[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Offline Root CA with valid CRL hierachie


Ambarish,

I completely agree with you. This is an ongoing issue when designing and building secure and reliable PKI implementations.

How often a client or service provider (both as relying parties) retrieves an updated CRL is dependant on the intended use of the PKI. It all comes down to risk mitigation and associated costs. If you are protecting highly sensitive information then maybe you need to support frequent checking of CRLs and if this is the case then maybe you need to deploy a LDAP farm fronted by some sort of HA device or maybe you deploy a smaller scale LDAP deployment and push certificate status checking to an OCSP responder which too may be integrated into an HA solution. However, this can become very costly and if the cost outweighs the value of the information being protected, then there needs to be a balancing act between cost and risk.

Relying parties, especially service providers, need to be configurable allowing an administrator to determine the frequency in which an updated CRL is fetched. There may be a situation where different relying parties have different intervals, based on risk. In addition, administrators must be able to issue a command to the service front end (that is responsible for CRL checking) telling it to go out and fetch a new CRL immediately. This is important for these cases when there is an emergency revocation early in the validity period of a CRL.

In most CP/CPS documents, reference is made to emergency certificate revocation and notification of relying parties in such cases. However, if the relying party either cannot or does not effect an immediate retrieval of an update CRL, then emergency revocation procedures are useless.

Mitch

At 04:52 PM 12/31/2002, Ambarish Malpani wrote:

Hi Mitchell,
    As a CA, you can tell the RP (relying party) that it is
responsible for fetching the latest CRL. If you then give it
no way of knowing when to get a new CRL, any serious security
client would keep checking for a new CRL *every* time it needed
to validate a certificate/certification path.

As a root CA, it is very unlikely that your directory could handle
the load you would get from every client trying to get your latest
CRL for every certificate that chains up to you (*distribution* is
the real scalability problem with CRLs - as opposed to OCSP - not
generation).

Regards,
Ambarish

---------------------------------------------------------------------
Ambarish Malpani                                         650.759.9045
Malpani Consulting Services                      ambarish@xxxxxxxxxxx
http://www.malpani.biz



> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx
> [mailto:owner-ietf-pkix@xxxxxxxxxxxx]On Behalf Of Mitchell Arnone
> Sent: Monday, December 30, 2002 5:13 PM
> To: David P. Kemp; ietf-pkix@xxxxxxx
> Subject: Re: Offline Root CA with valid CRL hierachie
>
>
>
> Dave,
>
> This sounds like a very complex technical solution that
> circumvents proper
> procedures designed to maintain a significantly high level of
> assurance.  The Root CA is the root of trust and therefore must
> live up to
> the highest level of assurance attested to by a particular PKI.
>
> CRLs must be generated on the date and at the time they become
> effective.  Predicting contents of a CRL and generating them in advance
> leaves much room and opportunity to render a PKI untrustworthy.
>
> A CRL can be generated by an off-line Root CA where the next
> update can be
> one day, one month or even one year from the date contained in
> "thisUpdate".  Depending on this setting, and assuming that no
> subordinate
> CA certificates have been revoked prior to the normally scheduled update
> period, the off-line Root CA can be brought on-line allowing it
> to generate
> and publish a fresh CRL.  In the event that a subordinate CA
> certificate is
> revoked, obviously the Root CA must brought on-line to do so and
> immediately following the revocation, the Root CA can generate
> and publish
> an updated CRL.  This is the proper way to handle an Off-line Root CA.
>
> The burden of obtaining a current CRL is on the Relying Party
> where it must
> periodically refresh its CRL regardless of whether the "nextUpdate" has
> been reached or not.  A Relying Party can flush its cache at prescribed
> intervals and then retrieve a new (updated) CRL as required.
>
> Mitch
>
> At 11:01 AM 12/30/2002, David P. Kemp wrote:
>
> >Because revocation of a signing CA should be very rare event, the
> >offline root can take advantage of a "long pipeline" to minimize
> >the human effort required to transport disks of CRLs to an online
> >repository.  The root could pre-generate, say, one week's worth of
> >empty daily CRLs (where nextUpdate = thisUpdate + 1 day) and put
> >the 7 CRLs on media.  The repository would then be responsible
> >for doling out the correct CRL each day and not publishing any
> >CRL for which thisUpdate is in the future.
> >
> >In the event of a CA compromise, the pipeline would need to be
> >flushed - future CRLs in the repository would be destroyed and
> >the root CA would generate a new batch of CRLs on media.
> >
> >This assumes that compromise of the online repository (allowing
> >access to CRLs up to 7 days in the future) is a much less serious
> >event than compromise of the offline root CA.  I believe that
> >assumption is valid and supportable.
> >
> >Dave
> >
> >
> >
> >
> >Al Arsenault wrote:
> > >
> > > Okay, I'm a little confused here.  This problem isn't really
> all that hard
> > > to solve. My comments/questions are in-line, prefaced by my initials,
> > "AWA".
> > >
> > > ----- Original Message -----
> > > From: "Haaino Beljaars" <beljaars@xxxxxxxxxxxx>
> > > To: "Mark Scherling" <markscherling@xxxxxxx>
> > > Cc: <ietf-pkix@xxxxxxx>
> > > Sent: Monday, December 23, 2002 6:36 AM
> > > Subject: Re: Offline Root CA with valid CRL hierachie
> > >
> > > >
> > > > > You can still publish a CRL for an off-line CA.  You will need to
> > > > establish
> > > > > a fairly long expiry time for the CRL if you do not plan to bring
> > the CA
> > > > > on-line often.  In many cases the Root CA is off-line and
> only used to
> > > > issue
> > > > > new intermediary CAs or revoke intermediary CAs.  You will need to
> > > > establish
> > > > > a very good procedure for startup and shutdown of the root CA (two
> > > person
> > > > > control, locked in a safe, two person combination on the safe,
> > > documenting
> > > > > each time the CA is removed, etc. )  The reason for
> documenting the
> > > > process
> > > > > is for audit purposes.
> > > > >
> > > > > You will also need to document in your CP that the CA is
> off-line and
> > > that
> > > > > the onus is on the relying party to verify that an
> intermediary CA is
> > > > still
> > > > > valid.
> > > >
> > >
> > > AWA:  Let's first clarify terms.  What, exactly, do you mean
> by "off-line
> > > CA"?  To me, that term means that the CA is not connected to a larger
> > > network (specifically, it's not connected to the Internet or
> larger telecom
> > > network through which it can be accessed).  It's still
> running, locked in
> > > its secure facility somewhere.  That is, start-up/shut-down is not an
> > issue;
> > > it's already running.  Is that what you mean, or is there
> something else?
> > >
> > > > I agree that you still publish a valid CRL for an offline
> Root CA. The
> > > > problem is the following,
> > > > example: I issue an CRL with the Root CA with a validity of
> for example a
> > > > month, and after
> > > > issuing the CRL I take it offline. During that month, for
> example after
> > > two
> > > > weeks, one of the
> > > > intermediate CA's is compromised and I have to revoke that CA.
> > > > According to the specs I can only issue a CRL which has a
> validity time
> > > that
> > > > starts after
> > > > current one.
> > >
> > > AWA:  I'm not sure you're interpreting RFC 3280 correctly.  Paragraph
> > > 5.1.2.5 starts:
> > >
> > >   5.1.2.5  Next Update
> > >
> > >    This field indicates the date by which the next CRL will be issued.
> > >    The next CRL could be issued before the indicated date, but it will
> > >    not be issued any later than the indicated date.  CRL
> issuers SHOULD
> > >    issue CRLs with a nextUpdate time equal to or later than
> all previous
> > >    CRLs.  nextUpdate may be encoded as UTCTime or GeneralizedTime.
> > >
> > > That is, you can only issue a CRL whose "thisUpdate" time is
> later than the
> > > previous one, and whose nextUpdate time is equal to or later
> than those on
> > > previous CRLs (although that latter part is not required).  There's no
> > > reason why you have to wait until the current CRL expires to
> issue the new
> > > one.
> > >
> > > >This means in practise that I have a valid intermediate CA for
> > > > over two weeks,
> > > > but in reality that intermediate CA is revoked. How can I
> let everybody
> > > know
> > > > during that
> > > > two week period that the intermediate CA is compromised, taking in
> > > > account:"Conforming
> > > > applications are NOT REQUIRED to support processing of delta CRLs,
> > > indirect
> > > > CRLs, or CRLs
> > > > with a scope other than all certificates issued by one CA"?
> > > >
> > >
> > > AWA:  Okay, here's how I've solved this problem in the past.
> The root CA,
> > > while off-line, is running in its secure facility.  When it
> is necessary to
> > > revoke an intermediate CA, the root CA is accessed to create
> a new CRL.
> > > This CRL is dumped to some medium, either burned onto a CD or
> put onto a
> > > floppy.  This medium is then hand-carried (the term we used
> to use was
> > "sent
> > > via sneaker-net") to a server that is on the network.  It can
> be either
> > made
> > > available as a CRL from, e.g., an LDAP repository; or it can
> be provided to
> > > an OCSP responder.
> > >
> > > The rest is up to your revocation policy.  If you rely only on CRLs,
> > and you
> > > allow users to cache CRLs until the end of their validity
> period (e.g.,
> > > until their "nextUpdate" time), then yes, you have in your scenario a
> > > two-week window of vulnerability where users think an
> intermediate CA is
> > > good but it's really not.  That's a risk you take by relying
> only on static
> > > CRLs with that long a validity period. (Of course, one would hope that
> > > revocation of an intermediate CA would be an extremely rare
> event, so the
> > > overall system risk/cost tradeoff may be acceptable, but...)
> > >
> > > On the other hand, you can use an OCSP-based system, where
> users query the
> > > responder and will discover that the intermediate CA has been
> revoked the
> > > first time they query its status.  OR you can use CRLs with a
> shorter life
> > > cycle.  Depending on what you're willing to pay in "human
> capital" costs,
> > > there's no reason you can't have the off-line CA issue a new CRL -
> > generally
> > > identical to the previous one - as often as you want; e.g.,
> every day,
> > every
> > > 4 hours, whatever.  It just costs you to have the human move
> the medium -
> > > floppy, CD - from the off-line CA to the network-connected
> > repository.  It's
> > > not that hard.
> > >
> > > > Best regards,
> > > > Haaino
> > > >
> > >
> > > Hope this helps.
> > >
> > >                     Al Arsenault
> > >                     Chief Security Architect
> > >                     Diversinet Corp.
>
> ***********************************************************
> Mitchell Arnone
> Managing Consultant
> SchlumbergerSema
> Technical Consulting Practice, Northeast Region
> Network & Infrastructure Solutions
>
> marnone@xxxxxxxxxxxxxxxxxxxxxx
> www.slb.com/nws
>
> 35 Waterview Blvd.
> Suite 210
> Parsippany, NJ 07054-1200
> USA
>
> Phone  +1 410-579-8691
> Mobile  +1 443-864-1590
>
>


***********************************************************
Mitchell Arnone
Managing Consultant
SchlumbergerSema
Technical Consulting Practice, Northeast Region
Network & Infrastructure Solutions

marnone@xxxxxxxxxxxxxxxxxxxxxx
www.slb.com/nws

35 Waterview Blvd.
Suite 210
Parsippany, NJ 07054-1200
USA

Phone  +1 410-579-8691
Mobile  +1 443-864-1590