Re: Cross-cert as anchor (was Re: AD Review ofdraft-ietf-pkix-rfc5280-clarifications-03.txt)

        The trust anchor information defined in RFC 5280 6.1.1-d-1 
includes the DN of the first certificate in the chain, but not the DN of 
the issuer.  The process of using a CA certificate as a trust anchor drops 
those fields which distinguish a self-signed certificate from an ordinary 
cross-certificate, so there seems little reason to accept one type as an 
anchor but not the other.  There is also no requirement that only 
self-signed certificates be used as a certificate within CertPathControls 
in RFC 5914 section 2.5.  Further comments marked as [TG].

Tom Gindin

From:   "David A. Cooper" <david.cooper <at> nist.gov>
To:     Tom Gindin/Watson/IBM <at> IBMUS
Cc:     PKIX <pkix <at> ietf.org>
Date:   09/28/2011 10:42 AM
Subject:        Re: Cross-cert as anchor (was Re: [pkix] AD Review 
ofdraft-ietf-pkix-rfc5280-clarifications-03.txt)

On 09/27/2011 09:13 PM, Tom Gindin wrote:
>          The issuer of the cross-certificate is clearly NOT the trust
> anchor in the first scenario.  If it were, the RP would trust paths
> originating at that issuer through any of its many cross-certificates
> instead of only those using the trusted cross-certificate.

The X.509 path validation algorithm simply takes a trust anchor, a 
prospective certification path, and other information, and provides a 
valid/not valid response (or at least that's a slightly simplified 
version of how it works).  There is nothing that says that if you choose 
to use a particular trust anchor when validating one particular 
prospective certification path that you must accept any certification 

PKIX review on draft-ietf-pkix-cmp-transport-protocols-14.txt

Dear PKIX working group members,

the content of the "CMPtrans" draft is now quite complete.  The
interested readers will see that it now became quite short,
straightforward and largely reflects the implemented reality.

It would be great if you could review this document and provide feedback
of any kind.

Now the draft describes a way how to transport all CMP messages over
HTTP.  This includes the optional transporting of "CMP Announcements"
which are specified in RFC 4210 but couldn't serve any use at all
before.

Other kinds of transport as e.g. the "TCP-Based Management Protocol" or
high-level mentioning of FTP or email transport were completely removed.
The "TCP-Based" transport is generally considered to be inferior
compared with HTTP and does not provide any advantage.  Description of
transport over other existing protocols is left as future challenge for
those who find the use case. 

<http://tools.ietf.org/html/draft-ietf-pkix-cmp-transport-protocols-14>

Kind regards,
Martin

-----Original Message-----
From: pkix-bounces <at> ietf.org [mailto:pkix-bounces <at> ietf.org] On Behalf Of
ext internet-drafts <at> ietf.org
Sent: Thursday, September 29, 2011 2:40 PM

OCSP handling versus the DigiNotar incident, best practices?

All,

There appears to be no differentiation in OCSP libraries and OCSP-consuming applications as to "valid"
versus "unknown" responses, and no differentiation between "responded unknown" and "non-responded unknown".

I have a bit of a problem with this, as it permits the magnification of errors (error in CA key control
magnified by error in OCSP handling compounds to critical incident).

Would it make sense to change the interpretation of an "unknown" response from a CA's OCSP responder from
"the OCSP responder doesn't know what the CA hasn't told it" to "the CA doesn't know about this certificate
at all, so it's best to treat it as revoked"?

Or is this something that will be so contentious here that it must be separately profiled?

-Kyle H

_______________________________________________
pkix mailing list
pkix <at> ietf.org
https://www.ietf.org/mailman/listinfo/pkix

Re: OCSP handling versus the DigiNotar incident, best practices?

Hi Kyle

Changing the OCSP responder functionality in this way has been discussed a
few times before.  I believe you are asking for a white-list check rather
than a black-list.  I.e. "good" response only if the certificate was issued
by the CA and is not revoked.  From past experience, I don't think this will
be accepted as a change to the standard because of the already installations
out there (since many OCSP responders work off CRLs, without access the DB
of issued certs).  Easiest route to achieving what you want is the use of
specific profiles IMO.  I also agree with you that this is an important
point.   

Regards
Liaquat

-----Original Message-----
From: pkix-bounces <at> ietf.org [mailto:pkix-bounces <at> ietf.org] On Behalf Of Kyle
Hamilton
Sent: 01 October 2011 15:00
To: pkix <at> ietf.org
Subject: [pkix] OCSP handling versus the DigiNotar incident, best practices?

All,

There appears to be no differentiation in OCSP libraries and OCSP-consuming
applications as to "valid" versus "unknown" responses, and no
differentiation between "responded unknown" and "non-responded unknown".

I have a bit of a problem with this, as it permits the magnification of
errors (error in CA key control magnified by error in OCSP handling

Re: OCSP handling versus the DigiNotar incident, best practices?

_______________________________________________
pkix mailing list
pkix <at> ietf.org
https://www.ietf.org/mailman/listinfo/pkix

Re: OCSP handling versus the DigiNotar incident, best practices?

On Mon, Oct 3, 2011 at 3:15 PM, Simon Tardell <simon <at> tardell.se> wrote:
>> Would it make sense to change the interpretation of an "unknown" response
>
> No, it wouldn't. You can't change the semantics of the protocol. Look at it
> this way: What can a client do with a "good", "revoked" and "unknown"
> response respectively? With a "good" response it can proceed, with "revoked"
> it stops, and with "unknown" it can ask another responder if one is
> available (or download CRLs). If "unknown" means "I KNOW this certificate
> was never issued" the behavior of the client must be different -- it should
> act identically in the "revoked" and "unknown" case, and there would be no
> way to tell a client that someone else might have better information about
> the status of a certificate.

No, there is a huge difference between "I do not know the status of
this cert" and "I know that there is no such cert".

This was lossage when first proposed and it is going to be fixed. The
discussion in PKIX was driven by a commercial position that is no
longer operative (it is an ex-dot-com, if you hadn't merged him to his
perch he would be pushing up the daisies, etc.)

The point of OCSP was to communicate information. I need to
communicate information that differentiates the two very distinct
conditions. The other CAs seemed to be similarly convinced of that
need when we met last week. So what this group is being asked is HOW
to communicate said information not 'whether'.

--

-- 
Website: http://hallambaker.com/
_______________________________________________
pkix mailing list
pkix <at> ietf.org
https://www.ietf.org/mailman/listinfo/pkix

Re: OCSP handling versus the DigiNotar incident, best practices?

On Mon, Oct 3, 2011 at 12:15 PM, Simon Tardell <simon <at> tardell.se> wrote:
>> Would it make sense to change the interpretation of an "unknown" response
>
> No, it wouldn't. You can't change the semantics of the protocol. Look at it
> this way: What can a client do with a "good", "revoked" and "unknown"
> response respectively?

How about 'no response', which is also a valid case?

I suggest that it should be treated as a negative 'unknown', which should be treated separately from a
positive 'unknown' response from the originating PKI, which should be treated differently from a
positive "unknown" response signed by the verifier's PKI.  Thus, there is a larger number of states than is
contemplated within OCSP.

try { (good from verifier), (good from issuer), (unknown from verifier), (unknown from issuer), (revoked
from verifier), (revoked from issuer) } catch (ExceptionNullResponse) { :trysomethingelse }

As it stands, current implementations treat the two unknowns as equal to no response.  This creates the
problem that DigiNotar had to be removed for: DN couldn't issue 'good' responses for certificates it
didn't know it had issued, so it hopefully responded with 'unknown'.  The handling of the issuer's
'unknown' as somehow conveying less authoritative information than the verifier's own 'unknown',
permitting the connection, is what magnified the original CA key misuse into something that required a
global-scale code update.

I can think of no use-case where it would be desirable to ignore any useful information from authoritative
sources, but evidently the OCSP designers did.

I propose an alternative semantic for the (unknown from issuer) case, to balance the states.  Currently
there are 3 + null, and I believe that they should be split into 6 + null.

> With a "good" response it can proceed, with "revoked"
> it stops, and with "unknown" it can ask another responder if one is
> available (or download CRLs). If "unknown" means "I KNOW this certificate
> was never issued" the behavior of the client must be different -- it should
> act identically in the "revoked" and "unknown" case, and there would be no
> way to tell a client that someone else might have better information about
> the status of a certificate.

How about, "The OCSP responder which was signed by the originating CA claims it's unknown" versus "The OCSP
responder which I'm configured with that isn't signed by the originating CA claims it's unknown"?

There are more variables than the current semantic addresses.

> If you want to assert something about the issuance of a certificate you
> could do so through an extension in SingleResponse. In my mind, it would do
> little to address the DigiNotar case, though. If the OCSP responder is
> dependent of the CA, then a compromise of the CA would compromise the
> responder, at least for some time.

OCSP requires that responder certificates not be permitted any other purposes.  So, under this alternate
semantic, the compromise of the CA would require the issuance of an OCSP certificate which is either
recorded (and hopefully revoked upon discovery) or unrecorded (unknown).  The only thing that can
recover from that is revocation of the CA involved.

Furthermore, having an OCSP responder operate from a CRL makes it a blacklist-based problem, which is poor
design -- personally, I'm okay with the idea of requiring that public CAs create OCSP responders that
interface with their back-end systems.  Private CAs can do whatever they like.

Having the capacity to respond to known bad certs found in the wild by adding them to the CRL would at least
permit the OCSP responder to respond with positive "revoked".

"at least for some time" is a false target.  This is what the court system is for -- if there are disputes, the
judge or jury figures out who is responsible for what.  The largest attitude adjustment that needs to
happen before real progress can be made is that we can ever achieve complete security, or be completely
certain that we're not being tricked.  All we can do is reduce the probability to a point we can consider
acceptable for our individual purposes.

The "backward compatibility" argument fails too.  Right now, because of the mandate that things stay the
broken same, that argument means we effectively can't act to change the standards to protect against the
post-standardization identification of a new threat vector at the standards level.  Are we too proud to
admit that we were wrong, that we didn't see all threat vectors because we trusted the cryptography?

We know more about the private-sector non-business threat model today than we did 12 years ago.  We need to
make the best system that we can from what we have learned thus far.  We have 12 years of knowledge of how
people want to interact, how the Internet creates vibrant communities that exist without the assistance
we could give them.  These communities suffer the problems that we saw 30+ years ago on the first MUDs, and we
have seen just how bad those problems can get (cyberbullying causing suicide because there was no
effective way to intervene or hold the perpetrators responsible for their abuses).  In other words, we
have seen that our inaction has actually cost lives.

(And no, the problem isn't "they didn't adopt the tools we gave them", it's "we didn't give them tools that
they could use".)

The lack of security that exists today is so much worse than what we can create that I feel we're derelicting
our duty.

> If the OCSP responder asserts the
> issuance of a certificate entirely independent of the CA it is in effect a
> CA of its own. If so, why don't just issue two certs from two independent
> CAs and require both of them to be valid (generalize to n of m to get your
> required level of security and redundancy)? 

Several reasons, actually.

First, OCSP was designed to permit corporations to effectively insist to their internal cells that a
particular certificate was good or wasn't, overriding the originator.  (That's the reason for the
"unknown" response in the first place.)

Second, TLS only permits the atomic assertion of one certificate chain.

Third, it's not our place to dictate how people run their own existences.  It's our place (as developers) to
give them usable, useful tools they can use to do so -- because they've certainly paid enough for them.

-Kyle H

_______________________________________________
pkix mailing list
pkix <at> ietf.org
https://www.ietf.org/mailman/listinfo/pkix

Re: OCSP handling versus the DigiNotar incident, best practices?

_______________________________________________
pkix mailing list
pkix <at> ietf.org
https://www.ietf.org/mailman/listinfo/pkix

Re: OCSP handling versus the DigiNotar incident, best practices?

_______________________________________________
pkix mailing list
pkix <at> ietf.org
https://www.ietf.org/mailman/listinfo/pkix

Re: OCSP handling versus the DigiNotar incident, best practices?

_______________________________________________
pkix mailing list
pkix <at> ietf.org
https://www.ietf.org/mailman/listinfo/pkix