Re: [websec] Key pinning for DSA keys with inherited domain params
Phillip Hallam-Baker <hallam@gmail.com> Fri, 16 December 2011 13:22 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9D0D21F8B43 for <websec@ietfa.amsl.com>; Fri, 16 Dec 2011 05:22:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.845
X-Spam-Level:
X-Spam-Status: No, score=-2.845 tagged_above=-999 required=5 tests=[AWL=0.753, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9nFwbcedqSwJ for <websec@ietfa.amsl.com>; Fri, 16 Dec 2011 05:22:19 -0800 (PST)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id 00E1D21F8B76 for <websec@ietf.org>; Fri, 16 Dec 2011 05:22:18 -0800 (PST)
Received: by ggnk5 with SMTP id k5so3093577ggn.31 for <websec@ietf.org>; Fri, 16 Dec 2011 05:22:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=wfbp8SgcQYxnEYPSRGgcRWPE68RHmVbvxVoG8ln90c0=; b=r6GkL0myuW3VktD7o4F2NEhZNiiRKGMH/tGAIlr1EzelpJ0+OFVop8uNAsR6MZKCQl gtHfQU5U7XuT/b20S5KnObTlUqJCcBzk6e9v3iMzFkv6NPeqjBZiJUBti4f5eehHhDf2 KLntQ0SfGE3M2tMCYCvG350L+Efs0PtJkvouc=
MIME-Version: 1.0
Received: by 10.182.144.69 with SMTP id sk5mr3461608obb.27.1324041738546; Fri, 16 Dec 2011 05:22:18 -0800 (PST)
Received: by 10.182.160.72 with HTTP; Fri, 16 Dec 2011 05:22:18 -0800 (PST)
In-Reply-To: <CAL9PXLxhTQxWy8NXj3R2C7JpjBj=oSMdDP_aNtH2F=+r3h-X=Q@mail.gmail.com>
References: <76E2AAC7-2070-4C98-B0EE-08BE5D2B0CB9@team.telstra.com> <CAL9PXLz7fVbH5SC0X1G+uj_-BZKW=Gj5L1zQbxX8398e+e2t6g@mail.gmail.com> <CAOuvq213m-KNTenfNLi1nknj1KPa4O_m7yAXpDtX7NaDiMraWA@mail.gmail.com> <CAOuvq22Y0Ame2BGZuPM_YsYztQB0en=5+btQVg5C9p-Hk4V67g@mail.gmail.com> <D36CA259-5E25-41A4-A3BE-765636D7C491@checkpoint.com> <CAMm+LwhP9_ZUP0j-JtQGVwbcCMTZ7TZ4AHFLJJNCHK4S8fpXGw@mail.gmail.com> <CAL9PXLxhTQxWy8NXj3R2C7JpjBj=oSMdDP_aNtH2F=+r3h-X=Q@mail.gmail.com>
Date: Fri, 16 Dec 2011 08:22:18 -0500
Message-ID: <CAMm+LwhoWWs1ntD04cDA-WCC1OTEXnuOOGrim_hY7oiQwA+bRA@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Adam Langley <agl@google.com>
Content-Type: multipart/alternative; boundary="14dae93996717e6c3e04b4357d09"
Cc: "websec@ietf.org" <websec@ietf.org>
Subject: Re: [websec] Key pinning for DSA keys with inherited domain params
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Dec 2011 13:22:20 -0000
Actually, the inheritance mechanism should probably be prohibited altogether. As things stand it allows a CA to poison a cert issued by another CA! Let us imagine CA X issues a cert for Alice, the chain is X -> XI -> A. Now imagine that CA Y issues a cross cert for XI, we now have a chain Y-> XI -> A The parameters for the key now depend on the path! Yuk! I don't know if there is a practical attack possible , this just occurred to me. But even if there is no attack there is potential for error. [The sort of attack I am thinking of is a kleptography like attack when country A sells sabotaged crypto equipment to country B. Country B may verify that only certs issued through the sub CA XI they control are used but this gives a way to defeat that control.] On Tue, Dec 13, 2011 at 10:20 AM, Adam Langley <agl@google.com> wrote: > On Tue, Dec 13, 2011 at 7:56 AM, Phillip Hallam-Baker <hallam@gmail.com> > wrote: > > I don't like a solution for pinning that depends on the CA delivering the > > 'right' sort of cert. I would prefer to add in a second hash over the > > parameter values or specify them explicitly in the pin or to have the > hash > > be over what the values would be if completely specified in the Key Info. > > In the case of ECDSA, it'll be very rare for the parameters to be > omitted since they can be compactly represented by a named curve. In > fact, I've not seen code in SSL libraries that'll go hunting for EC > parameters in a CA key - I strongly suspect that support for this is > minimal at best. > > Therefore I'm happy to simply exclude the possibility in the spec and > save the complexity. > > > Cheers > > AGL > -- Website: http://hallambaker.com/
- [websec] Key pinning for DSA keys with inherited … Manger, James H
- Re: [websec] Key pinning for DSA keys with inheri… Adam Langley
- Re: [websec] Key pinning for DSA keys with inheri… Chris Palmer
- Re: [websec] Key pinning for DSA keys with inheri… Chris Palmer
- Re: [websec] Key pinning for DSA keys with inheri… Yoav Nir
- Re: [websec] Key pinning for DSA keys with inheri… Phillip Hallam-Baker
- Re: [websec] Key pinning for DSA keys with inheri… Adam Langley
- Re: [websec] Key pinning for DSA keys with inheri… Phillip Hallam-Baker