Re: [pkix] A question regarding certificate status service delegation
Santosh Chokhani <santosh.chokhani@gmail.com> Mon, 23 November 2020 18:50 UTC
Return-Path: <santosh.chokhani@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E39E03A0C3F; Mon, 23 Nov 2020 10:50:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.196
X-Spam-Level:
X-Spam-Status: No, score=-0.196 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r-rWXhZD-ZyL; Mon, 23 Nov 2020 10:49:59 -0800 (PST)
Received: from mail-qk1-x72d.google.com (mail-qk1-x72d.google.com [IPv6:2607:f8b0:4864:20::72d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD3C53A0C02; Mon, 23 Nov 2020 10:49:58 -0800 (PST)
Received: by mail-qk1-x72d.google.com with SMTP id i199so4510471qke.5; Mon, 23 Nov 2020 10:49:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:thread-index:content-language; bh=9KDGaQmeLx6l/0RcZON9RZOSRemy6pxgwxpw+RD1ycA=; b=V2IjptESL+UvgcSjBuJSbHepYAZxeoFDAsS0jL7oyOqTa5rr7RBesetX+HX6U3NYiA z9MA8MW9abAZodUoBz43q0QNhRRs9HfCH0TAix4X62EIj9W/8QOaWUTp/sbSKAwULDIn 4JeCOnJ/cGLGYRw5MFvzrD61pY2trPlrTiy5nExatXlWa3WGQKoqnuMfUeio7YdLl0oO 970BgA+xMRQIFosy/1XqyiQZ4Hp03KXLcduBtVmRiHjoG3y3iS6LFRmLYth4CjYj+ujf tPe/PDPbnZefYq3CYmoJQ1g27Ujvd+dWimbTqnLimajleN/jWwAplpkLn6Roj4x5bRpg 5ipg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:thread-index:content-language; bh=9KDGaQmeLx6l/0RcZON9RZOSRemy6pxgwxpw+RD1ycA=; b=NzzJ38VBFWphPAotencAL3t8XpeUOaQBn340An2QpBiFxii41bRQh5vo2Gn3ChQD7+ PvZyDx3JkrL10K8Kae/cSieNxw6OaZ83jhONdV6BErX6una1psvUUuOczrVN1dxlSvhA oH5ele35W4iTAAL9BqV0HFXmKXnZWtHe4ICvUW/lZB+F6QzyCwBit7PXgAiAMgMYQdqV gn8DHvgst/AMqKccH6aeKGIG+v/v9RKTXZf82TDN569y2bC43TylzWOPF2tCF4ZjW/wD Uf88lArGZo6nE+9El54PUud2qJObft0sUSPg4EstBtDaLJCN/qHF2xMIMkAyyEs0zSAb ENqg==
X-Gm-Message-State: AOAM5300ogpM7dK9rpcjR0dlc4rISzvRPKxAuEzr9kM0qTXMDkEGaxBS woL/3718RI7qEDSNixKkIuztRvUjB0g=
X-Google-Smtp-Source: ABdhPJyccbOsowmQps3ymciNEiAn5S6IGSvhQBh2562DVjFbPZSotAlSrM/pfjSuXwfPfI1MK+/W5A==
X-Received: by 2002:a37:586:: with SMTP id 128mr860037qkf.135.1606157397651; Mon, 23 Nov 2020 10:49:57 -0800 (PST)
Received: from SantoshBrain (pool-173-73-187-14.washdc.fios.verizon.net. [173.73.187.14]) by smtp.gmail.com with ESMTPSA id z52sm11065655qtz.29.2020.11.23.10.49.56 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 23 Nov 2020 10:49:56 -0800 (PST)
From: Santosh Chokhani <santosh.chokhani@gmail.com>
To: 'Thomas Kopp' <thomas.kopp@luxtrust.lu>, 'pkix' <pkix-bounces@ietf.org>
Cc: pkix@ietf.org, rfc-editor@rfc-editor.org
References: <a2436a14b48c4db8af1ba5d0d550695c@luxtrust.lu>
In-Reply-To: <a2436a14b48c4db8af1ba5d0d550695c@luxtrust.lu>
Date: Mon, 23 Nov 2020 13:49:55 -0500
Message-ID: <08d601d6c1c9$6f882930$4e987b90$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000_08D7_01D6C19F.86B22130"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQIexZoz4/HWue7Wek5MP321WJUHC6lGBdrg
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/QEXYiE_WY55tWyqo9OFSHNi1FkQ>
Subject: Re: [pkix] A question regarding certificate status service delegation
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Nov 2020 18:50:04 -0000
On CRL, it is not a different CA, it is a different Authority (e.g., it need not be authorized to issue certificates). Both indirect CRL and OCSP delegation suffer from a class of errors or attacks without crypto binding. In 6960, some of us requested that the OCSP have crypto binding by requiring the CA to sign the Responder delegation certificate using the same key that the CA used to sign the certificate for which the Responder is authoritative. The language you see is compromise since some folks did not want to mandate crypto binding. Indirect CRLs are inherently vulnerable to lack of crypto binding problem and I would recommend against their usage. There is a mitigation I proposed in 2004 but no known client uses that mitigation. From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Thomas Kopp Sent: Monday, November 23, 2020 10:39 AM To: pkix <pkix-bounces@ietf.org> Cc: pkix@ietf.org; rfc-editor@rfc-editor.org Subject: [pkix] A question regarding certificate status service delegation Dear all, According to RFC 5280, a certificate issuer can delegate CRL issuance to a different CA which may particularly be part of a different hierarchy than the one the certificate issuer belongs to (cf. the crlDistributionPoints extension, specifically sections 4.2.1.13 and 6.3.3. (b) 1) of the RFC). By contrast, in the case of OCSP delegation, it is required that an OCSP responder belongs to the same hierarchy like the certificate issuer (cf. section 2.6 of RFC 6960). Which is the motivation for this latter limitation? Is it just the lack of an OCSP-specific certificate extension that corresponds to the CRL-related crlDistributionPoints extension or are there any other reasons; if yes, which ones ? Thomas KOPP Chief Scientist Email: <mailto:thomas.kopp@luxtrust.lu> thomas.kopp@luxtrust.lu Mobile:+352 621 229 316 Office: +352 26 68 15 - 574 LuxTrust S.A. | IVY Building | 13-15, Parc dactivités | L-8308 Capellen | Luxembourg | ww <http://www.luxtrust.lu/> w.luxtrust.lu
- [pkix] A question regarding certificate status se… Thomas Kopp
- Re: [pkix] A question regarding certificate statu… Santosh Chokhani
- Re: [pkix] A question regarding certificate statu… Peter Gutmann
- Re: [pkix] A question regarding certificate statu… Santosh Chokhani
- Re: [pkix] A question regarding certificate statu… Peter Gutmann
- Re: [pkix] A question regarding certificate statu… Todd E. Johnson
- Re: [pkix] A question regarding certificate statu… Peter Gutmann
- Re: [pkix] A question regarding certificate statu… Santosh Chokhani
- Re: [pkix] A question regarding certificate statu… Peter Gutmann
- Re: [pkix] A question regarding certificate statu… Niklas Matthies
- Re: [pkix] A question regarding certificate statu… Peter Rybár