[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: A proxy certificate validation question.

To: Philipp Gühring <pg@xxxxxxxxxxxxx>
Subject: Re: A proxy certificate validation question.
From: Johannes Merkle <johannes.merkle@xxxxxxxxxxx>
Date: Fri, 09 Jan 2009 11:48:30 +0100
Cc: ietf-pkix@xxxxxxx
In-reply-to: <4966369C.5090404@xxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <4964DEFF.9080000@xxxxxxxxx> <87aba33tpd.fsf@xxxxxxxxxxxxxxxxxxx> <49651DFF.9040809@xxxxxxxx> <> <496537D9.6090802@xxxxxxxx> <2788466ED3E31C418E9ACC5C316615572FFC57@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <4966369C.5090404@xxxxxxxxxxxxx>
Sender: owner-ietf-pkix@xxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.19 (Windows/20081209)

Philipp,

>> 2) Employ OCSP as a means of introducing a stronger algorithm (and
>> addressing concerns previously raised in this list)
> 
> You mean using something similar like OCSP, that provides a re-signature
> for an existing certificate?
> 

Actually, SCVP could help to tell original and rogue certificates apart. This requires the following
1) The SCVP server uses a secure hash function and signature algorithm
2) The client requests inclusion of the certificate in question in the response by means of the wantBack id-swb-pkc-cert.
3) The server is able to retrieve the certificate from a trustworthy source (only containing authentic certificates),
i.e. from the CA's repository.
If SCVP was widely deployed, it could mitigate the risks implied by hash function weaknesses.

In Germany, the OCSP responders provided by CA's issuing qualified certificates typically provide a similar white-list
lookup feature:
1) They respond with status "good" only if the certificate has actually been issued by the CA. In particular, they have
access to the CA's repository (or a replication) and do not only rely on a CRL.
2) They use a private OCSP response extension CertHash (defined by the Common PKI standard) to include the hash value of
the certificate in question in the response.

There are some German signature verification tools and email clients which support this white-list lookup feature and
check the certificate against the cert hash included in the response. Of course this features exceeds standard OCSP, but
it is actually used.


> I think some RFC defines that a certificate must be unique according to
> issuer+serial number. And some software actually implemented that and
> completely declares a whole (root?) CA invalid as soon as it sees two
> different certificates with same issuer+serial number.
This problem would not occur with a validation service providing white-list lookup.

> What if we use something like OCSP that delivers a renewed (with
> different serial number) certificate when someone presents an old
> certificate?
Better: SCVP or OCSP with white-list lookup.

Johannes

Follow-Ups:
- Re: A proxy certificate validation question.
  - From: Stephen Kent
- RE: A proxy certificate validation question.
  - From: Hallam-Baker, Phillip

References:
- A proxy certificate validation question.
  - From: Timothy J. Miller
- Re: A proxy certificate validation question.
  - From: Simon Josefsson
- Re: A proxy certificate validation question.
  - From: Von Welch
- Re: A proxy certificate validation question.
  - From: Stephen Kent
- Re: A proxy certificate validation question.
  - From: Von Welch
- RE: A proxy certificate validation question.
  - From: Hallam-Baker, Phillip
- Re: A proxy certificate validation question.
  - From: Philipp Gühring

Prev by Date: RE: [saag] [Cfrg] Further MD5 breaks: Creating a rogue CAcertificate
Next by Date: RE: A proxy certificate validation question.
Previous by thread: RE: A proxy certificate validation question.
Next by thread: RE: A proxy certificate validation question.
Index(es):
- Date
- Thread