On Fri, 2022-10-07 at 17:30 +0000, Peter Gutmann wrote:
> von Oheimb, David <david.von.ohe...@siemens.com> writes:
>
> > Peter, the argument you gave below:
> >
> > > I mean what actual attack that's been actively exploited in the real world will use of PoP prevent? We've been shipping raw PKCS #10's around for decades (with no PoP) without causing the collapse of civilisation.
> >
> > appears invalid to me because PKCS#10 requires a self-signature (at least, this is how they are understood/used by most implementations) and thus does provide a PoP - and maybe civilization has survived just because of tha
>
> A self-signature on a CSR isn't a PoP though, I can intercept your CSR and get myself a certificate issued for it even though I don't have the private key.

No - all you get is a cert for the original requester, with its name rather than yours. And even this will only happen if the CA neglects what I just stressed again: the importance of the proof of origin!

On Fri, 2022-10-07 at 17:30 +0000, Tomas Gustavsson wrote:
> I'd like to add that adding a challenge-response POP needs to be built into protocols as well, not only in CSR formats/specification. Only adding a method for this to PKCS#10, without also specifying how it is to be used in ACME, CMP, EST and SCEP will most likely wreak total havoc.

Very true.

On Fri, 2022-10-07 at 17:39 +0000, Peter Gutmann wrote:
> We also need to ask CAs and users what they want. The advantage of a CSR is that it can be pasted into a web form, emailed, POSTed to a server, and many other mechanisms. Challenge-response PoP breaks all of that, which means it breaks most of the common mechanisms for getting a cert outside the web PKI where CSRs are near-universal. So even adding a mechanism for this to PKCS #10 will wreak total havoc, or in practice just get ignored. This is why the nearly 30-year-old PKCS #10, like the B52, keeps outliving all of its successors, it gets the job done in a way that suits users.

This just adds further reasons why I strongly dislike the PKCS#10 CSR format.

@Peter, I really wonder why you as a security expert speak that much in favor of it, just for the convenience of its often insecure use, or at least appear to excuse its naive use.

David
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
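Added example, not part of the original message or of any project mentioned in it: a CA-side check showing what the PKCS#10 self-signature discussed above does and does not establish. It assumes the Python `cryptography` package; the names `alice.example` and `carol.example` and the functions `make_csr`, `check_csr` and `demo` are constructed for illustration.

```python
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_csr(key, common_name):
    """Build a PKCS#10 CSR for common_name, self-signed with key (DER bytes)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    builder = x509.CertificateSigningRequestBuilder().subject_name(subject)
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def check_csr(der):
    """CA-side check: return (self-signature valid?, subject CN or None)."""
    try:
        csr = x509.load_der_x509_csr(der)
    except ValueError:
        return (False, None)
    cn = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    return (csr.is_signature_valid, cn[0].value if cn else None)


def demo():
    requester_key = ec.generate_private_key(ec.SECP256R1())
    unrelated_key = ec.generate_private_key(ec.SECP256R1())
    original = make_csr(requester_key, "alice.example")  # constructed sample

    # Case 1: the CSR resubmitted byte for byte by a different sender.
    # The signature still verifies and the subject is still the requester's.
    replayed = check_csr(original)

    # Case 2: the subject rewritten in transit (same length, so the DER parses).
    # The signature covers subject and public key together, so it now fails.
    rewritten = check_csr(original.replace(b"alice.example", b"carol.example"))

    # Case 3: a fresh CSR claiming the same name under an unrelated key.
    # It verifies too: the signature proves possession of the key inside
    # the CSR, not who sent it, so the CA still needs proof of origin.
    resigned = check_csr(make_csr(unrelated_key, "alice.example"))
    return replayed, rewritten, resigned


if __name__ == "__main__":
    for label, result in zip(("replayed", "rewritten", "re-signed"), demo()):
        print(label, result)
```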