Re: [pkix] New draft-ietf-pkix-rfc2560bis-06
Erwann Abalea <eabalea@gmail.com> Tue, 23 October 2012 07:07 UTC
Return-Path: <eabalea@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C91371F0C54 for <pkix@ietfa.amsl.com>; Tue, 23 Oct 2012 00:07:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K3A+Zav9xb3h for <pkix@ietfa.amsl.com>; Tue, 23 Oct 2012 00:07:06 -0700 (PDT)
Received: from mail-wg0-f44.google.com (mail-wg0-f44.google.com [74.125.82.44]) by ietfa.amsl.com (Postfix) with ESMTP id E897E1F0429 for <pkix@ietf.org>; Tue, 23 Oct 2012 00:07:05 -0700 (PDT)
Received: by mail-wg0-f44.google.com with SMTP id dr13so1976226wgb.13 for <pkix@ietf.org>; Tue, 23 Oct 2012 00:07:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=C7WUn5n8h+3rOB4yhJypOLY9a1psVk81oo1K583eclc=; b=xb9kO6qy8sb96x5cgqGV7Sp6KIKb7peLcjOVLW6GkpBs4VohdSRxnxciQl0iDrqe2t h+FQr7kIA7ERj5bHSIACz0yLIE5GDGYqXDAA4VnvPhXirm7H5/fKd1srycb3dmpJK0Ss 1s++a62KDJRRW4V9MPTbsa7LkxopD+s0KOo4V5fYWrcqYXd1VaL0th02poS8PgIu3lD4 /Tf8nrnAoiVAGqRZwc/jrDbGnWt15DuF6aAgTkh4+pOGPIWc6UD830/cy0yxhmOjuCQY bL6ilafEBa8cvlkjgrF4NaBkUWDDFHaY7YnbEcc+pFsHudS7RY1/oihUNm23cgjSUNNo ZYOw==
MIME-Version: 1.0
Received: by 10.216.197.99 with SMTP id s77mr7280630wen.64.1350976024957; Tue, 23 Oct 2012 00:07:04 -0700 (PDT)
Received: by 10.223.133.194 with HTTP; Tue, 23 Oct 2012 00:07:04 -0700 (PDT)
In-Reply-To: <20121022215319.55EC71A2EB@ld9781.wdf.sap.corp>
References: <CANkYYy6nvWrE2U+xnnXa6kXu+WioE4+LZ+yd6cCiD8diBoHiLQ@mail.gmail.com> <20121022215319.55EC71A2EB@ld9781.wdf.sap.corp>
Date: Tue, 23 Oct 2012 09:07:04 +0200
Message-ID: <CA+i=0E5ELaACas2hJKAYKLJkZ8z3hS90z5PLOotCSCc35usQqA@mail.gmail.com>
From: Erwann Abalea <eabalea@gmail.com>
To: mrex@sap.com
Content-Type: text/plain; charset="UTF-8"
Cc: Peter Rybar <peterryb@gmail.com>, pkix@ietf.org, Stefan Santesson <stefan@aaa-sec.com>
Subject: Re: [pkix] New draft-ietf-pkix-rfc2560bis-06
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Oct 2012 07:07:06 -0000
Bonjour, 2012/10/22 Martin Rex <mrex@sap.com>: > Simon Tardell wrote: >> >> I suggest that we use your current text plus that, if "revoked" is used >> to say "never issued/not in database", the revocationReason should be >> certificateHold and that revocationTime should be set to midnight Jan 1 >> 1950 (or some other time before the rise of PKI). > > I support the "revoked, ReasonCode=CertificateHold" for OCSP responders > that can not find proof/indication that the cert in question was properly > issued. I don't think it's wise to use one reason code to cover two reasons. The latest CAs we deployed want to have certificates issued in a suspended state until the smartcard has been delivered, whence "certificateHold" reason code, with CRLs filled in that way. For these CAs, an OCSP responder will respond "certificateHold" for legitimate certificates, and you're proposing to also reply "certificateHold" for random serial numbers. > The CertificateHold reason code is vitally important, because otherwise > the CA would have to keep track of OCSP responses given out from the > CA's OCSP responder that declared a serial as "permanently revoked" > in order to ensure that the CA will never issue a cert with that serial > in the future. Looks like an unnecessary and easily avoidable burden to me. This is why I don't think that declaring an unknown and potentially random serial number as revoked is good. Nor useful. An attacker will most likely intercept communications with the responder and reply something like "unauthorized", or any unsigned error code. > I don't like the particular date Jan 1, 1950, for safety, a date >= 1970 > ought to be chosen (so that it does not get negative when converted > to time_t, which has potential to confuse some code). > > And since the timestamp is a GeneralizedTime, the date ought to be > given in exactly that format, e.g. "700101010101Z" > > What also should be noted is that the optional OCSP SingleResponseExtension > "CrlID" must not be used when this "not issued" certificate was not > conveyed through a CRL--and there currently is no means to convey > proof-of-cert-existence through CRLs unless they're revoked, and in the > latter case there would be no "not issued" OCSP response to convey. See, by declaring a non-issued certificate as revoked, you're asking the CA to lie about its revocation date and declare it's not been issued in a CRL. How can it be right? > I believe it is very inappropriate for the spec to make any assumptions > about why exactly the OCSP responder believes that a cert (serial) has not > ever been issued. The reason can be manyfold. Besides an accidental or > fraudulent deletion (attack), it may be something as simple as a > database software bug. Or invalid encoding in client, or wrong issuerKeyHash (the serial exists, but for another CA), or random serial, or specially crafted numbers, or unrecognized hash function, ... All these cases have been spotted on our responders, and we haven't wrongly issued certificates. -- Erwann.
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Denis Pinkas
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Simon Tardell
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Denis Pinkas
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Denis Pinkas
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Simon Tardell
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Simon Tardell
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Denis Pinkas
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Peter Rybar
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- [pkix] Straw-poll on OCSP responses for non-revok… Stefan Santesson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Yngve Nysaeter Pettersen
- Re: [pkix] Straw-poll on OCSP responses for non-r… Yoav Nir
- Re: [pkix] Straw-poll on OCSP responses for non-r… Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Miller, Timothy J.
- Re: [pkix] Straw-poll on OCSP responses for non-r… David Chadwick
- Re: [pkix] Straw-poll on OCSP responses for non-r… Art Allison
- Re: [pkix] Straw-poll on OCSP responses for non-r… Miller, Timothy J.
- Re: [pkix] Straw-poll on OCSP responses for non-r… Santosh Chokhani
- Re: [pkix] Straw-poll on OCSP responses for non-r… Erwann Abalea
- Re: [pkix] Straw-poll on OCSP responses for non-r… Yoav Nir
- Re: [pkix] Straw-poll on OCSP responses for non-r… Peter Rybar
- Re: [pkix] Straw-poll on OCSP responses for non-r… Paul Hoffman
- Re: [pkix] Straw-poll on OCSP responses for non-r… Juan Gonzalez
- Re: [pkix] Straw-poll on OCSP responses for non-r… Max Pritikin (pritikin)
- Re: [pkix] Straw-poll on OCSP responses for non-r… Simon Tardell
- Re: [pkix] Straw-poll on OCSP responses for non-r… Carl Wallace
- Re: [pkix] Straw-poll on OCSP responses for non-r… Paul Hoffman
- Re: [pkix] Straw-poll on OCSP responses for non-r… Rick Robinson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Jeremy Rowley
- Re: [pkix] Straw-poll on OCSP responses for non-r… Melinda Shore
- Re: [pkix] Straw-poll on OCSP responses for non-r… Martin Rex
- Re: [pkix] Straw-poll on OCSP responses for non-r… Russ Housley
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] Straw-poll on OCSP responses for non-r… Tom Ritter
- Re: [pkix] Straw-poll on OCSP responses for non-r… Dr Stephen Henson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Ryan Sleevi
- Re: [pkix] Straw-poll on OCSP responses for non-r… Johannes Merkle
- Re: [pkix] Straw-poll on OCSP responses for non-r… Denis Pinkas
- Re: [pkix] Straw-poll on OCSP responses for non-r… Art Allison
- Re: [pkix] Straw-poll on OCSP responses for non-r… Ryan Hurst
- Re: [pkix] Straw-poll on OCSP responses for non-r… Ben Wilson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] Straw-poll on OCSP responses fornon-re… Art Allison
- [pkix] Proposed resolution to non-issued certific… Stefan Santesson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Tom Ritter
- Re: [pkix] Proposed resolution to non-issued cert… Tom Ritter
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… David A. Cooper
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Peter Gutmann
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Phillip Hallam-Baker
- Re: [pkix] Proposed resolution to non-issued cert… David A. Cooper
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Peter Rybar
- Re: [pkix] Proposed resolution to non-issued cert… Simon Tardell
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… David A. Cooper
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Peter Rybar
- Re: [pkix] Proposed resolution to non-issued cert… Simon Tardell
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Martin Rex
- Re: [pkix] Proposed resolution to non-issued cert… Martin Rex
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Martin Rex
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Straw-poll on OCSP responses for non-r… Tom Gindin
- Re: [pkix] Straw-poll on OCSP responses for non-r… Phillip Hallam-Baker