Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15

[Sean Turner <turners@ieca.com>]

Piyush,

(David's on the "to:" line because the text in question showed up as a 
result of the gen-art review and it's now in -16)

I've been following this thread trying to figure out what if anything 
needs to be changed to address your concerns in -17.  (Note the thread 
forked later, but I'm addressing the "times" issue in another thread.)

The sentence in questions was added to address the gen-art review is the 
following (it's in a "note" paragraph and there's actually more to it):

   The "revoked" status is still optional in this context in
   order to maintain backwards compatibility with deployments
   of RFC 2560.

1) The first bit I'd like to discuss is this part of your concern:

   And it gives the impression that best course of action
   for 2560bis responders is to start issuing revoked for
   "not-issued", which is far from the originally stated
   goal to provide a way for CAs to be able to return
   revoked for such serial numbers.

and:

   I believe that Stefan is trying to convey that requiring
   servers to return revoked in this context will make them
   non-compliant with 2560 and 5019 as opposed to breaking
   interoperability with legacy clients.

I honestly don't see how you get to your impression, because the 2119 
language about when a responder might used revoked for not-issued is:

  This state MAY also be returned if the associated
  CA has no record of ever having issued a certificate with the
  certificate serial number in the request, using any current or
  previous issuing key (referred to as a "non-issued" certificate in
  this document).

MAY being the operable word here.  That's clear to implementers because 
if you read 2119 for MAY it says:  This word, or the adjective 
"OPTIONAL", mean that an item is truly optional.  One vendor may choose 
to include the item because a particular marketplace requires it or 
because the vendor feels that it enhances the product while another 
vendor may omit the same item. ...

For me this seems clear because the 2119 language trumps any note.

Even Stefan's response to David a couple of days earlier than when you 
posted this concerns includes:

   In theory we could possibly say that responding revoked
   is optional, but if you choose between revoked and unknown
   then you SHOULD favour revoked over unknown. But such nested
   requirements just feels bad and impossible to test compliance
   against. I'd much rather just leave it optional.

I'm not sure what else could be added to alliveate your concern on this 
point.  Maybe this one got over taken by events?

2) The second bit of your concern is that this is not an accurate 
characterization of the WG's rationale for the choices made.  This 
concern is easier to evaluate and I agree that it is important to 
capture the actual rationale.  I think you've suggested that the following:

   "maintain backwards compatibility with deployments of RFC 2560"

be replaced with:

   "maintain compliance with RFC 2560 and RFC 5019"

Using the word "compliance" might set of an entirely new debate. 
Servers/clients can claim compliance if they want to but I'm not sure 
that the primary goal was for a document to claim compliance with 
another set of RFCs.  These drafts for interoperability and that would 
lead me to compatibility and not conformance.

spt

On 4/3/13 1:38 PM, Piyush Jain wrote:
>> No, it does not make any sense at all.  An error code is unsigned and can
> be
>> easily inserted into the communication by an attacker.
>
> [Piyush] Funny that you make this argument. How does returning a signed
> revoked address this? Attacker can still replace signed revoked with an
> UNSIGNED TRY_LATER.
>
>> These kinds of argument are based on two very flawed premises:
>>
>>   (1) the premise that there exist only two possible states for a CA:
>>        (a) safe and pristine
>>        (b) full and thorough compromise of each and everything
> [Piyush] NIST has addressed RA compromise and CA key compromise separately
> so this is not true.
> And you have not listed what other breaches you are trying to address
> offering revoked for non-issued as the silver bullet for all those unknown
> security breaches.
>   You tendency to allude to vague problems to justify a particular solution,
> couple with a reluctance to engage in a discussion regarding the security
> implications continues to amuse me. List the other states and have a
> discussion around how this solution solves those problems.>
>>   (2) that a huge PKI (100k+ entities) can be nuked and
>>       re-personalized after a CA compromise at close to zero cost and
>>       within the blink of an eye
>
> and both premises exhibit a throrough cluelessness about security, risk
>> management and the real world.
>
> Let's get this right.
> Only possible benefit of revoked for non-issued exists when there are CA
> SIGNED certificates floating in the wild and CA has no clue that it has
> issued it and therefore cannot revoke it.
>
> Now, to say that clients are secure and CA can continue to operate if it
> issues revoked OCSP response for such certificate indicates cluelessness
> about security.
>
> Customers pay a lot of money for certificates for which the marginal cost of
> issuance is almost 0. CAs obligation is to make sure that they are secure
> and to address any breach securely.
> To say that customers will tolerate a CA security breach just because it
> issues revoked for non-issued and continues to publish CRLs that imply
> fraudulent certificates as good indicates cluelessness about risk management
> and real world.
>
>
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix
>