[cabf_validation] [EXTERNAL]Re: Ballot Proposal: Validation Method in certificatePolicies

Wed Aug 8 06:37:06 MST 2018

I'm afraid that significantly misunderstands how transparency logs works -
or is proposing a solution that is not fleshed out. Transparency is not
some magic pixie dust we can sprinkle and add arbitrary information. This
is perhaps most obvious in the fact that solutions like Certificate
Transparency were explicitly and intentionally designed in such a way as to
explicitly avoid any secondary lookups (such as required by OCSP or CRLs),
and yet to try and stuff such information into logs (setting aside the
whole host of ecosystem concerns with how they work) is to effectively
force such online lookups.

I think it might be useful to consider the counter-example: Why put the
domain in the certificate at all? It will start small, with just one or two
domains, but will eventually clutter the certificate when the certificate
is used for multiple domains.

I'm sure you can quickly realize that there are a host of design tradeoffs
and problems with such a design in removing the domain name, and those same
concerns are equally relevant for the validation method used for the domain
name.

On Wed, Aug 8, 2018 at 4:34 AM Burton <burton at typewritten.net> wrote:

> Why include this information into the certificate and clutter it? This
> will start small but eventually will grow and end up covering all method in
> use by CAs for all certificate types and clutter it. A better way would be
> introduce a dedicated transparency log which lists all the validation
> method(s) used to validate that particular certificate and this
> transparency log would be better for analysation.
>
>
>
>
>
> On Wed, Aug 8, 2018 at 1:40 AM Ryan Sleevi via Validation <
> validation at cabforum.org> wrote:
>
>> Correct.
>>
>> The ID is 13, which the following don't support: OpenSSL
>> <https://github.com/openssl/openssl/blob/master/include/openssl/asn1.h>,
>> BoringSSL
>> <https://boringssl.googlesource.com/boringssl/+/master/include/openssl/bytestring.h#143>,
>> LibreSSL
>> <https://github.com/libressl/libressl/blob/ba04546060b835e279c0e8a26261e73a1964927c/src/crypto/asn1/asn1.h#L96>,
>> NSS <https://dxr.mozilla.org/nss/source/nss/lib/util/quickder.c#728>, Apache
>> Harmony
>> <https://harmony.apache.org/subcomponents/classlibrary/asn1_framework.html#ASN1Oid>,
>> Microsoft Windows
>> <https://docs.microsoft.com/en-us/windows/desktop/SecCrypto/constants-for-cryptencodeobject-and-cryptdecodeobject>,
>> and perhaps most importantly for a number of members, EJBCA
>> <https://www.ejbca.org/docs/Custom_Certificate_Extensions.html> and
>> BouncyCastle
>> <https://github.com/bcgit/bc-java/blob/master/core/src/main/java/org/bouncycastle/asn1/ASN1InputStream.java#L424>
>> .
>>
>> As I said, it's not well-supported. For generating or parsing.
>>
>> On Tue, Aug 7, 2018 at 7:15 PM Wayne Thayer <wthayer at mozilla.com> wrote:
>>
>>> I tried to create a test certificate containing a relative OID using
>>> OpenSSL. As best I can tell it's not possible - that ASN.1 type isn't even
>>> defined:
>>>
>>> https://github.com/openssl/openssl/blob/master/include/openssl/asn1.h
>>>
>>> On Tue, Aug 7, 2018 at 11:02 AM Ryan Sleevi <sleevi at google.com> wrote:
>>>
>>>> Tim,
>>>>
>>>> It's not just browsers that are affected. I would hope you are
>>>> concerned about the wide variety of consuming products, which, to date,
>>>> have not needed to implement relative OIDs, and which, as a distinct
>>>> universal tag, can and will and do treat such certificates as invalid.
>>>>
>>>> It might help if you could articulate, concretely, the benefits of
>>>> relative OIDs, given the risk you're asking CAs to accept with having their
>>>> certificates not respected by a large body of existing software - of which
>>>> browsers are but one part.
>>>>
>>>> When you say "waste bytes", it's equally useful if you indicate the
>>>> context. Are you concerned about TLS handshakes? Something else? By my
>>>> math, the difference we're speaking of would be approximately 26 bytes
>>>> uncompressed. However, the IETF is actively working on certificate
>>>> compression (
>>>> https://datatracker.ietf.org/doc/draft-ietf-tls-certificate-compression/
>>>> ), and that may practically amortize to two bytes.
>>>>
>>>> Are two bytes worth the compatibility risk? Why?
>>>>
>>>> On Tue, Aug 7, 2018 at 1:57 PM Tim Hollebeek <
>>>> tim.hollebeek at digicert.com> wrote:
>>>>
>>>>> Then browsers should fix their code.  I thought the benefit of rapid
>>>>> update cycles for browsers was we didn’t have to have workarounds for dodgy
>>>>> browser code?  There should be plenty of time to make sure relative OIDs
>>>>> work correctly before the compliance deadline next year.
>>>>>
>>>>>
>>>>>
>>>>> It doesn’t make sense to me to waste a few bytes in certificates just
>>>>> because browsers have ignored or badly implemented relative OIDs.
>>>>>
>>>>>
>>>>>
>>>>> -Tim
>>>>>
>>>>>
>>>>>
>>>>> *From:* Wayne Thayer <wthayer at mozilla.com>
>>>>> *Sent:* Tuesday, August 7, 2018 12:02 PM
>>>>> *To:* Ryan Sleevi <sleevi at google.com>
>>>>> *Cc:* Tim Hollebeek <tim.hollebeek at digicert.com>; CA/Browser Forum
>>>>> Validation WG List <validation at cabforum.org>
>>>>> *Subject:* Re: [cabf_validation] [EXTERNAL]Re: Ballot Proposal:
>>>>> Validation Method in certificatePolicies
>>>>>
>>>>>
>>>>>
>>>>> I believe Ryan is stating that - even if we do require the relative
>>>>> form - it could cause compatibility issues with clients. The ASN.1 encoding
>>>>> of relative OIDs is a unique an apparently poorly supported type - even NSS
>>>>> doesn't recognize it. So either allowing or requiring the use of relative
>>>>> OIDs is risky and probably not worth the bytes saved.
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Aug 7, 2018 at 8:54 AM Ryan Sleevi <sleevi at google.com> wrote:
>>>>>
>>>>> I'm not sure I understand your reply.
>>>>>
>>>>>
>>>>>
>>>>> The complexity I mention is precisely because of requiring the
>>>>> relative OID. I'm afraid you may have taken the opposite meaning of my
>>>>> message.
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Aug 7, 2018 at 11:34 AM Tim Hollebeek <
>>>>> tim.hollebeek at digicert.com> wrote:
>>>>>
>>>>> I agree with Wayne, I think it might make sense to just require the
>>>>> use of the relative OID, to avoid the complexity you mention.
>>>>>
>>>>>
>>>>>
>>>>> -Tim
>>>>>
>>>>>
>>>>>
>>>>> *From:* Ryan Sleevi <sleevi at google.com>
>>>>> *Sent:* Monday, August 6, 2018 11:05 AM
>>>>> *To:* Wayne Thayer <wthayer at mozilla.com>; CA/Browser Forum Validation
>>>>> WG List <validation at cabforum.org>
>>>>> *Cc:* Tim Hollebeek <tim.hollebeek at digicert.com>
>>>>> *Subject:* Re: [cabf_validation] [EXTERNAL]Re: Ballot Proposal:
>>>>> Validation Method in certificatePolicies
>>>>>
>>>>>
>>>>>
>>>>> It would be clearer, and easier, to use the absolute form. The
>>>>> relative form is a nightmare to deal with in client software - because it's
>>>>> not used in any widely used X.509 extension (AFAICT). Certainly, NSS does
>>>>> not support decoding that type
>>>>>
>>>>>
>>>>>
>>>>> Further, in ASN.1, "RELATIVE OID" is a distinct type and tag than
>>>>> OBJECT IDENTIFIER (0x06 vs 0x0D). Thus the proposed language "MAY" requires
>>>>> a separate ASN.1 syntax (such as a CHOICE OF) to support the optionality,
>>>>> and will require updates to client software to support. This may be easier
>>>>> with implicit tagging rather than explicit, to avoid parsing issues on the
>>>>> unhandled relative OIDs, but... it's better to just not bother with it.
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Aug 3, 2018 at 2:42 PM Wayne Thayer via Validation <
>>>>> validation at cabforum.org> wrote:
>>>>>
>>>>> On Fri, Aug 3, 2018 at 11:30 AM Tim Hollebeek <
>>>>> tim.hollebeek at digicert.com> wrote:
>>>>>
>>>>> I’ll endorse.
>>>>>
>>>>>
>>>>>
>>>>> >
>>>>>
>>>>> Thanks. Anyone else?
>>>>>
>>>>> >
>>>>>
>>>>> I think you just want:
>>>>>
>>>>>
>>>>>
>>>>> BRValidationMethodSyntax ::= SEQUENCE SIZE (1..MAX) OF
>>>>> DomainOrIpAddressValidationMethodId
>>>>>
>>>>> DomainOrIpAddressValidationMethodId ::= OBJECT IDENTIFIER
>>>>>
>>>>> I think there’s a way to express the concept that
>>>>> DomainOrIpAddressValidationMethodId MUST be a child of { 2.23.140.1.11 }
>>>>> via ASN.1 constraints, but I can’t do it.  It might be better anyway just
>>>>> to be handle that constraint outside of the ASN.1.
>>>>>
>>>>>
>>>>>
>>>>> The ballot should make explicit that relative OIDs are allowed in
>>>>> addition to absolute OIDs, and if relative forms of OIDs are used, the
>>>>> forms MUST be relative to the prefix { 2.23.140.1.2 }.  That’ll make the
>>>>> encoding much smaller.
>>>>>
>>>>>
>>>>>
>>>>> So maybe something like:
>>>>>
>>>>>
>>>>>
>>>>> “BRValidationMethodSyntax ::= SEQUENCE SIZE (1..MAX) OF
>>>>> DomainOrIpAddressValidationMethodId
>>>>>
>>>>> DomainOrIpAddressValidationMethodId ::= OBJECT IDENTIFIER
>>>>>
>>>>> DomainOrIpAddressValidationMethodId OIDs MUST be a child of
>>>>> 2.23.140.1.2.4 or 2.23.140.1.2.5, and MAY appear in relative form, relative
>>>>> to 2.23.140.1.2.”
>>>>>
>>>>>
>>>>>
>>>>> >
>>>>>
>>>>> Would it be better to just require the use of relative form? I think
>>>>> so.
>>>>>
>>>>> >
>>>>>
>>>>> -Tim
>>>>>
>>>>>
>>>>>
>>>>> *From:* Validation <validation-bounces at cabforum.org> *On Behalf Of *Wayne
>>>>> Thayer via Validation
>>>>> *Sent:* Thursday, August 2, 2018 8:05 PM
>>>>> *To:* CA/Browser Forum Validation WG List <validation at cabforum.org>
>>>>> *Subject:* Re: [cabf_validation] [EXTERNAL]Re: Ballot Proposal:
>>>>> Validation Method in certificatePolicies
>>>>>
>>>>>
>>>>>
>>>>> I've addressed all the feedback that I have received in the version of
>>>>> the ballot below and at [1].
>>>>>
>>>>>
>>>>>
>>>>> I'm a complete rookie at ABNF and I've almost certainly botched the
>>>>> syntax. Can someone help me get the encoding right?
>>>>>
>>>>>
>>>>>
>>>>> I'm also looking for two endorsers, and of course, any additional
>>>>> feedback.
>>>>>
>>>>>
>>>>>
>>>>> - Wayne
>>>>>
>>>>>
>>>>>
>>>>> ==========================================================
>>>>>
>>>>>
>>>>>
>>>>> Ballot SC#: Validation Method Encoded in Certificates
>>>>>
>>>>> Purpose of Ballot: The methods defined in BR section 3.2.2.4 and
>>>>> 3.2.2.5 to confirm control or ownership of each domain name or IP address
>>>>> placed in a TLS certificate have varying security properties. This ballot
>>>>> proposes a standard format for expressing the method(s) the CA used to
>>>>> validate domain control or ownership of the Authorization Domain Name(s)
>>>>> placed in a certificate, and requires conforming CAs to include this
>>>>> information in certificates issued on or after July 1, 2019. This
>>>>> information is useful for quantification and analysis when vulnerabilities
>>>>> in specific methods are identified, and disclosing it will benefit the PKI
>>>>> ecosystem. As specified, this information is not useful or intended for
>>>>> making trust decisions in user agents.
>>>>>
>>>>> The following motion has been proposed by Wayne Thayer of Mozilla and
>>>>> endorsed by XXX of YYY and XXX of YYY.
>>>>>
>>>>>
>>>>>
>>>>> — MOTION BEGINS –
>>>>> This ballot modifies the “Baseline Requirements for the Issuance and
>>>>> Management of Publicly-Trusted Certificates” as follows, based upon Version
>>>>> 1.5.7:
>>>>>
>>>>> Add the following definitions to section 1.2:
>>>>>
>>>>> {joint‐iso‐itu‐t(2) international‐organizations(23)
>>>>> ca‐browser‐forum(140) certificate‐policies(1) baseline‐ requirements(2)
>>>>> domain-validation-methods(4)} (2.23.140.1.2.4).
>>>>> {joint‐iso‐itu‐t(2) international‐organizations(23)
>>>>> ca‐browser‐forum(140) certificate‐policies(1) baseline‐ requirements(2)
>>>>> IP-address-validation-methods(5)} (2.23.140.1.2.5).
>>>>>
>>>>> Add section 7.1.2.3(g), as follows:
>>>>>
>>>>> This extension MUST be present and SHOULD NOT be marked critical. g.
>>>>> cabf-BRValidationMethod (2.23.140.1.11) (required on or after April 1, 2019)
>>>>>
>>>>> This extension contains a list of one or more OIDs that assert every
>>>>> distinct method performed by the CA to validate domain control or ownership
>>>>> of each FQDN contained in the certificate's subjectAlternativeName. If an
>>>>> FQDN has been validated using multiple methods, the CA MAY assert more than
>>>>> one of the methods. This extension SHOULD NOT be marked critical.
>>>>>
>>>>> These OIDs representing validation methods SHALL be defined as follows:
>>>>>     * 2.23.140.1.2.4. concatenated with the subsection number of
>>>>> section 3.2.2.4 corresponding to the domain validation method that was used
>>>>> to validate one or more subjectAlternativeNames in this certificate (e.g.
>>>>> 2.23.140.1.2.4.2'); or,
>>>>>
>>>>>     * 2.23.140.1.2.5 concatenated with the subsection number of
>>>>> section 3.2.2.5 corresponding to the IP address validation method that was
>>>>> used to validate one or more subjectAlternativeNames in the certificate
>>>>> (e.g. '2.23.140.1.2.5.1').
>>>>>
>>>>> OIDs representing validation methods MUST be encoded in this extension
>>>>> as follows:
>>>>>
>>>>> cabf-BRValidationMethod OBJECT IDENTIFIER ::= { 2.23.140.1.11 }
>>>>>
>>>>> BRValidationMethodSyntax ::= SEQUENCE SIZE (1..MAX) OF
>>>>> DomainOrIpAddressValidationMethodId
>>>>>
>>>>> DomainOrIpAddressValidationMethodId ::= OBJECT IDENTIFIER
>>>>>
>>>>>
>>>>> — MOTION ENDS –
>>>>>
>>>>>
>>>>>
>>>>> [1]
>>>>> https://github.com/cabforum/documents/compare/master...wthayer:Ballot226#diff-7f6d14a20e7f3beb696b45e1bf8196f2
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Validation mailing list
>>>>> Validation at cabforum.org
>>>>> https://cabforum.org/mailman/listinfo/validation
>>>>>
>>>>> _______________________________________________
>> Validation mailing list
>> Validation at cabforum.org
>> https://cabforum.org/mailman/listinfo/validation
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20180808/b054c346/attachment-0001.html>