IETF Logo Mail Archive

Re: [pkix] Straw-poll on OCSP responses for non-revoked certificates.

Johannes Merkle <johannes.merkle@secunet.com> Wed, 31 October 2012 10:36 UTC

Return-Path: <Johannes.Merkle@secunet.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35A9C21F8785 for <pkix@ietfa.amsl.com>; Wed, 31 Oct 2012 03:36:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M77otcuF12CH for <pkix@ietfa.amsl.com>; Wed, 31 Oct 2012 03:36:34 -0700 (PDT)
Received: from a.mx.secunet.com (a.mx.secunet.com [195.81.216.161]) by ietfa.amsl.com (Postfix) with ESMTP id 6BB8F21F8775 for <pkix@ietf.org>; Wed, 31 Oct 2012 03:36:34 -0700 (PDT)
Received: from localhost (alg1 [127.0.0.1]) by a.mx.secunet.com (Postfix) with ESMTP id CEA411A006F for <pkix@ietf.org>; Wed, 31 Oct 2012 11:36:31 +0100 (CET)
X-Virus-Scanned: by secunet
Received: from mail-srv1.secumail.de (unknown [10.53.40.200]) by a.mx.secunet.com (Postfix) with ESMTP id 3F1CB1A0085 for <pkix@ietf.org>; Wed, 31 Oct 2012 11:36:23 +0100 (CET)
Received: from [10.208.1.73] ([10.208.1.73]) by mail-srv1.secumail.de with Microsoft SMTPSVC(6.0.3790.4675); Wed, 31 Oct 2012 11:36:22 +0100
Message-ID: <5090FF26.8040204@secunet.com>
Date: Wed, 31 Oct 2012 11:36:22 +0100
From: Johannes Merkle <johannes.merkle@secunet.com>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:16.0) Gecko/20121026 Thunderbird/16.0.2
MIME-Version: 1.0
To: pkix@ietf.org
References: <CCB55CA3.52588%stefan@aaa-sec.com>
In-Reply-To: <CCB55CA3.52588%stefan@aaa-sec.com>
X-Enigmail-Version: 1.4.5
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 31 Oct 2012 10:36:22.0987 (UTC) FILETIME=[9264F1B0:01CDB753]
Subject: Re: [pkix] Straw-poll on OCSP responses for non-revoked certificates.
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Oct 2012 10:36:35 -0000

Option 1 with strong support for Paul's request to change the name of this status (e.g. to "revoked or never issued").

While I agree to defining an extension signaling the new semantic, I deem it more important to have an extension
providing positive evidence (not just indication) of the fact that a certificate has been issued, e.g. by including a
hash of the certificate in question.

> It would
> be easy to adapt an attack to circumvent such response, for example by
> issuing a fake certificate that duplicates a legitimate serialNumber.

This attack would be prevented by returning in the response the hash value of the certificate.


Inclusion of a new status, as suggested in some answers, would require a new protocol version number.


Johannes

v2.23.0 | Report a Bug | By Email