RE: OCSP Algorithm Agility
"Santosh Chokhani" <chokhani@orionsec.com> Fri, 21 September 2007 20:21 UTC
Return-path: <owner-ietf-pkix@mail.imc.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IYozq-0006Qn-1y for pkix-archive@lists.ietf.org; Fri, 21 Sep 2007 16:21:06 -0400
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IYozc-0005U4-Ow for pkix-archive@lists.ietf.org; Fri, 21 Sep 2007 16:20:59 -0400
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l8LJNCEB084315 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 21 Sep 2007 12:23:12 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l8LJNCsZ084314; Fri, 21 Sep 2007 12:23:12 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from EXVS01.ex.dslextreme.net (exbe04.ex.dslextreme.net [66.51.199.86]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l8LJNBWM084307 for <ietf-pkix@imc.org>; Fri, 21 Sep 2007 12:23:12 -0700 (MST) (envelope-from chokhani@orionsec.com)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: RE: OCSP Algorithm Agility
Date: Fri, 21 Sep 2007 12:22:47 -0700
Message-ID: <82D5657AE1F54347A734BDD33637C879093E3685@EXVS01.ex.dslextreme.net>
In-Reply-To: <p0624050dc319b62dedaf@[128.89.89.71]>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: OCSP Algorithm Agility
Thread-Index: Acf8g+lSm4OdXAknTt2BXwIpRJkp9QAAN7VQ
References: <2788466ED3E31C418E9ACC5C3166155703DF57@mou1wnexmb09.vcorp.ad.vrsn.com> <p0624080ec319a977190d@[165.227.249.200]> <p0624050dc319b62dedaf@[128.89.89.71]>
From: Santosh Chokhani <chokhani@orionsec.com>
To: Stephen Kent <kent@bbn.com>, ietf-pkix@imc.org
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id l8LJNCWM084309
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 0bc60ec82efc80c84b8d02f4b0e4de22
Agreed -----Original Message----- From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org] On Behalf Of Stephen Kent Sent: Friday, September 21, 2007 2:08 PM To: ietf-pkix@imc.org Subject: RE: OCSP Algorithm Agility Folks, How about defining an extension to be included in the cert issued to an OCSP responder by a CA. The extension would have an ordered list of algorithms (hash and signature if we want to address more than the hash agility issue) accepted by the OCSP responder. An OCSP client can use this info to determine what is the "best" algorithm (or alg pair) that it and the responder share. The combination of this extension and an OCSP negotiation procedure will allow the client to detect MITM downgrade attacks. In fact, if the client acquires the responder's cert prior to making a request, there would not even be a need for real negotiation, since the client would know what alg to request in a response. Steve
- OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Stefan Santesson
- RE: OCSP Algorithm Agility Michael Myers
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Michael Myers
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Andrews, Rick
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Andrews, Rick
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Paul Hoffman
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Stefan Santesson
- RE: OCSP Algorithm Agility Stephen Kent
- RE: OCSP Algorithm Agility Stefan Santesson
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Paul Hoffman
- RE: OCSP Algorithm Agility Stephen Kent
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Paul Hoffman
- RE: OCSP Algorithm Agility Andrews, Rick
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Seth Hitchings
- RE: OCSP Algorithm Agility Stefan Santesson
- RE: OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Santosh Chokhani