RE: OCSP Algorithm Agility

"Santosh Chokhani" <chokhani@orionsec.com> Fri, 21 September 2007 20:21 UTC

Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: OCSP Algorithm Agility
Date: Fri, 21 Sep 2007 12:22:47 -0700
Message-ID: <82D5657AE1F54347A734BDD33637C879093E3685@EXVS01.ex.dslextreme.net>
In-Reply-To: <p0624050dc319b62dedaf@[128.89.89.71]>
Thread-Topic: OCSP Algorithm Agility
Thread-Index: Acf8g+lSm4OdXAknTt2BXwIpRJkp9QAAN7VQ
References: <2788466ED3E31C418E9ACC5C3166155703DF57@mou1wnexmb09.vcorp.ad.vrsn.com> <p0624080ec319a977190d@[165.227.249.200]> <p0624050dc319b62dedaf@[128.89.89.71]>
From: Santosh Chokhani <chokhani@orionsec.com>
To: Stephen Kent <kent@bbn.com>, ietf-pkix@imc.org
Content-Transfer-Encoding: 8bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk

Agreed

-----Original Message-----
From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]
On Behalf Of Stephen Kent
Sent: Friday, September 21, 2007 2:08 PM
To: ietf-pkix@imc.org
Subject: RE: OCSP Algorithm Agility

Folks,

How about defining an extension to be included in the cert issued to 
an OCSP responder by a CA.  The extension would have an ordered list 
of algorithms (hash and signature if we want to address more than the 
hash agility issue) accepted by the OCSP responder.  An OCSP client 
can use this info to determine what is the "best" algorithm (or alg 
pair) that it and the responder share. The combination of this 
extension and an OCSP negotiation procedure will allow the client to 
detect MITM downgrade attacks. In fact, if the client acquires the 
responder's cert prior to making a request, there would not even be a 
need for real negotiation, since the client would know what alg to 
request in a response.

Steve

OCSP Algorithm Agility Hallam-Baker, Phillip
RE: OCSP Algorithm Agility Stefan Santesson
RE: OCSP Algorithm Agility Michael Myers
RE: OCSP Algorithm Agility Santosh Chokhani
RE: OCSP Algorithm Agility Hallam-Baker, Phillip
RE: OCSP Algorithm Agility Santosh Chokhani
RE: OCSP Algorithm Agility Hallam-Baker, Phillip
RE: OCSP Algorithm Agility Santosh Chokhani
RE: OCSP Algorithm Agility Michael Myers
RE: OCSP Algorithm Agility Santosh Chokhani
RE: OCSP Algorithm Agility Andrews, Rick
RE: OCSP Algorithm Agility Santosh Chokhani
RE: OCSP Algorithm Agility Andrews, Rick
RE: OCSP Algorithm Agility Santosh Chokhani
RE: OCSP Algorithm Agility Hallam-Baker, Phillip
RE: OCSP Algorithm Agility Paul Hoffman
RE: OCSP Algorithm Agility Santosh Chokhani
RE: OCSP Algorithm Agility Stefan Santesson
RE: OCSP Algorithm Agility Stephen Kent
RE: OCSP Algorithm Agility Stefan Santesson
RE: OCSP Algorithm Agility Santosh Chokhani
RE: OCSP Algorithm Agility Paul Hoffman
RE: OCSP Algorithm Agility Stephen Kent
RE: OCSP Algorithm Agility Santosh Chokhani
RE: OCSP Algorithm Agility Paul Hoffman
RE: OCSP Algorithm Agility Andrews, Rick
RE: OCSP Algorithm Agility Santosh Chokhani
RE: OCSP Algorithm Agility Santosh Chokhani
RE: OCSP Algorithm Agility Hallam-Baker, Phillip
RE: OCSP Algorithm Agility Santosh Chokhani
RE: OCSP Algorithm Agility Hallam-Baker, Phillip
RE: OCSP Algorithm Agility Santosh Chokhani
RE: OCSP Algorithm Agility Seth Hitchings
RE: OCSP Algorithm Agility Stefan Santesson
RE: OCSP Algorithm Agility Hallam-Baker, Phillip
RE: OCSP Algorithm Agility Hallam-Baker, Phillip
RE: OCSP Algorithm Agility Santosh Chokhani