IETF Logo Mail Archive

Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15

"Piyush Jain" <piyush@ditenity.com> Tue, 02 April 2013 18:27 UTC

Return-Path: <piyush@ditenity.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D61DF21F8D0D for <pkix@ietfa.amsl.com>; Tue, 2 Apr 2013 11:27:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.502
X-Spam-Level:
X-Spam-Status: No, score=-1.502 tagged_above=-999 required=5 tests=[AWL=-2.098, BAYES_00=-2.599, DOS_OUTLOOK_TO_MX=1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_EQ_LT4=0.442, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Swafop+bsEjA for <pkix@ietfa.amsl.com>; Tue, 2 Apr 2013 11:27:12 -0700 (PDT)
Received: from mail-yh0-x22c.google.com (mail-yh0-x22c.google.com [IPv6:2607:f8b0:4002:c01::22c]) by ietfa.amsl.com (Postfix) with ESMTP id 61C0421F8A52 for <pkix@ietf.org>; Tue, 2 Apr 2013 11:27:12 -0700 (PDT)
Received: by mail-yh0-f44.google.com with SMTP id q11so108357yhf.17 for <pkix@ietf.org>; Tue, 02 Apr 2013 11:27:11 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-type:content-transfer-encoding :x-mailer:thread-index:content-language:x-gm-message-state; bh=mu6EFhADWvfTp8Qw9XynbN94uoj5+uT+UQ3l9IFk4eI=; b=O5ssCfwSoAn8ZgTNePz/BpEBOlk9PoEWOdcRwbrBEcI4J0HdCRYoYTkDbSNhn0dubb 1KKbdDjBRzMRIAn6GWMOENzA/Zp26vUQ5j6cDiHOFlYVmmo0LzNem4mdRd8B1U0yzcFN S/9LXiRRGcoNwvGqnSwiDbcEQu1UHqfjqCxqEbBvdEw3lTBDzMTwz5nv2nt1FU7ByqmT NMC7GU5zAxtpwveg+okClZUpgKdqrlaE1QXoRFHnDHMoY9tjM/htiNAgrq+Q01wQlZr7 LEz7WQo4hu171QxcO6myDXkF7yHZ43JL2Zpi8QxbK91E2j/o+hz9aJnv1l2NROcuGMv+ wS/g==
X-Received: by 10.236.202.67 with SMTP id c43mr15578356yho.28.1364927231891; Tue, 02 Apr 2013 11:27:11 -0700 (PDT)
Received: from hp13 (75-25-128-241.lightspeed.sjcpca.sbcglobal.net. [75.25.128.241]) by mx.google.com with ESMTPS id v60sm4591935yhh.23.2013.04.02.11.27.10 (version=TLSv1 cipher=RC4-SHA bits=128/128); Tue, 02 Apr 2013 11:27:11 -0700 (PDT)
From: Piyush Jain <piyush@ditenity.com>
To: mrex@sap.com
References: <20130402165122.975FC1A689@ld9781.wdf.sap.corp> <20130402181634.C34A01A68A@ld9781.wdf.sap.corp>
In-Reply-To: <20130402181634.C34A01A68A@ld9781.wdf.sap.corp>
Date: Tue, 02 Apr 2013 11:27:02 -0700
Message-ID: <033501ce2fcf$ac7f4240$057dc6c0$@ditenity.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQHx4eyEpd/6Zj56FRQIgRRUnDLZ4ph72W3w
Content-Language: en-us
X-Gm-Message-State: ALoCoQnYiimTynAUhdcwtPA5qodoNeulDOYWPWxT0GSO0JIW+Rg1rSgUh6r/XD0Gz6x6jKti+Kgl
Cc: 'Stefan Santesson' <stefan@aaa-sec.com>, sts@aaa-sec.com, pkix@ietf.org
Subject: Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2013 18:27:13 -0000

> The original guidance in rfc2560 for thisUpdate/nextUpdate is fine with
me.

[Piyush] Which original guidance? There is a note that says that these
values correspond to the values in the CRL.
> 

> You specific guidance on nextUpdate := current Time is actually
problematic!
>   http://tools.ietf.org/html/rfc2560#section-4.2.2.1
> 
>                Responses whose nextUpdate value is earlier than
>    the local system time value SHOULD be considered unreliable.
> 
> because a nextUpdate = "current Time" on the OCSP responder may often
> result in nextUpdate < "current Time" on the OCSP client when processing
> the OCSP response.
[Piyush] Servers typically add a skew and clients typically assume a skew
when they process the response.
> 
> The semantics that you might have been looking for is "nextUpdate not
set".
> 
[Piyush] Agreed. Not set implies newer responses are available all the time.

> 
> I believe, however, that the OCSP responder should not return "nextUpdate
> not set" for the not-issued situation if it would return nextUpdate
several
> hours or days into the future for "good", "unknown"
> or CRL-originated "certificateHold" situations.
>
[Piyush] What is the reason for this belief? I bet it contradicts with the
rationale behind marking the reason code as "onHold".

 
> 
> -Martin

v2.23.0 | Report a Bug | By Email