IETF Logo Mail Archive

Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15

mrex@sap.com (Martin Rex) Wed, 03 April 2013 08:37 UTC

Return-Path: <mrex@sap.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58C8E21F86B2; Wed, 3 Apr 2013 01:37:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.206
X-Spam-Level:
X-Spam-Status: No, score=-10.206 tagged_above=-999 required=5 tests=[AWL=0.043, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3s0Jy3scAnX6; Wed, 3 Apr 2013 01:37:37 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 88E8521F857E; Wed, 3 Apr 2013 01:37:37 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id r338bMF7017085 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 3 Apr 2013 10:37:22 +0200 (MEST)
In-Reply-To: <017c01ce2cb3$7be35ff0$73aa1fd0$@ditenity.com>
To: Piyush Jain <piyush@ditenity.com>
Date: Wed, 03 Apr 2013 10:37:22 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20130403083722.3DEE51A68A@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
X-Mailman-Approved-At: Wed, 03 Apr 2013 07:10:52 -0700
Cc: ambarish@gmail.com, slava.galperin@gmail.com, cadams@eecs.uottawa.ca, 'Stefan Santesson' <stefan@aaa-sec.com>, "'Black, David'" <david.black@emc.com>, sts@aaa-sec.com, pkix@ietf.org, gen-art@ietf.org
Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Apr 2013 08:37:38 -0000

Piyush Jain wrote:
> 
> The sole reason cited for overloading the meaning of revoked status with
> non-issued was that it allows new servers to interoperate with legacy
> clients.

There is *NO* overloading of a revoked status.  The change is making use
of an existing temporary revocation status (certificateHold) **EXACTLY**
with the original semantics for a temporary revocation,
originating from X.509 08/2005 8.5.2.2 (a):

   A certificate may be placed on hold with a reason code of
   certificateHold. The certificate hold notice may include an
   optional hold instruction code to convey additional information
   to certificate users (see 8.5.2.3).

   Once a hold has been issued, it may be handled in one of three ways:

   a) it may remain on hold with no further action, causing users to reject
      transactions issued during the hold period; or,


>
>     The WG agreed that there are many better alternatives but they all
> break compatibility with older clients.

If you want to describe "an OCSP responder no longer responding 'good'
for certificate serial numbers for which no records of issuance exist"
as "breaking compatibility with older clients", then yes, this is what
we want to do.

But in reality, this is change is about fixing a security problem that
was documented as such in rfc2560 for the "good" status.


>
> In fact, a more secure and complete
> proposal by Denis was not adopted because of the same reason.

I don't understand this statement, but there can not possibly be a more
secure solution that reporting revoked for not-issued certs.


> 
> I believe that Stefan is trying to convey that requiring servers to return
> revoked in this context will make them non-compliant with 2560 and 5019 as
> opposed to breaking interoperability with legacy clients.

The proposed change primarily intends to _standardize_ how to report
revoked/certificateHold for "not-issued" certificate serial numbers,
something that has been found useful (and already been used) in dealing
with certain kinds of security breaches of CAs/RAs.


Returning revoked/certificateHold for not-issued certs is perfectly
compliant with rfc2560 and rfc5019.  Returning "unknown" is also
perfectly compliant with rfc2560 and rfc5019.  Returning an error code
response status would be just dumb for an authoritative OCSP responder.


Should rfc5019 be interpreted to suggest for authoritative OCSP responders
to returning an error code for "not-issued" certs does not make such
behaviour any less dumb.


-Martin

v2.23.0 | Report a Bug | By Email