Re: [sidr] Subject naming in the RPKI

Tue, 20 Jul 2010 15:09:21 -0700

No. Key identifiers are not used in path validation. The AKI extension in a CRL provides a hint as to which key was used to sign the CRL, but when determining the status of a certificate, there is no requirement in X.509 to use a CRL that was signed using the same key as the certificate.
If the issuer of the CRL has multiple keys, the AKI may help the client more quickly determine which certificate has the key needed to verify the signature on the CRL. But if two different entities within the RPKI are issuing certificates and CRLs under the same name, the AKI extension will do nothing to prevent a relying party from using a CRL issued by one of these entities to determine the status of a certificate issued by the other entity. 


As I noted, the path validation algorithm in Section 7.2 of 
draft-ietf-sidr-res-certs could impose a requirement to only use a CRL 
that was signed using the same key as the certificate whose revocation 
status is being checked.  I believe that if a client performed such a 
check it would avoid the problem.  However, I believe that it would be 
risky for the RPKI to solely rely on the imposition of such as check.  
This would be effectively creating a situation in which using 
X.509-compliant path validation software to validate X.509 certificates 
in the RPKI would be a security risk.



One needs to assume that path validation software that is being 
developed for the RPKI will not be used only to perform path validation 
within the RPKI.  A statement in one of the SIDR RFCs indicating that 
there are different rules for performing path validation within the RPKI 
than in a generic X.509 PKI may not be noticed by developers who are 
working on revising general-purpose path validation software that just 
happens to include support for the RFC 3779.  Even a warning in the 
Security Considerations section of one of the SIDR RFCs that the RPKI 
does not comply with X.509 and that there may be security risks 
associated with using path validation software that is not RPKI-specific 
would likely not be noticed.



OpenSSL, for example, is a general purpose path validation library that 
has added support for the RFC 3779 extensions.  OpenSSL already has the 
capability to validate a CRL using a different certification path than 
the one used to validate the corresponding certificate, as is permitted 
by X.509.  Several years from now, the developers of that code may 
decide to enable this feature by default.  They would be unlikely to be 
reading through the SIDR RFCs at the time they made this decision.  RPKI 
clients that use the OpenSSL implementation would eventually begin to 
use this updated version and then things would begin to stop working 
correctly.



Given that this problem could easily be avoided, I can't see any reason 
to create unnecessary problems.


Dave


On 07/20/2010 04:43 PM, Roque Gagliano wrote:

Hi David,

Isn't this problem prevented by the requirement of including the AKI extension 
in all CRLs as expressed in section 5.7.1 of  draft-ietf-sidr-res-certs-18?


Regards,
Roque.


----------------------------------------------------------------------------------------------------------------------------------------------
Roque Gagliano                                                                  
                Cisco Systems International Sàrl        
Software Engineer                                                               
                Mailstop ROL01/2/
Corporate Development  Technology Group                                 Avenue 
des Uttins 5
                                                                                
                                1180 Rolle
[email protected]                                                              
                Switzerland
Phone: +41 21 823 2805                                                          
        

For corporate legal information go to: 
http://www.cisco.com/web/about/doing_business/legal/cri/index.html

On Jul 14, 2010, at 11:03 PM, David A. Cooper wrote:


   

All,

The current RPKI documents (draft-ietf-sidr-res-certs, draft-ietf-sidr-cp, 
draft-ietf-sidr-cps-irs, draft-ietf-sidr-cps-isp, draft-ietf-sidr-arch) require 
that subject names in certificates be unique relative to all certificates 
issued by a given CA, but does not require that subject names be issued in a 
manner that would make it likely that subject names are globally unique (i.e., 
unique across the entire RPKI).

While it is true that there is less of a need for names to be unique across the 
RPKI than there is other other PKIs (since the RPKI does not use such things as 
name constraints, indirect CRLs, or attribute certificates), the existence of 
name collisions within the RPKI would not be without risk.  In particular, 
there is no requirement in X.509 that the CRL used to determine the revocation 
status of a certificate be signed using the same key as the certificate.  Using 
the X.509 (and RFC 5280) path validation rules, a CRL may be validated using an 
entirely different certification path than the certificate whose status is 
being checked.  If a path validation implementation does this, and there are 
two different CAs within the PKI that operate under the same name, then the 
library may use the CRL issued by one of the CAs to determine the status of 
certificates issued by the other CA.  This could lead to a revoked certificate 
being accepted as valid or a valid certificate being rejected as revoked.

It is my understanding that some current path validation implementations that 
are being developed for use with the RPKI make use of the OpenSSL path 
validation libraries.  At the moment, OpenSSL will not by default will not use 
a separate certification path to validate a CRL than was used to validate the 
certificate whose status is being checked, but the latest version of OpenSSL 
(1.0.0) does have that capability.  One of the changes that is mentioned for 
OpenSSL 1.0.0 is:

*) Add support for distinct certificate and CRL paths. The CRL issuer
    certificate is validated separately in this case. Only enabled if
    an extended CRL support flag is set: this flag will enable additional
    CRL functionality in future.

If a future version of OpenSSL enables this feature by default, and that 
version of OpenSSL is used to validate certificates in the RPKI, and there are 
name collisions in the RPKI, then relying parties will be at risk of 
incorrectly accepting or rejecting certificates.

I understand that there is a desire to keep subject names within the RPKI 
simple and that the RPKI cannot impose a centralized or hierarchical naming 
structure to ensure that there are no name collisions.  However, with a very 
small change to the RPKI specifications, one could maintain a simple naming 
scheme while making the risk of name collisions negligible.

The current RPKI specification states that a subject name consists of a 
commonName attribute and optionally a serialNumber attribute.  However, there 
was some discussion recently about whether the specification could be changed 
to require that the subject name contain only a commonName attribute.  So, I 
will present examples of ways in which unambiguous names could be constructed 
that only include a commonName attribute.  The idea is to include enough 
randomness in the name so that name collisions are unlikely.  According to the 
Birthday Paradox, if there are about one million (2^20) CAs in the RPKI, then 
collisions will be unlikely if there is significantly more than 40 bits of 
entropy in the name.  Some ways to achieve this would be:

1) Hash of the subject public key (encoded as ASCII HEX).
   example: cn="999d99d564de366a29cd8468c45ede1848e2cc14"

2) A Universally Unique IDentifier (UUID) - RFC 4122
   example: cn="6437d442-6fb5-49ba-bbdb-19c260652098"

3) A randomly generated ASCII HEX encoded string:
  example: cn="0f8fcc28e3be4869bc5f8fa114db05e1"
  (A string of 20 ASCII HEX digits would have 80-bits of entropy)

4) An internal database key or subscriber ID combined with one of the above
   example:  cn="<DBkey1>  (6437d442-6fb5-49ba-bbdb-19c2606520980)"
  (The issuing CA may wish to be able to extract the database key or subscriber
  ID from the commonName.  Since only the issuing CA would need to be able to
  parse the commonName, the database key and the source of entropy
  (e.g., a UUID) could be separated in any way that the CA wanted, as long as
  it conformed to the rules for PrintableString.  The separator could be a space
  character, parenthesis, hyphen, slash, question mark, etc.  Of course, the
  source of entropy could also be placed in a separate attribute, if the profile
  permitted that.)

If the internal database key or subscriber ID contained enough entropy by
itself, then it may not be necessary to include anything else in the commonName
attribute.


Of course, even if the RPKI documents required CAs to create subject names as 
described above, there is a risk that some CAs in the RPKI would not follow 
these rules and would accidentally (or deliberately) create name collisions.  
This problem could be mitigated, however, given the way that certificates and 
CRLs are issued in the RPKI.  Unlike X.509 in general, the RPKI requires that 
the CRL that provides the revocation status of a certificate be signed using 
the same key as the corresponding certificate.  The RPKI could take advantage 
of that by adding a step to the path validation algorithm (Step 5 in Section 
7.2 of draft-ietf-sidr-res-certs) requiring the relying party to verify the 
signature on the CRL used to determine whether the certificate was revoked 
using the same public key as was used to verify the signature on the 
certificate itself.  At the moment, the RPKI path validation algorithm does not 
impose such a requirement.

It may also be a good idea to add a paragraph to the Security Considerations 
section noting that there may be a risk in using a path validation 
implementation that is capable of using separate certification paths for a 
certificate and the corresponding CRL if there are name collisions in the RPKI 
as a result of CAs not following the profiles requirements for constructing 
subject names.

This would result in a belts-and-suspenders approach.  Specifying naming rules 
that will make name collisions unlikely will increase the likelihood that 
relying parties can safely use any X.509 path validation implementation that 
has added support for the RFC 3779 extensions.  Imposing a path validation 
requirement to only use CRLs that were signed using the same key as the 
certificate will encourage relying parties to use path validation software that 
will be at less risk of getting incorrect certificate validation results even 
if there are name collisions in the RPKI as as result of some CAs not complying 
with the naming rules.

Dave
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr

     

   



_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr






















					Reply via email to