ietf-smime
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: I-D ACTION:draft-ietf-smime-escertid-01.txt

2006-11-07 08:21:54
from [Denis Pinkas] [Permanent Link] 

Jim,


Demis,

       ^^
  Denis


The statement in parens is not meant to be true, it is meant to state a
condition under which the preceding statement would be sufficent.  Thus it
starts "This assumes..."  


The text states:

   The issuer/serial number pair would therefore normally be sufficient to 
identify
   the correct signing certificate.  (This assumes the same issuer name
   is not re-used from the set of trust anchors.) 

We cannot construct on assumptions, in particular since there is no 
standardized way 
to know when this assumption would be met.


If you think that the issuer/serial number pair is insufficent to identify a
certificate, have you filed a defect report with X.509?  


If you think that  the issuer/serial number pair is sufficient to identify a 
certificate, 
why have you issued RFC 2634 ?  :-)

The issuer/serial number pair is only sufficient when it is possible to know 
the name of the CA 
that has issued a certificate to that issuer (and recursively up to a trust 
anchor).


I don't see a
significant difference in content between the second sentence you have and
sentences 2 and 3 in my paragraph.   


I see it. If you don't care, it would save much time to take my wording 
proposal.


I would be more worried about an
attacker re-using the same issuer name rather than the re-use of the same
issuer name in a single tree of certificate authorities.


The use of the same issuer name is not necessarily an attack.


I am unconvinced that in cases where the issuer/serial is not used in the
sid, it needs to be placed in the cert id structure.  


Your original text is:

   The issuer/serial
   number pair can be stored in the sid field of the SignerInfo object.
   However the sid field is not covered by the signature.  In the cases
   where the issuer/serial number pair is not used in the sid or the
   issuer/serial number need to be signed, they should be placed in the
   issuerSerial field of the ESSCertIDv2 structure.


This is only a hint
for finding the certificate and is not good identification.  The true
identification is going to be the hash of the certificate.  


We both agree.


Thus I don't see
the need for the statement einging "In the cases ..."  Additionally this is
covered in my current last sentence of the text.


I tried to use your text as much as possible. So the two sentences are similar:

Yours:

   In the cases where the issuer/serial number pair is not used in the sid 
   or the issuer/serial number need to be signed, they should be placed in the
   issuerSerial field of the ESSCertIDv2 structure.

Mine:

        In the cases where the issuer/serial number pair is not used in the 
sid, 
        it should be placed in the issuerSerial field of the ESSCertIDv2 
structure.


I think that the order you are placing the paragraphs is backwards.  The
most important thing is the reason why the hash value is there rather than
why issuer/serial is not a good method.


It is a matter of presentation, but it is necessary to explain in the case of 
an *accidental* name collision 
why issuer/serial may be insufficient. The three scenario of attack do NOT 
cover the case of name collision 
because it is not necessarilly an attack: it may happen by accident. The case 
of name collision is not covered 
in the security considerations section either.

Another option would be to add text in the security considerations section, 
which would then allow 
to shorten the explanations in the main body of the document.

I am unhappy with the current text. In order to move forward, would you be able 
to make a new text 
proposal that would possibly satisfy both of us ?

Denis


Jim



-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org 
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Denis 
Pinkas
Sent: Thursday, August 24, 2006 11:29 AM
To: ietf-smime(_at_)imc(_dot_)org
Subject: Re: I-D ACTION:draft-ietf-smime-escertid-01.txt


Jim,

In order to solve my two concerns, the faster is to propose a 
text replacement.
I hope this will clarify my statements.

The statement in the parenthesis is not true. The 
issuer/serial number is not sufficient.

I propose the following as a global replacement:

   The issuer/serial number pair is the method of identification of
   certificates used in [PKIXCERT].  The issuer/serial number pair may
   be insufficient since two or more CAs with the same DN 
   could exist in different branches from a given certification tree.  The
   issuer/serial number pair may be used as a hint to fetch the
   certificate(s).  The issuer/serial number pair can be stored in the
   sid field of the SignerInfo object.  In the cases where the
   issuer/serial number pair is not used in the sid, it should be
   placed in the issuerSerial field of the ESSCertIDv2 structure.
   In some cases, hashes are used by certificate stores as a method of
   indexing and retrieving certificates, hence another reason for
   having the issuer/serial number pair optional.

   The hash of the entire certificate allows for a verifier to check
   that the certificate used in the verification process is indeed the
   one the signer intended to be used.  The use of the hash is
   required by this structure since the detection of substituted
   certificates with the same DN and serial number is based on the
   fact they would map to different hash values.

Denis
 

 I have several problems with draft-ietf-smime-escertid-01.txt.

 In RFC 2634, we have section "5.4 called Signing Certificate  
Attribute Definition"

 The proposal is to add a section 5.4.1 to define the v2  version 
first (!) and then the current version (with SHA-1).
 This should be done in the reverse way:

 - first a section 5.4.1 to define the current version (with SHA-1),
 - then a section 5.4.2 to define the v2 version.


I prefer the existing ordering.  I would rather have the 
items that people are to be using occur first and then 
obsolete items rather than the other way around.  I have not 
changed this.



 After this restructuring, I have some problems with the 

text itself :


 Issue 1 (page 4):

   "Applications SHOULD recognize both attributes as long as
   they consider SHA-1 to be sufficiently descriminating".

 "descriminating" is not crystal clear for me. Would it be  

possible 

to have the same idea expressed using a different wording ?


Done



 Issue 2 (pages 4 & 5):

 There is a duplication of the same paragraph (one is enough):

   "The signing certificate attribute is designed to prevent  the 
simple
   substitution and re-issue attacks, and to allow for a  

restricted 

set
   of authorization certificates to be used in verifying a 

signature".

I believe that not having any descriptive text at these 
locations and jumping directly into the ASN.1 to be a poor 
choice.  I have not changed this.



 Issue 3 (page 7):

   "The issuer/serial number pair would therefore normally be  
sufficient
   to identify the correct signing certificate.  (This  assumes the 
same
   issuer name is not re-used from the set of trust anchors.)"

 The assumption between the parenthesis is insufficient to  

correctly 

identify the correct signing certificate. The  sentence needs to be 
changed.


I do not understand your statement.  If the statement in 
parenthesis is true, then it is sufficent.  If the statement 
in the parenthesis is not true, then issuer/serial number is 
not sufficent.  Please re-read the text and explain better 
what your problem is.



 Issue 4 (page 7):

   "In the cases
   where the issuer/serial number pair is not used in the sid or the
   issuer/serial number need to be signed, they should be  

placed in 

the
   issuerSerial field of the ESSCertIDv2 structure."

 The issuer/serial number pair can be used in the sid, but  

since it 

is unsigned, it is insufficient to correctly  identify the correct 
signing certificate.
 So this rational is incorrect. The sentence needs to be changed.


I have no idea what you are trying to state here.  My 
sentence and your comment do not seem to be coming from the 
same context.  Please re-read the sentence.



 Finally, I would propose that the next draft proposes a  global 
replacement  for section 5.4 to make sure that the whole section is 
consistent  (and that the text in it is not redondant).


I can understand your concern, however I believe that the 
current layout is better and more explicit for the RFC editor.

Jim



 Denis













 >A New Internet-Draft is available from the on-line  

Internet-Drafts 

directories.
 >This draft is a work item of the S/MIME Mail Security  

Working Group 

of the IETF.
 >
 >      Title                 : ESS Update: Adding CertID 

Algorithm Agility

 >            Author(s)         : J. Schaad
 >            Filename          : draft-ietf-smime-escertid-01.txt
 >      Pages               : 18
 >      Date                 : 2006-4-18
 >     
 >In the original Enhanced Security Services for S/MIME draft, a  

structure for cryptographically linking the certificate to 

be used in  

validation with the signature was introduced, this structure was  
hardwired to use SHA-1.  This document allows for the 

structure to  

have algorithm agility and defines new attributes to deal 

with the  

updating.

 >
 >A URL for this Internet-Draft is:
 
http://www.ietf.org/internet-drafts/draft-ietf-smime-escertid-01.txt
 >
 >To remove yourself from the I-D Announcement list, send a 

message to  

i-d-announce-request(_at_)ietf(_dot_)org with the word unsubscribe in 

 the body 

of the message.
 >You can also visit
 https://www1.ietf.org/mailman/listinfo/I-D-announce
 >to change your subscription settings.
 >
 >
 >Internet-Drafts are also available by anonymous FTP. 

Login  with the 

username  >"anonymous" and a password of your e-mail address. After 
logging in,  >type "cd internet-drafts" and then
 >      "get draft-ietf-smime-escertid-01.txt".
 >
 >A list of Internet-Drafts directories can be found in  

http://www.ietf.org/shadow.html  >or 

ftp://ftp.ietf.org/ietf/1shadow-sites.txt
 >
 >
 >Internet-Drafts can also be obtained by e-mail.
 >
 >Send a message to:
 >            mailserv(_at_)ietf(_dot_)org(_dot_)
 >In the body type:
 >      "FILE /internet-drafts/draft-ietf-smime-escertid-01.txt".
 >     
 >NOTE:            The mail server at ietf.org can return 

the document in

 >      MIME-encoded form by using the "mpack" utility.  To use this
 >      feature, insert the command "ENCODING mime" before 

the "FILE"

 >            command.  To decode the response(s), you will need 

"munpack" or

 >      a MIME-compliant mail reader.  Different MIME-compliant
 mail readers
 >      exhibit different behavior, especially when dealing with
 >            "multipart" MIME messages (i.e. documents 

which have been 
split

 >      up into multiple messages), so check your local 

documentation on

 >      how to manipulate these messages.
 >                 
 >                 
 >Below is the data which will enable a MIME compliant mail reader  

implementation to automatically retrieve the ASCII version of the  
Internet-Draft.

 >
 >Content-Type: text/plain
 >Content-ID:            <2006-4-18160113(_dot_)I-D(_at_)ietf(_dot_)org>
 >
 >ENCODING mime
 >FILE /internet-drafts/draft-ietf-smime-escertid-01.txt
 >

 Regards,

 Denis Pinkas













Regards,

Denis Pinkas
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • Re: I-D ACTION:draft-ietf-smime-escertid-01.txt, Denis Pinkas <=
Next by Date:  {Blocked Content} I-D ACTION:draft-ietf-smime-escertid-02.txt, Internet-Drafts
Next by Thread:  {Blocked Content} I-D ACTION:draft-ietf-smime-escertid-02.txt, Internet-Drafts
Indexes:  [Date] [Thread] [Top] [All Lists]