[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: OCSP Algorithm Agility

To: <ietf-pkix@xxxxxxx>
Subject: RE: OCSP Algorithm Agility
From: Paul Hoffman <paul.hoffman@xxxxxxxx>
Date: Fri, 21 Sep 2007 10:15:06 -0700
In-reply-to: <2788466ED3E31C418E9ACC5C3166155703DF57@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <2788466ED3E31C418E9ACC5C3166155703DF57@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: owner-ietf-pkix@xxxxxxxxxxxx


At 7:04 AM -0700 9/21/07, Hallam-Baker, Phillip wrote:

The way I see it, the process of transition from one algorithm toanother has two sets of constraints, the first is the securityconsiderations, the second is the operational/managementconsiderations.
In the past security issues have been the alpha and omega of PKI.The only justification accepted for a change has been to improvesecurity. So we end up with a whole slew of arbitrary operationalconstraints and then wonder why people have such difficultydeploying and maintaining these systems.
If we want to deploy new algorithms we have to decouple the OCSP andCert issuing infrastructures, otherswise we will perpetually be insituations where we are waiting for an evolution in oneinfrastructure before a change can be made in the other.


Fully agree up to here.

We have to get PKIX in order before we start proposing work for theTLS group. Than means making OCSP algorithm agile.

And mostly agree with this. Where I disagree with Phill (I think) iswhat "algorithm agile" means. My reading of OCSP is that it is*already* fully algorithm agile.

From Phill's message at the start of this thread, I think what hemeans is "agile in a way that is not susceptible to downgrade attacksby a MITM". The list then went into the design of an anti-downgraderevision to OCSP. This is quite similar to the discussion we had inthe DKIM WG on a very similar topic.

The most important feature of these attacks is that Mallory canimpersonate the OCSP responder by signing a message with acompromised algorithm. I contend that this attack is isomorphic tothe problem of, even with no algorithm agility, Mallory impersonatingthe OCSP responder using a stolen signing key. In fact, the latterseems much more likely than the former in the real world.

We haven't even thought about how an OCSP responder could say in anunspoofable fashion "here is my legitimate signing key, don't trustthat stolen key". That is been a non-issue for all these years,probably because it is intractable without going out-of-band. Thecompromised-algorithm problem is likely to be just as intractablewithout going out of band. Once we go out of band, the OCSP respondersimply gives the key and algorithm of the day.

So, can we can safely say that OCSP is algorithm agile withoutneeding a solution to the compromised algorithm problem? If not, howis the problem different operationally from the stolen-key problem?


--Paul Hoffman, Director
--VPN Consortium

Follow-Ups:
- RE: OCSP Algorithm Agility
  - From: Stephen Kent

References:
- RE: OCSP Algorithm Agility
  - From: Hallam-Baker, Phillip

Prev by Date: I-D ACTION:draft-ietf-pkix-scvp-33.txt
Next by Date: RE: OCSP Algorithm Agility
Previous by thread: RE: OCSP Algorithm Agility
Next by thread: RE: OCSP Algorithm Agility
Index(es):
- Date
- Thread