|
On 08/03/2018 09:40 PM, Paul Wouters
wrote:
The issues that seem to need consensus can be seen in thie message: Paul, Below are the comments that I raised in my message on May 9 that I believe have not been resolved. However, it does not seem accurate to suggest that the only issues that need consensus are the ones from my message on May 9. Andrew Ayer and Ryan Sleevi also raised issues with the most recent draft (see for example https://www.ietf.org/mail-archive/web/trans/current/msg03178.html) and I have not seen any messages on the list since then to suggest that the issues they raised have been address - only a comment from Steve Kent suggesting that he does not feel any changes are needed (https://www.ietf.org/mail-archive/web/trans/current/msg03225.html). In addition, Eric Rescorla submitted some, mainly editorial, comments on draft -12 (https://www.ietf.org/mail-archive/web/trans/current/msg03103.html), and there was never any response to his comments, many of which remain unaddressed. I would also like to note again, given the nature of https://www.ietf.org/mail-archive/web/trans/current/msg03225.html, that I submitted the comments on May 9 specifically because of a request from the WG chairs (https://www.ietf.org/mail-archive/web/trans/current/msg03146.html) to "please review the entire document." So, any implication that there was something inappropriate about submitting comments on new issues after draft -13 was published is rather unfortunate. On 05/09/2018 08:49 AM, Stephen Kent
wrote:
The response is not related to the comment. The comment did not suggest that issuing a certificate with syntactic errors shouldn't be considered mis-issuance, nor did it suggest that the threat analysis document shouldn't discuss syntactic mis-issuance. The problem is that the text suggests that the issuance of a certificate with syntactic errors might be part of an attack, but it does not explain how it could be part of an attack. This text is particularly confusing in the case in which the Subject is aware that there is an error in the certificate. The text states that "a malicious CA may do nothing or may delay the action(s) needed to remedy the problem." How can the CA "attack" the Subject in this way when the Subject can just get a new certificate from a different CA and not use the mis-issued certificate? The source of the problem may be that the document appears to be using rather bizarre definitions for "threat" and "attack." For example, there is new text in Section 2 that says: Nonetheless, it is useful to document perceived threats against a system to provide a context for understanding attacks (even though some attacks may be the result of errors, not threats).The parenthetical makes no sense. It seems to be based on some definition of "attack" that encompasses unintentional errors while also relying on an incorrect definition of "threat" (see below). For what reasonable definition of "attack" could one say that an attack may be the result of errors in the context of certificate mis-issuance?
I can find no such DoD definition for threat, cannot find the word "threat" in the Cornell CS 5430 syllabus, and cannot seem to access either the MIT course 6.805 syllabus or the NRC report. I do see, however, that Steve Kent is listed as one of the authors of the NRC report, which suggests that it is not a independent source for the definition. Certainly in some cases the only source of a threat may be a "motivated, capable adversary," and in such a context the term may be described in that way, but that does not mean the definition of threat is limited to motivated, capable adversaries. On the other hand, there are sources such as https://dictionary.cambridge.org/us/dictionary/english/threat and https://en.wikipedia.org/wiki/Threat_(computer). The Wikipedia article specifically notes that "a threat type can have multiple origins" and it lists deliberate, accidental, environmental, and negligence. Also, note that in the original comment I did not suggest that mis-issuance is a threat. When I said "Mis-issuance may be the result of carelessness, but it is still a threat" I intended to suggest possibility that someone could act carelessly is a threat.
This text is still odd, and seems inconsistent with the previous paragraph. The previous paragraph has new text that says "some attacks may be the result of errors," whereas this paragraph now says: As noted above, the goals of CT are to deter, detect, and facilitate remediation of attacks that result in certificate mis-issuance in the Web PKI. (CT also may facilitate detection and remediation of errors that result in certificate mis-issuance.)So, unlike in the previous paragraph, this text seems to acknowledge that an error is not an attack. It is still not clear the reason for two separate sentences. What is actually "noted above" is that CT is "designed to detect, deter, and facilitate remediation of certificate mis-issuance" (regardless of the reason the mis-issuance happened), so why imply that it is primarily about mis-issuance that was caused by an attack, especially when Section 4 is devoted to syntactic mis-issuance, which is far more likely to be the result of an error than an attack.
This text is still incorrect. It now says "The data from this [Authority Information Access] extension also may be used by a browser to request OCSP responses from a TLS server with which it is communicating [RFC6066][RFC6961]." To obtain OCSP responses from a TLS server the browser just sends a status_request [RFC6066] (or status_request_v2 [RFC6961]) extension in the ClientHello. The status_request extension sent in the ClientHello does not contain any information from the server certificate's AIA extension - the client doesn't obtain the server's certificate until after sending the ClientHello. Also, there is no information in the AIA extension that could be included in the status_request extension. The sentence should just be changed to something like: "A browser may also request OCSP responses from a TLS server with which it is communicating [RFC6066][RFC6961]."
The response here seems to be based on the highly unusual, but unspecified definition of "attack" used in this document. The response certainly has nothing to do with the comment, which doesn't suggest anything like what the response implies that it does.
See https://www.ietf.org/mail-archive/web/trans/current/msg03160.html and https://www.ietf.org/mail-archive/web/trans/current/msg03103.html. There was no suggestion that one browser makes the Internet. The problem is that the text says, for example: If a browser rejects certificates without SCTs (see Section 5.4), CAs may be "encouraged" to log the certificates they issue. This, in turn, would make it easier for Monitors to detect bogus certificates. However, the CT architecture does not describe how such behavior by browsers can be deployed incrementally throughout the Internet. As a result, this attack model does not assume that browsers will reject a certificate that is not accompanied by an SCT. It might be perfectly fine to say that the attack model does not assume that browsers will reject a certificate that is not accompanied by an SCT since the CT architecture does not require browsers to do so. But, that is not what the text says. The text says that the model doesn't make the assumption because the CT architecture does describe how browsers can do it. The comment was not suggesting that since Chrome requires SCTs for all newly issued certificates, the attack model needs to assume that browsers will reject certificates not accompanied by an SCT. The point is that since the developers of Chrome have described "how such behavior by browsers can be deployed incrementally throughout the Internet," the lack of such a description in "the CT architecture" isn't relevant. Browser developers may have good reasons not to reject certificates that are not accompanied by an SCT, but it is not because no one described to them how to deploy such behavior.
This problem is still not addressed. The DigiNotar case was moved to Section 3.3, where parts of the corresponding paragraph notes that not all compromises involve theft of the private key. However, the second paragraph of Section 3.3 still says: The section focuses on undetected compromise of CAs. Such compromises warrant some additional discussion, since some relying parties may see signed objects issued by the legitimate (non-malicious) CA, others may see signed objects from its compromised counterpart, and some may see objects from bothand Section 3.3.1 begins: In the case of a compromised (non-malicious) CA, an attacker uses the purloined private key to generate a bogus certificate (that the CA would not knowingly issue).So while there is now some text that notes that not all compromises involve theft of the private key, there is still other text that says otherwise.
This reference was corrected, but draft -14 still has problems with incorrect references. I have not checked all of the references, but there is a parenthetical in Section 3.3.1 that says "(see 3.1.2.2)" even though there is no Section 3.1.2.2. Similarly, Section 4.2.1.3 begins "As noted above (4.1.1.4)," but there is no Section 4.1.1.4.
Both this comment and https://www.ietf.org/mail-archive/web/trans/current/msg03160.html noted that the final paragraph of Section 3.5 is related to the attack in Section 3.4 and not to the contents of Section 3.5. The text has nothing to do with the rest of Section 3.5 nor does it "note that the cited revocation status distribution problems might be addressed by mechanisms not specified by 6962-bis."
This is a non-answer. Did the attacker do something that caused the certificate to be mis-issued? If so, how? The CA can't be the attacker since it is non-malicious in Section 4.1. Is this sentence considering the possibility that the Subject could an an "attacker," sending a certificate request that somehow tricks the CA into issuing an erroneous certificate? Is there any other than the CA or Subject that could influence the contents of the certificate? Could it be that the "attacker" had no influence over the issuance of the certificate, but was just hoping that a certificate would be mis-issued? If so, what role does it play in the "attack" (other than passive observer)?
As I noted previously (see, for example, https://www.ietf.org/mail-archive/web/trans/current/msg03162.html) this response is not related to the comment. There is a difference between a browser checking for things that can be expected not to change (e.g., is the keyUsage extension DER encoded - https://www.ietf.org/mail-archive/web/trans/current/msg03172.html) and checking for things may may change (e.g., does a subject field that doesn't contain an organizationName attribute contain a streetAddress attribute - https://www.ietf.org/mail-archive/web/trans/current/msg03162.html). While the underlying syntax rules for X.509 certificates can be presumed to be unchanging, certificate profiles can change over time, and this document makes clear that syntax checks includes checking for conformance with the appropriate profile. If a browser performed "thorough syntax checks" as this document defined that term, then it would be effectively checking for conformance to a particular version of a certificate profile. There can't be an assumption that every browser on every client will be updated as soon as any certificate profile changes, so browsers performing such checks would create problems. As a related example, consider the recent discussions in the TLS WG about ossification, the need to make last-minute changes to the TLS 1.3 protocol in order to deal with version-intolerant servers and middleboxes, and the addition of text to RFC 8446 about protocol invariants. There seems to be some confusion about the nature of syntactic mis-issuance. Section 1 of the threats document says: A certificate is characterized as syntactically mis-issued (aka erroneous) if it violates syntax constraints associated with the class of certificate that it purports to represent. Syntax constraints for certificates are established by certificate profiles, and typically are application-specific. For example, certificates used in the Web PKI environment might be characterized as domain validation (DV) or extended validation (EV) certificates. Certificates used with applications such as IPsec or S/MIME have different syntactic constraints from those in the Web PKI context.Yet, in the response to the above comment and in https://www.ietf.org/mail-archive/web/trans/current/msg03174.html, Steve seems to suggest that checking for syntactic mis-issuance is really about checking whether certificates are valid with respect to RFC 5280. Of course one could check for both types of errors. However, there is a very big difference between just checking for compliance with X.509 (RFC 5280) and checking for compliance with the current profile rules for DV certificates.
This is not a response. Neither this comment nor any other comment suggested that syntactic mis-issuance should not be included in the document.
The sentence was supposed to end just "to effect revocation," but it just ends to "to effect."
See response to prior comment. A method has been defined that is compatible with incremental deployment. It may not have been defined in an RFC, but it has been defined. So, the text shouldn't be implying that no one has defined a mechanism that accommodates incremental deployment of a capability to reject certificates that have not been logged.
Again, the comment does not suggest that syntactically erroneous certificates are not mis-issued nor does it suggest that syntactic mis-issuance should not be discussed in this document. So, the response does not address the comment.
|
_______________________________________________ Trans mailing list [email protected] https://www.ietf.org/mailman/listinfo/trans
