Hello,
As you all know, the new Apple and Mozilla policies for CAs to disclose the locations of CRL-based revocation information became effective this month. One of the options for CAs to provide this CRL-based revocation information is to provide a list of all CRL URLs, which when combined, provide a complete list of revoked certificates for the CRL issuer (CA) in the CCADB “JSON Array of Partitioned CRLs” field.
The issuance of partitioned CRLs is described in some detail in section 5.2.5 of RFC 5280 [1]. This section notes that CAs may partition CRLs any way they see fit. However, there is this requirement when partitioning CRLs:
“If the distributionPoint field is absent, the CRL MUST contain
entries for all revoked unexpired certificates issued by the CRL
issuer, if any, within the scope of the CRL.”
Although the wording could be improved, this passage is rather clear that the IDP extension with the distributionPoint field (which contains the URI of the CRL, in the WebPKI case) must be included if the CRL is partitioned.
X.509 08/2005 (which RFC 5280 profiles), section 8.6.2.2 is even clearer regarding the requirement to include the IDP extension in partitioned CRLs:
“If the issuing distribution point field, the AA issuing distribution point field, and the CRL scope field are all absent, the CRL shall contain entries for all revoked unexpired public-key certificates issued by the CRL issuer.”
Why does all this matter? Including the IDP extension not only aligns the CRL with the RFC 5280 profile, but also provides a security-critical function: it provides sufficient information to Relying Parties so that they can confirm they have retrieved the correct CRL and detect substitution attacks. Without the information carried in the IDP, an on-path attacker could substitute another CRL which doesn’t contain a serial number for a certificate that has been revoked, thus allowing the attacker to “hide” the revocation of a certificate. Given that the transport of these CRLs listed in CCADB is plaintext HTTP, such an attack would be feasible and would allow bad actors to tamper with the creation of the “compressed CRLs” that are generated by Apple, Mozilla, or other user agents. This security issue also has been raised several times on the IETF PKIX mailing list [2][3].
It does not appear that there is universal agreement or awareness on the above, based on some CCADB entries that were observed. Given this, I wanted to raise this topic for discussion to ensure that there is universal understanding of the requirements and expectations of Root Programs.
Thanks,
Corey
[1] https://www.rfc-editor.org/rfc/rfc5280#section-5.2.5
[2] https://mailarchive.ietf.org/arch/msg/pkix/sdBe9RXFcot9P23XPW-FiOvV2aM/
[3] https://mailarchive.ietf.org/arch/msg/pkix/qAQHDXOM_Y3xY3te-xR0e7lQLjM/
Although the wording could be improved, this passage is rather clear that the IDP extension with the distributionPoint field (which contains the URI of the CRL, in the WebPKI case) must be included if the CRL is partitioned.
If you think there is a bug in RFC 5280, please file an errata and let the IETF process take care of it, instead of coming to your own independent conclusion.
-Tim
If you think there is a bug in RFC 5280, please file an errata and let the IETF process take care of it, instead of coming to your own independent conclusion.
-Tim
I think it is totally reasonable to conclude that RFC 5280's "within the scope of the CRL" language is a bug.
Although this "defect" remains in RFC5280, ISTM that the original X.509 requirement is restored by MRSP section 5.2 [2], which says:
"CA operators MUST NOT issue ... partial/scoped CRLs that lack a distributionPoint in a critical issuingDistributionPoint extension"
Does this observation cause you to rethink your conclusion?
As you correctly point out, IETF processes differ significantly from WG to WG, and occasionally IETF doesn’t live up to the standards it claims to uphold, for various reasons. I haven’t been closely following your experiences with ACME, but I apologize if you feel that they were not handled to your satisfaction, and if I can help with that in any way with that I’m willing to do so.
If people feel that filing errata is not worth their time, that is their choice to make. However, even if the errata is never incorporated into an update, it’s still useful documentation to have. For example, the 6844 errata were even referenced in the BRs long before they ever got put into 6844-bis. Many of the IETF RFCs (including RFC 5280!) have published errata that are quite useful.
I happen to know that both of the LAMPS chairs (I’m one) are pretty familiar with RFC 5280, and if there are important errors to call out, we’d certainly be interested in seeing that done. It’s an important RFC.
I’m dancing around the merits, because I don’t want to comment on a topic that might come to LAMPS in the near future, but I do want to reiterate, if you think that there is something wrong with RFC 5280, I’d appreciate if people would file errata, and we can take things from there.
-Tim
From: 'Rob Stradling' via dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Sent: Friday, October 7, 2022 1:13 PM
To: Tim Hollebeek <tim.ho...@digicert.com>
Cc: dev-secur...@mozilla.org; Aaron Gable <aa...@letsencrypt.org>; Corey Bonnell <Corey....@digicert.com>
Subject: Re: CRL partitioning and IDPs
Hi Tim. That's the theoretically correct process, but...
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/MW4PR17MB4729F3A7356AEBD37C087047AA5F9%40MW4PR17MB4729.namprd17.prod.outlook.com.
> A simple fix would be to require that CAs use HTTPS URLs for CRL shards,
> though this wouldn't be as strong as relying on indicators within the CRL
> itself.
I believe including the IDP is the better solution, for three reasons:
Firstly, compromise of the web server/CDN serving the sharded CRLs would allow
an attacker to carry out the substitution attack described in this thread,
whereas the use of IDP would require the attacker to compromise the CA's
signing infrastructure to suppress the inclusion of the extension. Thus, there
is a different level of security in the two approaches.
Secondly, using HTTPS for transport raises the possibility of recursive
revocation lookups, depending on the certificate chain employed.
Lastly, the inclusion of the IDP extension and distributionPoint field in
sub-scoped CRLs is a requirement of RFC 5280 and X.509 and thus must be
unconditionally included (it is a deviation of the profile to omit it). Given
that the inclusion of the IDP is the standard mechanism to prevent exactly the
attack described in this thread, it should be employed here as opposed to
layering hacky fixes on top of CRLs that do not adhere to the profile.
Hi Aaron,
> But no, including the distributionPoint is absolutely not required by RFC 5280 as long as the CRL includes all revoked unexpired certificates within its scope. It is not even required by the Mozilla Root Store Policy, as long as there is no critical IssuingDistributionPoint extension in the CRL. It is required by X.509, but the whole point of RFC 5280 is that it defines what portions of X.509 apply to the Web PKI; it does not include that requirement from X.509. These may be oversights or mistakes, and I agree they should be changed, but we try very hard to separate intent from actual requirements here.
I’ll quote the relevant passage from RFC 5280 again here for easy reference:
“If the distributionPoint field is absent, the CRL MUST contain
entries for all revoked unexpired certificates issued by the CRL
issuer, if any, within the scope of the CRL”
My interpretation of this passage is that it is defining the required scope of the CRL in the absence of the distributionPoint field. Namely, all revoked certificates issued by the CA must be contained within the scope of the CRL. However, it sounds like your interpretation is that the CRL must contain all revoked certificates that are within its scope. This sounds tautological or seemingly indicates that it is somehow possible to recursively scope CRLs (i.e., a scope within a scope) by including the distributionPoint field.
Can you expand upon how your interpretation would work in practice?
Thanks,
Corey
From: 'Aaron Gable' via dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Sent: Wednesday, October 12, 2022 12:26 PM
To: Corey Bonnell <Corey....@digicert.com>
Cc: Andrew Ayer <ag...@andrewayer.name>; 'Aaron Gable' via dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Subject: Re: CRL partitioning and IDPs
On Wed, Oct 12, 2022 at 7:07 AM Corey Bonnell <Corey....@digicert.com> wrote:
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnEreuC0JKJo5kOjaYqgPB9zS8xgeM3j0afJ_HcQmkx%3DsEUA%40mail.gmail.com.
My interpretation of this passage is that it is defining the required scope of the CRL in the absence of the distributionPoint field. Namely, all revoked certificates issued by the CA must be contained within the scope of the CRL. However, it sounds like your interpretation is that the CRL must contain all revoked certificates that are within its scope. This sounds tautological or seemingly indicates that it is somehow possible to recursively scope CRLs (i.e., a scope within a scope) by including the distributionPoint field.
Can you expand upon how your interpretation would work in practice?
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnErfpyPYrhu35fJ1nDGqeht%3D7Dyw8VZKzoMfVvk%3DM3GyP1g%40mail.gmail.com.
Shouldn’t CABF ballot discussions and endorsement conversations happen on the relevant CABF lists? This is somewhat important both to make sure the relevant conversations are properly documented and archived in the right place, as well as for compliance with the CABF IPR rules. It doesn’t horribly matter for small ballots like this, but it’s still probably a good idea to do things the usual ways and locations.
Also, January 1st is not a particularly good date to use as a compliance deadline. The proximity to the winter holidays and year rollover causes all sorts of fun silliness that’s generally best avoided.
-Tim
From: 'Aaron Gable' via dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Sent: Friday, October 14, 2022 12:30 PM
To: Corey Bonnell <Corey....@digicert.com>
Cc: Andrew Ayer <ag...@andrewayer.name>; 'Aaron Gable' via dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Subject: Re: CRL partitioning and IDPs
To ensure that future parties don't have to have this same discussion again, I have put together a CA/BF ballot to update the BRs to explicitly require the distributionPoint field in sharded CRLs:
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnErfpyPYrhu35fJ1nDGqeht%3D7Dyw8VZKzoMfVvk%3DM3GyP1g%40mail.gmail.com.
We largely don’t care as we consider this to be an existing requirement, so the date doesn’t really matter for us, but I’m totally ok with enhancing the BRs to make the requirement more explicit, and putting an agreed upon future compliance date in there for anyone who might have missed this subtle requirement. I was mostly commenting on Jan 1st being bad to help out other people who might be affected.
I have previously noted that the 15th day of odd months tends to dodge most holidays (e.g. Jan 15th or Mar 15th), and choosing from those six compliance dates might make CABF BR compliance schedules look a little bit more organized and less like 100 individuals randomly throwing darts at a calendar, but that’s just a personal preference of mine.
-Tim
From: 'Aaron Gable' via dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Sent: Friday, October 14, 2022 1:07 PM
To: Tim Hollebeek <tim.ho...@digicert.com>
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnErekmR76rbFvjyPQK7z85QbPQHynszFSN8tee48B_XcO%2Bw%40mail.gmail.com.
Hi Aaron,
I had a draft reply written up to better explain my interpretation but deleted it since I think the CABF ballot is a more constructive path forward on this issue.
Are you also considering filing an erratum against 5280 so this particular PKI footgun can be addressed at the IETF?
Thanks,
Corey
From: Aaron Gable <aa...@letsencrypt.org>
Sent: Wednesday, October 12, 2022 7:51 PM
To: Corey Bonnell <Corey....@digicert.com>
Cc: Andrew Ayer <ag...@andrewayer.name>; 'Aaron Gable' via dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Subject: Re: CRL partitioning and IDPs
On Wed, Oct 12, 2022 at 1:02 PM Corey Bonnell <Corey....@digicert.com> wrote:
Are you also considering filing an erratum against 5280 so this particular PKI footgun can be addressed at the IETF?
More information about the process: https://www.ietf.org/about/groups/iesg/statements/processing-errata-ietf-stream/
Thanks for filing it. I’m actually curious to see where the discussion goes, and what the people who were around at the time (including the author) have to say about the history, original intent, and proposed resolution.
-Tim
From: 'Aaron Gable' via dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Sent: Friday, October 14, 2022 3:44 PM
To: Corey Bonnell <Corey....@digicert.com>
Cc: Andrew Ayer <ag...@andrewayer.name>; 'Aaron Gable' via dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Subject: Re: CRL partitioning and IDPs
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnErd1g11zCEMnMHbSQf2n1o5GUm5A%2BGa4H93c05%2B3bAuJnA%40mail.gmail.com.