Re: X509 data element

      Joseph:

      Some responses below.  I think you've uncovered an actual attack
against some possible RP software - not mainly by substituting X509yyy
parameter values, but by adding KeyValue to them.  The attack I see
(against RP software in which KeyValue's are accepted) is that an attacker
will extract the key from a certificate (probably in X509Certificate, but
possibly retrieved elsewhere given some of the other parameters), create a
KeyValue from it, and add a phony X509SubjectName.
      IMHO, you should be suspicious of a KeyInfo containing KeyValue and
either X509IssuerSerial or X509SubjectName.  Is there anybody on the list
who creates such constructs in their software, and if so, why?

            Tom Gindin

Joseph Swaminathan <jswamina@cisco.com>@w3.org on 02/04/2003 09:42:38 AM

Sent by:    w3c-ietf-xmldsig-request@w3.org


To:    Rich Salz <rsalz@datapower.com>
cc:    w3c-ietf-xmldsig@w3.org
Subject:    Re: X509 data element





Rich Salz wrote:

> >    1. When X509 certificate element is present, is there any need
> >       for X509IssuerSerial, X509SubjectName, X509SKI, elements. Is
> >       it possible for all of these to be present. If so, what is
> >       the significance of the latter three, as the first one contains
> >       all of them.
>
> Many implementations actually provide more than one of the different
> forms in the same signature.  Yes, the certificate includes all the
> other data, but it requires a fairly heavy-duty ASN1/DER parser.
> Breaking out the alternate "lookup keys" is just "friendly," as it were.

     Since the signature value on the signature node only covers the
signed info element, the individual x.509 elements present in the
key info are not signed at all. In that case, how can these values be
trusted, unless they are cross-verified with the x.509 certificate?

[Tom] You can't verify the signature on the document without getting the
public key info.  This would have to be gotten either from the certificate
(in which case you've got all the individual values to check) or KeyValue.

       Won't it be possible for a hacker to intercept the XML document
and add these individual x.509 elements which are not consistent with
the x.509 certificate and change the signed info as he pleases?

[Tom] The danger you are talking about would occur only if somebody were to
specify KeyValue with one of those elements, and you were to take their
word for it.

thanks
Joseph

> >    2. Also, how is a certificate validated. Is it by
>
> That's a local trust issue, and depends on your implementation and
> business requirements.  A common 80/20 technique is to verify that the
> certificate *or its issuer* came from a locally-configured trusted list.
>
>         /r$

Received on Tuesday, 4 February 2003 15:16:52 UTC
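
Tom's rule of thumb from the message above, as an added example that is not part of the original thread or of any implementation discussed in it: a relying-party pre-check that classifies each ds:KeyInfo by which key material and which unsigned name hints it carries. The function name, the verdict labels and the sample documents are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Name-style elements that KeyInfo can carry without any signature over them.
NAME_HINTS = ("X509SubjectName", "X509IssuerSerial")


def audit_keyinfo(xml_text):
    """Return one report per ds:KeyInfo: key material, name hints, verdict."""
    reports = []
    for key_info in ET.fromstring(xml_text).iter(DS + "KeyInfo"):
        has_key_value = key_info.find(DS + "KeyValue") is not None
        has_cert = key_info.find(f"{DS}X509Data/{DS}X509Certificate") is not None
        hints = [name for name in NAME_HINTS
                 if key_info.find(f"{DS}X509Data/{DS}{name}") is not None]
        if has_key_value and hints:
            # The construct flagged in the thread: a bare key accompanied by
            # an identity claim that nothing in the message binds to it.
            verdict = "suspicious"
        elif has_cert and hints:
            # Hints are only lookup keys; compare them with the certificate.
            verdict = "cross-check"
        elif hints:
            # No key material here: resolve the hint in a local trusted store.
            verdict = "lookup"
        else:
            verdict = "ok"
        reports.append({"key_value": has_key_value, "certificate": has_cert,
                        "hints": hints, "verdict": verdict})
    return reports


# Constructed samples; key and certificate bodies are placeholders, not real data.
NS_ATTR = 'xmlns="http://www.w3.org/2000/09/xmldsig#"'
KEY = ("<KeyValue><RSAKeyValue><Modulus>PLACEHOLDER</Modulus>"
       "<Exponent>AQAB</Exponent></RSAKeyValue></KeyValue>")
NAME = "<X509SubjectName>CN=Example Signer</X509SubjectName>"
CERT = "<X509Certificate>PLACEHOLDER</X509Certificate>"
SAMPLES = {
    "key_plus_name": f"<KeyInfo {NS_ATTR}>{KEY}<X509Data>{NAME}</X509Data></KeyInfo>",
    "cert_plus_name": f"<KeyInfo {NS_ATTR}><X509Data>{NAME}{CERT}</X509Data></KeyInfo>",
    "name_only": f"<KeyInfo {NS_ATTR}><X509Data>{NAME}</X509Data></KeyInfo>",
    "key_only": f"<KeyInfo {NS_ATTR}>{KEY}</KeyInfo>",
}

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        print(label, audit_keyinfo(doc))
```

The check is structural only: a "cross-check" verdict still requires decoding the certificate and comparing its subject and issuer/serial with the hint values, and trust in the certificate itself remains the local decision Rich describes.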