Re: [TLS] Next steps for Client Certificate URL

To: Pasi.Eronen at nokia.com
Subject: Re: [TLS] Next steps for Client Certificate URL
From: Nelson B Bolyard <nelson at bolyard.com>
Date: Fri, 28 Mar 2008 13:28:02 -0700
Cc: tls at ietf.org
Delivered-to: ietfarch-tls-web-archive at core3.amsl.com
Delivered-to: tls at core3.amsl.com
In-reply-to: <1696498986EFEC4D9153717DA325CB7238EA05 at vaebe104.NOE.Nokia.com>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Organization: Network Security Services
References: <1696498986EFEC4D9153717DA325CB7238EA05 at vaebe104.NOE.Nokia.com>
Sender: tls-bounces at ietf.org
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9b5pre) Gecko/2008031700 NOT Firefox/2.0 SeaMonkey/2.0a1pre

Pasi.Eronen at nokia.com wrote, On 2008-03-28 07:13:

> Given this, would everyone be OK with updating the existing
> client_certificate_url extension so that including the hash is
> mandatory (client MUST send, server MUST NOT accept without hash)?
> This behavior would be independent of the negotiated TLS version.

I'm trying to understand the attack against which this hash is going
to protect, that is not already adequately protected without it.
Can someone outline that attack here?

Presumably, the attack involves substituting a different certificate
than the one intended by the client.  To succeed the substitute cert
must bear a public key that will verify the client's signature in the
Certificate Verify message, and must bear a signature verifiable with
the public key from some CA trusted by the server for issuing client
auth certs.  That would seem to necessitate CA key compromise, or
client key compromise, or CA collusion with the attacker.  The hash
would not protect against client key compromise.

Is this hash intended to detect CA key compromise and/or collusion?

_______________________________________________
TLS mailing list
TLS at ietf.org
https://www.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] Next steps for Client Certificate URL
  - From: Pasi.Eronen
- Re: [TLS] Next steps for Client Certificate URL
  - From: Eric Rescorla
- Re: [TLS] Next steps for Client Certificate URL
  - From: Nikos Mavrogiannopoulos

References:
- [TLS] Next steps for Client Certificate URL
  - From: Pasi.Eronen

Prev by Date: Re: [TLS] Security today
Next by Date: Re: [TLS] Security today
Previous by thread: Re: [TLS] Next steps for Client Certificate URL
Next by thread: Re: [TLS] Next steps for Client Certificate URL
Index(es):
- Date
- Thread

Re: [TLS] Next steps for Client Certificate URL

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.