[tech] signing when rotating (Was: Re: Enhancing TOFU)



>* Friday, 2021-03-05 at 13:33 +0100 - nothien at uber.space <nothien at uber.space>:
>
>>I think that people find TOFU controversial because it [...] 
>>prevents servers from ever being able to change certificates.
>I think we can solve this neatly by using certificate chains.

I experimented a bit more with this, and discovered that chains can be 
awkward. Not all servers support sending a certificate chain, TLS 
libraries may complain if the root cert isn't set as a CA, and we lose 
the efficiency savings of only transmitting a single cert.

But there's a much simpler version which avoids chains.
If your server is currently using certificate A and you want to switch 
to a new certificate:

     (e.g. using openssl x509 -CA A.crt ...)


The signature on a self-signed certificate is worthless, so we lose 
nothing by replacing it with a signature from the old certificate in 
this way.

Clients can check for this as follows:

correctly signed by the pubkey of the old certificate.

there should be a warning if the old certificate had expired.

I experimented a bit with this, and the only small complication I ran 
into is that TLS libraries may complain if the Distinguished Names of 
the two certificates are identical (at least, the Haskell tls library 
I tested with does). But it isn't hard to include a field in the DN of 
the new certificate to make it unique.

So why don't we make this a convention? Any subtleties I'm missing?
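The scheme above, both halves, as an added example (my code, not the poster's and not from any Gemini server or client): the server side generates a new key and has the new certificate signed by the old certificate's key, with a different OU in the Subject so the two DNs are not identical; the client side verifies that the presented certificate's signature checks out under the pinned certificate's public key and flags whether the pinned certificate had already expired. It uses only the Go standard library. The hostname, validity dates and the choice of ECDSA P-256 are constructed assumptions. It goes one step beyond the post by also running the check against a certificate from an unrelated key, which must fail. One design point worth noting: it calls `CheckSignature` (raw signature verification with the old key) rather than `CheckSignatureFrom`, because the latter refuses to treat a certificate without a CA basic constraint as an issuer, which is exactly the "root cert isn't set as a CA" complaint the post ran into with chains.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RotationResult is what a client learns when the presented certificate differs from the pinned one.
type RotationResult struct {
	SignedByOld bool // the new cert's signature verifies under the pinned cert's public key
	OldExpired  bool // the pinned cert had already expired when the new one appeared (warn)
}

// CheckRotation is the client-side check: is the new certificate signed by the old
// certificate's public key, and had the old one already expired at check time?
// CheckSignature verifies the raw signature with the old key; CheckSignatureFrom
// would refuse, because a plain self-signed cert carries no CA basic constraint.
func CheckRotation(oldDER, newDER []byte, now time.Time) (RotationResult, error) {
	oldCert, err := x509.ParseCertificate(oldDER)
	if err != nil {
		return RotationResult{}, fmt.Errorf("old cert: %w", err)
	}
	newCert, err := x509.ParseCertificate(newDER)
	if err != nil {
		return RotationResult{}, fmt.Errorf("new cert: %w", err)
	}
	res := RotationResult{OldExpired: now.After(oldCert.NotAfter)}
	if oldCert.CheckSignature(newCert.SignatureAlgorithm, newCert.RawTBSCertificate, newCert.Signature) == nil {
		res.SignedByOld = true
	}
	return res, nil
}

// makeCert builds a certificate for host with a generation-specific OU so that the
// DN differs between generations (some TLS libraries reject identical DNs). With
// parentDER/parentKey nil it is self-signed; otherwise it is signed with the
// parent's key, which is the server-side step of the scheme.
func makeCert(host, gen string, from, to time.Time, parentDER []byte, parentKey *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // good enough for a demo; use random serials in practice
		Subject:      pkix.Name{CommonName: host, OrganizationalUnit: []string{gen}},
		DNSNames:     []string{host},
		NotBefore:    from,
		NotAfter:     to,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	parent, signer := tmpl, key
	if parentDER != nil {
		if parent, err = x509.ParseCertificate(parentDER); err != nil {
			return nil, nil, err
		}
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	return der, key, err
}

// RotationScenario builds A (self-signed, currently pinned), B (new key, signed by
// A's key, i.e. a legitimate rotation) and C (self-signed by an unrelated key, which
// the check must reject). The host name and dates are constructed values.
func RotationScenario() (aDER, bDER, cDER []byte, err error) {
	host := "capsule.example"
	start := time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC)
	aDER, aKey, err := makeCert(host, "gen-1", start, start.AddDate(1, 0, 0), nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	if bDER, _, err = makeCert(host, "gen-2", start.AddDate(0, 2, 8), start.AddDate(2, 0, 0), aDER, aKey); err != nil {
		return nil, nil, nil, err
	}
	cDER, _, err = makeCert(host, "gen-2", start.AddDate(0, 2, 8), start.AddDate(2, 0, 0), nil, nil)
	return aDER, bDER, cDER, err
}

func main() {
	a, b, c, err := RotationScenario()
	if err != nil {
		panic(err)
	}
	now := time.Date(2021, 3, 9, 0, 0, 0, 0, time.UTC)
	for _, cand := range [][]byte{b, c} { // B is accepted, C is not
		res, err := CheckRotation(a, cand, now)
		fmt.Printf("signedByOld=%v oldExpired=%v err=%v\n", res.SignedByOld, res.OldExpired, err)
	}
	res, _ := CheckRotation(a, b, now.AddDate(1, 3, 0)) // by then A has expired: accept, but warn
	fmt.Printf("signedByOld=%v oldExpired=%v\n", res.SignedByOld, res.OldExpired)
}
```

Run it with `go run`; a real client would, after a positive result, replace the pinned certificate with the new one and only then continue, and the `OldExpired` flag is where the warning the post asks for would be raised rather than silently accepting the rotation.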