IETF Logo Mail Archive

Re: [pkix] [dane] 5280 and self-signed ee certs (was: Re:

Martin Rex <mrex@sap.com> Mon, 18 April 2011 22:49 UTC

Return-Path: <mrex@sap.com>
X-Original-To: pkix@ietfc.amsl.com
Delivered-To: pkix@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id 1CCB2E085A; Mon, 18 Apr 2011 15:49:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.701
X-Spam-Level:
X-Spam-Status: No, score=-9.701 tagged_above=-999 required=5 tests=[AWL=-0.052, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_24=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f49-sxJ6PfxY; Mon, 18 Apr 2011 15:49:36 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfc.amsl.com (Postfix) with ESMTP id 34016E084C; Mon, 18 Apr 2011 15:49:36 -0700 (PDT)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id p3IMnSBI019261 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 19 Apr 2011 00:49:32 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201104182249.p3IMnS6u029126@fs4113.wdf.sap.corp>
To: hallam@gmail.com
Date: Tue, 19 Apr 2011 00:49:28 +0200
In-Reply-To: <BANLkTi=QCvgDJTfb7BgaQF1W5e7akb9peg@mail.gmail.com> from "Phillip Hallam-Baker" at Apr 18, 11 06:00:13 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: stefan@aaa-sec.com, dane@ietf.org, pkix@ietf.org
Subject: Re: [pkix] [dane] 5280 and self-signed ee certs (was: Re:
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Apr 2011 22:49:37 -0000

Phillip Hallam-Baker wrote:
> 
> But the standard is set by the consensus and the running code which
> recognize self-signed certs..
> 
> 
> I see the following courses of action as being open:
> 
> D1) DANE says nothing at all about this issue in the DANE spec (I see no
> reason it need be mentioned at all).
> 
> D2) DANE says that the EE cert can be a self signed EE cert in accordance
> with customary Internet usage
> 
> P1) PKIX writes draft on how to specify self signed EE certs so that this is
> properly understood. I.E. relying applications MUST NOT rely on any claims
> other than the POP of the key and any restrictions on validity/usage.
> 
> P2) PKIX ignores the issue.
> 
> Note that D1/2 and P1/2 are orthogonal.
> 
> 
> These certs exist and I can't see there being a consensus likely to emerge
> to require a chain with a CA cert at the head.


I have very little experience with / exposure to the discussions
in the PKIX WG, so I don't know how much I like (P1).

>From the data collected by EFF, there appear to be

  ~ 830000 self-signed X.509v3 Web Server Certs installed on the internet
           with the BasicConstraint cA=TRUE
  ~ 494000 self-signed X.509v1 Web Server Certs installed on the internet

  ~  56000 self-signed X.509v3 Web Server certs installed on the internet
           without the BasicConstraint cA=TRUE

There may be a much higher number of use case for self-signed certs
on home networks (HomeNAS, DSL-Router, Set-Top Boxes), but they're
probably irrelevant for DANE because most are on private IP-Addresses and
don't use officially registered DNS domains on their internal networks.


>
> Nor can I see a requirement
> to introduce a downref to X.509v1 to try to circumvent this.

I do not see the particular gripe that you have with X.509v1.

X.509v1 is a proper subset of X.509v3 -- nothing weird or awkard.


The beauty of X.509v1 certs is that they're *MUCH* easier to create
and hard to get wrong in an interop-impairing fashion.

And, the biggest advantage: enforcing a rule "do not accept as signers
of other certs" is trivial and fool-proof to implement, so that you
don't create immediate and serious problems when you add such
certs to the list of trusted keys for your PKI software along
with Trust Anchors from commercial CAs.

When you mix up self-signed CA certs from some web-servers into the
list of trusted keys next to rootCAs from commercial CAs, then
you may put yourself at risk today.

But what are you real options today, with programmatic clients?
Either disable the peer certificate check entirely, or add some
peers self-signed certs to the same file as the self-signed certs
of the commercial rootCAs.


-Martin

v2.23.0 | Report a Bug | By Email