Re: [TLS] TLS document status update

Mike wrote:
> But how could the substitution attack even succeed?  You would need
> to create a valid CA signature on the replacement certificate, which
> should not be possible.

This has been explained a couple of times earlier, but let me recap
one scenario:

Assume that the client has several certificates (all of which are
properly issued by valid CAs) that contain the same public key, but
different subject names.

For example, one of the subject names could identify the user as an
employee of Example Inc; another name could be his personal identity;
a third one might be an administrator/superuser role; etc.

(In this example, nobody's keys have been compromised, all CAs are
behaving exactly as they should, proof-of-possession is being done,
etc.)

If the hash is not included, the client could send a URL to the first
certificate, but the attacker could replace it with the third
certificate.  Given that TLS is a building block that's used in a large
variety of applications (and will be used in the future for things we
don't know about yet), it's not totally implausible that more than one
of these certificates could be acceptable to a server, and it would
behave differently for them.

(You could of course argue that the user should have used different
private/public key pairs when requesting these different certificates,
but that's not always done. You could also argue that since all the
certificates belong to the same user, there's no attack, but I don't
agree with that one.)

Best regards,
Pasi
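As an added illustration (not part of the thread or of any TLS implementation), here is a small Python model of the scenario above, using the URLAndOptionalHash layout from RFC 4366 (url, hash_present flag, optional 20-byte SHA-1). The certificate contents and URLs are constructed stand-ins, not real X.509 data; the point is only how the server-side hash check catches a swapped certificate that carries the same key.

```python
import hashlib
import struct
from typing import Callable, Optional, Tuple

# Constructed stand-ins for the three certificates in the scenario: same
# public key, different subject names.  Real certificates would be DER-encoded
# X.509; a labelled byte string is enough to show the hash check.
SAME_KEY = b"pubkey:0xC0FFEE"
CERTS = {
    "https://certs.example/employee.der": b"subject=employee@example-inc;" + SAME_KEY,
    "https://certs.example/personal.der": b"subject=personal;" + SAME_KEY,
    "https://certs.example/admin.der": b"subject=admin-role;" + SAME_KEY,
}


def encode_url_and_hash(url: str, cert: Optional[bytes]) -> bytes:
    """One URLAndOptionalHash entry (RFC 4366 style): url<1..2^16-1>,
    hash_present (0 or 1), then SHA-1 of the certificate when present."""
    u = url.encode()
    body = struct.pack("!H", len(u)) + u
    if cert is None:
        return body + b"\x00"
    return body + b"\x01" + hashlib.sha1(cert).digest()


def decode_url_and_hash(entry: bytes) -> Tuple[str, Optional[bytes]]:
    (n,) = struct.unpack("!H", entry[:2])
    url = entry[2:2 + n].decode()
    if entry[2 + n] == 0:
        return url, None
    return url, entry[3 + n:23 + n]


def server_fetch_cert(entry: bytes, fetch: Callable[[str], bytes]) -> bytes:
    """Server side: fetch the certificate named in the client's entry and, if
    the client sent a hash, refuse anything whose SHA-1 does not match it."""
    url, expected = decode_url_and_hash(entry)
    cert = fetch(url)
    if expected is not None and hashlib.sha1(cert).digest() != expected:
        raise ValueError("certificate at URL does not match client-supplied hash")
    return cert


def substituting_fetch(url: str) -> bytes:
    # Models the substitution in the scenario: whichever URL the server asks
    # for, the admin-role certificate (same key, different subject) comes back.
    return CERTS["https://certs.example/admin.der"]


def run_scenario(with_hash: bool) -> str:
    """Return the subject the server ends up with, or 'rejected'."""
    url = "https://certs.example/employee.der"
    entry = encode_url_and_hash(url, CERTS[url] if with_hash else None)
    try:
        cert = server_fetch_cert(entry, substituting_fetch)
    except ValueError:
        return "rejected"
    return cert.split(b";")[0].decode()
```

Without the hash the server accepts the admin-role certificate in place of the employee one; with the hash the swap is rejected before any signature check is reached.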