headers
Michael D'Errico | 2 Jun 2011 02:12
Picon
Favicon

Re: [pkix] Proposing CAA as PKIX Working Group Item

Paul Hoffman wrote:
> 
> I support the PKIX WG adopting as a work item (wording taken from the CAA draft's text) "DNS Resource
Records that allow a DNS domain name holder to specify the certificate signing certificate(s)
authorized to issue certificates for that domain".

I haven't read the draft, but from the quote it appears that
this could improve the weakest part of TLS (as it is used
today in browsers) where any of the hundreds of preinstalled
root CAs is trusted to issue a certificate to any possible
domain name.

[CC'ed to the TLS working group]

Mike
Permalink | Reply | 50 comments |
headers
Yoav Nir | 2 Jun 2011 06:10
Picon
Favicon

Re: [pkix] Proposing CAA as PKIX Working Group Item


On Jun 2, 2011, at 3:12 AM, Michael D'Errico wrote:

> Paul Hoffman wrote:
>> 
>> I support the PKIX WG adopting as a work item (wording taken from the CAA draft's text) "DNS Resource
Records that allow a DNS domain name holder to specify the certificate signing certificate(s)
authorized to issue certificates for that domain".
> 
> I haven't read the draft, but from the quote it appears that
> this could improve the weakest part of TLS (as it is used
> today in browsers) where any of the hundreds of preinstalled
> root CAs is trusted to issue a certificate to any possible
> domain name.

I'm not opposed to this draft, but I don't think it solves this problem. The issue is not even the dozens of
pre-installed root CAs, but that those root CAs can have many many affiliates, whether they're sub-CAs or
registration authorities. 

The two famous attacks of the last two years have not been about Verisign or Comodo. The "MD5 sub-CA" was
issued by RapidSSL, which is part of the "Verisign trust network" but not Verisign itself. In the recent
case it was a small Italian RA. In both cases the problem was an affiliate with not quite best practices that
caused the mis-issue.

CAA works if all root CAs and affiliates follow it. That's hundreds or thousands of entities. Any one of them
that fails to comply might ignore the CAA record.

PHB says that having the CAA record may aid in assigning blame, and thus perhaps at some point, liability.
Remains to be seen, but at least in the short term, CAA is not a panacea.
(Continue reading)

Permalink | Reply | 49 comments |
headers
Yoav Nir | 2 Jun 2011 17:37
Picon
Favicon

Re: [pkix] Proposing CAA as PKIX Working Group Item


On Jun 2, 2011, at 4:45 PM, Phillip Hallam-Baker wrote:

> 
> The final point made is that some CAs may not want to support CAA. I can't see why this would be so unless either:
> 
> 1) The technology is deficient (something PKIX might fix).
> 2) They really want to be able to issue fraudulent certificates.
> 3) They resist change for the sake of it.
> 4) It is not yet an IETF standard
> 
> Now I have no idea which of the above might apply if any. But the only way to find out is going to be to deploy. 

I can offer a couple of others
 5) They're too lazy to care
 6) It's cheaper to not do anything than to do something

In late 2008, when some researchers got RapidSSL to sign a certificate request that collided with their
rogue sub-CA certificate, several things came to light:
 - They were using MD5 10 years after RFC 2459 recommended not to
 - They were a ridiculously small company, with the only full-time employee. An accountant
 - They were doing a bunch of other "industry worst practices" - every field in the certificate was predictable

The root problem is that the RapidSSLs of the world issue certificates that are considered by browsers to be
just as valid as any DV certificate issued by responsible CAs. So getting a certificate that validates is
as easy as getting a rogue certificate from the worst CA or sub-CA. And with so many to choose from, I'm sure
it will be possible to find one that didn't implement CAA correctly.

It's still worthwhile, IMO. Because maybe that particular CA that implemented CAA wrong is not using MD5,
or maybe they have some other security mechanism done right. It may very well help thwart the next
(Continue reading)

Permalink | Reply | 7 comments |
headers
Marsh Ray | 2 Jun 2011 18:07
Favicon

Re: [pkix] Proposing CAA as PKIX Working Group Item

On 06/02/2011 08:45 AM, Phillip Hallam-Baker wrote:
>
> At the end of the day buffer over-run exploits will still trump any
> deficiencies in the CA infrastructure. But those don't have people
> running round suggesting urgent remedies because they are too common to
> bear notice. CAs and RAs are definitely not the weakest link in the
> chain here. Anyone claiming that is either grandstanding or has failed
> to pay attention.

Well that depends entirely on the chain in question doesn't it?

Not everything that uses TLS or certificates is an unpatched web browser 
with Adobe plugins operated by an ignorant user for the purpose of 
securing nothing particularly important.

Over time it becomes increasingly difficult for _any_ distributed 
application to run over ports other than TCP 443 due to the growth of 
egress filtering. So stuff is bundled in with web traffic that may, in 
fact, be implemented for high security requirements.

Perhaps a solution is to implement your own application-specific trust 
root that doesn't rely on the current profusion of CAs. But as an 
application developer I can attest to the fact that it's difficult to 
use standard platform TLS libraries without also trusting everything in 
the system root store, too. Some sites will insist on using their own 
in-house CAs too, which is fine, but it's further pressure on everything 
else to integrate/be vulnerable with the browser trust model.

The net security world has changed dramatically over the last couple of 
years. We have to move past this
(Continue reading)

Permalink | Reply | 1 comment |
headers
Phillip Hallam-Baker | 2 Jun 2011 18:31
Picon

Re: [pkix] Proposing CAA as PKIX Working Group Item



On Thu, Jun 2, 2011 at 12:07 PM, Marsh Ray <marsh <at> extendedsubset.com> wrote:
On 06/02/2011 08:45 AM, Phillip Hallam-Baker wrote:

At the end of the day buffer over-run exploits will still trump any
deficiencies in the CA infrastructure. But those don't have people
running round suggesting urgent remedies because they are too common to
bear notice. CAs and RAs are definitely not the weakest link in the
chain here. Anyone claiming that is either grandstanding or has failed
to pay attention.

Well that depends entirely on the chain in question doesn't it?

Not everything that uses TLS or certificates is an unpatched web browser with Adobe plugins operated by an ignorant user for the purpose of securing nothing particularly important.

I hear you.

But lets be realistic here, we are currently actually doing worse for non browser security. 

The weakest link in the TLS protocol is actually the end user who is for some bizarre reason expected to be looking for padlock icons and green bars and know when to look for which one.

This is even more problematic when applying TLS to Web services as there isn't even a user to make the decision and no real idea of what should do that instead.


CAA is not going to solve every problem associated with trust on the Internet and CA infrastructure. Nor is TLS and nor is strict security. But I do think that a combination of those three ideas can make a major step forward.

That is why CAA is designed to be arbitrarily extensible with a tag-value format even though there are only two property tags currently defined. I really like the work that Paypal and Jeff Hodges have been doing and would like to have a way to eventually bring CAA into alignment there.


But for the moment we have to avoid 'crossing the streams' as Stephen F. put it to me. 

Lets work on the part of the problem that we can while the Web Security folk work on understanding the complexities of what strict security involves.


 
Perhaps a solution is to implement your own application-specific trust root that doesn't rely on the current profusion of CAs. But as an application developer I can attest to the fact that it's difficult to use standard platform TLS libraries without also trusting everything in the system root store, too. Some sites will insist on using their own in-house CAs too, which is fine, but it's further pressure on everything else to integrate/be vulnerable with the browser trust model.

Yes and that may well end up motivating a mechanism to allow for protocol specific path properties so that enterprises can have separate CAs authorized for separate protocols. 

Web Services security is a big part of what I am interested in supporting here. We went into the Web Services world with certain interests promoting UDDI as the central directory to make it all work. So now we have a protocol stack predicated on the existence of a directory with no directory to work with.


I have some ideas there, but again, that would be crossing the streams at this point. I think the way to get traction there will be to propose a Web Service application with some pretty severe security requirements and make that the test application for a framework designed to 'do it right'. 

_______________________________________________
TLS mailing list
TLS <at> ietf.org
https://www.ietf.org/mailman/listinfo/tls
Permalink | Reply | 0 comments |
headers
Nikos Mavrogiannopoulos | 3 Jun 2011 09:27

tls with DSA and ECDSA

Hello,
 I've submitted:
http://tools.ietf.org/html/draft-mavrogiannopoulos-tls-dss-00

The purpose is to define choices for the hash algorithm to be used for
the TLS handshake and eventually make the hash algorithm selection for
the DSS signature standard deterministic. That is because DSS as a
standard allows the usage of any SHAx hash function truncated or not.

For example given 256-bit curve, I could use SHA-256, or SHA-384
truncated to 256 bits, or SHA-512 truncated to 256 bits, to sign. This
document tries to restrict the choices to promote interoperability.

This is in line with rfc5480 that does the same thing for PKIX ECDSA
certificates.

regards,
Nikos
Permalink | Reply | 1 comment |
headers
Adam Langley | 3 Jun 2011 20:45
Picon
Favicon

Re: tls with DSA and ECDSA

On Fri, Jun 3, 2011 at 3:27 AM, Nikos Mavrogiannopoulos <nmav <at> gnutls.org> wrote:
> Hello,
>  I've submitted:
> http://tools.ietf.org/html/draft-mavrogiannopoulos-tls-dss-00

Looks good to me.

AGL
_______________________________________________
TLS mailing list
TLS <at> ietf.org
https://www.ietf.org/mailman/listinfo/tls
Permalink | Reply | 0 comments |
headers
Nikos Mavrogiannopoulos | 3 Jun 2011 21:30

Re: Final (hopefully) issues with DTLS 1.2

On 05/30/2011 05:38 PM, Eric Rescorla wrote:

> The effect of this restriction is to require the client to send the
> same ClientHello
> (except with the cookie that he sent initially). This maps to the TLS semantics
> where there is only a single ClientHello message sent which is processed
> immediately. IMO this makes analysis easier since it makes DTLS behave
> more like TLS.
> There's no need for the server to do any negotiation at this point,
> it should simply generate a HelloVerifyRequest with the highest matching
> version (regardless of cipher suite considerations) and then process the
> ClientHello de novo [after checking for matching parameters.] Yes, this leaves
> open the possibility that the handshake will eventually negotiate to some yet
> lower TLS version, but that's what happens in one round trip with TLS. I
> would be happy to add a note to the effect that a yet lower version might
> be negotiated. Though note that it's arguable that RFC 5246 S 7.4.1.3
> prohibits conditioning version on ciphersuite even for TLS "This field
> will contain the lower of that suggested by the client
> in the client hello and the highest supported by the server.  For this
> version of the specification, the version is 3.3.  (See
> Appendix E for details about backward compatibility.)"

My implementation of this HelloVerifyRequest was made without using or
allocating server state. That means it doesn't even know which (DTLS)
protocols are enabled or not. It could even be implemented in a
totally different subsystem (a firewall) in front of the server. Thus it
might not know information the server knows. For me this packet
should be as simple as possible. Using a fixed DTLS version would
satisfy this goal. I see no benefit from doing the DTLS version number
negotiation at this "stateless" point.

regards,
Nikos
Permalink | Reply | 2 comments |
headers
Eric Rescorla | 3 Jun 2011 22:09

Re: Final (hopefully) issues with DTLS 1.2

On Fri, Jun 3, 2011 at 12:30 PM, Nikos Mavrogiannopoulos
<nmav <at> gnutls.org> wrote:
> On 05/30/2011 05:38 PM, Eric Rescorla wrote:
>
>> The effect of this restriction is to require the client to send the
>> same ClientHello
>> (except with the cookie that he sent initially). This maps to the TLS semantics
>> where there is only a single ClientHello message sent which is processed
>> immediately. IMO this makes analysis easier since it makes DTLS behave
>> more like TLS.
>> There's no need for the server to do any negotiation at this point,
>> it should simply generate a HelloVerifyRequest with the highest matching
>> version (regardless of cipher suite considerations) and then process the
>> ClientHello de novo [after checking for matching parameters.] Yes, this leaves
>> open the possibility that the handshake will eventually negotiate to some yet
>> lower TLS version, but that's what happens in one round trip with TLS. I
>> would be happy to add a note to the effect that a yet lower version might
>> be negotiated. Though note that it's arguable that RFC 5246 S 7.4.1.3
>> prohibits conditioning version on ciphersuite even for TLS "This field
>> will contain the lower of that suggested by the client
>> in the client hello and the highest supported by the server.  For this
>> version of the specification, the version is 3.3.  (See
>> Appendix E for details about backward compatibility.)"
>
> My implementation of this HelloVerifyRequest was made without using or
> allocating server state. That means it doesn't even know which (DTLS)
> protocols are enabled or not. It could even be implemented in a
> totally different subsystem (a firewall) in front of the server. Thus it
> might not know information the server knows. For me this packet
> should be as simple as possible. Using a fixed DTLS version would
> satisfy this goal. I see no benefit from doing the DTLS version number
> negotiation at this "stateless" point.

I don't see a problem with the server echoing the client's version number
here. Does anyone disagree with making an explicit exemption in the spec
for that?

-Ekr
Permalink | Reply | 1 comment |
headers
Nikos Mavrogiannopoulos | 3 Jun 2011 23:16

Re: Final (hopefully) issues with DTLS 1.2

On 06/03/2011 10:09 PM, Eric Rescorla wrote:

>> My implementation of this HelloVerifyRequest was made without using or
>> allocating server state. That means it doesn't even know which (DTLS)
>> protocols are enabled or not. It could even be implemented in a
>> totally different subsystem (a firewall) in front of the server. Thus it
>> might not know information the server knows. For me this packet
>> should be as simple as possible. Using a fixed DTLS version would
>> satisfy this goal. I see no benefit from doing the DTLS version number
>> negotiation at this "stateless" point.
> I don't see a problem with the server echoing the client's version number
> here. Does anyone disagree with making an explicit exemption in the spec
> for that?

By reflecting the version back you lose the ability to use a different
format later on (under another version number). It might be better to
just fix it to a protocol number, e.g. DTLS 1.0, and if the format
changes then some other number is used.

regards,
Nikos
Permalink | Reply | 0 comments |

Gmane