On 20/06/2018 19:31, Viktor Dukhovni wrote:
> If some root CAs, or intermediate CAs to which they delegate authority, employ weak algorithms, your best bet is to not trust those CAs, they should not be using weak algorithms. TLS is not the best place to regulate (Web) PKI.
I believe there is a fundamental concern, impossible to handle sanely at the CA policy level, that a CA may reasonably have certificate hierarchies targeting people with different maximum security strength and/or living at different times within a root certificate lifespan (decades). Thus it is reasonable for a particular TLS participant to dynamically reject/ignore certificates weaker than its own policies even if issued by a root CA that has both strong and weak subtrees.

For example CA1 may, over time, have the following chains:

 longtermCAroot -> OldIntermediary(signed-with-RSA2048-SHA1, expired or revoked) -> OldEECerts(all expired or revoked)

 longtermCAroot -> crossSignedNewCAroot(signed-with-RSA2048-SHA256) -> NewIntermediary(signed-with-RSA4096-SHA256) -> CurrentEEcerts (all signed with RSA4096-SHA256)

 newCAroot -> NewIntermediary(signed-with-RSA4096-SHA256) -> CurrentEEcerts (all signed with RSA4096-SHA256)

 longtermCAroot -> NeverIssuedIntermediary(falsified via SHA1 weakness) -> FakeCert (signed with RSA4096-SHA256)

By making a TLS library able to reject certificate chains involving RSA-MD5 (or whatever else the run time configuration chooses to distrust), it can protect its user against trusting the NeverIssuedIntermediary and thus the FakeCert. CA policy and the browser forum can only choose to accept or refuse longtermCAroot entirely. Trusting only the self-signed variant of crossSignedNewCAroot won't work until that has been distributed via secure channels and all needs to trust longtermCAroot for other uses of the unified OpenSSL CA directory have disappeared.

The scenario becomes even more complicated in cases when (due to refusals to backport algorithms to older libraries) there are real systems that cannot accept the latest state of the art minimum algorithms, thus in turn requiring the ongoing issuance of certificates with old algorithm chaining to CA roots trusted by such older systems.
The above pattern of algorithm distrust can be expected to recur every few decades as new attacks are found or otherwise become viable.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
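Editor's note (added example, not part of Jakob's message or of OpenSSL): the policy Jakob describes is a check that a relying party runs over the signatureAlgorithm of every certificate below the trust anchor, independently of whether the anchor itself is trusted. The block below shows that check in isolation with a minimal DER walker (standard library only) so that it runs offline. The certificates are constructed stand-ins shaped like the chains in the message: only the outer Certificate layout (tbsCertificate, AlgorithmIdentifier, signatureValue) is real, so the same `signature_algorithm_oid` works on real DER certificates, but the stub tbsCertificate would not parse in a real X.509 library. The function and constant names are this example's own. In OpenSSL the comparable knob is the security/authentication level (`SSL_CTX_set_security_level`, `X509_VERIFY_PARAM_set_auth_level`), which rates chain signatures by their security bits rather than by an explicit denylist.

```python
"""Reject a chain if any certificate below the trust anchor is signed with a
distrusted algorithm. Example code; certificates below are constructed stubs."""

# Signature algorithm OIDs (RFC 3279 / RFC 4055 values)
MD5_RSA = "1.2.840.113549.1.1.4"
SHA1_RSA = "1.2.840.113549.1.1.5"
SHA256_RSA = "1.2.840.113549.1.1.11"


# --- minimal DER helpers: enough for Certificate's outer three elements ---
def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def encode_oid(dotted):
    """Base-128 OID encoding; first two arcs share one octet."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Inverse of encode_oid for first arc 0 or 1 (sufficient for the RSA OIDs)."""
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Skip tbsCertificate, read the AlgorithmIdentifier, return its OID as a string."""
    tag, body, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "not a SEQUENCE"
    _, _tbs, pos = read_tlv(body, 0)       # tbsCertificate, not needed here
    tag, algid, _ = read_tlv(body, pos)    # AlgorithmIdentifier SEQUENCE
    assert tag == 0x30
    tag, oid, _ = read_tlv(algid, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return decode_oid(oid)


def check_chain(chain, distrusted):
    """chain[0] is the end entity, chain[-1] the trust anchor (self-signed root).
    The anchor is trusted by identity, so its own self-signature is never judged;
    every signature below it is, regardless of how strong the root is."""
    for idx, cert in enumerate(chain[:-1]):
        oid = signature_algorithm_oid(cert)
        if oid in distrusted:
            return False, f"cert {idx} signed with distrusted {oid}"
    return True, "ok"


# --- constructed stand-in certificates (not real, no valid signatures) ---
def stub_cert(subject, sig_oid):
    tbs = tlv(0x30, tlv(0x0C, subject.encode()))          # stub tbsCertificate
    alg = tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")      # AlgorithmIdentifier + NULL
    sig = tlv(0x03, b"\x00" + b"\x00" * 256)                # BIT STRING placeholder
    return tlv(0x30, tbs + alg + sig)


LONGTERM_ROOT = stub_cert("longtermCAroot", SHA1_RSA)       # old self-signature, still the anchor
GOOD_CHAIN = [stub_cert("CurrentEEcert", SHA256_RSA),
              stub_cert("NewIntermediary", SHA256_RSA),
              stub_cert("crossSignedNewCAroot", SHA256_RSA),
              LONGTERM_ROOT]
FORGED_CHAIN = [stub_cert("FakeCert", SHA256_RSA),
                stub_cert("NeverIssuedIntermediary", SHA1_RSA),
                LONGTERM_ROOT]
DISTRUSTED = {MD5_RSA, SHA1_RSA}

if __name__ == "__main__":
    print("good chain:  ", check_chain(GOOD_CHAIN, DISTRUSTED))
    print("forged chain:", check_chain(FORGED_CHAIN, DISTRUSTED))
```

The good chain passes although longtermCAroot's own self-signature uses SHA-1: the anchor is trusted by identity, and every link below it is SHA-256. The forged chain is refused at NeverIssuedIntermediary even though FakeCert itself carries a SHA-256 signature, which is exactly the case a root-level accept/refuse decision cannot express.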