[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [TLS] Next steps for Client Certificate URL

To: Nelson B Bolyard <nelson@xxxxxxxxxxx>
Subject: Re: [TLS] Next steps for Client Certificate URL
From: Eric Rescorla <ekr@xxxxxxxxxxxxxxxxxxxx>
Date: Sat, 29 Mar 2008 08:26:53 -0700
Cc: tls@xxxxxxxx
Delivered-to: tls@xxxxxxxxxxxxxx
In-reply-to: <47ED54D2.5040000@xxxxxxxxxxx>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <1696498986EFEC4D9153717DA325CB7238EA05@xxxxxxxxxxxxxxxxxxxxxx> <47ED54D2.5040000@xxxxxxxxxxx>
Sender: tls-bounces@xxxxxxxx
User-agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.1 Mule/5.0 (SAKAKI)

At Fri, 28 Mar 2008 13:28:02 -0700,
Nelson B Bolyard wrote:
> 
> Pasi.Eronen@xxxxxxxxx wrote, On 2008-03-28 07:13:
> 
> > Given this, would everyone be OK with updating the existing
> > client_certificate_url extension so that including the hash is
> > mandatory (client MUST send, server MUST NOT accept without hash)?
> > This behavior would be independent of the negotiated TLS version.
> 
> I'm trying to understand the attack against which this hash is going
> to protect, that is not already adequately protected without it.
> Can someone outline that attack here?
> 
> Presumably, the attack involves substituting a different certificate
> than the one intended by the client.  To succeed the substitute cert
> must bear a public key that will verify the client's signature in the
> Certificate Verify message, and must bear a signature verifiable with
> the public key from some CA trusted by the server for issuing client
> auth certs.  That would seem to necessitate CA key compromise, or
> client key compromise, or CA collusion with the attacker.  The hash
> would not protect against client key compromise.
>
> Is this hash intended to detect CA key compromise and/or collusion?

Why do you think it requires CA key compromise or collusion?

-Ekr
_______________________________________________
TLS mailing list
TLS@xxxxxxxx
https://www.ietf.org/mailman/listinfo/tls

References:
- [TLS] Next steps for Client Certificate URL
  - From: Pasi.Eronen
- Re: [TLS] Next steps for Client Certificate URL
  - From: Nelson B Bolyard

Prev by Date: Re: [TLS] Next steps for Client Certificate URL
Previous by thread: Re: [TLS] Next steps for Client Certificate URL
Index(es):
- Date
- Thread