IETF Logo Mail Archive

Re: [pkix] Straw-poll on OCSP responses for non-revoked certificates.

"Max Pritikin (pritikin)" <pritikin@cisco.com> Tue, 30 October 2012 15:59 UTC

Return-Path: <pritikin@cisco.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 820DA21F85C1 for <pkix@ietfa.amsl.com>; Tue, 30 Oct 2012 08:59:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NEqpaoAmLnpE for <pkix@ietfa.amsl.com>; Tue, 30 Oct 2012 08:59:53 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) by ietfa.amsl.com (Postfix) with ESMTP id 7129E21F85A0 for <pkix@ietf.org>; Tue, 30 Oct 2012 08:59:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4914; q=dns/txt; s=iport; t=1351612793; x=1352822393; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=dOLdQf5vBkMiAThP5fS6ncTUonavt50h1M8OxP1gLuw=; b=BLeBytDGlmW7zZXQ0m3rkVOxVHYianhEHjCY/PKhFc4KPZvjNBL3CsXT QHG76ZzVRHKrwNGnbQjFox2qN4DINO5FbKdgIM/gbA85Lo2toRwu1pPi8 sbxCcYvuWMETidkcSox/tBrbQcqTZWRQs4JLF64mIWThD3tiqsOlsrPJU o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAPH3j1CtJXG8/2dsb2JhbABEw0iBCIIeAQEBAwEBAQEPASc0CwULAgEIIhQQJwslAgQOBQgah14GC50Fj2eQOgSLd4V8YQOkTIFrgm+BWwYaAhw
X-IronPort-AV: E=Sophos;i="4.80,679,1344211200"; d="scan'208";a="136940557"
Received: from rcdn-core2-1.cisco.com ([173.37.113.188]) by rcdn-iport-7.cisco.com with ESMTP; 30 Oct 2012 15:59:52 +0000
Received: from xhc-rcd-x10.cisco.com (xhc-rcd-x10.cisco.com [173.37.183.84]) by rcdn-core2-1.cisco.com (8.14.5/8.14.5) with ESMTP id q9UFxq2t030104 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 30 Oct 2012 15:59:52 GMT
Received: from xmb-rcd-x03.cisco.com ([169.254.7.215]) by xhc-rcd-x10.cisco.com ([173.37.183.84]) with mapi id 14.02.0318.001; Tue, 30 Oct 2012 10:59:52 -0500
From: "Max Pritikin (pritikin)" <pritikin@cisco.com>
To: Stefan Santesson <stefan@aaa-sec.com>
Thread-Topic: [pkix] Straw-poll on OCSP responses for non-revoked certificates.
Thread-Index: AQHNto57TRZ+yDCKBkSubPlV/ldcXZfSVemA
Date: Tue, 30 Oct 2012 15:59:51 +0000
Message-ID: <53EA47528D6ACF4486AA152F92C2B6982A5F9E@xmb-rcd-x03.cisco.com>
References: <CCB55CA3.52588%stefan@aaa-sec.com>
In-Reply-To: <CCB55CA3.52588%stefan@aaa-sec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.21.0.199]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19320.004
x-tm-as-result: No--42.702600-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="us-ascii"
Content-ID: <FC35F33A418D614A8EA42F0696599C25@cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "<pkix@ietf.org>" <pkix@ietf.org>
Subject: Re: [pkix] Straw-poll on OCSP responses for non-revoked certificates.
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Oct 2012 15:59:54 -0000

#1 

The system should fail closed. I agree with Paul Hoffman's point that this extends the definition of the 'revoked' response during this protocol exchange which must be noted. I'd also accept a new "unknown, fail closed" type response so long as clients that don't yet understand this new response fail closed.

- max

On Oct 30, 2012, at 3:52 AM, Stefan Santesson <stefan@aaa-sec.com> wrote:

> Before we loose everyone engaged in this, I would like to make a
> straw-poll:
> 
> 
> Background:
> A client may do a request for a certificate that has never been issued by
> the CA.
> This request may be done deliberately, by mistake or as a consequence of a
> compromised CA.
> 
> The OCSP protocol does not require OCSP responders to have any knowledge
> about issued certificates. It must only know about revoked certificates
> that are within it's current validity period. However, some OCSP
> responders closely coupled with the CA may also know if a certificate with
> a particular serialNumber value has been issued or not.
> 
> The following is agreed:
>   - An OCSP responder is allowed to respond "good" to a status request
> for a non-revoked certificate, disregarding if it has ever been issued.
> 
>   - A client, having no additional out-of-band knowledge about the OCSP
> responder, will just know that the certificate is "not revoked" when
> receiving a "good" response, unless the response includes one or more
> response extensions that provides additional information.
> 
> 
> The following is debated:
>   - Is an OCSP responder allowed to respond "revoked" even if a requested
> certificate serial number is not on the list of revoked certificates, IF
> the OCSP responder has positive knowledge that the requested serial number
> does NOT represent a valid certificate issued by the identified CA?
> 
> 
> Rationale for:
> There are a number of reasons to allow this that has been mentioned, such
> as:
> - It breaks nothing. A legitimate request for an issued certificate will
> get a legitimate deterministic response.
> - It's safer. Responding "revoked" may not prevent a compromised CA from
> being exploited. But if a request for a serialNumber that is known to be
> bad is done nevertheless, a "revoked" response will at least be safer than
> responding "good".
> - Allowing extension definitions with further semantics. A response
> extension may be defined in the future that adds more information about
> the requested certificate. This may include a positive confirmation that
> the certificate has been issued as well as information that this
> particular OCSP responder will only respond "good" if it knows that the
> requested certificate has been issued, otherwise it will respond
> "revoked". An extension with such semantics can only be defined if the
> base standard allows a status other than "good" in such situation.
> - Supporting Web-PKI. The CAB-Forum has indicated that they will profile
> the OCSP protocol for use with web server authentication. In such profile
> they have indicated that they will NOT allow the "good" response unless
> the requested certificate is known to have been issued. This means that
> they will require OCSP responder in their infrastructure to have this
> knowledge. Such profile would have to break the base OCSP standard if this
> states that "good" MUST be returned unless the certificate has been
> revoked.
> 
> Rationale against:
> The basic rationale against raised on this list has been the argument that
> it is wrong and confusing to allow anything but "good" as a response to a
> non-revoked certificate (if the cert is issued by a CA that is served by
> this OCSP responder).
> Another strong opinion is that it basically does not solve anything. A
> broken CA is broken and can't be fixed by responding "revoked". It would
> be easy to adapt an attack to circumvent such response, for example by
> issuing a fake certificate that duplicates a legitimate serialNumber.
> 
> 
> Please reply with either:
> 
> 1. Allow "revoked" response for a certificate that has not been "revoked"
> but where that OCSP responder for any other reason knows the certificate
> to be "bad".
> 
> 2. Require that the OCSP responder MUST respond "good" in this situation.
> 
> 3. Neither 1 or 2 (motivate).
> 
> 
> 
> 
> Note: both alternatives are placed in a context where the certificate is
> claimed to be issued by a CA that is served by this OCSP responder. The
> exact meaning of "bad" is for later discussion.
> 
> Please keep any motivation short and do not use this thread for long
> debates.
> 
> 
> 
> 
> 
> 
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix

v2.23.0 | Report a Bug | By Email