[sidr] Subject naming in the RPKI
"David A. Cooper" <david.cooper@nist.gov> Wed, 14 July 2010 21:03 UTC
Return-Path: <david.cooper@nist.gov>
X-Original-To: sidr@core3.amsl.com
Delivered-To: sidr@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CE4563A6994 for <sidr@core3.amsl.com>; Wed, 14 Jul 2010 14:03:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.183
X-Spam-Level:
X-Spam-Status: No, score=-5.183 tagged_above=-999 required=5 tests=[AWL=-1.184, BAYES_50=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6zeJspql-Hnl for <sidr@core3.amsl.com>; Wed, 14 Jul 2010 14:03:45 -0700 (PDT)
Received: from smtp.nist.gov (rimp2.nist.gov [129.6.16.227]) by core3.amsl.com (Postfix) with ESMTP id 6F45C3A6979 for <sidr@ietf.org>; Wed, 14 Jul 2010 14:03:45 -0700 (PDT)
Received: from st26.ncsl.nist.gov (st26.ncsl.nist.gov [129.6.54.72]) by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id o6EL33EO007835 for <sidr@ietf.org>; Wed, 14 Jul 2010 17:03:03 -0400
Message-ID: <4C3E2607.3090508@nist.gov>
Date: Wed, 14 Jul 2010 17:03:03 -0400
From: "David A. Cooper" <david.cooper@nist.gov>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.10) Gecko/20100625 Mandriva/3.0.5-0.1mdv2010.0 (2010.0) Thunderbird/3.0.5
MIME-Version: 1.0
To: "sidr@ietf.org" <sidr@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-NIST-MailScanner: Found to be clean
X-NIST-MailScanner-From: david.cooper@nist.gov
Subject: [sidr] Subject naming in the RPKI
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jul 2010 21:03:50 -0000
All, The current RPKI documents (draft-ietf-sidr-res-certs, draft-ietf-sidr-cp, draft-ietf-sidr-cps-irs, draft-ietf-sidr-cps-isp, draft-ietf-sidr-arch) require that subject names in certificates be unique relative to all certificates issued by a given CA, but does not require that subject names be issued in a manner that would make it likely that subject names are globally unique (i.e., unique across the entire RPKI). While it is true that there is less of a need for names to be unique across the RPKI than there is other other PKIs (since the RPKI does not use such things as name constraints, indirect CRLs, or attribute certificates), the existence of name collisions within the RPKI would not be without risk. In particular, there is no requirement in X.509 that the CRL used to determine the revocation status of a certificate be signed using the same key as the certificate. Using the X.509 (and RFC 5280) path validation rules, a CRL may be validated using an entirely different certification path than the certificate whose status is being checked. If a path validation implementation does this, and there are two different CAs within the PKI that operate under the same name, then the library may use the CRL issued by one of the CAs to determine the status of certificates issued by the other CA. This could lead to a revoked certificate being accepted as valid or a valid certificate being rejected as revoked. It is my understanding that some current path validation implementations that are being developed for use with the RPKI make use of the OpenSSL path validation libraries. At the moment, OpenSSL will not by default will not use a separate certification path to validate a CRL than was used to validate the certificate whose status is being checked, but the latest version of OpenSSL (1.0.0) does have that capability. One of the changes that is mentioned for OpenSSL 1.0.0 is: *) Add support for distinct certificate and CRL paths. The CRL issuer certificate is validated separately in this case. Only enabled if an extended CRL support flag is set: this flag will enable additional CRL functionality in future. If a future version of OpenSSL enables this feature by default, and that version of OpenSSL is used to validate certificates in the RPKI, and there are name collisions in the RPKI, then relying parties will be at risk of incorrectly accepting or rejecting certificates. I understand that there is a desire to keep subject names within the RPKI simple and that the RPKI cannot impose a centralized or hierarchical naming structure to ensure that there are no name collisions. However, with a very small change to the RPKI specifications, one could maintain a simple naming scheme while making the risk of name collisions negligible. The current RPKI specification states that a subject name consists of a commonName attribute and optionally a serialNumber attribute. However, there was some discussion recently about whether the specification could be changed to require that the subject name contain only a commonName attribute. So, I will present examples of ways in which unambiguous names could be constructed that only include a commonName attribute. The idea is to include enough randomness in the name so that name collisions are unlikely. According to the Birthday Paradox, if there are about one million (2^20) CAs in the RPKI, then collisions will be unlikely if there is significantly more than 40 bits of entropy in the name. Some ways to achieve this would be: 1) Hash of the subject public key (encoded as ASCII HEX). example: cn="999d99d564de366a29cd8468c45ede1848e2cc14" 2) A Universally Unique IDentifier (UUID) - RFC 4122 example: cn="6437d442-6fb5-49ba-bbdb-19c260652098" 3) A randomly generated ASCII HEX encoded string: example: cn="0f8fcc28e3be4869bc5f8fa114db05e1" (A string of 20 ASCII HEX digits would have 80-bits of entropy) 4) An internal database key or subscriber ID combined with one of the above example: cn="<DBkey1> (6437d442-6fb5-49ba-bbdb-19c2606520980)" (The issuing CA may wish to be able to extract the database key or subscriber ID from the commonName. Since only the issuing CA would need to be able to parse the commonName, the database key and the source of entropy (e.g., a UUID) could be separated in any way that the CA wanted, as long as it conformed to the rules for PrintableString. The separator could be a space character, parenthesis, hyphen, slash, question mark, etc. Of course, the source of entropy could also be placed in a separate attribute, if the profile permitted that.) If the internal database key or subscriber ID contained enough entropy by itself, then it may not be necessary to include anything else in the commonName attribute. Of course, even if the RPKI documents required CAs to create subject names as described above, there is a risk that some CAs in the RPKI would not follow these rules and would accidentally (or deliberately) create name collisions. This problem could be mitigated, however, given the way that certificates and CRLs are issued in the RPKI. Unlike X.509 in general, the RPKI requires that the CRL that provides the revocation status of a certificate be signed using the same key as the corresponding certificate. The RPKI could take advantage of that by adding a step to the path validation algorithm (Step 5 in Section 7.2 of draft-ietf-sidr-res-certs) requiring the relying party to verify the signature on the CRL used to determine whether the certificate was revoked using the same public key as was used to verify the signature on the certificate itself. At the moment, the RPKI path validation algorithm does not impose such a requirement. It may also be a good idea to add a paragraph to the Security Considerations section noting that there may be a risk in using a path validation implementation that is capable of using separate certification paths for a certificate and the corresponding CRL if there are name collisions in the RPKI as a result of CAs not following the profiles requirements for constructing subject names. This would result in a belts-and-suspenders approach. Specifying naming rules that will make name collisions unlikely will increase the likelihood that relying parties can safely use any X.509 path validation implementation that has added support for the RFC 3779 extensions. Imposing a path validation requirement to only use CRLs that were signed using the same key as the certificate will encourage relying parties to use path validation software that will be at less risk of getting incorrect certificate validation results even if there are name collisions in the RPKI as as result of some CAs not complying with the naming rules. Dave
- [sidr] Subject naming in the RPKI David A. Cooper
- Re: [sidr] Subject naming in the RPKI Roque Gagliano
- Re: [sidr] Subject naming in the RPKI David A. Cooper
- Re: [sidr] Subject naming in the RPKI Rob Austein
- Re: [sidr] Subject naming in the RPKI Stephen Kent
- Re: [sidr] Subject naming in the RPKI David A. Cooper
- Re: [sidr] Subject naming in the RPKI Stephen Kent
- Re: [sidr] Subject naming in the RPKI Tim Bruijnzeels
- Re: [sidr] Subject naming in the RPKI Roque Gagliano
- [sidr] Subject naming issues in draft-ietf-sidr-r… David A. Cooper
- Re: [sidr] Subject naming in the RPKI Stephen Kent
- Re: [sidr] Subject naming issues in draft-ietf-si… Stephen Kent