IETF Logo Mail Archive

Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15

Sean Turner <turners@ieca.com> Mon, 08 April 2013 20:23 UTC

Return-Path: <turners@ieca.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C743221F8E36 for <pkix@ietfa.amsl.com>; Mon, 8 Apr 2013 13:23:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.227
X-Spam-Level:
X-Spam-Status: No, score=-102.227 tagged_above=-999 required=5 tests=[AWL=0.038, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PN7Nb5PQbC+g for <pkix@ietfa.amsl.com>; Mon, 8 Apr 2013 13:23:11 -0700 (PDT)
Received: from gateway02.websitewelcome.com (gateway02.websitewelcome.com [67.18.65.20]) by ietfa.amsl.com (Postfix) with ESMTP id E4E0D21F8D8F for <pkix@ietf.org>; Mon, 8 Apr 2013 13:23:10 -0700 (PDT)
Received: by gateway02.websitewelcome.com (Postfix, from userid 5007) id E3C7EDB029166; Mon, 8 Apr 2013 15:23:05 -0500 (CDT)
Received: from gator1743.hostgator.com (gator1743.hostgator.com [184.173.253.227]) by gateway02.websitewelcome.com (Postfix) with ESMTP id D309FDB0290F8 for <pkix@ietf.org>; Mon, 8 Apr 2013 15:23:05 -0500 (CDT)
Received: from [108.45.16.214] (port=53222 helo=thunderfish.local) by gator1743.hostgator.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.80) (envelope-from <turners@ieca.com>) id 1UPIas-00035X-6W; Mon, 08 Apr 2013 15:23:10 -0500
Message-ID: <5163272D.9040507@ieca.com>
Date: Mon, 08 Apr 2013 16:23:09 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: Peter Rybar <rybar@nbusr.sk>
References: <201304030835.r338ZbNb012706@mail.nbusr.sk>
In-Reply-To: <201304030835.r338ZbNb012706@mail.nbusr.sk>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator1743.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (thunderfish.local) [108.45.16.214]:53222
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 17
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IxNzQzLmhvc3RnYXRvci5jb20=
Cc: pkix@ietf.org, sts@aaa-sec.com, 'Stefan Santesson' <stefan@aaa-sec.com>
Subject: Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2013 20:23:13 -0000

Peter,

The ocsp responder can only act on the information it has.  If the 
responder knows that the certificate was issued, then it wouldn't send a 
response indicating the status it knows about (good/revoked/unknown); if 
it's revoked it won't include the special revovationTime.  If the 
responder doesn't know the certificate was issued before time X, then 
the response will include the revoked with the special revocationTime. 
If the client goes back later and asks again, the responder now can 
respond indicating the status it knows about (good/revoked/unknown); if 
it's revoked it won't include the special revocationTime.

I don't see any requirement in RFC 2560 or 2560bis for clients to order 
requests according to thisUpdate.

spt

On 4/3/13 4:35 AM, Peter Rybar wrote:
> Yes, "revoked" response for certificate serial number that is not associated with issued certificate can confuse validations systems.
>
> When is used the "revoked" response for certificate serial number that is not associated with issued certificate and the OCSP thisUpdate value is actual time X and real certificate was issued in some short time before X then it will be a real confusion for clients ordering responses according to OCSP thisUpdate value when OCSP database will be later updated with a real issued certificate with the same serial number.
>
> To avoid it the value of thisUpdate of not issued cert must be older then thisUpdate of real certificate with the same serial number.
>
> Peter
>
> -----Original Message-----
> From: Martin Rex [mailto:mrex@sap.com]
> Sent: Wednesday, April 03, 2013 10:11 AM
> To: Peter Rybar
> Cc: 'Andris Berzins'; 'Piyush Jain'; 'Stefan Santesson'; sts@aaa-sec.com; pkix@ietf.org
> Subject: Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15
>
> Peter Rybar wrote:
>>
>> When is used the "revoked" response for certificate serial number that
>> is not associated with issued certificate then the OCSP nextUpdate
>> field is not used and OCSP thisUpdate field is better to be set to some
>> strange value or to proposed value of issuer CA cert notBefore.
>
> I strongly disagree and consider this a bad idea.
>
> There is already a special value assigned to the revocationDate.
> Messing around with thisUpdate/nextUpdate is not going to provide
> any additonal value, but will cause confusion, be incompatible with
> the rfc2560-defined semantics of thisUpdate/nextUpdate and may even
> cause problems -- depending on the ordering of the checks performed
> while processing an OCSP response.
>
> -Martin
>
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix
>

v2.23.0 | Report a Bug | By Email