David,
As others have pointed out, the description below is fundamentally
flawed, and as a result the conclusion is flawed as well. See comments
in-line below.
Others are wrong :-).
...
In fact, an attack of the sort Gilmor envisioned can be mounted by
any two CAs that are not name-constrained; the attack need not be
initiated by trust anchors per se. (Also note that X.509 and RFC 5280
do not preclude creation of doppelganger CAs; the requirement for
Subject name uniqueness applies individually to each CA but not
across CA boundaries, and there is no requirement for public key
uniqueness across CAs.)
This is incorrect! X.509 requires name uniqueness, including across CA
boundaries. [Since this issue isn't relevant to the "conspiring CAs
attack," information about this inaccuracy is at the end of the email.
David still believes that the X.500 directory tree is the basis for all
names in certs. Of course this is not even remotely true, and 5280 is
quite clear about this. But I am happy to avoid this argument by
omitting the reference to X.509, since we're discussing Internet
standards and thus RFC 5280 is the relevant reference.
The attack requires that both of the doppelganger CAs issue a
certificate for a targeted Subject (e.g., web site). These two (EE)
certificates are identical; they contain the same name, public key,
serial number, etc. Only one of the malicious CAs logs a bogus
certificate and acquires an SCT for it. Because the bogus
certificates are identical, the SCT will match both.
As noted by others, if the two (EE) certificates are identical, then
there is only one EE certificate. So, in the scenario described above,
there aren't two intermediate CAs and two (identical) EE certificates.
There are two trust anchors, each issuing a certificate to a single
subordinate CA, which in turn has issued a single EE certificate
identifying the target Subject:
Wrong, again. In the scenario there are two distinct, intermediate CAs,
with distinct parents.
The CA certs for the malicious CAs are different, e.g., at a minimum
they have different Issuer names.
The question of whether there are one or two bogus certs strikes me as
an existential distinction.
I'm not going to spend my time rebutting the rest of your analysis, as
it is based on a faulty interpretation of what I wrote, and is
illustrated with diagrams that don't match the scenario that DKG and I
are describing.
Steve