Peter Bowen and I have been collaborating on a possible solution for
certificate privacy. Thoughts?
++++++++++
Precertificate Transformation Extension
Many of the concerns around certificate privacy (the ability to privatize some
certificate fields) are due to fears that multiple final certs could be
generated for the same precertificate. This solution uses a random key in the
final certificate which can be matched against the hashed redacted information
in the precertificate to demonstrate that the precertificate was unique. The
precert contains a hash of the original information; without the key in the
full certificate, the hash is not transformable, and if the key works to
transform the hash (as a one way function), the precertificate can be proven
to have been the correct one issued for the full cert. This solves the
difficult problem of ensuring that a given precert is the one that was indeed
issued for the full certificate.
In order to give domain registrants options for what domain name labels are
disclosed in precertificates, we propose a new certificate extension:
Precertifcate Transformation. This extension is found in both the final
certificate and in the precertificate. The extension specifies a
transformation algorithm, genneral parameters for the algorithm, and a count of
disclosed component per subject alternative name.
There are two transformation algorithms initially defined. The basic algorithm
is as described in RFC 6962 and RFC 6962-bis. It has no parameters and the
sanPartialCount component is not used. This algorithm is the default.
The second is the partialhm256 algorithm. This extends the basic algorithm by
including transformation of the subjectAlternativeName extension. The Parms is
a 128-bit value that is used as K for an HMAC (cf. RFC 2104) that uses H =
SHA256. For each entry in the subjectAlternativeName extension, an entry in
the sanPartialCount sequence must exist. Matching is done by order. Let
the disclosed components count for the entry in question be N. If N is -1,
then the SAN entry is unmodified. If it is greater than or equal to zero, then
the following transformations occur:
(1) If the GeneralName type is not dNSName or iPAddress, the result is
undefined and an error must be thrown
(2) If the GeneralName type is dNSName, then the entry is replaced with an
otherName entry of type id-ct-partialGN-dNSName with a value created by copying
the N labels closest to the root to the new name and prepending them with a
value created by taking the remaining labels and calculating the HMAC-SHA256
value and hex encoding it and prepending '#'. Note that a '*.' prefix on a
name is not considered a label; it must be copied to the output as is.
For example, if the input is "*.beta.group.secret.demo.test" with key
0x4fa1cb4ce23db6e45caf727b0b1d85ed and the number of disclosed labels is 2,
then the resulting name is
"*.#4d240f70beb97f4c402984e94ac6e1c8351c89ff13e8a94dabfbc474ded4d3d4.demo.test"
(3) If the GeneralName type is iPAddress, then the entry is replaced with an
otherName entry of type id-ct-partialGN-iPAddress. The value is an IA5String in
the format <partial> + "|" + <hashed>. For the hashed part, the address first
is converted to a text string. The format is dotted decimal, with no leading
zeroes, for IPv4 addresses and is as described in Section 4 of RFC 5952 for
IPv6 addresses (section 5 is not used in this case). The HMAC-SHA256 value is
calculated of this string as in (2) and <hashed> is the hex encoding of the
result. <partial> is formed by setting the bits other than the N most
significant bits to zero and then converting to a string as described above.
For example, if the input is "198.51.100.47" with key
0x4fa1cb4ce23db6e45caf727b0b1d85ed and the number of disclosed labels is 27,
then the resulting name is
"198.51.100.32|8e38c51f339de29c05e543a099ba76468367043d5bc167c801ae0330a648925d".
In the precertificate the transformation parameter is set to a zero length bit
string.
If the subject contains a commonName type attribute and the value of the
commonName attribute matches a dNSName in the SAN and the precertificate
contains a partialGN otherName in place of that entry, then the commonName
attribute is replaced with an id-ct-partialGN-replacedCN type attribute with the
value being the otherName value.
This algorithm provides the recipient of a full certificate the ability to
deterministically create the precertificate. It also ensures that the
precertificate can only reasonably match one full certificate.
id-ct-precertificateTransformation ID ::= {1 3 187 97 1}
id-ct-partialGN ID ::= {1 3 187 97 10}
id-ct-partialGN-dNSName ID ::= {id-ct-partialGN 2} -- type IA5String
id-ct-partialGN-iPAddress ID ::= {id-ct-partialGN 7} -- type IA5String
id-ct-partialGN-replacedCN ID ::= {id-ct-partialGN 127} -- type IA5String
id-ct-taAlgorithm ID ::= {1 3 187 97 20}
id-ct-taAlgorithm-basic ID ::= {id-ct-taAlgorithm 1}
id-ct-taAlgorithm-partialhm256 ID ::= {id-ct-taAlgorithm 2}
precertificateTransformation EXTENSION ::= {
  SYNTAX PrecertificateTransformation
  IDENTIFIED BY id-ct-precertificateTransformation
}
PrecertificateTransformation ::= SEQUENCE {
  transformationAlgorithm TransformationAlgorithm DEFAULT id-ct-taAlgorithm-basic,
  transformationParms TransformationParms OPTIONAL,
  sanPartialCount SEQUENCE SIZE (1..MAX) OF NamePartialCount OPTIONAL
}
TransformationAlgorithm ::= OBJECT IDENTIFIER
-- For partialhm256 this carries the 128-bit HMAC key K in the final
-- certificate and is a zero-length bit string in the precertificate.
TransformationParms ::= BIT STRING
-- -1 means the matching SAN entry is disclosed unmodified.
NamePartialCount ::= INTEGER (-1..127)
--
Tarah M. Wheeler
Principal Security Advocate and Sr Director of Engineering - Website Security -
Delivering Confidence for Customers and Consumers by Securing Websites and
Applications
Symantec Corporation
www.symantec.com
________________________________
(206) 276-4920
[email protected]
________________________________
________________________________
This message (including any attachments) is intended only for the use of the
individual or entity to which it is addressed and may contain information that
is non-public, proprietary, privileged, confidential, and exempt from
disclosure under applicable law or may constitute as attorney work product. If
you are not the intended recipient, you are hereby notified that any use,
dissemination, distribution, or copying of this communication is strictly
prohibited. If you have received this communication in error, notify us
immediately by telephone and (i) destroy this message if a facsimile or (ii)
delete this message immediately if this is an electronic communication.
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
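The partialhm256 transformation described in the message above, written out as an added Python example; this is not Peter Bowen's or Tarah Wheeler's code and not part of the proposal. It implements the dNSName rule (2), the iPAddress rule (3), the commonName replacement, and the verifier-side check that a final certificate's key reproduces the precertificate's redacted names. Two details the text leaves open are assumptions here and marked as such: the HMAC input for a dNSName is the hidden labels joined with '.', and N must leave at least one label hidden (use -1 to disclose a name). SAN entries are modelled as (GeneralName type, value) tuples rather than DER, and the sample inputs are constructed from the message's worked examples.

```python
"""Reference transformation for partialhm256 as described above.
Added example, not the proposal authors' code; assumptions are marked."""
import hashlib
import hmac
import ipaddress

# Sample key taken from the message's worked examples, used as constructed input.
KEY = bytes.fromhex("4fa1cb4ce23db6e45caf727b0b1d85ed")


def _hmac_hex(key: bytes, text: str) -> str:
    """HMAC-SHA256 (RFC 2104, H = SHA-256) over an ASCII string, hex encoded."""
    return hmac.new(key, text.encode("ascii"), hashlib.sha256).hexdigest()


def transform_dns_name(name: str, key: bytes, n: int) -> str:
    """dNSName rule: keep the N labels closest to the root, replace the remaining
    labels with '#' + hex(HMAC-SHA256(hidden labels)). A leading '*.' is not a
    label and is copied through unchanged. N == -1 leaves the name as is.
    Assumption: the HMAC input is the hidden labels joined with '.', no trailing dot.
    Assumption: N must leave at least one label hidden; otherwise use N == -1."""
    if n < 0:
        return name
    wildcard = ""
    if name.startswith("*."):
        wildcard, name = "*.", name[2:]
    labels = name.split(".")
    if not 0 <= n < len(labels):
        raise ValueError(f"cannot disclose {n} of {len(labels)} labels in {name!r}")
    hidden, disclosed = labels[: len(labels) - n], labels[len(labels) - n :]
    return wildcard + ".".join(["#" + _hmac_hex(key, ".".join(hidden))] + disclosed)


def transform_ip(addr: str, key: bytes, n: int) -> str:
    """iPAddress rule: '<partial>|<hashed>'. hashed is HMAC-SHA256 over the text
    form (dotted decimal for IPv4, RFC 5952 section 4 for IPv6, which is what
    Python's ipaddress str() emits); partial keeps only the N most significant bits."""
    if n < 0:
        return addr
    ip = ipaddress.ip_address(addr)
    if n > ip.max_prefixlen:
        raise ValueError(f"{n} bits exceeds address width {ip.max_prefixlen}")
    hashed = _hmac_hex(key, str(ip))
    keep = ((1 << ip.max_prefixlen) - 1) ^ ((1 << (ip.max_prefixlen - n)) - 1)
    partial = type(ip)(int(ip) & keep)  # same address family as the input
    return f"{partial}|{hashed}"


def build_precert_names(san, counts, key):
    """Recompute the precertificate SAN from the final certificate's SAN.
    san is a list of (GeneralName type, value) tuples (a modelling choice of this
    example, not an encoding from the proposal); counts is sanPartialCount,
    matched to SAN entries by position as the text specifies."""
    if len(san) != len(counts):
        raise ValueError("one NamePartialCount per SAN entry is required")
    out = []
    for (kind, value), n in zip(san, counts):
        if n < 0:
            out.append((kind, value))
        elif kind == "dNSName":
            out.append(("id-ct-partialGN-dNSName", transform_dns_name(value, key, n)))
        elif kind == "iPAddress":
            out.append(("id-ct-partialGN-iPAddress", transform_ip(value, key, n)))
        else:
            raise ValueError(f"redaction of GeneralName type {kind} is undefined")
    return out


def replace_common_name(cn, san, precert_san):
    """CN rule: if the CN equals a dNSName that was redacted in the precert, the
    commonName attribute becomes id-ct-partialGN-replacedCN with the otherName value."""
    for (kind, value), (pkind, pvalue) in zip(san, precert_san):
        if kind == "dNSName" and value == cn and pkind == "id-ct-partialGN-dNSName":
            return ("id-ct-partialGN-replacedCN", pvalue)
    return ("commonName", cn)


def precert_matches(final_san, counts, key, precert_san):
    """Verifier side: the key carried in the final certificate must reproduce
    exactly the redacted names in the precertificate; a wrong key or a different
    SAN fails, which is what ties one precertificate to one final certificate."""
    return build_precert_names(final_san, counts, key) == precert_san


if __name__ == "__main__":
    # Constructed inputs based on the message's worked examples.
    san = [("dNSName", "*.beta.group.secret.demo.test"),
           ("iPAddress", "198.51.100.47"),
           ("dNSName", "demo.test")]
    counts = [2, 27, -1]
    pre = build_precert_names(san, counts, KEY)
    for entry in pre:
        print(entry)
    print("matches:", precert_matches(san, counts, KEY, pre))
    print("wrong key matches:", precert_matches(san, counts, bytes(16), pre))
```

Running it prints the reconstructed precertificate SAN, including "198.51.100.32|..." for the /27 example; the hex digests depend on the exact HMAC input convention assumed above, so they are only guaranteed to match the message's values if that convention is the one the authors used.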