
- Re: [websec] Fwd: New Version Notification for dr… Tobias Gondrom
- Re: [websec] Fwd: New Version Notification for dr… Tom Ritter
- Re: [websec] Fwd: New Version Notification for dr… Chris Palmer