Public-Key Infrastructure (X.509) (pkix)

Stephen Wilson | 1 Apr 2009 04:41

Renew/Rekey/Modification


Colleagues,

There are a few things about certificate "renewal" and "re-key" that 
have long confounded me.  Things only seem to have got more convoluted 
in RFC 3647 and -- no offence! -- in newer Certificate Policies like the 
US FPKI Policy Authority document.   Can anyone help me understand the 
rationale for the some of the following scenarios?  Thanks in advance!

Re-key is said (in the FPKI CP) to be a good idea because the older a 
key gets, the more susceptible it is to loss and compromise.  Fair 
enough, but why wouldn't that consideration be factored into the chosen 
certificate validity period?

Is there ever a real world scenario when a Subject would of their own 
accord request re-key because they feel the key is getting old?  If so, 
why wouldn't they revoke as well?  The FPKI CA says that after re-key 
"The old certificate may or may not be revoked".  Why would you not 
revoke, given the possibility that the key has got too old?  I don't 
think it would ever be sensible to keep using an old original key and a 
fresh key.  And if I were a Relying Party, I might like to know about 
this possible quality difference, yet there would be nothing in a CRL or 
anywhere else to mark the fact that the Subscriber has re-keyed.

The FPKI CA goes on to say that after re-key "The old certificate ... 
must not be further re-keyed, renewed, or modified".  This seems almost 
oxymoronic.  Consider that I have certificate A and then I re-key A to 
create certificate B.  And then I re-key B to create certificate C.  I 
would say that C is indistinguishable from a re-keyed A since A, B and C 
will only differ by key value.  So how is it meaningful to forbid

(Continue reading)

headers

Johannes Merkle | 1 Apr 2009 14:49

Re: Renew/Rekey/Modification


Stephen,

I do not know the FPKI documents but I think your questions generally refer to RFC 3647.

> Re-key is said (in the FPKI CP) to be a good idea because the older a
> key gets, the more susceptible it is to loss and compromise.  Fair
> enough, but why wouldn't that consideration be factored into the chosen
> certificate validity period?
> 
Typically, a certificate is re-keyed when or right before it expires. In this case, the maximum key
lifetime is factored
into the certificate.

> 
> Is there ever a real world scenario when a Subject would of their own
> accord request re-key because they feel the key is getting old?  If so,
Yes, right before the old certificate expires. An alternative scenario would be after revocation due to
suspected key
compromise, but in this case the application for the new cert can not be secured by the old one.

> why wouldn't they revoke as well?  The FPKI CA says that after re-key
> "The old certificate may or may not be revoked".  Why would you not
> revoke, given the possibility that the key has got too old?  I don't
> think it would ever be sensible to keep using an old original key and a
> fresh key.  And if I were a Relying Party, I might like to know about
> this possible quality difference, yet there would be nothing in a CRL or
> anywhere else to mark the fact that the Subscriber has re-keyed.
If the old certificate is going to expire very soon, revocation might not be necessary. However, it is
considered good

(Continue reading)

headers

Kemp, David P. | 1 Apr 2009 15:45

RE: Renew/Rekey/Modification


You may be over-analyzing the terms.  A certificate can be issued
ab-initio, or it can be related to an existing certificate.  If related,
various things can be held constant while others are changed:
* if only validity (and serial number, of course) changes, it's called
renewal
* if other information excluding the key changes, it's called an update
or modification
* if the key changes, it's called a rekey

If a certificate is replaced because of a known key compromise, the cert
is rekeyed and the old cert is revoked.  If a cert is replaced because
it is getting old (nearing the end of its validity) then the old cert
may either be revoked or be allowed to expire.  Key age is one factor in
determining validity period, but so is other information - it may be
useful to renew short-lived certificates many times without rekeying in
order to avoid or minimize the burden of revocation.

You are correct that if cert A is rekeyed twice, there isn't much
difference between saying cert C is a rekey of B or of A.  But there is
a difference for renew and update - it is a management best practice not
to renew or update A to produce C after rekeying A to produce B - once
A's key has been replaced, no new certificates should be created with
that key.  It may also be good practice to say that if cert A has been
rekeyed to produce B, then only B (and not A, even if still valid)
should be used to authenticate the subject when rekeying to produce C.

Dave

-----Original Message-----

(Continue reading)

headers

Santosh Chokhani | 1 Apr 2009 16:05

RE: OCSP RFC (RFC 2560) Dependence on SHA-1


My resident ASN.1 expert apprised me of the fact that adding a choice
will break backward compatibility.  Thus, extension is a fifth option
(probably third in the priority).

Based on what I know of OCSP implementations, not changing anything in
terms of bits on the wire and aligning the Key ID with SKID in 5280 is
the best approach.  I do not think it will hurt backward compatibility.

OCSP Responder and OCSP client vendors should speak up if I am wrong.

> -----Original Message-----
> From: Santosh Chokhani 
> Sent: Tuesday, March 31, 2009 12:51 PM
> To: 'Massimiliano Pala'; IETF-pkix
> Subject: RE: OCSP RFC (RFC 2560) Dependence on SHA-1
> 
> Max,
> 
> I do not see where and what extension we need to add for 
> other digest algorithm.
> 
> For key id, we need to enhance or broaden the options. 
> 
> > -----Original Message-----
> > From: owner-ietf-pkix <at> mail.imc.org
> > [mailto:owner-ietf-pkix <at> mail.imc.org] On Behalf Of Massimiliano Pala
> > Sent: Tuesday, March 31, 2009 1:37 PM
> > To: IETF-pkix
> > Subject: Re: OCSP RFC (RFC 2560) Dependence on SHA-1

(Continue reading)

headers

David A. Cooper | 1 Apr 2009 16:53

Re: Renew/Rekey/Modification

Stephen Wilson wrote:
> The FPKI CA goes on to say that after re-key "The old certificate ... 
> must not be further re-keyed, renewed, or modified".  This seems 
> almost oxymoronic.  Consider that I have certificate A and then I 
> re-key A to create certificate B.  And then I re-key B to create 
> certificate C.  I would say that C is indistinguishable from a 
> re-keyed A since A, B and C will only differ by key value.  So how is 
> it meaningful to forbid re-keying A more than once?

Consider a scenario in which the private key corresponding to 
certificate A has been compromised (e.g., an attacker, without my 
knowledge, infects my computer with a virus, obtains a copy of the file 
containing the private key, and guesses the password used to encrypt the 
private key file).  When certificate A is about to expire, if I wish to 
continue to have a certificate from this CA, then one of two scenarios 
may happen:

1) I perform re-key, authenticating myself using certificate A, and 
obtain certificate B.  The attacker is now prevented from performing an 
on-line re-key to obtain a new certificate in my name, since the system 
will not permit any further re-key based on certificate A.  Thus, the 
attacker's ability to impersonate me ends either immediately (if 
certificate A is revoked) or when certificate A expires.

2) The attacker performs a re-key, authenticating himself using the 
stolen private key, and obtains certificate B.  Later, I attempt to 
perform a re-key and am unsuccessful, since the system will not permit 
any further re-key based on certificate A.  I call the help desk and 
complain, which will (hopefully) result in certificate B being revoked.

(Continue reading)

headers

Stefan Santesson | 1 Apr 2009 20:34

Re: OCSP RFC (RFC 2560) Dependence on SHA-1


Santosh,

If you are talking about adding other options to calculate the KeyHash value
in ResponderID then I strongly disagree.

If you add unspecified options you change the properties of the field from
deterministic to a completely unknown value. It does not matter if RFC2560
isn't explicit in its description of the use of the field. The fact is that
OCSP explicitly defines this value and as such will allow a client to
deterministically compare this value with the certificate selected to
validate the response signature. If you allow other ways to calculate the
value but do not provide any means to signal what method that was used, then
this feature is lost.

In worst case we will cause current implementation to fail.

I really don't think its worth the effort to change this field. We have a
very large base of implementations that we really don't want to mess up
unless its absolutely necessary.

As the only property of this field is to provide a convenient identifier, it
is far from absolutely necessary to change it. Remember that there is a
second choice to to identify responder by name. For names we have accepted
the possibility of collisions. In that comparison, upgrading from SHA-1 is
really redundant.

/Stefan

On 4/1/09 4:05 PM, "Santosh Chokhani" <SChokhani <at> cygnacom.com> wrote:

(Continue reading)

headers

Anders Rundgren | 1 Apr 2009 21:48

WG Advice on Reviving a multikey certificate I-D


Quite some time ago the following I-D was written and then left to
expire (probably due to lack of interest):
http://www.potaroo.net/ietf/all-ids/draft-lin-mpk-app-00.txt

It seems that there is a class of applications that could use this scheme
as an alternative to multiple certificates and that are devices that are
to be pre-configured with device certificates.  Such devices include
mobile phones and routers (work is currently performed by IEEE).

The router people are currently thinking in terms of hosting a single
authentication certificate which in SOHO configurations would be
used "as-is" as an easier alternative to shared secrets.  However,
for enterprise use, it is likely that corporate IT would like to unify
the equipment to an in-house PKI.  Although you could use the
authentication certificate for credential bootstrapping, a better
solution is making in-device key-generation with attested public
keys.  This calls for device attestation keys which in some way
must be distinguishable from authentication keys.

To avoid that devices get "split personalities" it would be nice to
put the attestation key in the same certificate as normally used for
authentications.  Since attestations is something very specific not
associated with standard applications, there is no impediment
having to dig out the public key from a certificate in a slightly
unusual way, it is just 20 lines extra to 2000 you already got 

TrustedComputingGroup have addressed this topic using a virtual
orgy of keys and certificates.  I prefer simpler solutions.

(Continue reading)

headers

Santosh Chokhani | 1 Apr 2009 22:31

RE: OCSP RFC (RFC 2560) Dependence on SHA-1


Stefan,

See responses in-line.

> -----Original Message-----
> From: Stefan Santesson [mailto:stefan <at> aaa-sec.com] 
> Sent: Wednesday, April 01, 2009 2:34 PM
> To: Santosh Chokhani; Massimiliano Pala; IETF-pkix
> Subject: Re: OCSP RFC (RFC 2560) Dependence on SHA-1
> 
> Santosh,
> 
> If you are talking about adding other options to calculate 
> the KeyHash value in ResponderID then I strongly disagree.
> 
> If you add unspecified options you change the properties of 
> the field from deterministic to a completely unknown value. 
> It does not matter if RFC2560 isn't explicit in its 
> description of the use of the field. The fact is that OCSP 
> explicitly defines this value and as such will allow a client 
> to deterministically compare this value with the certificate 
> selected to validate the response signature.

I hope no one is doing the matching of Responder ID with hash of a key
in place of responder signature verification.  That would be real bad.

> If you allow 
> other ways to calculate the value but do not provide any 
> means to signal what method that was used, then this feature is lost.

(Continue reading)

headers

Santosh Chokhani | 1 Apr 2009 23:00

RE: Renew/Rekey/Modification


Stephen,

See responses in-line. 

> -----Original Message-----
> From: owner-ietf-pkix <at> mail.imc.org 
> [mailto:owner-ietf-pkix <at> mail.imc.org] On Behalf Of Stephen Wilson
> Sent: Tuesday, March 31, 2009 10:42 PM
> To: ietf-pkix <at> imc.org
> Subject: Renew/Rekey/Modification
> 
> 
> 
> Colleagues,
> 
> There are a few things about certificate "renewal" and 
> "re-key" that have long confounded me.  Things only seem to 
> have got more convoluted in RFC 3647 and -- no offence! -- in 
> newer Certificate Policies like the 
> US FPKI Policy Authority document.   Can anyone help me 
> understand the 
> rationale for the some of the following scenarios?  Thanks in advance!
> 
> 
> 
> Re-key is said (in the FPKI CP) to be a good idea because the 
> older a key gets, the more susceptible it is to loss and 
> compromise.  Fair enough, but why wouldn't that consideration 
> be factored into the chosen certificate validity period?

(Continue reading)

headers

Internet-Drafts | 2 Apr 2009 00:00

I-D ACTION:draft-ietf-pkix-tac-03.txt

A New Internet-Draft is available from the on-line Internet-Drafts
directories.
This draft is a work item of the Public-Key Infrastructure (X.509) Working Group of the IETF.

Title : Traceable Anonymous Certificate
Author(s) : S. Park, H. Park, Y. Won, J. Lee, S. Kent
Filename : draft-ietf-pkix-tac-03.txt
Pages : 32
Date : 2009-3-31

Public Key Infrastructure (PKI) provides a powerful means of
authenticating individuals, organizations, and computers(e.g.,
web servers). However, when individuals use certificates to
access resources on the public Internet, there are legitimate
concerns about personal privacy, and thus there are increasing
demands for privacy enhancing techniques on the Internet.

In a PKI, an authorized entity such as a certification Authority
(CA) or a Registration Authority (RA) may be perceived, from a
privacy perspective, as a "big brother," even when a CA issues a
certificate containing a Subject name that is a pseudonym. This
is because such entities can always map a pseudonym in a
certificate they issued to the name of the real user to whom it
was issued. This document defines a practical architecture and
protocols for offering privacy for a user who requests and uses
an X.509 certificate containing a pseudonym, while still retaining
the ability to map such a certificate to the real user who
requested it. The architecture is compatible with IETF certificate
request formats such as PKCS10 [3]and CMC[4]. The architecture
separates the authorities involved in issuing a certificate: one

(Continue reading)

34	May 2013
86	April 2013
93	March 2013
81	February 2013
226	January 2013
63	December 2012
134	November 2012
181	October 2012
96	September 2012
180	August 2012
226	July 2012
92	June 2012
111	May 2012
309	April 2012
363	March 2012
114	February 2012
83	January 2012
96	December 2011
167	November 2011
111	October 2011
81	September 2011
136	August 2011
180	July 2011
78	June 2011
114	May 2011
185	April 2011
215	March 2011
88	February 2011
2	January 2011
27	December 2010
76	November 2010
94	October 2010
73	September 2010
204	August 2010
121	July 2010
126	June 2010
32	May 2010
54	April 2010
120	March 2010
81	February 2010
15	January 2010
152	December 2009
120	November 2009
112	October 2009
18	September 2009
86	August 2009
101	July 2009
41	June 2009
105	May 2009
80	April 2009
138	March 2009
33	February 2009
127	January 2009
107	December 2008
162	November 2008
215	October 2008
39	September 2008
55	August 2008
85	July 2008
88	June 2008
11	May 2008
52	April 2008
14	March 2008
83	February 2008
128	January 2008
149	December 2007
101	November 2007
72	October 2007
101	September 2007
49	August 2007
48	July 2007
41	June 2007
61	May 2007
68	April 2007
108	March 2007
59	February 2007
97	January 2007
118	December 2006
160	November 2006
104	October 2006
184	September 2006
20	August 2006
78	July 2006
47	June 2006
32	May 2006
104	April 2006
58	March 2006
148	February 2006
56	January 2006
35	December 2005
54	November 2005
63	October 2005
77	September 2005
109	August 2005
133	July 2005
189	June 2005
206	May 2005
67	April 2005
82	March 2005
126	February 2005
14	January 2005
142	December 2004
256	November 2004
150	October 2004
217	September 2004
165	August 2004
128	July 2004
19	June 2004
121	May 2004
293	April 2004
102	March 2004
161	February 2004
87	January 2004
172	December 2003
241	November 2003
177	October 2003
284	September 2003
73	August 2003
193	July 2003
122	June 2003
48	May 2003
110	April 2003
193	March 2003
122	February 2003
325	January 2003
208	December 2002
290	November 2002
192	October 2002
184	September 2002
102	August 2002
82	July 2002
146	June 2002
272	May 2002
442	April 2002
214	March 2002
202	February 2002
239	January 2002
50	December 2001
314	November 2001
57	October 2001
192	September 2001
107	August 2001
68	July 2001
311	June 2001
288	May 2001
326	April 2001
361	March 2001
155	February 2001
432	January 2001
175	December 2000
430	November 2000
294	October 2000
277	September 2000
211	August 2000
494	July 2000
296	June 2000
277	May 2000
194	April 2000
159	March 2000
214	February 2000
113	January 2000
179	December 1999
384	November 1999
159	October 1999
244	September 1999
490	August 1999
364	July 1999
254	June 1999
296	May 1999
297	April 1999
267	March 1999
203	February 1999
126	January 1999
135	December 1998
213	November 1998
181	October 1998
389	September 1998
344	August 1998
272	July 1998
187	June 1998
214	May 1998
316	April 1998
337	March 1998
108	February 1998
155	January 1998
189	December 1997
184	November 1997
134	October 1997
124	September 1997
196	August 1997
147	July 1997
116	June 1997
89	May 1997
77	April 1997
87	March 1997
78	February 1997
62	January 1997
65	December 1996
101	November 1996
151	October 1996
28	September 1996
3	June 1995
1	May 1995
2	April 1995
9	March 1995
3	February 1995
5	January 1995
2	November 1994
2	August 1994
4	July 1994
1	June 1994
9	April 1994
3	March 1994
1	February 1994
2	December 1993
3	November 1993

Mon	Tue	Wed	Thu	Fri	Sat	Sun

		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30