Re: [pkix] New draft-ietf-pkix-rfc2560bis-06
Erwann Abalea <eabalea@gmail.com> Tue, 23 October 2012 11:24 UTC
Return-Path: <eabalea@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C5D921F86D5 for <pkix@ietfa.amsl.com>; Tue, 23 Oct 2012 04:24:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J3+wE4jVNnDl for <pkix@ietfa.amsl.com>; Tue, 23 Oct 2012 04:24:57 -0700 (PDT)
Received: from mail-la0-f44.google.com (mail-la0-f44.google.com [209.85.215.44]) by ietfa.amsl.com (Postfix) with ESMTP id B1BB021F86CF for <pkix@ietf.org>; Tue, 23 Oct 2012 04:24:56 -0700 (PDT)
Received: by mail-la0-f44.google.com with SMTP id b11so2596061lam.31 for <pkix@ietf.org>; Tue, 23 Oct 2012 04:24:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=6z1PDPOQr1bI8lKYZFiKwYGZ9JyYyTxoaVVudNlGs/I=; b=sQkX1SVOeF+A3shqWrfOn0TdglYlfKt00lCpzZUnJkBnz0Tfmnyan2/aNS+zARFpEr e4JO5LK55olVt72rPAJGwtRL+jIhBGKYI5WcqmXJjHJJShWyNU591SPJTQ7kkKUDyu7+ pjSzETYw5xD2/UuScATK+GpPAxeFnant8W/iNgJiOYBis0/ePrL+nGuXl8nBBeaqCe2e VlpZxdhWUGCiP2jItSu7Cbu71U7j7TfFYYGtx06D6xBjOpMbXWHZeUek1Fd8kNKR/gZT yOtpnKdgkDI6knl0jH5ZjWW0Rq73HkCn/O2T1wW7s/QrdiaFj4uF5+z+nPtylF8F1Otd wC6A==
MIME-Version: 1.0
Received: by 10.112.38.65 with SMTP id e1mr5071923lbk.15.1350991495432; Tue, 23 Oct 2012 04:24:55 -0700 (PDT)
Received: by 10.114.25.74 with HTTP; Tue, 23 Oct 2012 04:24:55 -0700 (PDT)
In-Reply-To: <20121023103829.53FA01A2EE@ld9781.wdf.sap.corp>
References: <CA+i=0E7PGJgKb59djvanGR96WSbOyUe75=YsGM1ab=FZx_REnQ@mail.gmail.com> <20121023103829.53FA01A2EE@ld9781.wdf.sap.corp>
Date: Tue, 23 Oct 2012 13:24:55 +0200
Message-ID: <CA+i=0E5EjhvqU+4fdtiEMO-gjGqjrSkbZ30S19VvgYie97jG5w@mail.gmail.com>
From: Erwann Abalea <eabalea@gmail.com>
To: mrex@sap.com
Content-Type: multipart/alternative; boundary="e0cb4efe31182e0a2204ccb838cd"
Cc: Peter Rybar <peterryb@gmail.com>, pkix@ietf.org, Stefan Santesson <stefan@aaa-sec.com>
Subject: Re: [pkix] New draft-ietf-pkix-rfc2560bis-06
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Oct 2012 11:24:58 -0000
2012/10/23 Martin Rex <mrex@sap.com> > Erwann Abalea wrote: > >> CertificateHold is EXACTLY the correct ReasonCode: > >> It indicates that the CA has not issued a cert with the given serial > >> *YET*, but it MAY eventually issue such a cert in the future > >> (sometimes even in the _very_next_future_ ... i.e. it is about > >> to become visible to the OCSP responder, but not visible yet). > > > > No. It indicates that the corresponding (existent) certificate has been > put > > on hold. > > You're asking the CA to assert a status for a non-existent certificate. > > Where exactly does X.509 or PKIX require that a serial on a CRL > will have to refer to an existing cert, i.e. one that the CA has > positive proof to have issued. I (now) believe this is a completely > flawed assumption. > X.509, 7.3 revokedCertificates identifies certificates that have been revoked. The revoked certificates are identified by their serial numbers. CRL as in "Certificate Revocation List", not as in "inexistent Certificate Revocation List". Fraudulently producing certificates is bad, but producing a CRL for nonexistent certificate is good? CRLs and OCSP only assert a state to a certificate serial. > Infering about existance/noexistance of certs is a logical fallacy. The certificate is identified by its serial number (along with its issuer name, of course). What is the meaning/value of a serial number that doesn't identify anything? > > What's next? Ask CAs to sign the next OCSP response with a > "removeFromCRL" > > code for dumb serial numbers for which they replied "certificateHold"? > Why > > not also add a holdInstructionCode extension to the OCSP response, and > > define proper codes? > > removeFromCRL doesn't make sense in an OCSP response, because OCSP does > not hand out CRLs. > But holdInstructionCode could make sense, right? > The number of bogus requests far outweighs the number of bad certificates. > > In our case, as a public CA, it even outweighs the number of good public > > certificates we produced. > > > > Asking for a signed response to a bogus request gives anonymous attackers > > much power. Consider big CAs that receive billions of OCSP requests a > week, > > or even a day (that's reality). Do you really consider that asking for > > billions of signatures a day for bogus requests, asserting an > authoritative > > status for nonexistent certificate is the right thing to do? > > > > With my "CA" hat, I see that OCSP is a hidden cost, and you want to make > it > > more costly. > > > Having an OCSP responder look at cert issuance logs and produce an > intelligible, risk-reducing response rather that an entirely useless > response will be a completely optional feature! > > Nobody is pushing *YOU* to have your OCSP responder adopt this. > > But why are you so obsessed in denying others that possibility? > > > If you're concerned about the load of creating signatures > for "not issued" requests, you may want to talk to Denis first, > who proposed to create signatures on errors, and in particular on > "not authorized" errors (which includes requests for status of > certs from other CAs). > I apologize if I offended you, I'm not pointing at you personally, just replying to the thread. I choose an anchor and it was one of your posts, nothing more. I have nothing against a "positive assertion", maybe the hash of the certificate for which the responder produces a good answer. If the responder can have access to an issuance log and pick useful authoritative information from it and optionally deliver it with the response, I'm fine. Asking for a signed response from a bogus request is different. The thread then slept into producing a revoked response for bogus requests, and discussing about what could a plausible reason code and revocation date be. I believe that a well-behaving CA shouldn't produce a CRL containing random serial numbers provided by anonymous requesters. By extension, I believe that a well-behaving OCSP responder shouldn't assert anything authoritative (either good or revoked) about a random serial number. That's a fail for the "good" response because an OCSP responder can be based on a blacklist, I don't think that changing "good" into "revoked" is the right way to solve this problem. -- Erwann.
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Denis Pinkas
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Simon Tardell
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Denis Pinkas
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Denis Pinkas
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Simon Tardell
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Simon Tardell
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Denis Pinkas
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Peter Rybar
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- [pkix] Straw-poll on OCSP responses for non-revok… Stefan Santesson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Yngve Nysaeter Pettersen
- Re: [pkix] Straw-poll on OCSP responses for non-r… Yoav Nir
- Re: [pkix] Straw-poll on OCSP responses for non-r… Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Miller, Timothy J.
- Re: [pkix] Straw-poll on OCSP responses for non-r… David Chadwick
- Re: [pkix] Straw-poll on OCSP responses for non-r… Art Allison
- Re: [pkix] Straw-poll on OCSP responses for non-r… Miller, Timothy J.
- Re: [pkix] Straw-poll on OCSP responses for non-r… Santosh Chokhani
- Re: [pkix] Straw-poll on OCSP responses for non-r… Erwann Abalea
- Re: [pkix] Straw-poll on OCSP responses for non-r… Yoav Nir
- Re: [pkix] Straw-poll on OCSP responses for non-r… Peter Rybar
- Re: [pkix] Straw-poll on OCSP responses for non-r… Paul Hoffman
- Re: [pkix] Straw-poll on OCSP responses for non-r… Juan Gonzalez
- Re: [pkix] Straw-poll on OCSP responses for non-r… Max Pritikin (pritikin)
- Re: [pkix] Straw-poll on OCSP responses for non-r… Simon Tardell
- Re: [pkix] Straw-poll on OCSP responses for non-r… Carl Wallace
- Re: [pkix] Straw-poll on OCSP responses for non-r… Paul Hoffman
- Re: [pkix] Straw-poll on OCSP responses for non-r… Rick Robinson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Jeremy Rowley
- Re: [pkix] Straw-poll on OCSP responses for non-r… Melinda Shore
- Re: [pkix] Straw-poll on OCSP responses for non-r… Martin Rex
- Re: [pkix] Straw-poll on OCSP responses for non-r… Russ Housley
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] Straw-poll on OCSP responses for non-r… Tom Ritter
- Re: [pkix] Straw-poll on OCSP responses for non-r… Dr Stephen Henson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Ryan Sleevi
- Re: [pkix] Straw-poll on OCSP responses for non-r… Johannes Merkle
- Re: [pkix] Straw-poll on OCSP responses for non-r… Denis Pinkas
- Re: [pkix] Straw-poll on OCSP responses for non-r… Art Allison
- Re: [pkix] Straw-poll on OCSP responses for non-r… Ryan Hurst
- Re: [pkix] Straw-poll on OCSP responses for non-r… Ben Wilson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] Straw-poll on OCSP responses fornon-re… Art Allison
- [pkix] Proposed resolution to non-issued certific… Stefan Santesson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Tom Ritter
- Re: [pkix] Proposed resolution to non-issued cert… Tom Ritter
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… David A. Cooper
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Peter Gutmann
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Phillip Hallam-Baker
- Re: [pkix] Proposed resolution to non-issued cert… David A. Cooper
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Peter Rybar
- Re: [pkix] Proposed resolution to non-issued cert… Simon Tardell
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… David A. Cooper
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Peter Rybar
- Re: [pkix] Proposed resolution to non-issued cert… Simon Tardell
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Martin Rex
- Re: [pkix] Proposed resolution to non-issued cert… Martin Rex
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Martin Rex
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Straw-poll on OCSP responses for non-r… Tom Gindin
- Re: [pkix] Straw-poll on OCSP responses for non-r… Phillip Hallam-Baker