IETF Logo Mail Archive

RE: OCSP Algorithm Agility

"Hallam-Baker, Phillip" <pbaker@verisign.com> Mon, 15 October 2007 17:57 UTC

Return-path: <owner-ietf-pkix@mail.imc.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IhUBs-0004nq-22 for pkix-archive@lists.ietf.org; Mon, 15 Oct 2007 13:57:20 -0400
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IhUBi-0003zv-Ix for pkix-archive@lists.ietf.org; Mon, 15 Oct 2007 13:57:12 -0400
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l9FGwxB4001604 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 15 Oct 2007 09:58:59 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l9FGwxAj001603; Mon, 15 Oct 2007 09:58:59 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from colibri.verisign.com (colibri.verisign.com [65.205.251.74]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l9FGwvwF001571 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <ietf-pkix@imc.org>; Mon, 15 Oct 2007 09:58:58 -0700 (MST) (envelope-from pbaker@verisign.com)
Received: from mou1wnexcn01.vcorp.ad.vrsn.com (mailer1.verisign.com [65.205.251.34]) by colibri.verisign.com (8.13.6/8.13.4) with ESMTP id l9FGtPMu006000; Mon, 15 Oct 2007 09:55:25 -0700
Received: from MOU1WNEXMB09.vcorp.ad.vrsn.com ([10.25.15.197]) by mou1wnexcn01.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 15 Oct 2007 09:58:46 -0700
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C80F4C.A6168FE2"
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject: RE: OCSP Algorithm Agility
Date: Mon, 15 Oct 2007 09:58:45 -0700
Message-ID: <2788466ED3E31C418E9ACC5C31661557084EC0@mou1wnexmb09.vcorp.ad.vrsn.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: OCSP Algorithm Agility
Thread-Index: Acf8l4NIxZexIh9rTveKgrEJmUDxVQAAJZEAAlba1eAAAH/7QAEC+OtgACFXyuAABd3wIAAA1HmAADQyQqAAIEoZEADVkoxj
References: <82D5657AE1F54347A734BDD33637C879096C9ABE@EXVS01.ex.dslextreme.net> <2788466ED3E31C418E9ACC5C31661557053771@mou1wnexmb09.vcorp.ad.vrsn.com> <82D5657AE1F54347A734BDD33637C879096CA5E3@EXVS01.ex.dslextreme.net> <E2339D02A340A546998AD2E6251332D605461816@csexchange1.corestreet.com> <E75F200AF1718F45B2024A88C3141A1D06438E5838@EA-EXMSG-C320.europe.corp.microsoft.com>
From: "Hallam-Baker, Phillip" <pbaker@verisign.com>
To: Stefan Santesson <stefans@microsoft.com>, Seth Hitchings <shitchings@corestreet.com>, Santosh Chokhani <chokhani@orionsec.com>, ietf-pkix@imc.org
X-OriginalArrivalTime: 15 Oct 2007 16:58:46.0928 (UTC) FILETIME=[A6BB4100:01C80F4C]
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
X-Spam-Score: 1.8 (+)
X-Scan-Signature: c54bc2f42d02429833c0ca4b8725abd7

From: owner-ietf-pkix@mail.imc.org on behalf of Stefan Santesson

>Security:
>None of the presented threats is not a great concern for me. 
>Downgrade attacks is only useful if we use algorithms that can be broken.
>I would expect an organization to only allow algorithms that provide adequate security.
>The stolen OCSP key is neither a problem for me from a protocol perspective. We have revocation.

Agreed, the issue here is not security, it is interoperability. 


>Practical matters:
>I can only find one practical matter that concerns me. I have an OCSP server and of 
>some reason I want to gradually transition responses to be based on say ECC with 
>SHA 256. Some clients can only verify RSA with SHA-1. The reason for doing this 
>transition may be entirely policy oriented. Now I would like to know which clients 
>that can actually verify my upgraded responses.

That is the concern that led to the proposal. 
 
The assumption that the OCSP client supports the same set of algorithms as the 
certificate relying application does not hold 
 

>What can I do today:
>The server can draw a number of conclusions today.

>1) Looking at the hashAlgorithm of the CertID
>2) Looking at the signatureAlgorithm used by the client to sign the response
>3) Looking at the certificate actually being validated

>None of these are 100% bulletproof to cover all corner cases. But are they 
>good enough and is the remaining gap big enough to motivate a protocol update?
 
As a design principle I prefer a protocol where the client can specify
what it wants over one where the only option is for the server to guess.
 
I find that approach is much more likely to lead to reliable interoperation.
 
 
The solution proposed is 100% backwards compatible, the old approach being:
1 Server guesses what algorithms the client supports
 
The new approach is:
1 Server looks to see if the client specified what algorithms are supported by the client
2 If none specified server guesses what algorithms the client supports as before

If either the client or the server does not support the proposed extension 
the other party simply downgrades to the status quo.

v2.23.0 | Report a Bug | By Email