Re: Origin Signed Responses and certificate requirements from Ryan Sleevi on 2018-04-12 (ietf-http-wg@w3.org from April to June 2018)

From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Thu, 12 Apr 2018 14:41:14 -0400
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: Ryan Sleevi <ryan-ietf@sleevi.com>, Jeffrey Yasskin <jyasskin@chromium.org>, Yoav Weiss <yoav@yoav.ws>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAErg=HF27qx-asmV-tERaJsJ=qM5m3+AmPVSnV2u0e2wqbjf0Q@mail.gmail.com>

On Thu, Apr 12, 2018 at 2:31 PM, Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Thu, Apr 12, 2018 at 02:09:00PM -0400, Ryan Sleevi wrote:
> > On Thu, Apr 12, 2018 at 1:51 PM, Ilari Liusvaara <
> ilariliusvaara@welho.com>
> > wrote:
> > >
> > > Web packaging is not similar to Secondary Certificates. It is however
> > > similar to Delegated Credentials.
> > >
> >
> > Sure it is. A compromise of a secondary certificate key, or of a web
> > packaging key, reduces the cost of attack to "Can I induce a client to
> talk
> > to the attacker" - which, in a Web context, is sort of a key design
> feature
> > of the Web. If you can, then the holder of a compromised Secondary
> > Certificate, or a compromised Signed Exchanges key, can induce a client
> to
> > accept as "from the origin" their content, in an otherwise undetectable
> > manner.
>
> Also, due to the requirement that SC keys are online, even if the key
> is protected from dumping, it can still be misused (in realtime) if the
> web server is compromised (and such compromise may be difficult to
> detect). WP/DC keys do not need to be online.
>
> > > Also, saying that keys for for WP/DC SHALL be protected in some
> > > specified way would have really nasty interactions with current
> > > CABForum BRs, making it effectively impossible to get such
> > > certificates. So any enhanced protection is at most RECOMMENDED.
> > >
> >
> > I'm not sure why you say they would have 'really nasty interactions'.
> > Parties that want code signing certificates from CAs trusted by
> Microsoft,
> > for example, can only do so for keys on hardware security modules. Which
> > effectively means the CA sending out an USB token or smart card, and
> > provisioning the key themselves.
>
> Getting code signing certificates is much much harder than website
> certificates (except EV) anyway. So there the HSM requirement is not
> that much of an increase.
>
> Also, here is yet another difference. Required capacity. WP/DC/CS need
> fairly little signing capacity, so one could put the keys to a
> smartcard or basic USB token (with signing capacity on order of 1-3
> signature per second) if one wanted to. However SC needs much more
> capacity, so smartcard or basic USB token is not going to cut it.
>

If SC was coupled to DC though, doesn't that address some of the concerns?

Received on Thursday, 12 April 2018 18:41:40 UTC