[147234] in cryptography@c2.net mail archive


Re: [Cryptography] PRISM-Proofing and PRISM-Hardening

daemon@ATHENA.MIT.EDU (Phillip Hallam-Baker)
Thu Sep 19 13:01:52 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <20130918215031.GZ29796@mournblade.imrryr.org>
Date: Wed, 18 Sep 2013 20:36:46 -0400
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Wed, Sep 18, 2013 at 5:50 PM, Viktor Dukhovni
<cryptography@dukhovni.org> wrote:

> On Wed, Sep 18, 2013 at 08:47:17PM +0000, Viktor Dukhovni wrote:
>
> > On Wed, Sep 18, 2013 at 08:04:04PM +0100, Ben Laurie wrote:
> >
> > > > This is only realistic with DANE TLSA (certificate usage 2 or 3),
> > > > and thus will start to be realistic for SMTP next year (provided
> > > > DNSSEC gets off the ground) with the release of Postfix 2.11, and
> > > > with luck also a DANE-capable Exim release.
> > >
> > > What's wrong with name-constrained intermediates?
> >
> > X.509 name constraints (critical extensions in general) typically
> > don't work.
>
> And public CAs don't generally sell intermediate CAs with name
> constraints.  Rather undercuts their business model.
>
>
This is no longer the case. Best Practice is now considered to be to use
name constraints but not mark them critical.

This is explicitly a violation of PKIX which insists that a name constraint
extension be marked critical. Which makes it impossible to use name
constraints as they will break in Safari and a few other browsers.

The refusal to make the obvious change is either because people do not
understand the meaning of the critical bit or the result of some of that
$250 million being felt in the PKIX group. As I pointed out at RSA, the use
of name constraints might well have prevented the FLAME attack working.

-- 
Website: http://hallambaker.com/
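
Added example, not part of the original message: a simplified Python model of how a relying party treats the critical bit on a name constraints extension, following the RFC 5280 rule that an unrecognised critical extension forces rejection while an unrecognised non-critical one may be ignored. It does not parse real X.509; the function names, client labels and example.com/example.net hosts are constructed for illustration.

```python
from dataclasses import dataclass

NAME_CONSTRAINTS = "2.5.29.30"  # id-ce-nameConstraints OID

@dataclass(frozen=True)
class Extension:
    oid: str
    critical: bool
    permitted_dns: tuple = ()  # permitted dNSName subtrees

def in_subtree(host, subtree):
    # A dNSName constraint matches the name itself or names with extra
    # labels on the left; "notexample.com" is not inside "example.com".
    host, subtree = host.lower(), subtree.lower()
    return host == subtree or host.endswith("." + subtree)

def validate(understood, ca_extensions, leaf_host):
    """Model of a relying party; `understood` is the set of OIDs it implements."""
    for ext in ca_extensions:
        if ext.oid not in understood:
            if ext.critical:
                return "reject-unknown-critical"  # fail closed: chain unusable
            continue  # unrecognised and non-critical: ignored, no enforcement
        # A recognised extension is processed whatever its critical bit says.
        if ext.oid == NAME_CONSTRAINTS and not any(
            in_subtree(leaf_host, s) for s in ext.permitted_dns
        ):
            return "reject-name"
    return "accept"

def outcome_matrix():
    # Constructed sample: an intermediate constrained to example.com.
    clients = {"implements": {NAME_CONSTRAINTS}, "lacks": set()}
    hosts = ("mail.example.com", "www.example.net")
    return {
        (critical, client, host): validate(
            oids, [Extension(NAME_CONSTRAINTS, critical, ("example.com",))], host
        )
        for critical in (True, False)
        for client, oids in clients.items()
        for host in hosts
    }

if __name__ == "__main__":
    for key, verdict in outcome_matrix().items():
        print(key, "->", verdict)
```

With the bit cleared, the client that lacks support accepts the out-of-scope name, so a non-critical constraint only protects relying parties that implement it; with the bit set, that same client rejects every chain through the intermediate.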
