Re: [pkix] Optimizing OCSP - Time for some spec work ?

Niklas Matthies <> Sun, 27 October 2019 22:13 UTC


On Sat 2019-10-26 at 11:07h, Peter Gutmann wrote on pkix:
>Niklas Matthies <> writes:
>>To make the additional responses optional (controlled by the client), a
>>corresponding request extension could be defined. Hence that aspect could be
>>covered by specifying a profile of the current OCSP protocol.
>You could also do a simpler version where the responder includes an extension
>that says "I've checked the entire chain from the cert you requested all the
>way up to the root.  You're welcome".  It'd be fully compatible with current
>deployments, and if clients are able to process the extension they get extra
>value from it.

In my opinion that's highly dubious, as it reverses the chain of 
trust. Even if you trust the responder to have performed that check 
correctly, you first have to validate the responder's signature before 
you can trust the (signed) extension to be authentic, and for that you 
have to validate the responder's certificate chain, which includes the 
CA that issued the certificate being revocation-checked, and hence 
whose validity the extension is supposed to confirm. This effectively 
creates a cyclic dependency of trust.

Suppose that the responder has been compromised (and that it has the 
ocsp-nocheck extension): Then if the CA certificate is revoked due to 
that compromise, a client trusting the extension won't notice, as the 
compromised responder will happily (and falsely) assert that it has 
successfully checked the CA chain.

>>OCSP responses are allowed to include additional single responses 
>>that weren't explicitly requested by the client, see RFC 6960 section 
>> last paragraph.
>At one point this was tested and it was found that the number of
>responders/clients who could handle more than one entry per OCSP 
>query and who hadn't been set up explicitly to work with the 
>Identrus trust model, which requires multiple entries, was 
>approximately zero. 

Having implemented such a client myself, I have to concur. :)
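
The cyclic dependency and the compromised-responder case argued above can be modelled as a small dependency graph. This is an added example, not part of the original message; it is a toy model with no real OCSP parsing or cryptography, and all fact names and function names in it are assumptions made for illustration.

```python
# Added illustration: toy model, no real cryptography or OCSP parsing.
# Each fact the client must establish maps to the facts it depends on.
EXTENSION_MODEL = {  # client relies on the proposed "chain checked" extension
    "leaf not revoked": ["OCSP response authentic"],
    "CA not revoked": ["chain-checked extension authentic"],
    "chain-checked extension authentic": ["OCSP response authentic"],
    "OCSP response authentic": ["responder certificate valid"],
    # The responder certificate is issued by the CA and carries ocsp-nocheck.
    "responder certificate valid": ["CA not revoked"],
}
INDEPENDENT_MODEL = dict(EXTENSION_MODEL)
# Here the client gets the CA's status from the CA's own issuer instead.
INDEPENDENT_MODEL["CA not revoked"] = ["root-signed status for CA"]


def find_cycle(deps, start):
    """Return the first dependency cycle reachable from start, or None."""
    path = []

    def visit(node):
        if node in path:  # node depends (transitively) on itself
            return path[path.index(node):] + [node]
        path.append(node)
        for nxt in deps.get(node, ()):
            cycle = visit(nxt)
            if cycle:
                return cycle
        path.pop()
        return None

    return visit(start)


def client_accepts(trusts_extension, ca_revoked, responder_compromised):
    """Outcome for a leaf whose issuing CA may have been revoked by the root."""
    # Whoever holds the responder key produces a response whose signature
    # verifies; with ocsp-nocheck the responder certificate is not checked.
    chain_checked_claim = True if responder_compromised else not ca_revoked
    if trusts_extension:
        return chain_checked_claim  # CA status taken from the responder
    return not ca_revoked           # CA status taken from the root


if __name__ == "__main__":
    print(find_cycle(EXTENSION_MODEL, "CA not revoked"))
    print(find_cycle(INDEPENDENT_MODEL, "CA not revoked"))
    print(client_accepts(True, ca_revoked=True, responder_compromised=True))
    print(client_accepts(False, ca_revoked=True, responder_compromised=True))
```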