Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security considerations for future-dated OCSP responses and stolen private keys. #386

Merged
merged 2 commits into from
Feb 6, 2019
+79 −4
Merged

Security considerations for future-dated OCSP responses and stolen private keys. #386

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
edb54c2
Security considerations for future-dated OCSP responses and stolen pr…
jyasskin Jan 28, 2019
00a921b
Avoid saying a CT log "will" satisfy its promises.
jyasskin Feb 6, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
83 changes: 79 additions & 4 deletions draft-yasskin-http-origin-signed-responses.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,26 @@ normative:

informative:
SRI: W3C.REC-SRI-20160623
BRs:
target: https://cabforum.org/baseline-requirements-documents/
title: Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates
author:
- org: CA/Browser Forum
date: 2018-12-10
CRLSets:
target: https://www.imperialviolet.org/2012/02/05/crlsets.html
title: Revocation checking and Chrome's CRL
author:
- name: Adam Langley
org: Chromium
date: 2012-02-05
OneCrl:
target: https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/
title: "Revoking Intermediate Certificates: Introducing OneCRL"
author:
- name: Mark Goodwin
org: Mozilla
date: 2015-03-03

--- abstract

Expand Down Expand Up @@ -1249,10 +1269,62 @@ attacker.

Relaxing the requirement to consult DNS when determining authority for an origin
means that an attacker who possesses a valid certificate no longer needs to be
on-path to redirect traffic to them; instead of modifying DNS, they need only
convince the user to visit another Web site in order to serve responses signed
as the target. This consideration and mitigations for it are shared by the
combination of {{?RFC8336}} and {{?I-D.ietf-httpbis-http2-secondary-certs}}.
on-path to redirect traffic to them; instead of modifying DNS or IP routing,
they need only convince the user to visit another Web site in order to serve
responses signed as the target. This consideration and mitigations for it are
shared by the combination of {{?RFC8336}} and
{{?I-D.ietf-httpbis-http2-secondary-certs}}, and are discussed further in
{{?I-D.bishop-httpbis-origin-fed-up}}.

### Mis-issued certificates

If a CA mis-issues a certificate for a domain, this specification provides a way
to detect the mis-issuance and mitigate harm within approximately two weeks.
Specifically, because all signed exchanges must include a
`SignedCertificateTimestampList` ({{?RFC6962}}, the mis-issued certificate will
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/will/should/

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's stronger than "should". How about "a CT log has promised to publish the mis-issued certificate within"?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SGTM! Yeah, just wanted to call out 'expected'/'required' from 'actual' behaviour :)

appear in a CT log within that log's Maximum Merge Delay, 1 day for many logs.
The domain owner can then detect the mis-issued certificate and notify the CA to
revoke it, which the {{BRs}}, section 4.9.1.1, say they must do within another 5
days.

Once the mis-issued certificate is revoked, existing OCSP responses begin to
expire. The {{BRs}}, section 4.9.10, require that OCSP responses have a maximum
expiration time of 10 days, after which they can't be used to validate a
certificate chain ({{cert-chain-format}}). This leads to a total compromised
time of 16 days after a mis-issuance.

However, CAs might future-date their OCSP responses, in which case the
mitigation doesn't work.

CAs are forbidden from future-dating their OCSP responses by the {{BRs}} section
4.9.9, "OCSP responses MUST conform to RFC6960 and/or RFC5019." {{?RFC6960}}
includes, "The time at which the status was known to be correct SHALL be
reflected in the thisUpdate field of the response.", and {{?RFC5019}} includes,
"When pre-producing OCSPResponse messages, the responder MUST set the
thisUpdate, nextUpdate, and producedAt times as follows: thisUpdate: The time at
which the status being indicated is known to be correct."

However, if a CA violates the {{BRs}} to sign future-dated OCSP responses,
attempts to keep the nonconformant OCSP responses private, but then leaks them,
it could cause clients to trust a hostile signed exchange long after its
certificate has been revoked.

Clients could use systems like {{CRLSets}} and {{OneCrl}} to revoke the
intermediate certificate that signed the future-dated OCSP responses.

### Stolen private keys
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if this PR is the best place to address it, but it does heavily overlap with the OCSP analysis you provided and the discussion of short-lived certs; namely, the security considerations of validation risks to certificates.

Grossly oversimplifying:

  • Because these certificates can be used without being on path, then exploits in validation practices become more useful
  • OCSP is reactive, once an issue is detected
  • CAA (and lifetimes) are useful in ensuring robustness at time of issuance
  • These methods (CAA, OCSP, reduced lifetime) are existing issues that the ecosystem faces; the only difference is in the calculus about being on-path, hence stronger mitigations than the status-quo

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, and I mention it here because private key compromise and validation compromise are similar in the capabilities they grant, with key compromise being less detectable.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a good unifying point. I'm going to send another PR to talk about it after the CAA requirement is merged.


If the private key for a CanSignHttpExchanges certificate is stolen, it can be
used at scale until the certificate expires or is revoked, and unlike for a
stolen key for a normal TLS-terminating certificate, the rightful owner can't
detect the problem by watching for attacks on the DNS or routing infrastructure.

This specification does not currently propose a way for the rightful owner to
detect that their keys are being used by an attacker, after they've opted into
the risk by requesting a CanSignHttpExchanges certificate in the first place.
Clients can fetch a signature's "validity-url" ({{signature-header}}) to help
owners detect key compromise, but that compromises some of the privacy
properties of this specification.

## Downgrades ## {#seccons-downgrades}

Expand Down Expand Up @@ -1968,6 +2040,9 @@ RFC EDITOR PLEASE DELETE THIS SECTION.

draft-06

* Add a security consideration for future-dated OCSP responses and for stolen
private keys.

draft-05

* Define absolute URLs, and limit the schemes each instance can use.
Expand Down