(quick correction to my prior email: the certificates issued by the
intermediate are valid for up to 15 months in that example, and the
key is retired when it cannot sign anything with a validity less than
12 months.)

-Kyle H


On Mon, Apr 28, 2014 at 4:10 PM, Kyle Hamilton <aerow...@gmail.com> wrote:


On Fri, Apr 25, 2014 at 6:59 AM, Erwann Abalea <eaba...@gmail.com> wrote:
> On Friday, 25 April 2014 at 13:46:51 UTC+2, Martin Paljak wrote:
>> On Thu, Apr 24, 2014 at 9:07 PM, Kathleen Wilson <kwil...@mozilla.com> wrote:
>> > Also, we added a section to the wiki page to list some behavior changes that
>> > could cause a website certificate to no longer validate with Firefox 31.
>> > https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Behavior_Changes
>>
>> What is the rationale for this:
>>
>> 4. Mozilla::pkix performs chaining based on issuer name alone, and
>> does not require that issuer's subject key match the authority key
>> info (AKI) extension in the certificate. Classic verification enforces
>> the AKI restriction.
>
> AKI is only a helper for certificate path building.
> It's mandatory for CAs to issue certificates with matching keyIdentifiers 
> (issued.AKI.keyIdentifier = issuer.SKI), but it's not mandatory for relying 
> parties to verify that the values match.

Erwann (and all),

AKI is necessary for multiple public keys used by the same Subject
certifier.  It's particularly useful for a "rolling chain" of public
keys, each one used to sign certificates within a given period of
months, but with overlapping validity periods.

0     3     6     9    12    15    18    21    24    27
|uuuuu|vvvvv|vvvvv|vvvvv|vvvvv|.....|.....|.....|.....|
|.....|uuuuu|vvvvv|vvvvv|vvvvv|vvvvv|.....|.....|.....|
|.....|.....|uuuuu|vvvvv|vvvvv|vvvvv|vvvvv|.....|.....|
|.....|.....|.....|uuuuu|vvvvv|vvvvv|vvvvv|vvvvv|.....|
|.....|.....|.....|.....|uuuuu|vvvvv|vvvvv|vvvvv|vvvvv|

In this diagram, 'u' means "in use".  'v' means "valid".  The numbers
at the top refer to 'counted months'.  So, in this case, the private
keys are used for 3 months while their issued certificates are valid
for up to 12 months.  There are 5 potential keys, identifiable only
through the use of the AKID extension.

Yes, the certified entity is supposed to provide its verifiable chain,
back to the root (but not including the root)... at least, according
to TLS, and other IETF Security working-area client protocols.  But,
it's not mandatory per PKIX, and it's also not mandatory per X.509,
either.

I believe this to be a poor design decision on the part of Mozilla.

-Kyle H

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
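
An added example, not part of the original emails: a Python model of the rolling schedule in the diagram (five keys under one subject name, each row read as 3 months in use and 15 months on the chart), comparing issuer selection by name alone with selection narrowed by AKI = SKI. The subject name, key bytes, SHA-1 key identifier and HMAC "signature" are constructed stand-ins for real X.509 fields and signatures.

```python
import hashlib
import hmac
from dataclasses import dataclass

SUBJECT = "CN=Example Rolling Intermediate"  # constructed subject name

@dataclass(frozen=True)
class IssuerCert:
    subject: str
    ski: str          # subjectKeyIdentifier (here: SHA-1 of the stand-in key)
    key: bytes        # stand-in for the CA key pair
    use_from: int     # first month the key signs (start of the 'u' block)
    use_until: int    # month the key stops signing
    valid_until: int  # month the row ends on the diagram

@dataclass(frozen=True)
class Leaf:
    issuer: str
    aki: str          # authorityKeyIdentifier, copied from the signer's SKI
    tbs: bytes
    signature: bytes

def sign(key, tbs):
    # HMAC stands in for a real signature so the example needs only the stdlib.
    return hmac.new(key, tbs, hashlib.sha256).digest()

def rolling_issuers(count=5, use_months=3, row_months=15):
    out = []
    for i in range(count):
        key = f"constructed-key-{i}".encode()
        start = i * use_months
        out.append(IssuerCert(SUBJECT, hashlib.sha1(key).hexdigest(), key,
                              start, start + use_months, start + row_months))
    return out

def issue(issuers, month, name):
    signer = next(c for c in issuers if c.use_from <= month < c.use_until)
    tbs = f"{name}|issued-month-{month}".encode()
    return Leaf(signer.subject, signer.ski, tbs, sign(signer.key, tbs))

def candidates(issuers, leaf, month, use_aki):
    pool = [c for c in issuers
            if c.subject == leaf.issuer and c.use_from <= month < c.valid_until]
    return [c for c in pool if c.ski == leaf.aki] if use_aki else pool

def build(issuers, leaf, month, use_aki):
    """Return (issuer that verifies the leaf or None, signature checks made)."""
    tried = 0
    for cand in candidates(issuers, leaf, month, use_aki):
        tried += 1
        if hmac.compare_digest(sign(cand.key, leaf.tbs), leaf.signature):
            return cand, tried
    return None, tried
```

For a leaf issued in month 13, all five issuer certificates are on the chart: name-only selection reaches the signer after five signature checks and AKI-narrowed selection after one, while a leaf whose AKI matches no SKI chains only under name-only selection.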
