Re: [pkix] New draft-ietf-pkix-rfc2560bis-06

Denis Pinkas <denis.pinkas@bull.net> Tue, 23 October 2012 09:59 UTC

Message-ID: <50866A61.3070404@bull.net>
Date: Tue, 23 Oct 2012 11:58:57 +0200
From: Denis Pinkas <denis.pinkas@bull.net>
To: pkix@ietf.org
References: <20121023073125.CC0A91A2ED@ld9781.wdf.sap.corp>
In-Reply-To: <20121023073125.CC0A91A2ED@ld9781.wdf.sap.corp>

Martin,

Erwann said:

"I don't think it's wise to use one reason code to cover two reasons.

The latest CAs we deployed want to have certificates issued in a
suspended state until the smartcard has been delivered, whence
"certificateHold" reason code, with CRLs filled in that way. For these
CAs, an OCSP responder will respond "certificateHold" for legitimate
certificates, and you're proposing to also reply "certificateHold" for
random serial numbers".

You said:

"CertificateHold is EXACTLY the correct ReasonCode:
It indicates that the CA has not issued a cert with the given serial
*YET*, but it MAY eventually issue such a cert in the future
(sometimes even in the very next future ... i.e. it is about
to become visible to the OCSP responder, but not visible yet)".

I am sorry, but I agree with Erwann and thus I disagree with you.

The certificateHold state was not created to have certificates issued
in a suspended state. It was created to allow a user to suspend their certificates
rather than revoking them, in case a smart card was temporarily lost, and
since after a revocation it may take a while to get a new smart card.

Some people then also used the certificateHold state to have certificates issued
in a suspended state. This is legitimate since it complies with the semantics of
the certificateHold state.

We should not change/overload the meaning of CertificateHold.
Denis
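To make the collision Erwann and Denis describe concrete, here is a small added Python model (not code from this thread or from any OCSP implementation) of a responder whose status mapping overloads certificateHold for never-issued serials, beside one that answers "unknown"; the CA records, serial numbers and revocation timestamp are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed CA issuance record (sample data, not from the thread):
# serial -> (OCSP CertStatus, CRL reason). 0x1002 is Erwann's case: issued,
# but kept on hold until the smartcard is delivered.
CA_DB = {
    0x1001: ("good", None),
    0x1002: ("revoked", "certificateHold"),
    0x1003: ("revoked", "keyCompromise"),
}
REVOKED_AT = datetime(2012, 10, 1, tzinfo=timezone.utc)  # constructed timestamp

@dataclass(frozen=True)
class SingleResponse:
    cert_status: str                        # "good" | "revoked" | "unknown"
    reason: Optional[str] = None            # CRLReason name, only when revoked
    revocation_time: Optional[datetime] = None

def respond(serial: int, overload_hold: bool) -> SingleResponse:
    """Hypothetical responder status mapping. overload_hold=True is Martin's
    proposal: serials the CA never issued are answered 'revoked' with reason
    certificateHold; overload_hold=False answers them 'unknown' instead."""
    if serial in CA_DB:
        status, reason = CA_DB[serial]
        return SingleResponse(status, reason, REVOKED_AT if status == "revoked" else None)
    if overload_hold:
        return SingleResponse("revoked", "certificateHold", REVOKED_AT)
    return SingleResponse("unknown")

def classify(resp: SingleResponse) -> str:
    """Relying-party decision based only on what is on the wire."""
    if resp.cert_status == "good":
        return "accept"
    if resp.cert_status == "unknown":
        return "reject: CA has no record of this serial"
    if resp.reason == "certificateHold":
        return "reject: suspended, retry later"  # e.g. card not delivered yet
    return "reject: permanently revoked"

def hold_is_ambiguous(overload_hold: bool) -> bool:
    """True when a legitimately held certificate and a never-issued serial
    receive the same classification, i.e. the relying party cannot tell
    them apart from the response alone."""
    held = classify(respond(0x1002, overload_hold))
    bogus = classify(respond(0xDEAD, overload_hold))  # constructed, never issued
    return held == bogus
```

With overload_hold=True the relying party's only possible reaction is "retry later" for both a genuinely suspended certificate and a serial the CA never issued. The published RFC 6960 kept the certificateHold reason for non-issued serials but marks such responses with a revocationTime of 1 January 1970 and an extended-revoke response extension, so a checker can still separate the two cases.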