From: Peter Rybar [mailto:rybar(_at_)nbusr(_dot_)sk]
Sent: Wednesday, October 21, 2009 11:41 AM
To: 'pkix(_at_)ietf(_dot_)org'
Cc: 'ietf-smime(_at_)ietf(_dot_)org'; 'ESI(_at_)list(_dot_)etsi(_dot_)org';
'peterryb(_at_)gmail(_dot_)com'
Subject: RE: [pkix] I-D Action:draft-ietf-pkix-rfc3161-update-07.txt
Dear all,
The pkix-bounces(_at_)ietf(_dot_)org timestamp discussion about allowing the use of
ESSCertIDv2 (defined in RFC 5035) together with the presently used mandatory
ESSCertID (SHA1) in timestamps causes confusion.
For example, at one important meeting, an expert from one EU country presented
that he was incorrectly informed that the usage of ESSCertID or ESSCertIDv2 is
useful only for solving a hypothetical attack which is not possible in
reality, and mentioned that it was the opinion of IETF and ETSI experts.
According to such incorrect information from an unknown UK IETF or ETSI expert,
one national decision on the usage of ESSCertID or ESSCertIDv2 presented
ESSCertID or ESSCertIDv2 as not useful as mandatory to be included in Qualified
Electronic Signatures or AdES based on Qualified Certificates.
For that reason I would like to remind you that at least two easily realizable
attacks are possible:
Anybody can use any editor tool for a substitution attack, e.g.
http://lipingshare.com/Asn1Editor/, which is really smart.

1. Attacker (timestamp or electronic document signer) asks two trusted CAs to
issue two certificates with the same key.
2. Attacker asks one CA for revocation of one certificate.
3. If ESSCertID or ESSCertIDv2 is not used, the attacker is able to substitute
the signer certificate in the timestamp (or signature).
4. The electronic signature is therefore not usable as trusted evidence in
some actions.

1. Attacker (timestamp or electronic document signer) asks two trusted CAs to
issue two certificates with the same key, but the second certificate is
requested and issued after the expiration of the first certificate issued for the
same key.
2. If ESSCertID or ESSCertIDv2 is not used, the attacker is able to substitute
the signer certificate in the timestamp (or signature).
3. The electronic signature is therefore not usable as trusted evidence in
some actions.
If a certificate is used only as a carrier of a public key and the certificate
validity is not important, then ESSCertID or ESSCertIDv2 is also not important,
but in any other situation when the validity has a significant impact on some
actions, ESSCertID or ESSCertIDv2 must be used.
Another possibility for solving such attacks is to have mandatory rules for CAs
and registration authorities:
The CA must issue a certificate only for a key which was newly generated by
the CA or registration operators before the certificate creation.
Regards,
Peter Rybar
tel.: +421 2 6869 2163
mob.: +421 902 891 155
fax: +421 2 6869 1701
e-mail: peter(_dot_)rybar(_at_)nbusr(_dot_)sk
e-mail: peterryb(_at_)gmail(_dot_)com
_____
From: pkix-bounces(_at_)ietf(_dot_)org
[mailto:pkix-bounces(_at_)ietf(_dot_)org] On Behalf Of Stefan Santesson
Sent: Tuesday, October 20, 2009 10:10 AM
To: denis(_dot_)pinkas(_at_)bull(_dot_)net; pkix
Subject: Re: [pkix] I-D Action:draft-ietf-pkix-rfc3161-update-07.txt
_______________________________________________
smime mailing list
smime(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/smime
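
An added example, not part of the original message: a verifier-side check showing why a signed ESSCertID (RFC 2634, SHA-1) or ESSCertIDv2 (RFC 5035, SHA-256 by default) hash over the whole certificate separates two certificates that carry the same public key. The certificates are constructed byte strings standing in for DER encodings, and all function and variable names are hypothetical.

```python
import hashlib
import hmac

# ESSCertID (RFC 2634) hashes the whole certificate with SHA-1;
# ESSCertIDv2 (RFC 5035) names the algorithm, SHA-256 by default.
ESS_HASHES = {"ESSCertID": "sha1", "ESSCertIDv2": "sha256"}


def make_cert(issuer, serial, not_after, public_key):
    """Constructed stand-in for a DER certificate (not real ASN.1)."""
    return b"|".join([issuer, serial, not_after, public_key])


def cert_public_key(cert):
    """Extract the key field from the stand-in encoding."""
    return cert.rsplit(b"|", 1)[1]


def ess_cert_hash(cert, kind="ESSCertIDv2"):
    """certHash value: digest over the complete encoded certificate."""
    return hashlib.new(ESS_HASHES[kind], cert).digest()


def key_only_matches(candidates, public_key):
    """Without the signed attribute, every certificate holding the
    verifying key is an equally plausible signer certificate."""
    return [c for c in candidates if cert_public_key(c) == public_key]


def bound_signer_cert(candidates, signed_hash, kind="ESSCertIDv2"):
    """Return the one certificate whose hash equals the signed certHash,
    or None so the caller rejects the signature."""
    matches = [c for c in candidates
               if hmac.compare_digest(ess_cert_hash(c, kind), signed_hash)]
    return matches[0] if len(matches) == 1 else None


# Constructed sample data: two CAs certified the same key.
KEY = b"constructed-public-key-bytes"
CERT_A = make_cert(b"CN=CA One", b"01", b"20101021", KEY)  # used at signing
CERT_B = make_cert(b"CN=CA Two", b"7f", b"20121021", KEY)  # same key, other CA
SIGNED_HASH = ess_cert_hash(CERT_A)  # value placed in the signed attribute

if __name__ == "__main__":
    print("key-only candidates:", len(key_only_matches([CERT_A, CERT_B], KEY)))
    print("bound to CERT_A:", bound_signer_cert([CERT_A, CERT_B], SIGNED_HASH) == CERT_A)
    print("substituted set rejected:", bound_signer_cert([CERT_B], SIGNED_HASH) is None)
```

Revocation and validity checks then run against the certificate this check returns, not against whichever certificate happens to accompany the signature.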