Re: Origin Signed Responses and certificate requirements

On Thu, Apr 12, 2018 at 09:36:30AM -0400, Ryan Sleevi wrote:
> I commented on the PR, but in the spirit of bringing things to the list, I
> think allowing reuse with TLS is a net-negative for security, and we should
> not do this.
> The same conversation being had around Secondary Certificates and Delegated
> Credentials is applicable here. In this case, we have an online signing
> entity that fundamentally must be near the edge (to terminate TLS), while
> also granting it the ability to create long-lived signatures (the web
> package). From an operational standpoint, this incentivizes weak key
> protection, when the threat model of Web Packaging arguably requires
> stronger key protection, due to the greater risk being introduced to
> clients - namely, the ability to deploy misused signatures more widely
> (from oracles or key compromise).

Web packaging is not similar to Secondary Certificates. It is however
similar to Delegated Credentials.

Both Web Packaging and and Delegated Credentials:

- Are insecure against weak compromise. So ROBOT/DROWN type attacks
  would be devastating.
- Can have the key (semi-)offline.

However, Secondary Certificates:

- Are secure against weak compromise (but not full compromise).
- Must have the key online.
- More vulernable to ROBOT/DROWN type attacks than TLS handshakes due
  to longer time windows.

Also, saying that keys for for WP/DC SHALL be protected in some
specified way would have really nasty interactions with current
CABForum BRs, making it effectively impossible to get such
certificates. So any enhanced protection is at most RECOMMENDED.


Received on Thursday, 12 April 2018 17:51:51 UTC