Re: [pkix] Straw-poll on OCSP responses for non-revoked certificates.

Yoav Nir <ynir@checkpoint.com> Tue, 30 October 2012 14:26 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: "Miller, Timothy J." <tmiller@mitre.org>
Date: Tue, 30 Oct 2012 16:26:28 +0200
Message-ID: <819475F6-36E9-467E-8D3F-BB61CCA731F2@checkpoint.com>
References: <CCB55CA3.52588%stefan@aaa-sec.com> <71C9EC0544D1F64D8B7D91EDCC62202005EB6544@NABSREX027324.NAB.ORG> <195DB2510AAA004391F58E28FCE21200066E2071@IMCMBX01.MITRE.ORG>
In-Reply-To: <195DB2510AAA004391F58E28FCE21200066E2071@IMCMBX01.MITRE.ORG>
Cc: "pkix@ietf.org" <pkix@ietf.org>

On Oct 30, 2012, at 4:07 PM, Miller, Timothy J. wrote:

>> 3) Neither. Add new optional response = unissued.
> 
> UNKNOWN would satisfy in this case, but that wasn't a poll option.  :)
> 
> I disagree in re: lying.  The OCSP responder can respond REVOKED and the CA could add it to the CRL afterward, and a relying party wouldn't be able to tell the difference.

An OCSP query does not reveal the CDP, so the CA wouldn't know which CRL to update.

If it did work, that would be a good way to attack the CA - every request ends up as an entry in the CRL. How quickly can we get to gigabyte-sized CRLs?
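Added example, not part of the message above or of any PKIX specification: the Python below builds an unsigned OCSPRequest per RFC 6960 section 4.1.1 with a hand-rolled DER encoder and parses it back, so you can see that the only per-certificate data a responder (and therefore the CA behind it) receives is the hashed issuer name, the hashed issuer key and the serial number; nothing in the request carries a CRL distribution point. The issuer name and key bytes are constructed placeholders, not a real CA.

```python
import hashlib

def der(tag, body):
    """DER TLV with short- or long-form length (enough for the OCSP structures below)."""
    n = len(body)
    if n >= 0x80:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb)]) + lb + body
    return bytes([tag, n]) + body

def der_int(n):  # INTEGER: two's complement, minimal length, leading 0x00 when the top bit is set
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def parse_tlv(buf, pos=0):
    """Return (tag, value, end) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

# AlgorithmIdentifier for SHA-1 (OID 1.3.14.3.2.26), the hash used in RFC 6960's CertID examples
SHA1_ALGID = der(0x30, der(0x06, bytes.fromhex("2b0e03021a")) + der(0x05, b""))

def build_ocsp_request(issuer_name_der, issuer_key_bits, serial):
    """OCSPRequest (RFC 6960 4.1.1): one Request, default version, no signature or extensions."""
    cert_id = der(0x30, SHA1_ALGID
                  + der(0x04, hashlib.sha1(issuer_name_der).digest())  # issuerNameHash
                  + der(0x04, hashlib.sha1(issuer_key_bits).digest())  # issuerKeyHash
                  + der_int(serial))                                   # serialNumber
    request_list = der(0x30, der(0x30, cert_id))  # SEQUENCE OF Request { reqCert CertID }
    return der(0x30, der(0x30, request_list))     # OCSPRequest { TBSRequest { requestList } }

def cert_ids(request_der):
    """Everything a responder learns about the certificate from such a request."""
    _, tbs, _ = parse_tlv(request_der)  # OCSPRequest.tbsRequest
    _, body, _ = parse_tlv(tbs)         # TBSRequest contents (version and requestorName absent)
    _, req_list, _ = parse_tlv(body)    # requestList
    out, pos = [], 0
    while pos < len(req_list):
        _, request, pos = parse_tlv(req_list, pos)
        _, cid, _ = parse_tlv(request)  # Request.reqCert
        _, alg, p = parse_tlv(cid)
        _, name_hash, p = parse_tlv(cid, p)
        _, key_hash, p = parse_tlv(cid, p)
        _, serial, _ = parse_tlv(cid, p)
        out.append({"hashAlgorithm": alg.hex(), "issuerNameHash": name_hash.hex(), "issuerKeyHash": key_hash.hex(),
                    "serialNumber": int.from_bytes(serial, "big", signed=True)})
    return out

# Constructed sample issuer (not a real CA): Name = SEQUENCE { SET { SEQUENCE { cn, "Example CA" } } }
ISSUER_NAME = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x13, b"Example CA"))))
ISSUER_KEY_BITS = b"constructed placeholder, not a real subjectPublicKey"
```

`cert_ids(build_ocsp_request(ISSUER_NAME, ISSUER_KEY_BITS, serial))` returns exactly the four CertID fields, which is why a responder that answers "revoked" for an unissued serial has nothing to tell the CA about which CRL the entry would belong to.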