search

GSA / piv-guides

This is the old location for the PIV Playbook. New location below.
https://playbooks.idmanagement.gov/piv/
Other
69 stars 44 forks source link

Finding paths via HTTP SubjectInfoAccess URI #45

Closed grandamp closed 7 years ago

grandamp commented 8 years ago

This is not intended to be a duplicate of #8, as I need to determine current policy on SIA for all FPKI issuers.

I believe SIA is mandatory under Common, but I am not certain if all affiliates under FBCA assert.

The SubjectInfoAccess (SIA) extension is in most intermediate certificates within the Federal PKI. This provides a convenient mechanism for scripts/services to discover most intermediates and issuing CA's within the Federal PKI.

This extension is not used by most validation software today (such as web browsers and web servers) as following all SIA URI is impractical within the Federal PKI, because it yields over 170 CA certificates! That is why they tend to perfom discovery (back to a trust anchor), and mitigate discovery attacks by implementing max size of the returned CMS certs-only file (as well as implementing download timeouts). HTTP is also the best choice, as an issuer can use cache-control headers, and clients do not have to worry about LDAP through firewalls.

For tools and services that are attempting to determine all known certificate paths, such as an SCVP service, processing SIA is a more secure and efficient choice. More secure, and efficient, because you are following references that start with the SIA URI in the Trust Anchor (in our case Common). The reference(s) claim: This file contains all of the CA certificates I have signed. As the references are followed, you have assurance that the reference is good, because it is directly asserted in the CA certificate. You can immediately validate the signature on the children, and if that fails, you log and report, or discard.

lachellel commented 8 years ago

This is definitely an area that we need to write up more on. It's a very common question (what are the certificates, discovery, etc). I tried to explain some of this here:

But I think 1) I made it too wordy and it needs to be simpler, and 2) I only referenced the AIA chase and just in passing.

The SIA chase is just as important to know - and useful imho.

Where do you think this info should go? A Certificate Cheat Sheet?

And any canned scripts are also welcome as contributions... why keep writing the same functions over and over...

grandamp commented 8 years ago

The code I reference in #8 only performs discovery using HTTP SIA, and retains a separate cache of all URI (intent was to add a Spring timed task for each URI, using the caching Apache HTTP client, and performing checks based on each ca cert lifetime/halflife and cache control headers).

Knowing that others maintain AIA/SIA crawling web apps, it would be best if we could refer to a few open source implementations and collaborate, maybe consolidate.

My view on this topic is not only as a relying party, but intended to convey best practices as an issuer. (Hence the statement on policy)

On Thu, Jun 16, 2016, 19:04 LRL notifications@github.com wrote:

This is definitely an area that we need to write up more on. It's a very common question (what are the certificates, discovery, etc). I tried to explain some of this here:

-

https://gsa.github.io/piv-guides/pivcertchains/#download-root-and-intermediate-certificates

piv-guides/pages/certchains.md

But I think 1) I made it too wordy and it needs to be simpler, and 2) I only referenced the AIA chase and just in passing.

The SIA chase is just as important to know - and useful imho.

Where do you think this info should go? A Certificate Cheat Sheet?

And any canned scripts are also welcome as contributions... why keep writing the same functions over and over...

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/GSA/piv-guides/issues/45#issuecomment-226638800, or mute the thread https://github.com/notifications/unsubscribe/AMhKoPKjphHDxW3VGVdX22u_BN6z-KZcks5qMdaOgaJpZM4I34bu .

weirdscience commented 7 years ago

SIA is optional for FBCA certificates (FPKI Cert Profiles - https://www.idmanagement.gov/IDM/servlet/fileField?entityId=ka0t0000000TNS1AAO&field=File__Body__s). May be updated in the next certificate profile update.

I'm working on a CDP, AIA, OCSP, DN list of end entity issuing CAs. No easy way to do it at the moment besides manual collection from the affiliates. Let me know if other info or different formats would be useful.

https://github.com/GSA/fpki-guides/issues/68

lachellel commented 7 years ago

let me close and we'll work on the fpki-guides on (and a _data construct to manage and display).

there are options to enhance or replace manual collection from affiliates; we can scan through artifacts from compliance audits and from trust monitor too.