info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
(Possible) DigiCert EV Violation
273 views
Skip to first unread message
Ryan Sleevi
Feb 27, 2017, 4:41:59 PM2/27/17
to mozilla-dev-s...@lists.mozilla.org
The EV Guidelines require certificates issued for .onion include the cabf-TorServiceDescriptor extension, defined in the EV Guidelines, as part of these certificates. This is required by Section 11.7.1 (1) of the EV Guidelines, reading: "For a Certificate issued to a Domain Name with .onion in the right-most label of the Domain Name, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant’s control over the .onion Domain Name in accordance with Appendix F. "
The intent was to prevent collisions in .onion names due to the use of a truncated SHA-1 hash collision with distinct keys, as that would allow two parties to respond on the hidden service address using the same key.
Last week, a SHA-1 collision was announced.
In examining the .onion precertificates DigiCert has logged, available at https://crt.sh/?q=facebookcorewwwi.onion , I could not find a single one bearing this extension, which suggests these are all misissued certificates and violations of the EV Guidelines.
During a past discussion of precertificates, at https://groups.google.com/d/msg/mozilla.dev.security.policy/siHOXppxE9k/0PLPVcktBAAJ , Mozilla did not discuss whether or not it considered precertificates misissuance, although one module peer (hi! it's me!) suggested they were.
This interpretation seems consistent with the discussions during the WoSign issues, as some of those certificates examined were logged precertificates.
Have I missed something in examining these certificates? Am I correct that they appear to be violations?
The intent was to prevent collisions in .onion names due to the use of a truncated SHA-1 hash collision with distinct keys, as that would allow two parties to respond on the hidden service address using the same key.
Last week, a SHA-1 collision was announced.
In examining the .onion precertificates DigiCert has logged, available at https://crt.sh/?q=facebookcorewwwi.onion , I could not find a single one bearing this extension, which suggests these are all misissued certificates and violations of the EV Guidelines.
During a past discussion of precertificates, at https://groups.google.com/d/msg/mozilla.dev.security.policy/siHOXppxE9k/0PLPVcktBAAJ , Mozilla did not discuss whether or not it considered precertificates misissuance, although one module peer (hi! it's me!) suggested they were.
This interpretation seems consistent with the discussions during the WoSign issues, as some of those certificates examined were logged precertificates.
Have I missed something in examining these certificates? Am I correct that they appear to be violations?
Peter Bowen
Feb 27, 2017, 5:12:16 PM2/27/17
to Ryan Sleevi, mozilla-dev-s...@lists.mozilla.org
On Mon, Feb 27, 2017 at 1:41 PM, Ryan Sleevi via dev-security-policy
<dev-secur...@lists.mozilla.org> wrote:
> The EV Guidelines require certificates issued for .onion include the cabf-TorServiceDescriptor extension, defined in the EV Guidelines, as part of these certificates. This is required by Section 11.7.1 (1) of the EV Guidelines, reading: "For a Certificate issued to a Domain Name with .onion in the right-most label of the Domain Name, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant’s control over the .onion Domain Name in accordance with Appendix F. "
I don't see anything requiring this extension to be included in
<dev-secur...@lists.mozilla.org> wrote:
> The EV Guidelines require certificates issued for .onion include the cabf-TorServiceDescriptor extension, defined in the EV Guidelines, as part of these certificates. This is required by Section 11.7.1 (1) of the EV Guidelines, reading: "For a Certificate issued to a Domain Name with .onion in the right-most label of the Domain Name, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant’s control over the .onion Domain Name in accordance with Appendix F. "
certificates. (hat tip to Andrew Ayer for noticing the lack of
requirement)
> The intent was to prevent collisions in .onion names due to the use of a truncated SHA-1 hash collision with distinct keys, as that would allow two parties to respond on the hidden service address using the same key.
>
> Last week, a SHA-1 collision was announced.
>
> In examining the .onion precertificates DigiCert has logged, available at https://crt.sh/?q=facebookcorewwwi.onion , I could not find a single one bearing this extension, which suggests these are all misissued certificates and violations of the EV Guidelines.
>
> During a past discussion of precertificates, at https://groups.google.com/d/msg/mozilla.dev.security.policy/siHOXppxE9k/0PLPVcktBAAJ , Mozilla did not discuss whether or not it considered precertificates misissuance, although one module peer (hi! it's me!) suggested they were.
>
> This interpretation seems consistent with the discussions during the WoSign issues, as some of those certificates examined were logged precertificates.
>
> Have I missed something in examining these certificates? Am I correct that they appear to be violations?
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
Jeremy Rowley
Feb 27, 2017, 5:20:02 PM2/27/17
to Peter Bowen, Ryan Sleevi, mozilla-dev-s...@lists.mozilla.org
I was just going to respond with something similar.
Appendix F:
"A CA may issue an EV Certificate with .onion in the right-most label of the Domain Name provided
that issuance complies with the requirements set forth in this Appendix:
1. CAB Forum Tor Service Descriptor Hash extension (2.23.140.1.31) The CAB Forum has created an
extension of the TBSCertificate for use in conveying hashes of keys related to .onion addresses. The
Tor Service Descriptor Hash extension has the following format:
cabf-TorServiceDescriptor OBJECT IDENTIFIER ::= { 2.23.140.1.31 }
TorServiceDescriptorSyntax ::=
SEQUENCE ( 1..MAX ) of TorServiceDescriptorHash
TorServiceDescriptorHash:: = SEQUENCE {
onionURI UTF8String
algorithm AlgorithmIdentifier
subjectPublicKeyHash BIT STRING
}
Where the AlgorithmIdentifier is a hashing algorithm (defined in RFC 6234) performed over the DERencoding
of an ASN.1 SubjectPublicKey of the .onion service and SubjectPublicKeyHash is the hash
output."
The requirements don't specify what to do with this information. I know our product team interpreted this as part of the validation methods and exchange of key information, not something that was included in a certificate. We can include this information, but the guidelines are unclear what we do with this.
Appendix F:
"A CA may issue an EV Certificate with .onion in the right-most label of the Domain Name provided
that issuance complies with the requirements set forth in this Appendix:
1. CAB Forum Tor Service Descriptor Hash extension (2.23.140.1.31) The CAB Forum has created an
extension of the TBSCertificate for use in conveying hashes of keys related to .onion addresses. The
Tor Service Descriptor Hash extension has the following format:
cabf-TorServiceDescriptor OBJECT IDENTIFIER ::= { 2.23.140.1.31 }
TorServiceDescriptorSyntax ::=
SEQUENCE ( 1..MAX ) of TorServiceDescriptorHash
TorServiceDescriptorHash:: = SEQUENCE {
onionURI UTF8String
algorithm AlgorithmIdentifier
subjectPublicKeyHash BIT STRING
}
Where the AlgorithmIdentifier is a hashing algorithm (defined in RFC 6234) performed over the DERencoding
of an ASN.1 SubjectPublicKey of the .onion service and SubjectPublicKeyHash is the hash
output."
The requirements don't specify what to do with this information. I know our product team interpreted this as part of the validation methods and exchange of key information, not something that was included in a certificate. We can include this information, but the guidelines are unclear what we do with this.
Ryan Sleevi
Feb 27, 2017, 5:42:28 PM2/27/17
to Jeremy Rowley, Ryan Sleevi, mozilla-dev-s...@lists.mozilla.org, Peter Bowen
On Mon, Feb 27, 2017 at 2:19 PM, Jeremy Rowley via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:
> The requirements don't specify what to do with this information. I know
> our product team interpreted this as part of the validation methods and
> exchange of key information, not something that was included in a
> certificate. We can include this information, but the guidelines are
> unclear what we do with this.
Yeah, let's fix this in the EVGs over in the CA/Browser Forum.
dev-secur...@lists.mozilla.org> wrote:
> The requirements don't specify what to do with this information. I know
> our product team interpreted this as part of the validation methods and
> exchange of key information, not something that was included in a
> certificate. We can include this information, but the guidelines are
> unclear what we do with this.
As you know from our private and public conversations, Jeremy, Google's
support for allowing this issuance was contingent upon that extension
appearing within the certificate, as that was the only mitigation .onion
owners had to detect different-key, same-name collisions. It was this
property - the combined implicit logging (due to Chrome's CT policy,
although not explicitly required of CAs) and explicit extension that
provided the safety bar for sites. This is also why we pushed for the
revocation of the existing certs.
Gervase Markham
Feb 28, 2017, 6:19:02 AM2/28/17
to Ryan Sleevi
On 27/02/17 21:41, Ryan Sleevi wrote:
> During a past discussion of precertificates, at
> https://groups.google.com/d/msg/mozilla.dev.security.policy/siHOXppxE9k/0PLPVcktBAAJ
> , Mozilla did not discuss whether or not it considered
> precertificates misissuance, although one module peer (hi! it's me!)
> suggested they were.
On this particular point, the CT RFC says that issuing a pre-certificate
> During a past discussion of precertificates, at
> https://groups.google.com/d/msg/mozilla.dev.security.policy/siHOXppxE9k/0PLPVcktBAAJ
> , Mozilla did not discuss whether or not it considered
> precertificates misissuance, although one module peer (hi! it's me!)
> suggested they were.
is a binding statement of intent to issue the certificate. Therefore,
for example, one can exempt the cert itself from CAA checking if the
pre-cert was checked.
Therefore, I would say that we do consider mis-issued pre-certs as
misissuance.
Gerv
0 new messages