Re: [Trans] [trans] #79 (rfc6962-bis): Precertificate signaturemustbe over something other than just the TBSCertificate

Fri, 12 Jun 2015 08:46:52 -0700 

On 12/06/15 16:27, Erwann Abalea wrote:
<snip>

If the eContentType is set to id-data, the CMS producer can omit the
SignedAttributes, the signature is performed over the eContent (which
contains the TBSCertificate), and the resulting signed precertificate
can be manipulated to become a valid certificate:
   - take the TBSCertificate and the signature from the CMS/precertificate,
   - build a SEQUENCE containing the TBSCertificate, a properly
formatted SignatureAlgorithm, and the signature (reencode it from OCTET
STRING to BIT STRING)
   - you have a valid certificate


Indeed.


To avoid this, just make sure that the TBD in the current rfc6962-bis is
NOT id-data. Or require the presence of the SignedAttributes.


Ben, do you want to allocate an OID from the Google arc for this?

<snip>

               After discussion with Rob, core point is that the CMS
            signature is
            not an X509 signature.

               Fixed at https://github.com/google/certificate-transparency-
               rfcs/commit/546e6e9451186e96ddd7b54ca02f17c8d86f951e.

This commit has nothing to do with the ticket ;)


It was a series of several commits.  That was the final one.


Click the link just to the right of "1 parent".  Then do the same again, 
and you should arrive at...

https://github.com/google/certificate-transparency-rfcs/commit/c62061213c5085cf4d0f266dc8aa2c803bcf4c8f

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
  3rd Floor, 26 Office Village, Exchange Quay,
  Trafford Road, Salford, Manchester M5 3EQ


This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this email in error please notify the 
sender by replying to the e-mail containing this attachment. Replies to 
this email may be monitored by COMODO for operational or business 
reasons. Whilst every endeavour is taken to ensure that e-mails are free 
from viruses, no liability can be accepted and the recipient is 
requested to use their own virus checking software.


_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans























					Reply via email to