IETF Logo Mail Archive

Re: [pkix] Last Call: <draft-ietf-pkix-rfc2560bis-15.txt> (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard

Stefan Santesson <stefan@aaa-sec.com> Fri, 12 April 2013 04:37 UTC

Return-Path: <stefan@aaa-sec.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FA9C21E8039 for <ietf@ietfa.amsl.com>; Thu, 11 Apr 2013 21:37:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.891
X-Spam-Level:
X-Spam-Status: No, score=-101.891 tagged_above=-999 required=5 tests=[AWL=0.358, BAYES_00=-2.599, HELO_EQ_SE=0.35, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ll2BEuugjfDT for <ietf@ietfa.amsl.com>; Thu, 11 Apr 2013 21:37:57 -0700 (PDT)
Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id AAF3221E803D for <ietf@ietf.org>; Thu, 11 Apr 2013 21:37:57 -0700 (PDT)
Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id 4BAC42063A71 for <ietf@ietf.org>; Fri, 12 Apr 2013 06:37:56 +0200 (CEST)
X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se
Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id xXyxonjO_dAW for <ietf@ietf.org>; Fri, 12 Apr 2013 06:37:54 +0200 (CEST)
Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 2A5D42063A6B for <ietf@ietf.org>; Fri, 12 Apr 2013 06:37:54 +0200 (CEST)
Received: (qmail 46278 invoked from network); 12 Apr 2013 04:37:53 -0000
Received: from gw.aaa-sec.ideon.se (HELO [192.168.1.201]) (stefan@fiddler.nu@[85.235.7.89]) (envelope-sender <stefan@aaa-sec.com>) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for <hotz@jpl.nasa.gov>; 12 Apr 2013 04:37:53 -0000
User-Agent: Microsoft-MacOutlook/14.3.2.130206
Date: Fri, 12 Apr 2013 06:37:49 +0100
Subject: Re: [pkix] Last Call: <draft-ietf-pkix-rfc2560bis-15.txt> (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard
From: Stefan Santesson <stefan@aaa-sec.com>
To: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Message-ID: <CD8D5988.608C9%stefan@aaa-sec.com>
Thread-Topic: [pkix] Last Call: <draft-ietf-pkix-rfc2560bis-15.txt> (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard
In-Reply-To: <04F36061-25C5-4159-A724-26B192C120DE@jpl.nasa.gov>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Cc: pkix@ietf.org, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2013 04:37:58 -0000

On 4/12/13 1:31 AM, "Henry B. Hotz" <hotz@jpl.nasa.gov> wrote:

>What I would find helpful, and what I think some people really would
>like, is for OCSP to be able to provide white-list information in
>addition to the previous black-list information.  When I read through
>2560bis, I could not tell if there was an extension which would allow an
>RP to tell if "good" actually meant a cert was on the white list (and to
>know the responder has the white list), or merely not on the black list.
>(Yes, I'm repeating myself.  Am I making more sense, or just wasting
>everyone's time?)

What we have done is to roll out the red carpet and made it possible for
you to do that.

- The only thing you need to do now is to define a "white-list" extension.


To put it simply. Given how OCSP is designed, the only way to allow "good"
to represent a white-list, is if "revoked" can be returned for everything
else.
Everything else in this context means every other revoked or non-issued
certificate serial number under that CA.


With RFC 2560 that is not possible in a clean way.
With this new extension in RFC 2560bis, it is now possible.

v2.23.0 | Report a Bug | By Email