IETF Logo Mail Archive

Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15

mrex@sap.com (Martin Rex) Tue, 02 April 2013 18:16 UTC

Return-Path: <mrex@sap.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FF5521F8C5C for <pkix@ietfa.amsl.com>; Tue, 2 Apr 2013 11:16:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.249
X-Spam-Level:
X-Spam-Status: No, score=-10.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cf-pTdwwregg for <pkix@ietfa.amsl.com>; Tue, 2 Apr 2013 11:16:38 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 7553721F8C10 for <pkix@ietf.org>; Tue, 2 Apr 2013 11:16:38 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id r32IGYNl000018 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 2 Apr 2013 20:16:35 +0200 (MEST)
In-Reply-To: <20130402165122.975FC1A689@ld9781.wdf.sap.corp>
To: mrex@sap.com
Date: Tue, 02 Apr 2013 20:16:34 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20130402181634.C34A01A68A@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: 'Stefan Santesson' <stefan@aaa-sec.com>, sts@aaa-sec.com, pkix@ietf.org
Subject: Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2013 18:16:39 -0000

another followup to myself, in order to clarify.
Martin Rex wrote:
> Piyush Jain wrote:
> >  
> > > Anyhow, I think that rfc2560bis can not (and should not) make suggestions
> > > for specific values.  What values would your OCSP implementation use for
> > > "good" or "unknown" responses for the same CA?  Those values look like
> > > they might be from the right ballpark.
> > 
> > 2560-bis states that these values correspond to those in CRLs.
> > Implementations that I know of set these values from the CRL for good
> > responses and use current time for unknown responses.
> > 
> > This is how 2560 defines these fields
> > - thisUpdate: The time at which the status being indicated is known  to be
> > correct
> >  - nextUpdate: The time at or before which newer information will be
> > available about the status of the certificate


The original guidance in rfc2560 for thisUpdate/nextUpdate is fine with me.


> 
> > So for non-issued, thisUpdate should be start of CAs validity interval (all
> > certs are revoked until they get issued) and nextUpdate should be current
> > time (a certificate with that serial can be issued anytime). 
 
What I meant (and failed to clarify) is that rfc2560bis should *NOT* define
special values for thisUpdate/nextUpdate that are specific to the
"not issued reported as revoked/certificateHold" situation, so I
effectively disagree with the latter statement.


You specific guidance on nextUpdate := current Time is actually problematic!

  http://tools.ietf.org/html/rfc2560#section-4.2.2.1

               Responses whose nextUpdate value is earlier than
   the local system time value SHOULD be considered unreliable.

because a nextUpdate = "current Time" on the OCSP responder may often
result in nextUpdate < "current Time" on the OCSP client when processing
the OCSP response.

The semantics that you might have been looking for is "nextUpdate not set".


I believe, however, that the OCSP responder should not return
"nextUpdate not set" for the not-issued situation if it would return
nextUpdate several hours or days into the future for "good", "unknown"
or CRL-originated "certificateHold" situations.


-Martin

v2.23.0 | Report a Bug | By Email