[tech] signing when rotating (Was: Re: Enhancing TOFU)

mbays mbays at sdf.org
Tue Mar 9 21:02:41 GMT 2021

* Friday, 2021-03-05 at 19:14 +0100 - mbays at sdf.org <mbays at sdf.org>:

>* Friday, 2021-03-05 at 13:33 +0100 - nothien at uber.space <nothien at uber.space>:
>>I think that people find TOFU controversial because it [...] 
>>prevents servers from ever being able to change certificates.
>I think we can solve this neatly by using certificate chains.

I experimented a bit more with this, and discovered that chains can be 
awkward. Not all servers support sending a certificate chain, TLS 
libraries may complain if the root cert isn't set as a CA, and we lose 
the efficiency savings of only transmitting a single cert.

But there's a much simpler version which avoids chains.
If your server is currently using certificate A and you want to switch 
to a new certificate:
* create a new self-signed certificate C with key K,
* sign it with A to produce a signed certificate S,
     (e.g. using openssl x509 -CA A.crt ...)
* tell your server to use S and K.

The signature on a self-signed certificate is worthless, so we lose 
nothing by replacing it with a signature from the old certificate in 
this way.

Clients can check for this as follows:
* When TOFU-trusting a certificate for a host, save its pubkey.
* If later a new cert is provided for the host, check if it was 
correctly signed by the pubkey of the old certificate.
* If so, accept the new certificate and delete the old one. Arguably 
there should be a warning if the old certificate had expired.

I experimented a bit with this, and the only small complication I ran 
into is that TLS libraries may complain if the Distinguished Names of 
the two certificates are identical (at least, the Haskell tls library 
I tested with does). But it isn't hard to include a field in the DN of 
the new certificate to make it unique.

So why don't we make this a convention? Any subtleties I'm missing?
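The server-side rotation and the client-side check described above, as an added example (the script is not from the post or from any Gemini project; only the `openssl x509 -CA` step is the poster's). It assumes the openssl CLI (1.1.1 or 3.x); the name example.org, the file names and the "impostor" certificate are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): rotate a TOFU-pinned certificate
# by re-signing the new self-signed cert with the old one, then run the client
# check with openssl.  example.org and all file names are constructed.
set -eu
W=$(mktemp -d)

# req config: no DN prompts.  CA:TRUE is needed only because "openssl verify",
# used as the client below, refuses a signer without it; a client checking the
# raw signature against the pinned pubkey, as the post describes, would not care.
printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\n[dn]\n[v3]\n' > "$W/req.cnf"
printf 'basicConstraints=critical,CA:TRUE\n' >> "$W/req.cnf"

# Self-signed cert with a fresh P-256 key: $1 = file basename, $2 = subject.
selfsigned() {
  openssl req -x509 -config "$W/req.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$W/$1.key" -out "$W/$1.crt" -days 365 -subj "$2" 2>/dev/null
}

# Server side, following the post: A is the cert clients have pinned; C (with
# key K = C.key) is the new self-signed cert, given a distinct DN as the post
# suggests; S is C re-signed with A's key, keeping C's subject and key.
selfsigned A "/CN=example.org"
selfsigned C "/CN=example.org/OU=rotation-2021-03"
openssl x509 -in "$W/C.crt" -CA "$W/A.crt" -CAkey "$W/A.key" -set_serial 2 \
  -days 365 -out "$W/S.crt" 2>/dev/null      # the server now serves S.crt + C.key

# Client side.  The post pins only the pubkey; openssl verify needs a cert as
# trust anchor, so the pinned cert stands in for its key here.  Returns 0 when
# the presented cert $2 carries the pinned key or is correctly signed by it.
accept_cert() {   # $1 = pinned cert, $2 = cert presented now
  pinned_key=$(openssl x509 -in "$1" -pubkey -noout)
  new_key=$(openssl x509 -in "$2" -pubkey -noout)
  [ "$pinned_key" = "$new_key" ] && return 0
  # Trust nothing but the pinned cert, no system CAs.  Add -no_check_time to
  # downgrade an expired pin from a failure to the warning the post suggests.
  openssl verify -no-CAfile -no-CApath -trusted "$1" "$2" >/dev/null 2>&1
}

rotation_ok()  { accept_cert "$W/A.crt" "$W/S.crt"; }   # the rotation above
unchanged_ok() { accept_cert "$W/A.crt" "$W/A.crt"; }   # same key, no change
# An unrelated self-signed cert for the same name is what TOFU must refuse.
selfsigned D "/CN=example.org/OU=impostor"
impostor_rejected() { ! accept_cert "$W/A.crt" "$W/D.crt"; }

if rotation_ok && unchanged_ok && impostor_rejected; then
  echo "rotation S accepted under pin A; impostor D rejected"
fi
```

After the first rotation the client would pin S (or just its key K), so a later rotation re-signs the next cert with K.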