Re: [TLS] TLS document status update
At Tue, 29 Apr 2008 13:42:05 -0700,
Mike wrote:
>
> >> But how could the substitution attack even succeed? You would need
> >> to create a valid CA signature on the replacement certificate, which
> >> should not be possible.
> >
> > Why not? All you need is a CA which doesn't require technical
> > Proof of Possession of the private key.
>
> If you can't trust your own CA, then by all means send the hash.

This is not about trusting your own CA, because a CA which issues
certificates without requiring PoP is not acting in an untrustworthy
fashion.

To recap, the attack looks like this:

1. Alice gets a certificate with key pair K_pub, K_priv.
2. The attacker gets his own certificate with K_pub, K_priv
   under his own name.
3. Alice connects to the server and offers to authenticate
   using certificate_url.
4. The attacker intercepts the server's connection to the
   URL provided by Alice and substitutes his own certificate.
5. The server now thinks that any data sent by Alice was
   actually sent by the attacker.

So, first of all, whatever CA the attacker used has not done
anything wrong. Second, the CA can be totally different from
the client. Third, the client has no way of knowing what
policies the CAs trusted by the server enforce.
-Ekr
_______________________________________________
TLS mailing list
TLS@xxxxxxxx
https://www.ietf.org/mailman/listinfo/tls
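
The server-side check behind "send the hash", as an added model that is not part of the original message or of any TLS implementation: it shows why a valid CA signature and a passing CertificateVerify do not stop the substitution recapped above, and why comparing the fetched certificate against a hash sent in the client's handshake does. Assumptions: certificates are toy records rather than X.509, CertificateVerify is reduced to a public-key comparison, SHA-1 is the hash, and `Cert`, `TRUSTED_CAS` and `server_authenticate` are hypothetical names.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cert:
    """Toy stand-in for an X.509 certificate (constructed, not real DER)."""
    subject: str
    public_key: bytes
    issuer: str

    def encode(self) -> bytes:
        return b"|".join([self.subject.encode(), self.public_key, self.issuer.encode()])


TRUSTED_CAS = {"CA-1", "CA-2"}  # constructed server trust store
K_PUB = b"K_pub"                # the key pair both certificates carry

# Steps 1 and 2: same key, different names, possibly different CAs.
ALICE_CERT = Cert("Alice", K_PUB, "CA-1")
ATTACKER_CERT = Cert("Attacker", K_PUB, "CA-2")


def server_authenticate(fetched: Cert, proven_key: bytes,
                        client_hash: Optional[bytes]) -> str:
    """Return the identity the server attributes the session to.

    fetched     -- certificate returned by the URL fetch (step 4 can replace it)
    proven_key  -- public key whose private half the peer proved it holds
                   (models a successful CertificateVerify)
    client_hash -- hash of the certificate sent inside the client's handshake,
                   which the URL-fetch interceptor does not control; None
                   models a client that sent the URL alone
    """
    if fetched.issuer not in TRUSTED_CAS:
        raise ValueError("certificate not issued by a trusted CA")
    if fetched.public_key != proven_key:
        raise ValueError("CertificateVerify does not match certificate key")
    if client_hash is not None:
        digest = hashlib.sha1(fetched.encode()).digest()
        if not hmac.compare_digest(digest, client_hash):
            raise ValueError("fetched certificate does not match client hash")
    return fetched.subject


def alice_hash() -> bytes:
    """Hash Alice computes over her own certificate before connecting."""
    return hashlib.sha1(ALICE_CERT.encode()).digest()
```

Without the hash, the substituted certificate passes both the CA check and the key check, so the server returns "Attacker" for Alice's session; with the hash, the same fetch is rejected.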