Re: [Trans] WGLC started for draft-ietf-trans-threat-analysis

"David A. Cooper" <david.cooper@nist.gov> Tue, 15 May 2018 14:51 UTC

Return-Path: <david.cooper@nist.gov>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E990712D80F for <trans@ietfa.amsl.com>; Tue, 15 May 2018 07:51:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.476
X-Spam-Level:
X-Spam-Status: No, score=-3.476 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GAgV5aJK8YRF for <trans@ietfa.amsl.com>; Tue, 15 May 2018 07:51:06 -0700 (PDT)
Received: from wsget1.nist.gov (wsget1.nist.gov [IPv6:2610:20:6005:13::150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A57B124D37 for <trans@ietf.org>; Tue, 15 May 2018 07:51:06 -0700 (PDT)
Received: from WSGHUB2.xchange.nist.gov (129.6.42.35) by wsget1.nist.gov (129.6.13.150) with Microsoft SMTP Server (TLS) id 14.3.389.1; Tue, 15 May 2018 10:53:05 -0400
Received: from postmark.nist.gov (129.6.16.94) by mail-g.nist.gov (129.6.42.33) with Microsoft SMTP Server id 14.3.389.1; Tue, 15 May 2018 10:51:03 -0400
Received: from [129.6.105.183] (cooper-optiplex-9010.campus.nist.gov [129.6.105.183]) by postmark.nist.gov (8.13.8/8.13.1) with ESMTP id w4FEoIkC030635; Tue, 15 May 2018 10:50:19 -0400
To: Ryan Sleevi <ryan-ietf@sleevi.com>
CC: Trans <trans@ietf.org>
References: <alpine.LRH.2.21.1804161658150.17034@bofh.nohats.ca> <20180507122941.300b69582fa3acdb52b625af@andrewayer.name> <alhGtNm005X-hBR82niHi9RpJoLosgZF8ah8HC4qLzFX0PPStVGSTbgJtP-zrg1u8vgfb_IiQ70ANuRua2kjRf4zwutQHVRo3pE2PCgZfHo=@zerho.info> <CAErg=HH7XM=a3fyYeSLnGA+C1iYrZT6VRPdpMfJw-JVqUirjEA@mail.gmail.com>
From: "David A. Cooper" <david.cooper@nist.gov>
Message-ID: <fdcddd94-fd7a-9275-7aec-916537326c0b@nist.gov>
Date: Tue, 15 May 2018 10:50:20 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <CAErg=HH7XM=a3fyYeSLnGA+C1iYrZT6VRPdpMfJw-JVqUirjEA@mail.gmail.com>
Content-Type: text/html; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-NIST-MailScanner-Information:
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/epPn1ZysR7RvkqziFjjO7IKuiiE>
Subject: Re: [Trans] WGLC started for draft-ietf-trans-threat-analysis
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 May 2018 14:51:12 -0000

I can't speak for Steve, but I can provide an example of a syntax error I encountered as a result of "quirks of CA certificate-issuing software."

Many years ago when I was tasked to check whether certificates being issued by a CA were being issued in conformance with the appropriate profile, I discovered that the keyUsage extensions in the certificates were not DER encoded. The contents of the extension were correct according to BER, but not DER, and everything else about the certificate was correct.

This must have been the fault of the developer of the CA software and not the company operating the CA. This would not be a security or trust failure by the CA and most clients wouldn't even notice the problem. There would, however, be the risk that some client software somewhere would not accept the certificate simply because of the encoding problem, so it was useful for the encoding problem to be identified and fixed.

It's not clear, however, that this is the type of error draft-ietf-trans-threat-analysis has in mind. Section 1 of the document says:

   A certificate is characterized as syntactically mis-issued (aka
   erroneous) if it violates syntax constraints associated with the
   class of certificate that it purports to represent.  Syntax
   constraints for certificates are established by certificate profiles,
   and typically are application-specific.

Similarly, https://tools.ietf.org/html/draft-kent-trans-domain-validation-cert-checks" rel="nofollow">https://tools.ietf.org/html/draft-kent-trans-domain-validation-cert-checks makes no mention of encoding errors, such as the one I encountered.

But, my guess would be that syntactic mis-issuance was intended to include encoding errors in addition to violations of application-specific certificate profiles.

NOTE: I have no position of which entity, if any, should be checking for these types of errors, or on how the discovery of such errors should be handled if they are found.

On 05/14/2018 10:06 PM, Ryan Sleevi wrote:
 
Page 20 says that "syntactic checking [of pre-certificates] by a log helps avoid issuance of an erroneous certificate." This is contrary to RFC6962 and RFC6962-bis, which both state that issuing a pre-certificate is a binding commitment by the CA to issue a certificate. It would be dangerous for a CA to follow the advice on page 20, as browsers rightly consider misissuance of a pre-certificate to be equivalent to misissuance of a real certificate.

I'll change the text on page 20 to state that a log could help a CA detect and avoid issuing a syntactically erroneous cert. Also, what 6962 says is not relevant here- that was an experimental doc, not standards track. Submission of a pre-cert to a log probably does indicate an internet to issue a cert, but certificate issuance need not result in delivery to a Subject. If a CA were advised by a log that a certificate was malformed (e.g.., due to “quirks of CA certificate-issuing software” then the CA could ditch the certificate, or revoke it, and try again.

I don't think that would be a positive change, and have to agree with Andrew here, that it would seem moreso detrimental to the ecosystem that CT aims to improve.

I'm not sure the rationale for ditching the certificate is at all reasonable - the fact that such a certificate was even considered as 'log worthy' by a CA is a demonstration of a failure by that CA to uphold public trust. In that model, it's vitally essential for the Log to make that known - not to help the CA cover it up. In this regard, that the CA has used its key to sign something - anything - that fails the checks is a demonstration of risk to any PKI that trust this CAs.

I think painting it as quirks does a disservice - it's an operational failure of the CA, and thus, by proxy, a security and trust failure by the CA. That is, if anything, one of the most noteworthy events - rather than the inverse.
 
CAs must perform syntactic checks on the TBSCertificate prior to signing anything.

In principle yes, but in practice, … “quirks of CA certificate-issuing software”

I'm not sure what you're referring to as quirks again. This is a rather fatal failure mode, and one of the express goals of 6962 (and, through proxy, 6962-bis) is to detect and publicize any CA with such quirks, such that relying parties can move to distrust or otherwise restrict such CAs.