[Trans] Comments on draft-ietf-trans-threat-analysis-12.txt
Eric Rescorla <ekr@rtfm.com> Sun, 12 November 2017 04:25 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D1701275F4 for <trans@ietfa.amsl.com>; Sat, 11 Nov 2017 20:25:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pHVTan3F-M5a for <trans@ietfa.amsl.com>; Sat, 11 Nov 2017 20:25:28 -0800 (PST)
Received: from mail-yw0-x22e.google.com (mail-yw0-x22e.google.com [IPv6:2607:f8b0:4002:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8816126C0F for <trans@ietf.org>; Sat, 11 Nov 2017 20:25:28 -0800 (PST)
Received: by mail-yw0-x22e.google.com with SMTP id r186so2591141ywe.13 for <trans@ietf.org>; Sat, 11 Nov 2017 20:25:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=UXtpgNpvn7wSGd87Z/29KKeCWHZ4AT0bndVkXZ5acVc=; b=JecFPn5qqk7HCi4IlNryrrhLUC9fW/DUCKneGtCz6ymvXGcMmVsjlSLmXBBU267TNv UeawmGUr/xHKBR9z73KWd1BmTM7FDDDEkHTYnqXjD9f2XMeW3VViyvvS233TxOTfmPkU gGp7KWr6o61qrHjt8o8J+EwNPBWMX5h1fsTCt4BMowZ3T63ZcNtHLYm/+VyM+kBm+eqd zCHxBDVKB88ZVOZqsoaCp0yuO4GY+5IZtFqODRUGupRUpNLpPFPoj+nj7iTAMC7598o6 YQrGdLv1uak/rP1IhVAaeTtXX7WeR3dBRmIj5SWaOLVtm1PzLEemdiOujPmyAnwv6aXT Bllg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=UXtpgNpvn7wSGd87Z/29KKeCWHZ4AT0bndVkXZ5acVc=; b=MBQQio5y0LtdSlGYCW6oXRzapAICtu8JMUSvumPllzswgiwnyr44YhN4PfVmrKCWlM ViFIcIg8+O9ZLmV8UluE1nsVvKrMJhfPygR0QeMyRH+hLGc1ypJmoKOT/MyFeYhQdhon 4tammp3FreIjfli/3SNJMueXYocrjWq4G7Jzx7XYctQDV4EzFT0zavQFC+sE24Q26Pgg wxhmUPlmtTBbuhvs9XhU4E24BMy+q0hAG3lEQ/gyDFiqmgF0i7COmsEcdWMoWbjQ+dO1 I1Fw71iaKjFA8vVDnDU2oVrX6vgv33EdQM9AwzKYr2AAz5Axgw59VtTMv73G9gtTye7M TG8A==
X-Gm-Message-State: AJaThX6/zt1JprFhYyk225JMV82xRMxvRolVTByWzUoy3Zj2WIcC6xS8 AG25moqjq7GyjDD4XpbYvEZPM1O0Jp5FN64GqRpvur/8FC8=
X-Google-Smtp-Source: AGs4zMbxDL7PHeOMWx6CtbAA6qSm3ybElzTZsnUzltPpO+wCXXfF9v8qyysTKG+fN2aq/4scJ2/gFqUu/4seF/m+wwo=
X-Received: by 10.13.192.196 with SMTP id b187mr3584607ywd.416.1510460727616; Sat, 11 Nov 2017 20:25:27 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.61.12 with HTTP; Sat, 11 Nov 2017 20:24:47 -0800 (PST)
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 12 Nov 2017 04:24:47 +0000
Message-ID: <CABcZeBOMpwoxvi8KBqAQGdigw1hYRUJB7Y0dFArDv39KSZS9zg@mail.gmail.com>
To: trans@ietf.org
Content-Type: multipart/alternative; boundary="001a114edd481dfaf5055dc18bec"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/9DF0bjk_6AFPS2GbmWhvN0ZaS1s>
Subject: [Trans] Comments on draft-ietf-trans-threat-analysis-12.txt
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Nov 2017 04:25:30 -0000
This document appears to be in pretty good shape. I noted a few minor areas for improvement, mostly editorial. S 1. A relying party (e.g., browser) benefits from CT if it rejects a bogus certificate, i.e., treats it as invalid. An RP is protected from accepting a bogus certificate if that certificate is revoked, and if the RP checks the revocation status of the certificate. (An I would add "directly" after benefits, because, as you note later in this section, it also benefits of CT leads to revocation of a bogus cert. Figure 1: In this diagram, all the left <s are missing. I expect you have a failure to escape. S 2. To make use of forged web site certificates, an adversary must be able to direct a TLS client to a spoofed web site, so that it can present the forged certificate during a TLS handshake. An adversary may achieve this in various ways, e.g., by manipulation of the DNS response sent to a TLS client or via a man-in-the-middle attack. The I'm not sure I would characterize this as a MITM attack, but rather as an active attack on the TLS connection itself. Maybe "by manipulation of the DNS response... or, in the case of an on-path attacker, directly intercepting the TLS connection" "malicious" CA. A nation state also might compromise a CA in another country, to effect issuance of bogus certificates. In this case the Why limit this to "in another country"? This form of attack is also available in the same country. S 3.2.1.1.1. The fact that CT doesn't ensure revocation is a really good point. I think it would be worthwhile to make this point earlier, perhaps in Section 1 where you discuss the basic theory of CT. I'd also expand on this in two ways: - A CA can use OCSP stapling to indefinitely extend the lifetime of a revoked certificate (you observe this in S 3.5) - If a CA is able to pass off deliberate missisuance as accidental misissuance, it can in effect issue a completely bogus cert and keep it live permanently without consequence. S 3.2.2.1. Although there is nothing in IETF, Chrome has announced plans to require CT for certificates with issuance dates after a certain flag day, thus resulting in a gradual phase in, so it's probably worth noting that at least in some cases people are working on this. S 3.3. discussions in Section 3.2 are applicable. Section 3.3 explored the undetected compromise of a CA in the context of attacks designed to issue a bogus certificate that might avoid revocation (because the certificate would appear on distinct certificate paths). As this phrase appears in S 3.3, I think you have a mistake here of some kind. S 4.1.1.1. You seem to have some sort of rendering error where you repeatedly have "(pre )certificate" rather than "(pre-)certificate") S 4.2.1.1. Please expand CCID on first user here. -Ekr
- [Trans] Comments on draft-ietf-trans-threat-analy… Eric Rescorla