Re: [pkix] New draft-ietf-pkix-rfc2560bis-06
Simon Tardell <simon@tardell.se> Mon, 22 October 2012 16:30 UTC
Return-Path: <simon@tardell.se>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4500221F892E for <pkix@ietfa.amsl.com>; Mon, 22 Oct 2012 09:30:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.976
X-Spam-Level:
X-Spam-Status: No, score=-2.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ClrSCWHji375 for <pkix@ietfa.amsl.com>; Mon, 22 Oct 2012 09:30:43 -0700 (PDT)
Received: from mail-la0-f44.google.com (mail-la0-f44.google.com [209.85.215.44]) by ietfa.amsl.com (Postfix) with ESMTP id E26D521F849D for <pkix@ietf.org>; Mon, 22 Oct 2012 09:30:42 -0700 (PDT)
Received: by mail-la0-f44.google.com with SMTP id b11so2022594lam.31 for <pkix@ietf.org>; Mon, 22 Oct 2012 09:30:41 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=MFIZOW3DQOrYuHzlP69S0t1NNN5/CI9xgsBUnvnIfjg=; b=lIzoLQBl0nKzbgAUl1ZqcPl5BVS3OmuxTwcvynj+2BjUIrvICtGu0oAzuRyENTKtfP sVX95+Qw+P3eHkbUQcOl1aABpYGcWJNCZA/MY91xWxsJPBCdz0vSzO46NIuwZ4QjFUv1 NoQsoCezLx8nEyfZZ2R0MFwdrVJ/6GNIneJSiOD+QBDLrC4EIt2CYtAF24ekZsGjEHtI jKYyGyBBYT+uQSdU63Zlpv+fxOZ5d2CskLGWAs5GuKYLbqgXziFM+bIfxx8yBkox0jWJ iZssWqnx+uZ+PfeNq0pyKy8db/hJ5Rkygz+7J4txsYnQrWhk1yVzQ8+4iVwSrUdqwXOT mTfA==
MIME-Version: 1.0
Received: by 10.152.124.201 with SMTP id mk9mr8849642lab.33.1350923441427; Mon, 22 Oct 2012 09:30:41 -0700 (PDT)
Received: by 10.112.27.105 with HTTP; Mon, 22 Oct 2012 09:30:41 -0700 (PDT)
In-Reply-To: <50855DC5.6010609@bull.net>
References: <CCAA01E3.51B2A%stefan@aaa-sec.com> <50855225.1030202@bull.net> <CANkYYy6HF-9pT94uwAUFHa619b4xWydBani0xRtcMKAeYMnhhQ@mail.gmail.com> <50855DC5.6010609@bull.net>
Date: Mon, 22 Oct 2012 18:30:41 +0200
Message-ID: <CANkYYy6kcfR8QSOAFxrO0mLVWVk1OuAi0YzOAOyeoV93XX_MRQ@mail.gmail.com>
From: Simon Tardell <simon@tardell.se>
To: Denis Pinkas <denis.pinkas@bull.net>
Content-Type: multipart/alternative; boundary="f46d0434bcead854e704cca85fd3"
X-Gm-Message-State: ALoCoQm+Xb2gEdpNP2TmS/lp+5RTfaF1MGfjaOjHoI8euZtkzBHpZ4qkl4hOroCmpXirE+gUyoci
Cc: pkix@ietf.org
Subject: Re: [pkix] New draft-ietf-pkix-rfc2560bis-06
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Oct 2012 16:30:44 -0000
On Mon, Oct 22, 2012 at 4:52 PM, Denis Pinkas <denis.pinkas@bull.net> wrote: > Simon, > > > You said: > > "revocationReason must be certificateHold, since, in principle, the > certificate may be issued at a later point in time". > > I don't believe this is appropriate. If you have certificateHold then the > OCSP client may make other calls later on > to check if the suspension state has finished or not. > Which is entirely appropriate. If you make a standard OCSP query the certificate is identified with the hash of the issuer name and key and the serial number. There is nothing that prevents a CA from later issuing a certificate with the just-queried key. It would be unlikely, given best practices for generating serial numbers, but still. On the other hand, one could imagine a scenario where there is a time lag between the issuance of the certificate and the insertion of the certificate into the responder database (e.g. where the token hasn't been "activated" or "acknowledged" yet and the issuer wants to prevent the token from being used before such "activation"). If the relying party would get a definite revocation reason code it would not (necessarily) try again once the token has been "activated" and the certificate is valid for use and used to generate a second signature (since it knows a definite reason code doesn't change). This scenario isn't as contrived as it may seem. /Simon The less controversial revocationReason is "unspecified". Let us go for > "unspecified". > > Denis > > > If the meaning of "revoked" >> is changed it is also necessary to say what should be the values of both >> revocationTime and revocationReason: >> > […] > > >> CRLReason is defined in RFC 5280 as: >> >> CRLReason ::= ENUMERATED { >> unspecified (0), >> keyCompromise (1), >> cACompromise (2), >> affiliationChanged (3), >> superseded (4), >> cessationOfOperation (5), >> certificateHold (6), >> -- value 7 is not used >> removeFromCRL (8), >> privilegeWithdrawn (9), >> aACompromise (10) } >> >> > For the revocationTime should we use the content of notBefore field >> from the certificate ? >> > > The certificate that was not issued could have any time. It is also not > seen by the responder. The reasonable revocationTime would be "the > beginning of time". Any time which is before any reasonable issuance time > of any certificate in the PKI would do. The issuance time of the issuing CA > would do, or for that matter the battle of Hastings. > > >> For the revocationReason should we use unspecified or keyCompromise ? >> > > revocationReason must be certificateHold, since, in principle, the > certificate may be issued at a later point in time. If a key was > compromised, it would be the CA key, not the key that the certificate. > > >> In any case, guidance should be given. >> >> Although I understand that changing the meaning of "revoked" may be seen >> as "safer" >> for old implemenations, changing the meaning of "unknown" also seems to >> be a reasonable alternative. >> >> In this case, it might be useful (and sufficient) to say that if an OCSP >> responder is authoritative >> for the target certificate, then the OCSP client SHOULD NOT use an >> alternative source >> of revocation information like CRLs. >> > > Which would be putting requirements on the behavior of already existing > OCSP clients out there that we know are not true and are out of the control > of most people setting up PKIs. > > Simon Tardell, > Technology Nexus. > > >
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Denis Pinkas
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Simon Tardell
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Denis Pinkas
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Denis Pinkas
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Simon Tardell
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Simon Tardell
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Denis Pinkas
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Peter Rybar
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- [pkix] Straw-poll on OCSP responses for non-revok… Stefan Santesson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Yngve Nysaeter Pettersen
- Re: [pkix] Straw-poll on OCSP responses for non-r… Yoav Nir
- Re: [pkix] Straw-poll on OCSP responses for non-r… Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Miller, Timothy J.
- Re: [pkix] Straw-poll on OCSP responses for non-r… David Chadwick
- Re: [pkix] Straw-poll on OCSP responses for non-r… Art Allison
- Re: [pkix] Straw-poll on OCSP responses for non-r… Miller, Timothy J.
- Re: [pkix] Straw-poll on OCSP responses for non-r… Santosh Chokhani
- Re: [pkix] Straw-poll on OCSP responses for non-r… Erwann Abalea
- Re: [pkix] Straw-poll on OCSP responses for non-r… Yoav Nir
- Re: [pkix] Straw-poll on OCSP responses for non-r… Peter Rybar
- Re: [pkix] Straw-poll on OCSP responses for non-r… Paul Hoffman
- Re: [pkix] Straw-poll on OCSP responses for non-r… Juan Gonzalez
- Re: [pkix] Straw-poll on OCSP responses for non-r… Max Pritikin (pritikin)
- Re: [pkix] Straw-poll on OCSP responses for non-r… Simon Tardell
- Re: [pkix] Straw-poll on OCSP responses for non-r… Carl Wallace
- Re: [pkix] Straw-poll on OCSP responses for non-r… Paul Hoffman
- Re: [pkix] Straw-poll on OCSP responses for non-r… Rick Robinson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Jeremy Rowley
- Re: [pkix] Straw-poll on OCSP responses for non-r… Melinda Shore
- Re: [pkix] Straw-poll on OCSP responses for non-r… Martin Rex
- Re: [pkix] Straw-poll on OCSP responses for non-r… Russ Housley
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] Straw-poll on OCSP responses for non-r… Tom Ritter
- Re: [pkix] Straw-poll on OCSP responses for non-r… Dr Stephen Henson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Ryan Sleevi
- Re: [pkix] Straw-poll on OCSP responses for non-r… Johannes Merkle
- Re: [pkix] Straw-poll on OCSP responses for non-r… Denis Pinkas
- Re: [pkix] Straw-poll on OCSP responses for non-r… Art Allison
- Re: [pkix] Straw-poll on OCSP responses for non-r… Ryan Hurst
- Re: [pkix] Straw-poll on OCSP responses for non-r… Ben Wilson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] Straw-poll on OCSP responses fornon-re… Art Allison
- [pkix] Proposed resolution to non-issued certific… Stefan Santesson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Tom Ritter
- Re: [pkix] Proposed resolution to non-issued cert… Tom Ritter
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… David A. Cooper
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Peter Gutmann
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Phillip Hallam-Baker
- Re: [pkix] Proposed resolution to non-issued cert… David A. Cooper
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Peter Rybar
- Re: [pkix] Proposed resolution to non-issued cert… Simon Tardell
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… David A. Cooper
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Peter Rybar
- Re: [pkix] Proposed resolution to non-issued cert… Simon Tardell
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Martin Rex
- Re: [pkix] Proposed resolution to non-issued cert… Martin Rex
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Martin Rex
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Straw-poll on OCSP responses for non-r… Tom Gindin
- Re: [pkix] Straw-poll on OCSP responses for non-r… Phillip Hallam-Baker