Re: [pkix] Proposed resolution to non-issued certificates - 2560bis
"Piyush Jain" <piyush@ditenity.com> Wed, 31 October 2012 23:13 UTC
Return-Path: <piyush@ditenity.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B378721F861F for <pkix@ietfa.amsl.com>; Wed, 31 Oct 2012 16:13:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DbibqXw8Ij3Y for <pkix@ietfa.amsl.com>; Wed, 31 Oct 2012 16:13:00 -0700 (PDT)
Received: from mail-ia0-f172.google.com (mail-ia0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id E436721F8611 for <pkix@ietf.org>; Wed, 31 Oct 2012 16:12:59 -0700 (PDT)
Received: by mail-ia0-f172.google.com with SMTP id x24so1682867iak.31 for <pkix@ietf.org>; Wed, 31 Oct 2012 16:12:59 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=from:to:references:in-reply-to:subject:date:message-id:mime-version :content-type:content-transfer-encoding:x-mailer:thread-index :content-language:x-gm-message-state; bh=rfHdWirGrngo5UhqoSsyI4bBpckKi+4q9laibnAEhUA=; b=XhEVealzP5mLbYe4NgWPO1gO0tx49VWPMuU4wiW4nO8FQbQuU+2U1vECBlYDZQPlZE iV9jyAeZ39YXkAoNMahBgvC0EARtclmM88ZW8cMXSRoXLUcSejiQyxzmUuyCt//2EcA9 shq7rAoBLipU1tYr9Y9KQUuXfJsRsiCwDIw14Moydm+vHX3j3h03x8ruJcX1f/fDFKHO +WjbvpYwzRUDTpY9xsN6odT/kK1ItLWwuoVjFrTMPpbgIbFOaa/QHCbuSJvccyUDuc6s fN7hYGMHNDIE8vbrWgHWBlN6EsetKRDOAtxAn1b/dW0aI9VU6kftRgCOhGV8EUT9xgyf E+hA==
Received: by 10.42.101.11 with SMTP id c11mr33201418ico.52.1351725179525; Wed, 31 Oct 2012 16:12:59 -0700 (PDT)
Received: from hp13 (75-25-128-241.lightspeed.sjcpca.sbcglobal.net. [75.25.128.241]) by mx.google.com with ESMTPS id xn10sm11626767igb.4.2012.10.31.16.12.57 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 31 Oct 2012 16:12:58 -0700 (PDT)
From: Piyush Jain <piyush@ditenity.com>
To: 'Stefan Santesson' <stefan@aaa-sec.com>, pkix@ietf.org
References: <CA+i=0E6yVQT3P0Dbqizgvv+Rt-zCbx_FUjAAinW=MNF5nvTmQQ@mail.gmail.com> <CCB72811.5281A%stefan@aaa-sec.com>
In-Reply-To: <CCB72811.5281A%stefan@aaa-sec.com>
Date: Wed, 31 Oct 2012 16:12:55 -0700
Message-ID: <01fc01cdb7bd$43c183b0$cb448b10$@ditenity.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-index: AQK/8f5r6+nRDUkghdB6fIx4xGer1ZXvi2Hw
Content-Language: en-us
X-Gm-Message-State: ALoCoQlpyMuILlS9wgjLZ65GBiR1i79Pm420waGbTDGQFO8MLAI8fWhftPfh2CUR2qQUiTkp23MA
Subject: Re: [pkix] Proposed resolution to non-issued certificates - 2560bis
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Oct 2012 23:13:00 -0000
> -----Original Message----- > From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of > Stefan Santesson > Sent: Wednesday, October 31, 2012 11:47 AM > To: pkix@ietf.org > Subject: [pkix] Proposed resolution to non-issued certificates - 2560bis > > I didn't put up an end date for the straw-poll, but the trend seems clear. > > The results so far (if I counted right) > > Supporting #1: 22 > Supporting #2: 0 > Supporting #3 using "unknown": 6 > Supporting #3 using "unauthorised: 2 > > 6 persons supporting #1 has expressed various levels of support/demand for > an explicit declaration that the OCSP responder supports the enhanced > definition of "revoked" to include "no issued". > > 1 person responded off-line supporting #1. > > > If the trend reflects the opinion of the WG. This is my proposed > resolution: > > > 1) Extend the "revoked" response to also be allowed for non-issued > certificates. Clearly stating that this is optional if and only if the OCSP > responder knows that the requested serial number has never been issued. [Piyush] This requires changing the current text for 'good'. Pasted for your reference The "good" state indicates a positive response to the status inquiry. At a minimum, this positive response indicates that the certificate is not revoked, but does not necessarily mean that the certificate was ever issued or that the time at which the response was produced is within the certificate's validity interval. Response extensions may be used to convey additional information on assertions made by the responder regarding the status of the certificate such as positive statement about issuance, validity, etc. > 2) Specify that a "revoked" status for a non-issued certificate serial number > MUST have revocationTime set to Jan 1, 1970 and MUST set the > revocationReason to certificateHold (6). [Piyush] There were some objections on using certificateHold as revocationReason for this purpose. CA compromise would be more appropriate because the only scenario where this is beneficial is when the CA is compromised. > 2) Define a new optional non-critical extension declaring that OCSP > responder returns "revoked" for non-issued certificates according to the > updated standard. This extension MUST be present in all responses where > the "revoked" response is returned as a result of a status request for a non- > issued certificate. [Piyush] Are you proposing that the specification of this extension would be part of OCSP or it would be published as a separate specification? I think that it should not be part of main OCSP specification, given that it is useful only in the exceptional scenario where CA gets compromised. > > > Rationale: > The certificateHold reason feels important for one particular reason. If a CA is > issuing certificates with sequential serial numbers, then it could be possible > to obtain a revoked response for a certificate serial number that is not yet > issued, but soon will be issued. That the certificate serial number is currently > not issued, does not mean that it never will, thus the certificateHold reason > seems more appropriate. > [Piyush] Given that a fraudulent certificate has been issued with a serial number, the CA would eventually revoke the certificate with this serial number and would not issue any newer certificate with the same serial. I think the confusion arises from the fact that we've been using 'not-issued' and 'fraudulently-issued' interchangeably. All this time I'd been thinking that we are discussing the latter. If that is indeed the case, caCompromise seems more appropriate. > The date 1 Jan, 1970 is appropriate since it is common in programming > languages to express time as milliseconds since jan 1, 1970. Selecting this > time avoids time expression as a negative integer. > > This date translates to (java): > Date revocationTime = new Date(0); //Jan 1st, 1970 > > The extension would be a simple OID with no data structure and MUST not > be set to critical. > > > Question: > Would it make sense to require an OCSP responder that adopts the > expanded use of "revoked" to always include the new extension? > It would add the benefit that someone receiving "good" can know that the > OCSP responder has checked that the certificate in fact has been issued by > the CA. > In such case it may be reasonable to add an optional data structure which > MAY contain a hash of the cert. > Such hash would make the positive confirmation even stronger, adding proof > of existence of the certificate. [Piyush] I hope that you realize that big enterprise PKI deployments use OCSP and CRLs interchangeably. And with this proposal OCSP becomes more authoritative than CRL. So I guess the next step would be to change the basic path validation algorithm to drop the use of CRLs in favor of OCSP and also drop the signature verification (off course if the RP knows that his OCSP responder issues stronger positive confirmations). > > But perhaps this will bee too much to agree on :) > [Piyush] How about a thinner profile of SCVP that could address everything you are trying to achieve in OCSP. > /Stefan > > > > > > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Denis Pinkas
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Simon Tardell
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Denis Pinkas
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Denis Pinkas
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Simon Tardell
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Simon Tardell
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Denis Pinkas
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Peter Rybar
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- [pkix] Straw-poll on OCSP responses for non-revok… Stefan Santesson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Yngve Nysaeter Pettersen
- Re: [pkix] Straw-poll on OCSP responses for non-r… Yoav Nir
- Re: [pkix] Straw-poll on OCSP responses for non-r… Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Miller, Timothy J.
- Re: [pkix] Straw-poll on OCSP responses for non-r… David Chadwick
- Re: [pkix] Straw-poll on OCSP responses for non-r… Art Allison
- Re: [pkix] Straw-poll on OCSP responses for non-r… Miller, Timothy J.
- Re: [pkix] Straw-poll on OCSP responses for non-r… Santosh Chokhani
- Re: [pkix] Straw-poll on OCSP responses for non-r… Erwann Abalea
- Re: [pkix] Straw-poll on OCSP responses for non-r… Yoav Nir
- Re: [pkix] Straw-poll on OCSP responses for non-r… Peter Rybar
- Re: [pkix] Straw-poll on OCSP responses for non-r… Paul Hoffman
- Re: [pkix] Straw-poll on OCSP responses for non-r… Juan Gonzalez
- Re: [pkix] Straw-poll on OCSP responses for non-r… Max Pritikin (pritikin)
- Re: [pkix] Straw-poll on OCSP responses for non-r… Simon Tardell
- Re: [pkix] Straw-poll on OCSP responses for non-r… Carl Wallace
- Re: [pkix] Straw-poll on OCSP responses for non-r… Paul Hoffman
- Re: [pkix] Straw-poll on OCSP responses for non-r… Rick Robinson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Jeremy Rowley
- Re: [pkix] Straw-poll on OCSP responses for non-r… Melinda Shore
- Re: [pkix] Straw-poll on OCSP responses for non-r… Martin Rex
- Re: [pkix] Straw-poll on OCSP responses for non-r… Russ Housley
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] Straw-poll on OCSP responses for non-r… Tom Ritter
- Re: [pkix] Straw-poll on OCSP responses for non-r… Dr Stephen Henson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Ryan Sleevi
- Re: [pkix] Straw-poll on OCSP responses for non-r… Johannes Merkle
- Re: [pkix] Straw-poll on OCSP responses for non-r… Denis Pinkas
- Re: [pkix] Straw-poll on OCSP responses for non-r… Art Allison
- Re: [pkix] Straw-poll on OCSP responses for non-r… Ryan Hurst
- Re: [pkix] Straw-poll on OCSP responses for non-r… Ben Wilson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] Straw-poll on OCSP responses fornon-re… Art Allison
- [pkix] Proposed resolution to non-issued certific… Stefan Santesson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Tom Ritter
- Re: [pkix] Proposed resolution to non-issued cert… Tom Ritter
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… David A. Cooper
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Peter Gutmann
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Phillip Hallam-Baker
- Re: [pkix] Proposed resolution to non-issued cert… David A. Cooper
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Peter Rybar
- Re: [pkix] Proposed resolution to non-issued cert… Simon Tardell
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… David A. Cooper
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Peter Rybar
- Re: [pkix] Proposed resolution to non-issued cert… Simon Tardell
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Martin Rex
- Re: [pkix] Proposed resolution to non-issued cert… Martin Rex
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Martin Rex
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Straw-poll on OCSP responses for non-r… Tom Gindin
- Re: [pkix] Straw-poll on OCSP responses for non-r… Phillip Hallam-Baker