IETF Logo Mail Archive

Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15

"Piyush Jain" <piyush@ditenity.com> Tue, 09 April 2013 15:14 UTC

Return-Path: <piyush@ditenity.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77D4E21F95D7 for <pkix@ietfa.amsl.com>; Tue, 9 Apr 2013 08:14:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1
X-Spam-Level:
X-Spam-Status: No, score=-1 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NbC3DTvEOEye for <pkix@ietfa.amsl.com>; Tue, 9 Apr 2013 08:14:17 -0700 (PDT)
Received: from mail-gh0-f176.google.com (mail-gh0-f176.google.com [209.85.160.176]) by ietfa.amsl.com (Postfix) with ESMTP id C988A21F9402 for <pkix@ietf.org>; Tue, 9 Apr 2013 08:14:16 -0700 (PDT)
Received: by mail-gh0-f176.google.com with SMTP id f16so1089249ghb.21 for <pkix@ietf.org>; Tue, 09 Apr 2013 08:14:16 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-type:content-transfer-encoding :x-mailer:thread-index:content-language:x-gm-message-state; bh=EeXCAEEUuQXknGjOu3bVGL+OocjcAIezAEBSxxhTTFY=; b=BycAru/mvVLHJIGWDois3CPIyYmDy65JJbDkdxoRvyUeFxIQLLLMGxSealhnBf7F00 I9v9uE137KbmewSuOhFW5tuE2QSkSMJ7zlFKXYwQyYdz7VmQ6vdHayio/kSWE/HvFy5v MPuZdAnREZy9lNqwjs2zddxXIxXslT8N7tSinwXIf9nITASPj+9pJLUbjB//crgbw7Og EHTPk35KXgHyZZ3Q2GcHdS/PqTHfyLB5Toe6gK5iHHJ/msqFKiSFJS0ZOuwcRv2FAWle GmHM7vYc2RJrQGPNjDgJzGgXZuU0P6Ag7N0k1g5ge2fJpcIb6YURwWAL31OlERTAnKGn SMvg==
X-Received: by 10.236.2.39 with SMTP id 27mr14574375yhe.183.1365520456194; Tue, 09 Apr 2013 08:14:16 -0700 (PDT)
Received: from hp13 (75-25-128-241.lightspeed.sjcpca.sbcglobal.net. [75.25.128.241]) by mx.google.com with ESMTPS id v60sm43690040yhh.23.2013.04.09.08.14.14 (version=TLSv1 cipher=RC4-SHA bits=128/128); Tue, 09 Apr 2013 08:14:15 -0700 (PDT)
From: Piyush Jain <piyush@ditenity.com>
To: "'Black, David'" <david.black@emc.com>, 'Sean Turner' <turners@ieca.com>
References: <003e01ce3077$5b6329f0$12297dd0$@ditenity.com> <20130403160532.EB4FD1A68A@ld9781.wdf.sap.corp> <00a401ce3092$0a1415d0$1e3c4170$@ditenity.com> <5163270C.20300@ieca.com> <07af01ce34a4$582df1d0$0889d570$@ditenity.com> <5163840F.2030508@ieca.com> <083601ce34e7$e3dcef40$ab96cdc0$@ditenity.com> <8D3D17ACE214DC429325B2B98F3AE71293E22D3E@MX15A.corp.emc.com>
In-Reply-To: <8D3D17ACE214DC429325B2B98F3AE71293E22D3E@MX15A.corp.emc.com>
Date: Tue, 09 Apr 2013 08:14:03 -0700
Message-ID: <08b901ce3534$e057b920$a1072b60$@ditenity.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQHHvIU0pEj95jqjILpXYwEgVOm34gLGPak8AXFeg0kBCCz4MwNWbgjOAWN27bMCjnis0AKXx8I0mGHZF+A=
Content-Language: en-us
X-Gm-Message-State: ALoCoQmMVi/X6KmOUqYs/XIu5Y9mDVymUlpN7gctcsxU8RHW5lAkJSvJ7sxH8Zcw7ufXpyS9nNT+
X-Mailman-Approved-At: Sat, 20 Apr 2013 16:53:15 -0700
Cc: ambarish@gmail.com, slava.galperin@gmail.com, cadams@eecs.uottawa.ca, 'Stefan Santesson' <stefan@aaa-sec.com>, gen-art@ietf.org, sts@aaa-sec.com, pkix@ietf.org
Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Apr 2013 15:14:17 -0000

> I do not see that prohibition in the new text in -16.  In the cited email
> message, I do see a disagreement between you and Stefan about what
> implementations are likely to do, but I don't see any text in the draft
that
> dictates that implementations must or must not make that interpretation.

I think I failed to clarify this in my last message. Let me try again. I
based my interpretation on the following response from Stefan :

BEGIN QUOTE
~~~~~~~~~~~
" The draft does NOT define a "not-issued" response. It allows the "revoked"
response if a certificate serial number has never been issued. That is two
entirely different things. If you ask how to deal with the response, then
the client will not get a non- issued response. It will get a "revoked"
status."
END QUOTE
~~~~~~~~

The above explanation at the minimum indicates the author's intent that
clients should treat such certificates as "revoked" and not "non-issued".
However, if readers of the draft do not think that the draft explicitly
mandates it, we have a bigger problem w.r.t. to establishing trust in such
responses. Please see the text from section 4.2.2.2 bullet 2 and 3(page 15)

Begin TEXT
~~~~~~~~~
Clients MUST reject the   response if the certificate required to validate
the signature on the response fails to meet at least one of the following
criteria:
   1. Matches a local configuration of OCSP signing authority for the
certificate in question; or
   2. Is the certificate of the CA that issued the certificate in
question; or
   3. Includes a value of id-kp-OCSPSigning in an ExtendedKeyUsage extension
and is issued by the CA that issued the certificate in question as stated
above."
End Text
~~~~~~~

Based on above the responder trust models referred to by "2." and "3."
cannot be used to communicate "non-issued". 

-Piyush

v2.23.0 | Report a Bug | By Email