[websec] Suggestions for Fixing PKI
Alice Wonder <alice@domblogger.net> Mon, 20 April 2015 17:02 UTC
Return-Path: <alice@domblogger.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1797B1A87E9 for <websec@ietfa.amsl.com>; Mon, 20 Apr 2015 10:02:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.689
X-Spam-Level:
X-Spam-Status: No, score=0.689 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k5ppxPf-TKSG for <websec@ietfa.amsl.com>; Mon, 20 Apr 2015 10:02:30 -0700 (PDT)
Received: from mail.domblogger.net (mail.domblogger.net [IPv6:2600:3c00::f03c:91ff:fe56:d6a2]) by ietfa.amsl.com (Postfix) with ESMTP id 529C51A87E7 for <websec@ietf.org>; Mon, 20 Apr 2015 10:02:30 -0700 (PDT)
Received: from new.domblogger.dev (97-94-132-133.dhcp.trlk.ca.charter.com [97.94.132.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.domblogger.net (Postfix) with ESMTPSA id B400D1178 for <websec@ietf.org>; Mon, 20 Apr 2015 17:02:24 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=domblogger.net; s=default; t=1429549344; bh=XY6RZomKY5BJSOaM6OF+idJtoAyOjIBbcByLFTeE0ZU=; h=Date:From:To:Subject; b=HsYMAlBUkMUSuahZo3n2Y+v/ucqedxulLXvpbU4fVZJPCEK4N65COlgtYbYtsg+q5 yy0oRubqeCvY5b1VGyxzCvOJXbhrV9i8vNP3TKWwBNQJ6VJeQun7HRFhKQaIpqU76V R5+8nwyhsW3f8hWkFgeMJyozHMVE1vPFsAss8yAs=
Message-ID: <5535311F.6020103@domblogger.net>
Date: Mon, 20 Apr 2015 10:02:23 -0700
From: Alice Wonder <alice@domblogger.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: websec@ietf.org
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/websec/rc4reyTRyaXp0f3Ukmb60olsdVw>
Subject: [websec] Suggestions for Fixing PKI
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Apr 2015 17:03:03 -0000
Dear List,
This is just for thought, I have neither the resources nor energy to
push it through.
I would use the existing DNS system to do the equivalent of OCSP stapling.
ICANN creates a new TLD, we can call it pki.
Only certificate authorities can register names in pki.
The registry `Example Certificates, LTD.' would register example.pki
Even though the system uses the DNS system, only a limited subset of RR
types would be allowed in the pki. TLD.
For example, MX and A and AAAA records etc. should not be allowed, it is
a utility TLD intended to serve as infrastructure.
For the serial number in the SOA record, seconds since UNIX epoch would
be what I would suggest. As serial is 32-bit that will eventually wrap
but DNS allows for serial to wrap. Whether it is seconds since UNIX
epoch or something else doesn't matter but I do suggest the serial be
standardized, and YYYYMMDDnn does not allow enough updates in a 24 hour
period.
BIND etc. probably shouldn't be used for the master, the master should
probably be a custom server that talks to the CA's database and probably
shouldn't have a public facing IP address, but bind / NSD / whatever
could serve as slaves, there is no need for non-standard RR types to be
used and they shouldn't be used.
Each signed certificate will have a serial number assigned by the
certificate authority. That may actually already exist. I would suggest
they be ASCII characters <= 63 with existing DNS label limitations, but
no need for hostname restrictions. For example d3we74ldqw1190 could be a
valid serial number. The serial number should be included in the signed
TLS certificate.
For each valid certificate, the DNS server will respond as an
authoritative DNS to a request for a TXT record of the serial number.
For example:
dig TXT d3we74ldqw1190.example.pki. +short
would then get the rdata for that certificate, with a record that can be
DNSSEC validated, if the certificate is valid.
If the certificate is revoked, I *might* get a DNSSEC signed response.
If the certificate was never issued then I would get a DNSSEC signed
response stating is does not exist. NSEC is probably good enough for
that, doesn't need the complexity of NSEC3 IMHO.
For the rdata - it should include the OCSP uri, timestamp, and whether
or not the certificate was valid at the time of the timestamp.
TLS clients could then validate a certificate by doing a simple DNS
query. If they don't get a DNSSEC validating response, they fall back to
using the OCSP URI provided in the certificate.
If they get a validating response stating the record does not exist,
they reject the certificate.
If they get a validating response stating the record does exist but the
certificate has been revoked, they reject the certificate.
If they get a validating response stating the record does exist and the
certificate was not revoked, the client can then look at the timestamp
and if it is recent enough - accept the certificate, otherwise do the
OCSP lookup itself.
This would solve the problem of certificate authorities having the
ability to track users, because the client would be using their local
recursive resolver to query for the information. It would also solve the
problem of a sudden spike at a web site radically increasing traffic at
the certificate OCSP server, because the local resolvers would cache the
requests until the TTL expires.
Obviously this solution needs more details and someone to take the idea
to the appropriate powers, but that is how I would solve the revoked
certificate problem if I was emperor of the Internet.
I would personally limit the RR types to SOA, TXT, RP, and the DNSSEC RR
types, and DNSSEC should be required. But there may be valid reasons for
some other RR types. I would suggest that CAs push updates to the slaves
every 5 to 10 minutes. For the TTL on TXT records, 1800 would be what I
would use but it seems to me like a lot of resolvers ignore that and
make up their own TTL. For the negative TTL I would suggest 120 seconds.
But really until this is implemented those are just numbers, real usage
will help refine them.
Thank you for your time,
Alice Wonder
- [websec] Suggestions for Fixing PKI Alice Wonder
- Re: [websec] Suggestions for Fixing PKI Adam Langley