Re: [Add] Potential erratum in RFC 8484
Russ Housley <housley@vigilsec.com> Wed, 13 October 2021 14:34 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6E1A3A0A84 for <add@ietfa.amsl.com>; Wed, 13 Oct 2021 07:34:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fRGTmTXte-pK for <add@ietfa.amsl.com>; Wed, 13 Oct 2021 07:34:38 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 418713A0A83 for <add@ietf.org>; Wed, 13 Oct 2021 07:34:38 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 04309300BE1 for <add@ietf.org>; Wed, 13 Oct 2021 10:34:38 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id sxpfuSlGUhEX for <add@ietf.org>; Wed, 13 Oct 2021 10:34:37 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id 07322300BBA; Wed, 13 Oct 2021 10:34:36 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <9316f233-6be2-4cf2-a7df-e4b1502b11c6@www.fastmail.com>
Date: Wed, 13 Oct 2021 10:34:34 -0400
Cc: add@ietf.org, draft-ietf-doh-dns-over-https@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <B7CEB364-A99B-4119-A913-56BDF377A54F@vigilsec.com>
References: <9316f233-6be2-4cf2-a7df-e4b1502b11c6@www.fastmail.com>
To: Martin Thomson <mt@lowentropy.net>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/uphtTiNwGsPeGUedfbjxPplu8h4>
Subject: Re: [Add] Potential erratum in RFC 8484
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Oct 2021 14:34:44 -0000
Martin: > In Section 10, the following text is wrong: > >> The use of Online Certificate Status Protocol (OCSP) [RFC6960] servers or Authority Information Access (AIA) for Certificate Revocation List (CRL) fetching (see Section 4.2.2.1 of [RFC5280]) are examples of how this deadlock can happen. > > The OCSP part is fine, but the AIA piece is whacky. > > For context, there are three different ways (to my knowledge) that a client might make outbound connections in order to validate or build a certification path. > > 1. CRL - this is a simple fetch of CRLs from the designated location. This rarely happens any more as it is grossly inefficient, but it could happen in theory. > > 2. OCSP - this is an OCSP query for the status of a certificate. > > 3. AIA chasing - this is where the TLS handshake doesn't include the full set of certificates required to validate the end-entity certificate, but the certificate includes a URL for that certificate. > > AIA itself is a multi-purpose field. It can include multiple elements, one of which is the identity of an OCSP responder (the same one used in (2) above) and the other being the one used in (3). It does not include CRL distribution points, as the text implies. Agree. In the referenced text, AIA provides the location of the OCSP responder, and CRL Distribution Points extension provides the locations the CRL (or in rare cases the multiple CRLs for different scopes) can be obtained. > Corrected text might read like: > >> The use of Online Certificate Status Protocol (OCSP) [RFC6960] servers, Certificate Revocation List (CRL) distribution points (see Section 4.2.1.13 of [RFC5280]), or Authority Information Access (AIA) to retrieve issuer certificates (see Section 4.2.2.1 of [RFC5280]) are examples of how this deadlock can happen. > > Or the version without CRLs: > >> The use of Online Certificate Status Protocol (OCSP) [RFC6960] servers or Authority Information Access (AIA) to retrieve issuer certificates (see Section 4.2.2.1 of [RFC5280]) are examples of how this deadlock can happen. > > It's a little embarrassing to note this error given how active I was in drafting the original text. In my defense, I found a version of this error in the -05 draft, so it evaded notice for quite some time. There are non-Web PKI situations where CRLs are used. So, I prefer the first alternative. Russ
- [Add] Potential erratum in RFC 8484 Martin Thomson
- Re: [Add] Potential erratum in RFC 8484 Russ Housley