Re: [pkix] Should a CRL be required for an OCSP service provider to assert status.
daniel bryan <danbryan80@gmail.com> Thu, 09 June 2016 18:30 UTC
Return-Path: <danbryan80@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18E8B128B44 for <pkix@ietfa.amsl.com>; Thu, 9 Jun 2016 11:30:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level:
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1nS0i6az1t8C for <pkix@ietfa.amsl.com>; Thu, 9 Jun 2016 11:30:54 -0700 (PDT)
Received: from mail-vk0-x236.google.com (mail-vk0-x236.google.com [IPv6:2607:f8b0:400c:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B85E0127058 for <pkix@ietf.org>; Thu, 9 Jun 2016 11:30:53 -0700 (PDT)
Received: by mail-vk0-x236.google.com with SMTP id g67so66942112vkb.3 for <pkix@ietf.org>; Thu, 09 Jun 2016 11:30:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=igmwmi8Q2LJd9+nqZjR2rPqaiMPkGKD32oPR2SvCNk0=; b=hi+48nwKwzcttH6DWxZ5O+I4squd9XTjvRc25seREYbeKK40+JgxvNXiHVWNeMI7MA AL2moDMrqYWwMxT402kDZVB1Nox4JgBMrJvlCsyMOIiMXVt7/tVoDjObEQESqRCqX9sS IXdCmfQThaMyDObbwEy4uAymoBAePPOLD236ZXskb4pZ68tfMZGamlJ7XjsvGzfjr6eb dfMsXqTf9ryGV+5luW1WbuGz+CMzrJYrOrn2XMVNYGOM5gex50397xAdge/T4g7YW7hB +qLL0zCtw+KPs9o6PXeX0J2VgpqaMlWoS5gbIIaeO30T8XIa32GCFpw9pTApmzg+44e/ AdCQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=igmwmi8Q2LJd9+nqZjR2rPqaiMPkGKD32oPR2SvCNk0=; b=DO9WYlPkhQO+hQiP4YDq65izzR9zVoi9bp2LIsx6BfTJ2yMEHFtFFJ6CrgHUmDzcg6 Op74Kyf4o3fqq2OgwBEcfxsCO1v/5Rg4THlawDNzX3Jt4rXFHL1AyaFjoQp0O3TzgQ15 LH+e1MGVUuMXG8X3eTKcCkNazCFR8UIZDcE9oJph5I6Se7sw3D7VlCFReITES9j1DcU8 q7PaGBiRY5+eDFdvDNEvR90aaX7zwvJBRLYp0FJ9I3oUBgaXVKgGmhAXqEg9+fkEJkOO SE+Yrj4haObGWKJbf0+vZavXjGrf0kDxMr8PA+dSDQgH7f7MGTLeP6ay3ywjElHLg7oN rrEA==
X-Gm-Message-State: ALyK8tKZVDJ2xaqC0hxoXCV6GPOq5FG9FpaXVXZwNB/AKwCHvbsbA02DTUO0NTmdHgl6r+l1E568a1XGeKPkSQ==
X-Received: by 10.31.136.194 with SMTP id k185mr5294058vkd.2.1465497052711; Thu, 09 Jun 2016 11:30:52 -0700 (PDT)
MIME-Version: 1.0
References: <CAJKvcBQq_uK3H_R4Twa9T7xPO-=ySTT1aS049b9QFYGhjsP+xg@mail.gmail.com> <201606091329.u59DTRJ2025745@mail.nbusr.sk>
In-Reply-To: <201606091329.u59DTRJ2025745@mail.nbusr.sk>
From: daniel bryan <danbryan80@gmail.com>
Date: Thu, 09 Jun 2016 18:30:43 +0000
Message-ID: <CAJKvcBQJp8syy8-AY0xez4K8KTeZLuNoVs4MWOn2CT+67gXsbg@mail.gmail.com>
To: Peter Rybár <peter.rybar@nbusr.sk>, pkix@ietf.org
Content-Type: multipart/alternative; boundary="001a11441b7c3f16c80534dc9fb6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/9G6xYy60e1BHOrX_Woay0K2wZu0>
Cc: peterryb@gmail.com
Subject: Re: [pkix] Should a CRL be required for an OCSP service provider to assert status.
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jun 2016 18:30:57 -0000
Thanks for such a detailed response. I believe i understand what your saying, but I want to resay it just to make sure. Point 1: The first point you say is that "This update" should be based on the most recent time at which the status is known to be correct to the responder. Suppose the following case. The CA makes the status known via a CRL. It publishes a CRL june 9th at 12am UTC. The next CRL will be published 12 hours later (June 9th 12pm). The OCSP service is asked for the status of this certificate june 9th at 6am. It sounds like your saying the proper response for the OCSP service to return in the this update field is the time on the CRL (june 9th @12am) because we don't "know" if any revocation took place between 12am and 6am, and we wont find out for 6 more hours. We would still use jun 9th@6am for the "produced at" time, but not "this update" Am i understanding this point right? Regarding Question 1: should the ocsp service be able to say revoked if the CA hasnot/will not revoke the cert. It sounds like your saying yes. As long as the CA has authorized the service to respond on it's behalf, it's ok if the status of the CA database, is different from the ocsp service. Regarding question 2: should the ocsp service be able to assert good.. It sounds like your saying, it's ok for it to assert good, as long as it was learned from an authorized source, for example, if the CA allows the ocsp service to view the database of issued certs. But it is NOT ok for the OCSP service to just say good, when it has no idea if the cert was issued or valid. This is also semi related to pre-computed databases. Alot of OCSP service software allows you to "assume" certs are good as long as they are not on a CRL. for example, if the CA issued certs 0x1to 0x500 and only revoked serial 0x100. the software allows you to assume good based on the CRL. you might say that you want to assume 500 up, and 500 down as good. so 0x1 to 0x600 would be good (with the exception of the revoked 0x100) But in reality, serials 501 - 600 have never been issued. I can see the certhash extension being of use here also. Overall, it sounds like your saying, it is absolutely against standard to assume a cert is good, unless you have been explicitly told by the CA that its been issued and is not revoked. Am i understanding this right? On Thu, Jun 9, 2016 at 9:29 AM Peter Rybár <peter.rybar@nbusr.sk> wrote: > Dear Daniel, > > > > You must provide also the correct time value in the *thisUpdate* OCSP > field. > > > > When the validations are expected in the online system, e.g. the system > based on SSL/TLS, then the system uses directly or imaginary the value of > acceptable calculated risk. > http://www.dictionary.com/browse/calculated-risk > > The calculated risk, in this case, is the interval between the time value > (the present time in the online system) and the time value in *thisUpdate* > field. > > > > *- Q1: Should an OCSP service provider be able to assert a status of > revoked when the serial is not revoked on the CA.* > > > > This case is already define in ISO/ITU-T X.509 as an *authorization*. > > See Clause 7.10 > http://www.itu.int/itu-t/recommendations/rec.aspx?rec=X.509 > > „This revocation and a notification of the revocation may be done directly *by > the same authority that issued the certificate*, or indirectly *by > another authority duly authorized* by the authority that issued the > certificate.“ > > > > The trusted authorization is usually declared at a upper level. > > E.g. in a globally accessible European Union trusted list. > > See http://ep.nbusr.sk/kca/tsl/tlX509XMLSchemaDocumentation.pdf > > > > *- Q2: Should an OCSP service provider be able to assert a status of good > for a truly valid issued certificate when no CRL has been created by the CA* > > This case is also already covered e.g. by European legislation where the > CA store the certificates in the CA database and the CA database contains > also the certificate status. > > OCSP response is directly created according to information from this > database. > > > > For more information see the document in the attachment. > > > > The eIDAS Regulation (EU) No 910/2014 > http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32014R0910 > > > > Article 24(2) point (k): in case of qualified trust service providers > issuing qualified certificates, establish and keep updated a *certificate > database*. > > > > Article 24(3): If a qualified trust service provider issuing qualified > certificates decides to revoke a certificate, it *shall register* such > *revocation* in *its certificate database* and publish the revocation > status of the certificate in a timely manner, and in any event *within 24 > hours* after the receipt of the request. The revocation shall become > effective immediately upon its publication. > > > > Article 24(4): With regard to paragraph 3, qualified trust service > providers issuing qualified certificates shall provide to any relying party > information on the *validity* or *revocation* status of qualified > certificates issued by them. This information shall be made available at > least *on a per certificate basis at any time and beyond the validity > period* of the certificate in an automated manner that is reliable, free > of charge and efficient. > > > > The OCSP response is already able to cover the requirements like "beyond > the validity period of the certificate" with the one of the two already > used OCSP response extensions in the real systems: > > • *CertHash* OCSP single extension, see > http://www.common-pki.org/uploads/media/Common-PKI_v2.0.pdf > > • *ArchiveCutoff* OCSP extension, see RFC 6960 > https://tools.ietf.org/html/rfc6960#section-4.4.4 > > > > The *CertHash* - OCSP single extension is mandatory in some EU member > states. > > > > OCSP - *CertHash* is the hash value of the certificate whose status is > returned by the OCSP response (Common PKI extensions *CertHash* (positive > statement), Clause 3.1.2, Common PKI Specification V2.0). If this extension > is found in the OCSP response, then the certificate status is known for > OCSP and the hash value ensures the integrity by currently secure hash > algorithm. > > > > ITU-T/ISO standard for X.509 certificates and RFC 6960 define the rules > for CRL and OCSP response. > > RFC 6960: > > " > > *thisUpdate* - The most recent time at which the status being > indicated is known by the responder to have been correct. > > *nextUpdate* - The time at or before which newer information will be > available about the status of the certificate. > > *producedAt* - The time at which the OCSP responder signed this > response. > > *revocationTime* - The time at which the certificate was revoked or > placed on hold. > > > > If *nextUpdate* is not set, the responder is indicating that newer > revocation information is available all the time. > > " > > > > Best regards, > > Peter > > > > > > *From:* pkix [mailto:pkix-bounces@ietf.org] *On Behalf Of *daniel bryan > *Sent:* Wednesday, June 8, 2016 10:22 PM > *To:* pkix@ietf.org > *Subject:* [pkix] Should a CRL be required for an OCSP service provider > to assert status. > > > > So i ran into an interesting situation today that sparked a conversation. > Suppose we have a development CA that has issued 2 certificates. The first > is a SSL webserver cert, and the second is the OCSP Signing certificate > allowing our OCSP service to assert status. The CA has NOT created or > published a CRL. The software we are researching allows a lot of > flexibility in how the ocsp database is created. One of the configuration > options is to compute the database based on a list of serial numbers that > we know the CA says has/will issue. So for example I know this CA has > issued the server cert (serial 0x12345) so I choose to compute 0x12345 as > good. I also choose to make the OCSP response this update value = to the > response creation time, as well as the validity to be a static 10 days from > the response creation. The vendor tool fails to create a database because a > CRL is not present. During my discussion with the vendor, they said, > although they could technically create a database without the CRL in this > case, they don't feel that they have the authority to do so. But, on the > contrary, they also allow the OCSP service owner to perform "instant > revocation" which marks a serial as revoked regardless if the CA owner > revokes the serial, or publishes a CRL. My initial thought is an OCSP > service should be able to assert any status as long as the CA has delegated > authority to the service via the OCSP Signing certificate. > > Ok, with that whole semi organized info dump about what I know here are > the official questions. > > *Q1: Should an OCSP service provider be able to assert a status of revoked > when the serial is not revoked on the CA.* > > > *Q2: Should an OCSP service provider be able to assert a status of good > for a truly valid issued certificate when no CRL has been created by the CA* > > I would like to know if their our any standards out there that provide > guidance on this subject. >
- Re: [pkix] Should a CRL be required for an OCSP s… Stephen Kent
- Re: [pkix] Should a CRL be required for an OCSP s… Martin Rex
- Re: [pkix] Should a CRL be required for an OCSP s… Stephen Kent
- Re: [pkix] Should a CRL be required for an OCSP s… Peter Bowen
- Re: [pkix] Should a CRL be required for an OCSP s… Erwann Abalea
- Re: [pkix] Should a CRL be required for an OCSP s… Stephen Kent
- [pkix] Should a CRL be required for an OCSP servi… daniel bryan
- Re: [pkix] Should a CRL be required for an OCSP s… Peter Rybár
- Re: [pkix] Should a CRL be required for an OCSP s… Stephen Kent
- Re: [pkix] Should a CRL be required for an OCSP s… daniel bryan
- Re: [pkix] Should a CRL be required for an OCSP s… David A. Cooper
- Re: [pkix] Should a CRL be required for an OCSP s… Martin Rex