09/15/2014
Hello,
I have a question on the management of error codes during the establishment of a secure channel, since the different parts of the specification (1.03) indicate different behavior.
In Part 4, Table 11 indicates various status codes, including very detailed errors on the certificate validation process (Bad_CertificateRevoked, etc.).
In Part 6, §6.7.6 it is indicated:
The receiver shall check that the Certificate is trusted first and return Bad_CertificateUntrusted on error. The receiver shall then verify the SenderCertificate using the rules defined in Part 4. The receiver shall report the appropriate error if Certificate validation fails. The receiver shall verify the ReceiverCertificateThumbprint and report a Bad_CertificateUnknown error if it does not recognize it.
which is more or less consistent with Part 4 regarding the detailed status codes on certificate validation.
It also indicates in the same section:
At this point the SecureChannel knows it is dealing with an authenticated Message that was not tampered with or resent. This means the SecureChannel can return secured error responses if any further problems are encountered.
which seems to mean that more detailed error responses can now be sent, since the secure channel is open, and as a consequence that detailed error messages should not be sent before this step.
Moreover, in Part 2, §6.3 we can read the following:
Error handling uses the error code, defined in Part 4, which most precisely fits the condition and only when returning an error code is appropriate. Error codes can be used as an attack vector, thus their uses should be limited as described in Part 4. Part 4 describes that a single generic error is returned before and during the establishment of a secure channel. Once the secure channel has been established then appropriate specific error codes are returned.
which is in contradiction with Table 11 (Part 4), which describes detailed error codes and never mentions a generic error code to be used.
As a consequence, my questions are the following:
1) Which error codes are allowed to be returned in an open secure channel response message? And what is the "generic error" to return during the establishment of the secure channel, and for which verification steps?
2) More generally, I think there is confusion in the specification between the error codes that can be returned in service response messages and those recorded in the audit log. Is this a correct interpretation of the inconsistency found in the specification? And then how do we differentiate those two cases?
Best regards
02/24/2014
Part 4 does describe the generic error that should be returned: "Bad_SecurityChecksFailed". This should be the only error that is returned to a client until a secure channel is established. The detailed errors should be logged in the server or included in Audit messages, so connection problems can be diagnosed. The generic "Bad_SecurityChecksFailed" will help prevent server profiling. Once a secured connection is established, i.e. the connection is open with a valid trusted certificate and all handshaking required for the selected security profile is completed, then if some minor error occurs, more detailed messages can be returned.
Paul
Paul Hunkar - DSInteroperability
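The behaviour described in the answer above, as an added example that is not from the original thread or from any OPC Foundation code: a server-side OpenSecureChannel check that runs the Part 6 §6.7.6 sequence (trust check, Part 4 validation rules, ReceiverCertificateThumbprint), writes the detailed result to an audit log, and puts only Bad_SecurityChecksFailed on the wire until the channel has been established. The CertificateInfo record (fields assumed to be already extracted from an X.509 certificate), ServerSecurityState, the `channel_established` flag and all thumbprints are assumptions made for this example; status codes are carried by name only, so look up the numeric values in Part 6.

```python
# Added example, not OPC Foundation or specification code. CertificateInfo,
# ServerSecurityState and the sample thumbprints are assumptions; real X.509
# parsing and signature checks are out of scope here.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class StatusCode(Enum):
    """Symbolic names from Part 4; numeric values deliberately omitted."""
    GOOD = "Good"
    BAD_SECURITY_CHECKS_FAILED = "Bad_SecurityChecksFailed"
    BAD_CERTIFICATE_UNTRUSTED = "Bad_CertificateUntrusted"
    BAD_CERTIFICATE_TIME_INVALID = "Bad_CertificateTimeInvalid"
    BAD_CERTIFICATE_REVOKED = "Bad_CertificateRevoked"
    BAD_CERTIFICATE_UNKNOWN = "Bad_CertificateUnknown"


@dataclass(frozen=True)
class CertificateInfo:
    """Fields already extracted from a DER certificate (assumed record)."""
    thumbprint: str            # hex SHA-1 of the DER encoding
    issuer_thumbprint: str
    not_before: datetime
    not_after: datetime


@dataclass
class ServerSecurityState:
    own_thumbprint: str
    trusted_thumbprints: frozenset
    revoked_thumbprints: frozenset
    audit_log: list = field(default_factory=list)


def validate_sender_certificate(cert, receiver_thumbprint, state, now):
    """Detailed result, in the order Part 6 section 6.7.6 prescribes."""
    if (cert.thumbprint not in state.trusted_thumbprints
            and cert.issuer_thumbprint not in state.trusted_thumbprints):
        return StatusCode.BAD_CERTIFICATE_UNTRUSTED
    if not (cert.not_before <= now <= cert.not_after):
        return StatusCode.BAD_CERTIFICATE_TIME_INVALID
    if cert.thumbprint in state.revoked_thumbprints:
        return StatusCode.BAD_CERTIFICATE_REVOKED
    if receiver_thumbprint != state.own_thumbprint:
        return StatusCode.BAD_CERTIFICATE_UNKNOWN
    return StatusCode.GOOD


def handle_open_secure_channel(cert, receiver_thumbprint, state, now,
                               channel_established=False):
    """Return the StatusCode to send. channel_established=False models the
    initial OpenSecureChannel; True models a renew on a channel whose
    handshake already completed. The detailed code always goes to the audit
    log; the client only sees it once the channel is established."""
    detailed = validate_sender_certificate(cert, receiver_thumbprint, state, now)
    if detailed is StatusCode.GOOD:
        return StatusCode.GOOD
    state.audit_log.append({
        "time": now.isoformat(),
        "sender_thumbprint": cert.thumbprint,
        "receiver_thumbprint": receiver_thumbprint,
        "detailed": detailed.value,
        "channel_established": channel_established,
    })
    return detailed if channel_established else StatusCode.BAD_SECURITY_CHECKS_FAILED


# Constructed sample data (not real certificates).
NOW = datetime(2014, 9, 15, tzinfo=timezone.utc)
SERVER_THUMB = "aa" * 20
VALID_FROM = datetime(2014, 1, 1, tzinfo=timezone.utc)
VALID_TO = datetime(2016, 1, 1, tzinfo=timezone.utc)
CLIENT_OK = CertificateInfo("b1" * 20, "ca" * 20, VALID_FROM, VALID_TO)
CLIENT_UNKNOWN = CertificateInfo("c2" * 20, "dd" * 20, VALID_FROM, VALID_TO)
CLIENT_REVOKED = CertificateInfo("e3" * 20, "ca" * 20, VALID_FROM, VALID_TO)


def new_server_state():
    return ServerSecurityState(
        own_thumbprint=SERVER_THUMB,
        trusted_thumbprints=frozenset({"ca" * 20}),   # trust the CA only
        revoked_thumbprints=frozenset({CLIENT_REVOKED.thumbprint}),
    )


def run_scenarios():
    """Three exchanges; returns (wire code per scenario, audit entries)."""
    state = new_server_state()
    results = {
        "trusted": handle_open_secure_channel(CLIENT_OK, SERVER_THUMB, state, NOW),
        # Untrusted client during establishment: generic code on the wire.
        "untrusted_initial": handle_open_secure_channel(
            CLIENT_UNKNOWN, SERVER_THUMB, state, NOW),
        # Revoked certificate on an already established channel (a renew):
        # the detailed code may be returned.
        "revoked_established": handle_open_secure_channel(
            CLIENT_REVOKED, SERVER_THUMB, state, NOW, channel_established=True),
    }
    return results, state.audit_log


if __name__ == "__main__":
    codes, log = run_scenarios()
    for name, code in codes.items():
        print(f"{name:20s} -> {code.value}")
    for entry in log:
        print("audit:", entry)
```

Running the block shows the split the answer describes: the untrusted and wrong-thumbprint cases reach the client as Bad_SecurityChecksFailed while the audit log keeps Bad_CertificateUntrusted or Bad_CertificateUnknown, and only the renew on an established channel carries Bad_CertificateRevoked on the wire.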