On Mon, Nov 27, 2017 at 4:51 PM, Hubert Kario <
hka...@redhat.com> wrote:
>
> > First, I absolutely disagree with your assumption - we need to assume
> > hostility, and design our code and policies to be robust against that. I
> > should hope that was uncontroversial, but it doesn't seem to be.
>
> my point was that there are some actions of the other party we interact
> with
> that must be taken on faith, like that the server_random is actually
> random,
> or the server private part of the key share stays secret, or a myriad other
> things that we cannot verify legitimacy or correctness of. Without assuming
> that good faith it's impossible to communicate. Same for generated keys
> provided to CAs.
>
With respect to CA behaviours, I still disagree.
I agree we must rely on server random to be random. Similarly, we 'rely' on
CA's random serials to be random - but we also make it clear that it's a
policy expectation.
In this same regard, if the intent is to limit a given key from being used
with multiple RSA-PSS hash algorithms, or from being used with RSA-PSS and
RSA-PKCS#1v1.5, then we should explicitly state that in policy. Implying
that (via the certificate limits) without requiring that is, as time has
repeatedly shown, a recipe for disaster, because it's completely
non-obvious as to why this might be (and, again, not supported by the
literature)
Alternatively, if it's not necessary to limit such usage, then we should
not be requiring parameters in the SPKI, because it's not necessary.
Further, for simplicitly and interoperability - and to prevent the
misguided belief it is necessary - then we should explicitly forbid
parameters.
There's no need to support both cases - we should MUST or MUST NOT, but
should not SHOULD.
> > Second, the only reason this is an issue was your suggestion (derived
> from
> > 4055, to be fair) about restricting the params<->signature interaction.
> The
> > flexibility afforded by 4055 in expressing the parameters, and then
> > subsequently constraining the validation rules, is not actually met by
> the
> > threat model.
>
> There was a threat model in RFC 4055?
>
> Is it so hard to imagine that a CA may want to ensure that the signatures
> it
> makes will never use weak hash? And even if it makes them, they won't be
> validated by a conforming implementation?
>
If the CA wishes to ensure that, then it doesn't need the certificate to
ensure that - as the certificate doesn't control how they use the key.
If the CA happens to do so anyways, the certificate doesn't prevent them
from being validated by a conforming implementation, because another
certificate may have been issued with the same subject name with a
different set of parameters.
That is, under an adversarial model, it makes no sense to hinge it on the
certificate's encoding of the parameters. If you're trying to prevent CA
misuse of the private key, then be explicit about the policy being that the
CA should not misuse said private key, and any use of the private key is a
violation. If any signatures are thus created, the fact that the CA has
generated such a signature is the issue, not whether or not clients accept
it - because if the CA can't protect their private key adequately (from
insider misconfiguration or external attack), then all bets are off.
This is about having a rational threat model for the required policy. What
you propose is not rational under either external CA adversarial threats or
internal misconfiguration.
>
> > That is, if it's dangerous to mix the hash algorithms in PSS signatures
> > (and I'm not aware of literature suggesting this is necessary, versus
> being
> > speculative concern), then we should explicitly prohibit it via policy.
> > Requiring the parameters in the certificates does not, in any way,
> mitigate
> > this risk - and its presumptive inclusion in 4055 was to constrain how
> > signature-creating-software behaved, rather than how
> > signature-accepting-clients should behave.
> >
> > Alternatively, if mixing the hash algorithms is not fundamentally unsafe
> in
> > the case of RSA-PSS, then it's unnecessary and overly complicating things
> > to include the params in the SPKI of the CA's certificate. The fact that
> > 'rsaEncryption' needs to be accepted as valid for the issuance of RSA-PSS
> > signatures already implies it's acceptable, and so the whole SHOULD
> > construct is imposing on the ecosystem an unsupported policy.
>
> it would be nice if the world was black and white, it would make any kind
> of
> nuanced work so much easier...
>
> Those are all shades of grey, for some uses allowing possibility of cross-
> protocol attacks is not important, for other, not so much.
>
We're talking about the Web PKI. It really is black or white here - there's
no need to introduce flexibility that can be misused (intentionally or not)
by CAs and add complexity to clients.
Either it's safe to do - and we should both explicitly allow it and prevent
unnecessary complexity that is RFC 4055's many knobs - or it's not safe to
do, in which case, none of 4055's knobs adequately capture that it's
unsafe, and the policies should be based around the key. It really is that
black or white :)
> > So no, we should not assume well-meaning actors, and we should be
> explicit
> > about what the "intention" of the RFCs is, and whether they actually
> > achieve that.
>
> but we should achieve that by saying "do this", not "don't do this",
> enumerating badness doesn't work - ask firewall people if you don't believe
> me.
>
> Or did we add to policy that keys revoked because they may haven been
> compromised (heartbleed) can't be reused? Ever? Even by a different CA?
>
You've completely misframed my proposal. I'm enumerating a specific
whitelist of what is permitted. Every other option, unless otherwise
permitted, is restricted. I'm even going to the level of proposing a
byte-for-byte comparison function such that there's not even a prosaic
whitelist - it's such that the policy is black and white and transcends
language barriers by expressing directly in the technology.
You're enumerating a blacklist - saying that all of the flexibility of 4055
is permitted (except for these specific combinations), but propose to
enforce neither of those through code or policy. These restrictions or
prohibitions are easily misunderstood, especially for non-native speakers,
and without justification - thus failing to meet the test for good policy.
I don't think this is intentional, but it's why I reframed your proposal
into first principles - if our goal is X, we should do this, if our goal is
Y, we should do this - and not leave it ambiguous.
> > B is absolutely useless as a security mechanism against threats, and is
> > instead a way of signature-producing software to bake in an API contract
> in
> > to an RFC. We shouldn't encourage that, nor should the ecosystem have to
> > bear that complexity.
> >
> > If it's not a security mechanism, then it's unnecessary.
>
> how is stating "I will never use SHA-1" not a security mechanism?
>
Stating "Don't trust SHA-1 signatures from me - but, oh, btw, I'll happily
create them" is a failure of security, much in the way that you're
seemingly worried about cross-protocol attacks. If the goal is to ensure
the private key doesn't create a weak signature, then let's say that is the
requirement - everything else is defense in depth. But if you're solely
relying on the certificate to constrain those, rather than the key
protection, then that's insufficient.
> > IMO, a) is not relevant to set of concerns, which I echo'd on the bug and
> > again above
> >
> > And I'm suggesting that while you're proposing prosaically three valid
> > encodings, this community has ample demonstration that CAs have
> difficulty
> > correctly implementing things - in part, due to clients such as NSS
> > shipping Postel-liberal parsers - and so the policy should make it as
> > unambiguous as possible. The best way to make this unambiguous is to
> > provide the specific encodings - byte for byte.
>
> or provide examples of specific encodings with explanations what can change
> and to what degree...
>
There's no need for that flexibility. None. Not in the Web PKI. Especially
if your concern is someone running a production CA based on OpenSSL's
default implementation.
> > Then a correct implementation can do a byte-for-byte evaluation of the
> > algorithm, without needing to parse at all - a net win.
>
> that horse left the barn long time ago
>
Hardly. OpenSSL can't parse RSA-PSS SPKIs until the (unreased) OpenSSL
1.1.1, and which this policy would require (for CA certificates). Look at
the Web PKI and you see virtually no such certificates exist.
The point of the policy is what is on publicly trusted CAs, so I don't
think it's relevant or productive to argue for hypothetical future-public
CAs or internal CAs.
> > Consider, for example, that RFC 4055's rsaSSA-PSS-SHA256-Params,
> > SHA384-Params, and SHA512-Params all set saltLength as 20. The subtlety
> of
> > the policy requiring 32/48/64 rather than 20/20/20 is absolutely a
> mistake
> > a CA can make. For example, their software may say "PSS/SHA-256" and
> result
> > in 4055's PSS-SHA256-Params rather than the proposed requirement.
>
> then describe what is allowed, update policy, inform CAs in CA
> communication
> what is allowed and implement those limitations in software.
>
And don't ship the software until those limitations are implemented, as
otherwise, the implementation is incomplete.
> we are talking about months of time for any ossification to happen, it took
> decades to PKCS#1 v1.5 problems to pop up and it still affected only single
> digit percentages of certificates.
>
The fact that it affected a single-digit percentage of certificates (and, I
want to note, you haven't provided any citation for that - I would greatly
welcome backing that up) is a HUGE number in web compatibility terms.
> > That's OK, because none of these certificates are publicly trusted, and
> > there's zero reason for a client to support all of the ill-considered
> > flexibility of 4055.
>
> that does not apply to software already released that can make those
> signatures with valid, publicly trusted keys
>
> also, just because those CAs are not trusted now, doesn't mean that they
> can't
> become trusted in the future through cross-signing agreements
>
Yes, it does mean that - we can set the policy now, and such CAs cannot
become 'retroactively valid'. That's already a goal of the policy, and why
root store inclusions already evaluate whether the existing CA has issued
non-BR or Mozilla-complying certs and, if so, requires a new infrastructure
to be split from the old infrastructure.
It seems like the crux of your objections to these common sense restraints
are:
- OpenSSL might have generated such certificates for internal purposes
- Noting that the lack of SPKI parsing means that the proposed
constraints are already not-interoperable
- This only applies to internal certificates
- CryptoAPI supports the 'existing' OIDs (and by default) and we need to
support that case
- CryptoAPI also doesn't include subjectAltNames by default, but the BRs
require it, so that's not a very compelling argument