[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [TLS] Next steps for Client Certificate URL

To: <nelson@xxxxxxxxxxx>
Subject: Re: [TLS] Next steps for Client Certificate URL
From: <Pasi.Eronen@xxxxxxxxx>
Date: Mon, 31 Mar 2008 10:45:09 +0300
Cc: tls@xxxxxxxx
Delivered-to: tls@xxxxxxxxxxxxxx
In-reply-to: <47ED54D2.5040000@xxxxxxxxxxx>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <1696498986EFEC4D9153717DA325CB7238EA05@xxxxxxxxxxxxxxxxxxxxxx> <47ED54D2.5040000@xxxxxxxxxxx>
Sender: tls-bounces@xxxxxxxx
Thread-index: AciREkBi5e9UNz5pTCq8g7uztgIG7wB7+qHA
Thread-topic: [TLS] Next steps for Client Certificate URL

This issue was originally raised by Ray Perlner from NIST:
http://www.ietf.org/mail-archive/web/tls/current/msg00881.html

Basically, without the hash, the client and the server could have
different idea on what client identity was authenticated, if there
exists several certificates containing the same public key. Note 
that all those certificates can be totally valid, and the situation 
doesn't assume key compromise or CA misbehavior.

Best regards,
Pasi

> -----Original Message-----
> From: ext Nelson B Bolyard [mailto:nelson@xxxxxxxxxxx] 
> Sent: 28 March, 2008 22:28
> To: Eronen Pasi (Nokia-NRC/Helsinki)
> Cc: tls@xxxxxxxx
> Subject: Re: [TLS] Next steps for Client Certificate URL
> 
> Pasi.Eronen@xxxxxxxxx wrote, On 2008-03-28 07:13:
> 
> > Given this, would everyone be OK with updating the existing
> > client_certificate_url extension so that including the hash is
> > mandatory (client MUST send, server MUST NOT accept without hash)?
> > This behavior would be independent of the negotiated TLS version.
> 
> I'm trying to understand the attack against which this hash is going
> to protect, that is not already adequately protected without it.
> Can someone outline that attack here?
> 
> Presumably, the attack involves substituting a different certificate
> than the one intended by the client.  To succeed the substitute cert
> must bear a public key that will verify the client's signature in the
> Certificate Verify message, and must bear a signature verifiable with
> the public key from some CA trusted by the server for issuing client
> auth certs.  That would seem to necessitate CA key compromise, or
> client key compromise, or CA collusion with the attacker.  The hash
> would not protect against client key compromise.
> 
> Is this hash intended to detect CA key compromise and/or collusion?
_______________________________________________
TLS mailing list
TLS@xxxxxxxx
https://www.ietf.org/mailman/listinfo/tls

References:
- [TLS] Next steps for Client Certificate URL
  - From: Pasi.Eronen
- Re: [TLS] Next steps for Client Certificate URL
  - From: Nelson B Bolyard

Prev by Date: Re: [TLS] Security today
Previous by thread: Re: [TLS] Next steps for Client Certificate URL
Index(es):
- Date
- Thread