Re: [pkix] Review of 2560-bis draft 8. Answer to WGLC
Sean Turner <turners@ieca.com> Wed, 13 March 2013 19:54 UTC
Return-Path: <turners@ieca.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B34611E80F3 for <pkix@ietfa.amsl.com>; Wed, 13 Mar 2013 12:54:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.928
X-Spam-Level:
X-Spam-Status: No, score=-100.928 tagged_above=-999 required=5 tests=[AWL=-1.329, BAYES_00=-2.599, J_CHICKENPOX_23=0.6, J_CHICKENPOX_31=0.6, J_CHICKENPOX_33=0.6, J_CHICKENPOX_64=0.6, J_CHICKENPOX_66=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nY1C6Nb8tthB for <pkix@ietfa.amsl.com>; Wed, 13 Mar 2013 12:54:24 -0700 (PDT)
Received: from gateway04.websitewelcome.com (gateway04.websitewelcome.com [64.5.38.14]) by ietfa.amsl.com (Postfix) with ESMTP id 3908711E80D2 for <pkix@ietf.org>; Wed, 13 Mar 2013 12:54:24 -0700 (PDT)
Received: by gateway04.websitewelcome.com (Postfix, from userid 5007) id 19BE19F345F6E; Wed, 13 Mar 2013 14:54:17 -0500 (CDT)
Received: from gator1743.hostgator.com (gator1743.hostgator.com [184.173.253.227]) by gateway04.websitewelcome.com (Postfix) with ESMTP id 05DB59F345F2A for <pkix@ietf.org>; Wed, 13 Mar 2013 14:54:17 -0500 (CDT)
Received: from [198.180.150.142] (port=54885 helo=dhcp-5422.meeting.ietf.org) by gator1743.hostgator.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.80) (envelope-from <turners@ieca.com>) id 1UFrkk-0000pE-S7; Wed, 13 Mar 2013 14:54:23 -0500
Message-ID: <5140D96C.9070807@ieca.com>
Date: Wed, 13 Mar 2013 15:54:20 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/20130307 Thunderbird/17.0.4
MIME-Version: 1.0
To: Denis Pinkas <denis.pinkas@bull.net>
References: <CD54579F.5C53B%stefan@aaa-sec.com> <513DA081.7050404@bull.net>
In-Reply-To: <513DA081.7050404@bull.net>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator1743.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (dhcp-5422.meeting.ietf.org) [198.180.150.142]:54885
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 12
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IxNzQzLmhvc3RnYXRvci5jb20=
Cc: Stefan Santesson <stefan@aaa-sec.com>, pkix <pkix@ietf.org>
Subject: Re: [pkix] Review of 2560-bis draft 8. Answer to WGLC
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2013 19:54:30 -0000
Denis, You probably saw version -15 was published. I reviewed your comments and I think it's time to move this draft down to IETF LC. spt On 3/11/13 5:14 AM, Denis Pinkas wrote: > *Stefan,* > > ** > > *The review of your individual draft, took me the time I had during the > week for the IETF stuff; > hence, why this reply has been delayed.* > > *The situation is rather simple, if we forget about the editorial comments, > you have accepted one minor text change and that’s all.* > > ** > > *So the major problems are not solved to my satisfaction.* > > ** > > *I have maintained below the portion of the text which needs to be > further discussed. ** > **My comments are in blue.* > > ** > > *There is a new and very important issue that I discovered while reading > your comments. ** > **See the discussion about singleExtensions and of responseExtensions.* > > *Comment 8*: You have changed the meaning of the revoked state in a way > that is not what I requested. > > The original text was: > > *The "revoked" state indicates that the certificate has been revoked* > > *(either permanantly or temporarily (on hold)).* > > The new text is: > > * The "revoked" state indicates that the certificate has been revoked* > > * either permanently or temporarily on hold (i.e. the revocation reason* > > * is certificateHold).* > > By doing this, you do not allow any other case in the future to have a > temporary revocation: “*temporarily on hold”***is not the same > as*“**temporarily revoked”**.* > > I propose the following rewording: > > *The "revoked" state indicates that the certificate has been revoked * > > * either permanently or temporarily (e.g. placed on hold).* > > I substituted "temporarily on hold" with "temporarily. The rest > unchanged since the only existing reason code for temporary revocation > is certificateHold. > > *As you say, the only CURRENT existing reason code for temporary > revocation is certificateHold. ** > **We must not PREVENT other reasons in the future to mean “temporary > revocation”, hence why the change is needed.* > > The way the text from draft 13 is now written seems to allow using > either *“unknown”*or *“revoked”*for non-issued certificates. > If this is the intent, then the good news is that this does not come > anymore into conflict with the French rules which apply > for the Administration since OCSP responders from CAs used by the French > Ministries having a direct access to the database of issued certificates > will be able to use *“unknown*”, rather than *“revoked”*and the reason > code *“onhold”.* > > However, the current text is still mandating the use of *Extended > Revoked Definition*, but the rational for its need it is very poor. > As I have said on the PKIX list, the fact that the revocation date is > January 1rst, 1970 is fully sufficient to know that we are in that very > special case, > and you have not provided a rational to say the contrary. > > I have. And I have pointed you to the minutes of the last PKIC meeting. > > The consensus of the WG is to have the extension for just those reasons. > > As implementer, I don't like heuristics. A date of Jan 1st 1970 may > indicate this behaviour, > but may just be a misconfiguration. It is not an explicit statement. > > So we could get rid of it, … but the text from section 4.4.8 states: > > * This extension MAY be present in other responses to signal that the* > > * responder implements the extended revoked definition in section 2.2.* > > I have difficulties to understand what is really meant there (“other > responses” ?), since the text states: > > * This extension indicates that the responder supports the extended* > > * definition of the "revoked" status to also include non-issued* > > * certificates according to section 2.2.* > > Since both “unknown” and revoked” can be used, it would be desirable to > be able to include the same extension in both cases, > but in that case that extension should be renamed. > > This extension can be included in all responses to signal that a > responder implements the expanded definition of revoked. > > Doing so makes this fact auditable without having to ask for a > non-issued cert. > > I would propose to rename it: "*non-issued certificate*” which means > that the associated CA has no record of ever having issued a certificate > with the certificate serial number in the request (I still consider it > as unnecessary in the case of “revoked”, but it would be very useful in > the case of “unknown”). > Of course, the text from section 4.4.8 would need to be revised. > > I propose the following: > > * * > > *4.4.8 Non-issued certificate extension* > > * This extension MUST be included in the OCSP response when the OCSP* > > * responder knows that the CA identified in the request has no record* > > * of ever having issued a certificate with the certificate serial* > > * number indicated in the request.* > > * Clients do not have to parse this extension in order to determine* > > * the status of certificates in responses.* > > * This extension is identified by the object identifier id-pkix-ocsp-* > > * non-issued-cert.* > > * id-pkix-ocsp-non-issued-cert OBJECT IDENTIFIER ::= {id-pkix-ocsp 9}* > > * The value of the extension SHALL be NULL. This extension MUST NOT be* > > * marked critical.* > > Then the text on page 8 would need to be rearranged. > > Your extension variant is a significant change to what has been agreed. > > Your extension would need to be a single response extension, and can't > be used to audit the behaviour of the OCSP responder > unless you send a request for a non-issued cert. > > *Hummm !!! We have a very important point there. Thanks to your comment, > I now realize that the proposed extension > applies to the whole response. However, this is not possible and I will > now explain why. An OCSP responder may receive > a delegation from several CAs. With some of them, it can use a direct > access to the database of certificates, > while for some others, it will use CRLs. So the meaning of “revoked” > will depend of the CA. * > > ** > > *This means that the indication cannot be global to the OCSP response. > If we use an extension, it can only apply ** > **to an individual response and thus MUST in singleExtensions instead of > responseExtensions.* > > ** > > *Since it is singleExtension, it can used to “audit the behaviour of the > OCSP responder” and I do not grasp your rational ** > **when you say “unless you send a request for a non-issued cert”. There > is no need for sending anything.* > > We want to avoid sending such fake requests for audit purposes as it may > interfere with systems at the responder trying to detect existence of > rouge certificates. > > *There is no need to sending fake requests.* > > This is a type of change that I can't make unless you get support from a > majority of the WG for the change of direction you propose. > > *The important point is that the text states:* > > ** > > *“The "revoked" state (…) _MAY also be returned_ if the associated CA > has no record of ever having issued a certificate > with the certificate serial number in the request, using any current or > previous issuing key (referred to as a > "non-issued" certificate in this document).”* > > ** > > *The test does **_not_**state “**_MUST_**also be returned”. This means > that it is also possible to reply “unknown” if the associated CA ** > **has no record of ever having issued a certificate with the certificate > serial number in the request. However, this is not ** > **straightforward when reading the text and thus the text should be made > more explicit.* > > ** > > *Now, we get to the main point. The reason for adding an extension is > NOT to say that an extended meaning of revoked ** > **is being used, but that the INDIVIDUAL response is given using a > direct access to the records of the certificates issued by the CA.* > > The current text is: > > * This state MAY also be returned if the* > > * associated CA has no record of ever having issued a certificate with* > > * the certificate serial number in the request, using any current or* > > * previous issuing key (referred to as a "non-issued" certificate in* > > * this document).* > > * The "unknown" state indicates that the responder doesn't know about* > > * the certificate being requested.* > > * NOTE: The "revoked" state for known non-issued certificate serial* > > * numbers is allowed in order to reduce the risk of relying* > > * parties using CRLs as a fall back mechanism, which would be* > > * considerably higher if an "unknown" response was returned.* > > * When a responder responds revoked to a status request for a non-* > > * issued certificate, the responder MUST include the extended revoked* > > * definition response extension (section 4.4.8) in the response,* > > * indicating that the OCSP responder supports the extended definition* > > * of revoked state to also cover non-issued certificates. In addition,* > > * the SingleResponse related to this non-issued certificate;* > > * - MUST provide the revocation reason certificateHold (6),* > > * - MUST specify the revocationTime January 1, 1970, and;* > > * - MUST NOT include a CRL References extension (section 4.4.2) or any* > > * CRL Entry Extensions (section 4.4.5).* > > Proposed text for a replacement: > > * The "unknown" state indicates that the responder doesn't know about* > > * the certificate being requested.* > > > > * If the OCSP responder knows that CA identified in the request has* > > * no record of ever having issued a certificate with the certificate* > > * serial number in the request, using any current or previous issuing* > > * key (referred to as a "non-issued" certificate in this document),* > > * the OCSP responder SHALL respond either “revoked “ or “unknown”.* > > This is unfortunately very common in your rewording efforts. When trying > to fix one thing, you create new even bigger problems. > > An infrastructure that provides reproduced responses will respond > "unauthorized". This text may be interpreted to interfere with such > operations. > > *I fear I don’t understand your argument about “unauthorized”, but > before replying see below my next comment.* > > Further, and worse. This is not backwards compatible. Current OCSP > responders may respond "good" even if they have access to CA records. > > *You say: “Current OCSP responders may respond "good" even if they have > access to CA records”. Originally RFC 2560 allowed > returning “good” for OCSP responder using CRLs. Since RFC 2560 provided > no way to indicate that a direct access to the database > was being used or not, it was not possible to do better. * > > ** > > *Now, if an OCSP responder has a direct access and indicates in the > response that it has such an access, do you really believe > that it will return good ? I don’t. * > > ** > > *If an OCSP responder wants to return “good”, it can still do it, but in > that case it will not signal that it is using a direct access ** > **and this is perfectly backwards compatible. So I do not “buy” your > argumentation.* > > ** > > *Now, may be you understand better why I propose to rename the extension > “4.4.8 Non-issued certificate extension” and ** > **also to change its semantics.* > > * Note: The "revoked" state for known non-issued certificate serial* > > * numbers is allowed in order to reduce the risk of relying parties* > > * using CRLs as a fall back mechanism, which would be possible when* > > * the "unknown" response is returned.* > > * When a responder responds revoked or unknown to a status request* > > * for a non-issued certificate, the responder MUST include the* > > * non-issued certificate extension (see section 4.4.8) in the* > > * response.* > > * When a responder responds revoked to a status request for a non-* > > * issued certificate, in addition, the responder:* > > * - MUST provide the revocation reason certificateHold (6),* > > * - MUST specify the revocationTime January 1, 1970, and;* > > * - MUST NOT include a CRL References extension (section 4.4.2) or any* > > * CRL Entry Extensions (section 4.4.5).* > > Finally, the last bullet on page 4 should be reworded: > > Current text: > > * o Section 4.4.8 specifies a new extension that indicates that the* > > * responder supports the extended use of the "revoked" response* > > * for non-issued certificates defined in section 2.2.* > > Proposed replacement text: > > * o Section 4.4.8 specifies a new extension that indicates that* > > * the OCSP responder knows that CA identified in the request* > > * has no record of ever having issued a certificate with the* > > * certificate serial number present in the request, as defined* > > * in section 2.2.* > > No. Again, this changes the scope of the extension and its audit properties. > > Such change requires WG consensus. > > *See earlier comments.* > > *Comment 9:*Solved, if the comment above may be solved. > > *Comment 20*:This comment is preliminary classified by you as “not > broken”. However, since you asked: “If you don’t replace 4.2.2.3, > then what really are you missing ?”, I will provide you with an answer. > > This is the wrong way to state the question. Providing an ASN.1 syntax > as in 4.2.1 is not enough: the use of every parameter MUST be explained > using English words. So if you explain the use of every parameter after > the description of the ASN.1 syntax in section 4.2.1. then section 4.2.2.3 > is no more needed and thus can be deleted. > > The answer to your question “what is really missing” is a description of > the use of every parameter listed in the ASN.1 in section 4.2.1 > > There are sufficient descriptions in the subsections following the ASN.1 > description. Your change proposals are not compatible with the minimalistic > approach adopted by the WG. > > *The key point is whether we want a “good” document or maintain the low > quality of the original document.*** > > *Comment 26*: You asked for explanations. Let me provide you with an > example when CRLs are being used by the OCSP responder in the background. > The OCSP responder needs to make sure that the CRL it uses is valid. If > it is simply using published CRLs (i.e. no trusted link with the CA), it > needs > to make sure that the CA which has issued the CRL has no been revoked. > > No, this is a misstatement. You don't revoke CAs. You revoke CA > certificates. > > *Right.* > > There might be a CA certificate that has been revoked for a reason that > does not affect the OCSP responder. > > * ..but the contrary may also apply.* > > These are operational policies that are outside the scope of the protocol. > > *The proposed text does not affect the protocol.* > > The proposed text in comment 26 is plain wrong, or at least misleading. > The OCSP responder does not have to validate the CRL up to any > particular root. > It may for example have been configured to directly trust the public key > used to validate the CRL. > > *T**his depends how it makes sure that it is reading the right CRL. It > may or may not use a root CA.* > > In France, there is a root CA for the Administration. However, the use > of that root CA is optional. Thus a Ministry may have its own root, > but may also have its key certified by the root CA of the > Administration. The OCSP responder may use the root CA of the Ministry, > while a relying party may use the root CA of the Administration (or the > reverse) to validate the CRL for the target certificate. > Thus the revocation status will be different if the certificate of the > CA of the Ministry is revoked by the root CA of the Administration. > > Which reinforces my point. How the OCSP responder is configured to trust > its information source is outside the scope of the protocol. > > The OCSP protocol never claims to provide the same conclusion about > revocation than another source the relying party may use. > > *We both agree; however would you point me where this is said in the > current draft? Since I could not find it, > I believe it is useful to highlight the point in the security > considerations section. > * > > * > * > > *Finally, I believe that the major point indicated earlier comes from > the original "bad writing" of RFC 2560.* > > *There is no clear distinction between what applies to > ***BasicOCSPResponse* and ***what applies *to Single Response.* > > *On page 15 from draft-14, the text still states in section 4.2.2.2 > Authorized Responder: > > "It is necessary however to ensure that the entity signing this > information is authorized to do so". > > This is vague. What is "this information " ? This text is within section > "4.2.2 Notes on OCSP Responses". > This does not help much. > > Is it BasicOCSPResponse ? If it is , this is wrong. > > It is SingleResponse, since a single response may be signed by the right > key and/or the right certificate, > but not another single response. > > How can a reader guess that it is SingleResponse ? > > Once again the quality of the text is really bad, and that text and some > other portions (3.2 Signed Response Acceptance Requirements) > would need to be changed. > * > > ** > > *Denis* > > > >> Denis, >> >> My replies in line; >> >> From: Denis Pinkas <denis.pinkas@bull.net <mailto:denis.pinkas@bull.net>> >> Date: Monday, February 11, 2013 3:18 PM >> To: Stefan Santesson <stefan@aaa-sec.com <mailto:stefan@aaa-sec.com>> >> Cc: Stephen Kent <kent@bbn.com <mailto:kent@bbn.com>>, pkix >> <pkix@ietf.org <mailto:pkix@ietf.org>> >> Subject: Re: [pkix] Review of 2560-bis draft 8. Answer to WGLC >> >> Stefan, >> >> I have finally reviewed your disposition of comments. I have used >> draft 13. >> >> I will not address the comments in sequence, but I will consider >> four categories: >> >> *Category 1)*Some comments which seem to be solved. Yes indeed, >> they may be a few of them ! >> >> *Category 2)*Some comments which might possibly be solved at the >> WG level. >> >> *Category 3)*Some comments that I will address at the IETF last >> call level, rather than the WG last call level, since I disagree >> that it is “new ways to say the same thing” and it is likely to be >> a waste of time for both of us to argue again at the WG level >> (these comments are commented as “not broken”). >> >> *Category 4)*Some typos and editorials found while reading draft 13. >> >> *CATEGORY 1* >> >> *Comment 4*(was editorial). >> >> *Comment 5.* >> >> ** >> >> *Comment 6. * >> >> *Comment 19*. Solved, since *“unknown”*seems now to be also >> allowed for non-issued certificates >> (even if the OCSP responder is using a direct access to the >> certificate database). See comment 8. >> >> *Comment 13*: Acceptable, since the text uses *“MAY”.* >> >> *Comment 18. * >> >> *Comment 22.* >> >> *Comment 23.* >> >> *Comment 28.* >> >> *CATEGORY 1* >> >> *Comment 8*: You have changed the meaning of the revoked state in >> a way that is not what I requested. >> >> The original text was: >> >> *The "revoked" state indicates that the certificate has been revoked* >> >> *(either permanantly or temporarily (on hold)).* >> >> The new text is: >> >> ** >> >> * The "revoked" state indicates that the certificate has been revoked* >> >> * either permanently or temporarily on hold (i.e. the revocation reason* >> >> * is certificateHold).* >> >> By doing this, you do not allow any other case in the future to >> have a temporary revocation: “*temporarily on hold”** >> *is not the same as*“**temporarily revoked”**.* >> >> I propose the following rewording: >> >> *The "revoked" state indicates that the certificate has been revoked * >> >> * either permanently or temporarily (e.g. placed on hold).* >> >> >> I substituted "temporarily on hold" with "temporarily. The rest >> unchanged since the only existing reason code for temporary revocation >> is certificateHold. >> >> >> >> The way the text from draft 13 is now written seems to allow using >> either *“unknown”*or *“revoked”*for non-issued certificates. >> If this is the intent, then the good news is that this does not >> come anymore into conflict with the French rules which apply for >> the Administration since OCSP responders from CAs used by the >> French Ministries having a direct access to the database >> of issued certificates will be able to use *“unknown*”, rather >> than *“revoked”*and the reason code *“onhold”.* >> >> However, the current text is still mandating the use of *Extended >> Revoked Definition*, but the rational for its need it is very poor. >> As I have said on the PKIX list, the fact that the revocation date >> is January 1rst, 1970 is fully sufficient to know that we are in that >> very special case, and you have not provided a rational to say the >> contrary. >> >> >> I have. And I have pointed you to the minutes of the last PKIC meeting. >> The consensus of the WG is to have the extension for just those reasons. >> >> As implementer, I don't like heuristics. A date of Jan 1st 1970 may >> indicate this behaviour, but may just be a misconfiguration. It is not >> an explicit statement. >> >> So we could get rid of it, … but the text from section 4.4.8 states: >> >> * This extension MAY be present in other responses to signal that the* >> >> * responder implements the extended revoked definition in section 2.2.* >> >> I have difficulties to understand what is really meant there >> (“other responses” ?), since the text states: >> >> * This extension indicates that the responder supports the extended* >> >> * definition of the "revoked" status to also include non-issued* >> >> * certificates according to section 2.2.* >> >> Since both “unknown” and revoked” can be used, it would be >> desirable to be able to include the same extension in both cases, >> but in that case that extension should be renamed. >> >> >> This extension can be included in all responses to signal that a >> responder implements the expanded definition of revoked. >> Doing so makes this fact auditable without having to ask for a >> non-issued cert. >> >> >> I would propose to rename it: "*non-issued certificate*” which >> means that the associated CA has no record of ever having issued >> a certificate with the certificate serial number in the request (I >> still consider it as unnecessary in the case of “revoked”, but it >> would be >> very useful in the case of “unknown”). Of course, the text from >> section 4.4.8 would need to be revised. >> >> I propose the following: >> >> *4.4.8 Non-issued certificate extension* >> >> * * >> >> * This extension MUST be included in the OCSP response when the OCSP* >> >> * responder knows that the CA identified in the request has no record* >> >> * of ever having issued a certificate with the certificate serial* >> >> * number indicated in the request.* >> >> * * >> >> * Clients do not have to parse this extension in order to determine* >> >> * the status of certificates in responses.* >> >> * * >> >> * This extension is identified by the object identifier id-pkix-ocsp-* >> >> * non-issued-cert.* >> >> * * >> >> * id-pkix-ocsp-non-issued-cert OBJECT IDENTIFIER ::= {id-pkix-ocsp 9}* >> >> * * >> >> * The value of the extension SHALL be NULL. This extension MUST NOT be* >> >> * marked critical.* >> >> Then the text on page 8 would need to be rearranged. >> >> >> Your extension variant is a significant change to what has been agreed. >> Your extension would need to be a single response extension, and can't >> be used to audit the behaviour of the OCSP responder unless you send a >> request for a non-issued cert. >> We want to avoid sending such fake requests for audit purposes as it >> may interfere with systems at the responder trying to detect existence >> of rouge certificates. >> >> This is a type of change that I can't make unless you get support from >> a majority of the WG for the change of direction you propose. >> >> The current text is: >> >> * This state MAY also be returned if the* >> >> * associated CA has no record of ever having issued a certificate with* >> >> * the certificate serial number in the request, using any current or* >> >> * previous issuing key (referred to as a "non-issued" certificate in* >> >> * this document).* >> >> * * >> >> * The "unknown" state indicates that the responder doesn't know about* >> >> * the certificate being requested.* >> >> * * >> >> * NOTE: The "revoked" state for known non-issued certificate serial* >> >> * numbers is allowed in order to reduce the risk of relying* >> >> * parties using CRLs as a fall back mechanism, which would be* >> >> * considerably higher if an "unknown" response was returned.* >> >> * * >> >> * When a responder responds revoked to a status request for a non-* >> >> * issued certificate, the responder MUST include the extended revoked* >> >> * definition response extension (section 4.4.8) in the response,* >> >> * indicating that the OCSP responder supports the extended definition* >> >> * of revoked state to also cover non-issued certificates. In addition,* >> >> * the SingleResponse related to this non-issued certificate;* >> >> * * >> >> * - MUST provide the revocation reason certificateHold (6),* >> >> * * >> >> * - MUST specify the revocationTime January 1, 1970, and;* >> >> * * >> >> * - MUST NOT include a CRL References extension (section 4.4.2) or any* >> >> * CRL Entry Extensions (section 4.4.5).* >> >> Proposed text for a replacement: >> >> * The "unknown" state indicates that the responder doesn't know about* >> >> * the certificate being requested.* >> >> * * >> >> * If the OCSP responder knows that CA identified in the request has* >> >> * no record of ever having issued a certificate with the certificate* >> >> * serial number in the request, using any current or previous issuing* >> >> * key (referred to as a "non-issued" certificate in this document),* >> >> * the OCSP responder SHALL respond either “revoked “ or “unknown”.* >> >> >> This is unfortunately very common in your rewording efforts. When >> trying to fix one thing, you create new even bigger problems. >> >> An infrastructure that provides reproduced responses will respond >> "unauthorized". This text may be interpreted to interfere with such >> operations. >> Further, and worse. This is not backwards compatible. Current OCSP >> responders may respond "good" even if they have access to CA records. >> >> * * >> >> * Note: The "revoked" state for known non-issued certificate serial* >> >> * numbers is allowed in order to reduce the risk of relying parties* >> >> * using CRLs as a fall back mechanism, which would be possible when* >> >> * the "unknown" response is returned.* >> >> * * >> >> * When a responder responds revoked or unknown to a status request* >> >> * for a non-issued certificate, the responder MUST include the* >> >> * non-issued certificate extension (see section 4.4.8) in the* >> >> * response.* >> >> * * >> >> * When a responder responds revoked to a status request for a non-* >> >> * issued certificate, in addition, the responder:* >> >> * * >> >> * - MUST provide the revocation reason certificateHold (6),* >> >> * * >> >> * - MUST specify the revocationTime January 1, 1970, and;* >> >> * * >> >> * - MUST NOT include a CRL References extension (section 4.4.2) or any* >> >> * CRL Entry Extensions (section 4.4.5).* >> >> Finally, the last bullet on page 4 should be reworded: >> >> Current text: >> >> * o Section 4.4.8 specifies a new extension that indicates that the* >> >> * responder supports the extended use of the "revoked" response* >> >> * for non-issued certificates defined in section 2.2.* >> >> ** >> >> Proposed replacement text: >> >> * o Section 4.4.8 specifies a new extension that indicates that* >> >> * the OCSP responder knows that CA identified in the request* >> >> * has no record of ever having issued a certificate with the* >> >> * certificate serial number present in the request, as defined* >> >> * in section 2.2.* >> >> >> No. Again, this changes the scope of the extension and its audit >> properties. >> Such change requires WG consensus. >> >> >> *Comment 9:*Solved, if the comment above may be solved. >> >> *Comment 20*:This comment is preliminary classified by you as “not >> broken”. However, since you asked: “If you don’t replace 4.2.2.3, >> then what really are you missing ?”, I will provide you with an >> answer. >> >> This is the wrong way to state the question. Providing an ASN.1 >> syntax as in 4.2.1 is not enough: the use of every parameter >> MUST be explained using English words. So if you explain the use >> of every parameter after the description of the ASN.1 syntax >> in section 4.2.1. then section 4.2.2.3 is no more needed and thus >> can be deleted. >> >> The answer to your question “what is really missing” is a >> description of the use of every parameter listed in the ASN.1 in >> section 4.2.1 >> >> >> There are sufficient descriptions in the subsections following the >> ASN.1 description. Your change proposals are not compatible with the >> minimalistic approach adopted by the WG. >> >> >> *Comment 21.* >> >> While I can agree in general with the intent of the text, I do not >> understand the first sentence of the Note which speaks of “CA key >> rollover” >> and is copied below: >> >> * Note: CA key rollover is not prohibited when issuing a certificate* >> >> * for an authorized responder for backwards compatibility with* >> >> * RFC 2560 [RFC2560]. That is, it is not prohibited to issue a* >> >> * certificate for an authorized responder using a different* >> >> * issuing key than the key used to issued the certificate being* >> >> * checked for revocation. However, such practice is strongly* >> >> * discouraged since clients are not required to recognize a* >> >> * responder with such certificate as an authorized responder.* >> >> I would propose to delete it, since it does not add anything and >> thus to have: >> >> * Note: For backwards compatibility with RFC 2560 [RFC2560], it is* >> >> * not prohibited to issue a certificate for an authorized* >> >> * responder using a different issuing key than the key used to* >> >> * issued the certificate being checked for revocation.* >> >> * However, such practice is strongly discouraged since clients* >> >> * are not required to recognize a responder with such* >> >> * certificate as an authorized responder.* >> >> >> I agree, your text is better. Updated. >> >> *Comment 24*: The ASN.1 module in annex B.1 is still wrong, since >> it does not define NoCheck. >> >> >> No you are wrong. We have confirmed with several ASN.1 experts that >> definition of NoCheck is not necessary to define null content. >> The current definition is perfectly valid ASN.1 >> >> *Comment 26*: You asked for explanations. Let me provide you with >> an example when CRLs are being used by the OCSP responder >> in the background. The OCSP responder needs to make sure that the >> CRL it uses is valid. If it is simply using published CRLs >> (i.e. no trusted link with the CA), it needs to make sure that the >> CA which has issued the CRL has no been revoked. >> >> >> No, this is a misstatement. You don't revoke CAs. You revoke CA >> certificates. There might be a CA certificate that has been revoked >> for a reason that does not affect the OCSP responder. >> These are operational policies that are outside the scope of the protocol. >> >> The proposed text in comment 26 is plain wrong, or at least >> misleading. The OCSP responder does not have to validate the CRL up to >> any particular root. It may for example have been configured to >> directly trust the public key used to validate the CRL. >> >> >> In France, there is a root CA for the Administration. However, the >> use of that root CA is optional. Thus a Ministry may have its own >> root, >> but may also have its key certified by the root CA of the >> Administration. The OCSP responder may use the root CA of the >> Ministry, >> while a relying party may use the root CA of the Administration >> (or the reverse) to validate the CRL for the target certificate. >> Thus the revocation status will be different if the certificate of >> the CA of the Ministry is revoked by the root CA of the >> Administration. >> >> >> Which reinforces my point. How the OCSP responder is configured to >> trust its information source is outside the scope of the protocol. >> >> The OCSP protocol never claims to provide the same conclusion about >> revocation than another source the relying party may use. >> >> I skip category 3 as this will be dealt with in IESG last call. >> >> >> *CATEGORY 3* >> >> *Comments*2, 3, 7, 10, 12, 14, 15, 16, 17, 25 and 27. >> >> *CATEGORY 4* >> >> Page 4. The indentation of the bullets in section 1 is not uniform. >> Bullets 1, 4, 5 and 9 have problems. >> >> Page 4. The fact that there is now an Annex B.2 dealing with the >> 2008 ASN.1 syntax is missing. This should be added. >> >> Page 10. Change “*Se further section 4.2.2.2”*into “*See further >> section 4.2.2.2” >> * >> >> >> >> Thanks. I have fixed them all. >> >> /Stefan >> >> >> Denis >> ** >> >> ===================================================================================== >> >> >> >>> Denis, >>> >>> Responding to your comments below. >>> >>> However, one general remark to make recurring comments easier to >>> understand. >>> >>> The WG decided to adopt a minimalistic approach to updating RFC >>> 2560. That means that >>> >>> 1. We don't change anything from RFC 2560 unless it is broken, >>> or the industry clearly need clarifications in order to avoid >>> interoperability issues. >>> 2. We retain the document structure of RFC 2560 as much as >>> possible to allow easy comparison of what the changes are in >>> comparison with RFC 2560. >>> >>> >>> One can always think up more clever ways to write things out in >>> words. But that also comes with a risk. >>> The current words has been around for a long time and we know >>> from experience which words worked to produce working >>> implementations, and which did not. >>> Introducing new ways to say the same thing may introduce new >>> problems and people might disagree on what the new perfect >>> wording should be. And this could go on forever. >>> >>> So when my reply is "Not broken", then that is because the >>> current wording does not have such problems that is merits a change. >>> >>> >>> >>> From: Denis Pinkas <denis.pinkas@bull.net >>> <mailto:denis.pinkas@bull.net>> >>> Date: Sunday, January 20, 2013 5:12 PM >>> To: Stefan Santesson <stefan@aaa-sec.com >>> <mailto:stefan@aaa-sec.com>>, Stephen Kent <kent@bbn.com >>> <mailto:kent@bbn.com>> >>> Cc: pkix <pkix@ietf.org <mailto:pkix@ietf.org>> >>> Subject: Re: [pkix] Review of 2560-bis draft 8. Answer to WGLC >>> >>> Please find 32 comments on draft-ietf-pkix-rfc2560bis >>> >>> 1.The document states: >>> >>> **<Cut away issue 1 regarding authorship etc, as it has been >>> responded to separately> >>> >>> >>> Responded to separately. >>> >>> 2.The current text from section 2 states: >>> >>> 2. Protocol Overview >>> >>> >>> >>> In lieu of or as a supplement to checking against a periodic CRL, it >>> >>> may be necessary to obtain*timely information* regarding the >>> >>> revocation status of a certificate (cf. RFC5280], Section 3.3). >>> >>> Examples include high-value funds transfer or large stock trades. >>> >>> >>> >>> The Online Certificate Status Protocol (OCSP) enables applications to >>> >>> determine the (revocation) state of an identified certificate. OCSP >>> >>> may be used to satisfy some of the operational requirements of >>> >>> providing*more timely revocation information* than is possible with >>> >>> CRLs and may also be used to obtain additional status information. >>> >>> >>> >>> This text is misleading because readers may think that OCPS necessarily provides “timely information”. >>> >>> >>> >>> >>> "may" does not mean "necessarily". >>> >>> Proposed text replacement: >>> >>> >>> >>> *The Online Certificate Status Protocol (OCSP) is a >>> client-server * >>> >>> *protocol which enables applications to obtain the revocation >>> status * >>> >>> *of one or more certificates either "good", "revoked", or >>> "unknown".* >>> >>> ** >>> >>> *The revocation status may be provided by the server either >>> using a * >>> >>> *real time access to a database of issued certificates, or >>> using a * >>> >>> *batch access to a database of issued certificates, or using a * >>> >>> *real time access to a database of revocation statuses of >>> issued * >>> >>> *certificates, or using a batch access to a database of >>> revocation * >>> >>> *statuses of issued certificates, or using CRLs, or using a * >>> >>> *combination of base CRLs and delta CRLs.* >>> >>> ** >>> >>> *In the first case, it is possible to obtain timely >>> revocation status * >>> >>> *information, whereas in the other cases, the freshness of the * >>> >>> *revocation status is not better than the mechanisms it is >>> based on.* >>> >>> >>> >>> >>> >>> >>> Not broken >>> >>> 3.The current text from section 2 states: >>> >>> >>> >>> An OCSP client issues a status request to an OCSP responder and >>> >>> Suspends acceptance of*the certificate in question* until the >>> >>> responder provides a response. >>> >>> >>> >>> This protocol specifies the data that needs to be exchanged between >>> >>> an application checking the status of a certificate and the server >>> >>> providing that status. >>> >>> >>> >>> Thus is insufficient for an overview. More details are needed to know what the document provides, >>> in particular that the request may contain several requests for several certificates issued by different CAs. >>> The possibility of using extensions should also be advertised. >>> >>> >>> >>> Proposed text replacement: >>> >>> >>> >>> When using OCSP, an OCSP client issues a certificate revocation >>> >>> status request to an OCSP responder *for one or more >>> certificates * >>> >>> *issued by the same CA or for one or more certificates issued >>> by * >>> >>> *different CAs *and then suspends acceptance of the >>> certificate(s) >>> >>> in question until the responder provides a response. >>> >>> This document specifies the data that needs to be exchanged >>> between >>> >>> an application checking the status of a certificate and the >>> server >>> >>> providing that status. >>> >>> *OCSP may also provide additional status information using * >>> >>> *extensions. * >>> >>> >>> Not broken >>> >>> 4.Page 6. Editorial. Punctuation and a CR/LF are missing. >>> >>> The text states: >>> >>> * 3. the request contains the information needed by the responder If* >>> >>> * any one of the prior conditions are not met, the OCSP responder* >>> >>> * produces an error message; otherwise, it returns a definitive* >>> >>> * response.* >>> >>> It should state: >>> >>> * 4. the request contains the information needed by the responder.* >>> >>> * * >>> >>> * If any one of the prior conditions are not met, the OCSP responder* >>> >>> * produces an error message; otherwise, it returns a definitive* >>> >>> * response.* >>> >>> >>> Fixed in draft 10. >>> >>> 5.On page 7, the text states: >>> >>> ** >>> >>> *All definitive response messages SHALL be digitally signed. >>> The key* >>> >>> *used to sign the response MUST belong to one of the following:* >>> >>> * * >>> >>> * - the CA who issued the certificate in question* >>> >>> * - a Trusted Responder whose public key is trusted by the requester* >>> >>> * - a CA Designated Responder (Authorized Responder) who holds a* >>> >>> * specially marked certificate issued directly by the CA, indicating* >>> >>> * that the responder may issue OCSP responses for that CA.* >>> >>> ** >>> >>> The paragraph is ambiguous on several aspects. >>> >>> Delegation is addressed in at least three different places, >>> but with different terms and conditions. >>> If some one picks a sentence in one paragraph rather than >>> another, it will lead to a different conclusion. >>> RFCs are supposed to be clear. >>> >>> On page 10, the current text states in section*2.6 OCSP >>> Signature Authority Delegation *states: >>> >>> >>> >>> *The key that signs a certificate's status information need >>> not be the* >>> >>> *same key that signed the certificate.**A certificate's issuer* >>> >>> *explicitly delegates OCSP signing authority by issuing a >>> certificate* >>> >>> *containing a unique value for extendedKeyUsage in the OCSP >>> signer's* >>> >>> *certificate. This certificate MUST be issued directly to the* >>> >>> *responder by the cognizant CA.* >>> >>> >>> >>> On page 16, there is a section >>> *4.2.2.2***called*“**Authorized Responders”*dealing with the >>> same topic. >>> >>> Section 4.2.2.2 states: >>> >>> *The key that signs a certificate's status information need >>> not be the* >>> >>> *same key that signed the certificate**. It is necessary >>> however to* >>> >>> *ensure that the entity signing this information is >>> authorized to do* >>> >>> *so.Therefore, a certificate's issuer MAY either sign the OCSP* >>> >>> *responses itself or it MAY explicitly designate this >>> authority to* >>> >>> *another entity.OCSP signing delegation SHALL be designated >>> by the* >>> >>> *inclusion of id-kp-OCSPSigning in an extendedKeyUsage >>> certificate* >>> >>> *extension included in the OCSP response signer's >>> certificate.This* >>> >>> *certificate MUST be issued directly by the CA that issued the* >>> >>> *certificate in question.* >>> >>> ** >>> >>> *The CA SHOULD use the same issuing key to issue a delegation* >>> >>> *certificate as was used to sign the certificate being >>> checked for* >>> >>> *revocation. Systems relying on OCSP responses MUST recognize a* >>> >>> *delegation certificate as being issued by the CA that issued >>> the* >>> >>> *certificate in question only if the delegation certificate >>> and the* >>> >>> *certificate being checked for revocation was signed by the >>> same key.*** >>> >>> The last sentence above in yellow is the key sentence that is >>> missing in the two other sections. >>> >>> >>> >>> Most implementations only support the case where the OCSP Responder receives an OCSP certificate that is signed by the same key >>> that was used to sign the target certificate. They do not support the case where the OCSP Responder receives an OCSP certificate >>> that is signed by a key that is different from the one that was used to sign the target certificate. >>> >>> It is inappropriate to have three sections dealing with the >>> same topic with a slightly different meaning. >>> >>> It is proposed the following. >>> >>> On page 7, after: >>> >>> * - a CA Designated Responder (Authorized Responder) who holds a* >>> >>> * specially marked certificate issued directly by the CA, indicating* >>> >>> * that the responder may issue OCSP responses for that CA.* >>> >>> it is proposed to add “(*see section 4.2.2.2 for further >>> details**)”*, so that the reader knows that more details are >>> provided later on. >>> >>> Then we do not need two sections to address delegation which >>> start with the same sentence: >>> >>> >>> “*The key that signs a certificate's status information need >>> not be the same key that signed the certificate”.* >>> >>> ** >>> >>> It is thus proposed to delete section 2.6. >>> >>> Section 4.2.2.2 will thus remain the single section providing >>> full details. >>> >>> >>> >>> >>> I have added references to section 4.2.2.2 in the quoted sections >>> in 2.2 and 2.6. >>> (will be included in draft 11) >>> >>> >>> 6. Page 7, the text states: >>> >>> * A definitive response message is composed of:* >>> >>> * * >>> >>> * - version of the response syntax* >>> >>> * - name of the responder* >>> >>> * - responses for each of the certificates in a request* >>> >>> * - optional extensions* >>> >>> * - signature algorithm OID* >>> >>> * - signature computed across hash of the response* >>> >>> This description does not fit with the ASN.1 syntax which is >>> detailed later on, and in particular: >>> >>> * ResponseData ::= SEQUENCE {* >>> >>> * version [0] EXPLICIT Version DEFAULT v1,* >>> >>> * **responderID ResponderID,* >>> >>> * producedAt GeneralizedTime,* >>> >>> * responses SEQUENCE OF SingleResponse,* >>> >>> * responseExtensions [1] EXPLICIT Extensions OPTIONAL }* >>> >>> Proposed text replacement: >>> >>> *A definitive response message is composed of:* >>> >>> ** >>> >>> *- a response status and if there is no error, the following:* >>> >>> *- the version of the response syntax,* >>> >>> *- an identifier of the OCSP server,* >>> >>> *- the time at which the response was produced,* >>> >>> *- single responses for each of the target certificates,* >>> >>> *- optional extensions,* >>> >>> *- the signature algorithm OID,* >>> >>> *- the signature computed across hash of the response, and* >>> >>> *- optional certificates.* >>> >>> >>> This is an overview section. We ought not try to duplicate the >>> level of detail provided in the detailed protocol section. >>> A "definitive response" according to tho 2.1 is a response to an >>> error-free request, so your first remark is redundant. >>> >>> I have added a note about time to the current list, and changed >>> "name" to identifier in bullet 2. >>> (will be included in draft 11) >>> >>> 7.The text states on page 7: >>> >>> *The response for each of the certificates in a request >>> consists of* >>> >>> ** >>> >>> *-target certificate identifier* >>> >>> *-certificate status value* >>> >>> *-response validity interval* >>> >>> *-optional extensions* >>> >>> However, there are no explanations for the purpose of these >>> parameters and how they should be processed. >>> >>> There are also no explanations on how to process a single >>> response and how to verify that it is its presence within the >>> signed structure >>> is valid or not valid. This is a major deficiency of the >>> current description of RC 2560 where there is no explanation >>> on how to validate >>> a single response. >>> >>> Text proposal to be added after: >>> >>> *The purpose of the identifier of the OCSP server is to allow >>> OCSP * >>> >>> *clients to find whether the definitive response was signed >>> by a CA * >>> >>> *or by an OCSP Responder.* >>> >>> ** >>> >>> *The identifier of the OCSP server SHOULD either be the name >>> or the * >>> >>> *key from a CA, or the name or the key from a OCSP Responder.* >>> >>> ** >>> >>> *Unless there exist local rules (which are outside the scope >>> of this * >>> >>> *document) for verifying that a single response is correctly >>> signed, * >>> >>> *the following applies:* >>> >>> *When the identifier matches with the name of the CA which >>> has issued * >>> >>> *the target certificate or corresponds to the key used to >>> issue the * >>> >>> *target certificate, then a single response is correctly signed * >>> >>> *only if the digital signature of the OCSP response is valid >>> using the * >>> >>> *key used to sign the target certificate.* >>> >>> ** >>> >>> *When the identifier does not match with the name of the CA >>> which has * >>> >>> *issued the target certificate or does not correspond to the >>> key used * >>> >>> *to issue the target certificate, then an single response is >>> correctly * >>> >>> *signed only if :* >>> >>> ** >>> >>> *(a) there exists in the response an OCSP certificate issued by * >>> >>> *the CA which has issued the target certificate which is * >>> >>> *signed by the same key as the one used to issue the * >>> >>> *target certificate, and* >>> >>> ** >>> >>> *(b) the digital signature of the OCSP response is valid using * >>> >>> *the subjectPublicKey contained in this OCSP certificate.* >>> >>> >>> Not broken. >>> All of this is already covered by the document. >>> >>> 8.The text states on page 7: >>> >>> The "revoked" state indicates that the certificate has been >>> revoked >>> >>> *(either permanently or temporarily (on hold)). *This state >>> MAY also be >>> >>> returned if the responder knows that the requested >>> certificate has >>> >>> *never been issued during the history of the associated CA >>> *using any >>> >>> current or previous issuing key. ** >>> >>> The text is ambiguous because there are two embedded >>> parenthesis and it is unclear whether the inner parenthesis >>> means “i.e” or “e.g”. >>> This single sentence may let think that on hold is the single >>> case for temporarily revocation. Since neither X.509 nor RFC >>> 5280 address >>> the case of a temporary revocation in the context of an OCSP >>> response (but only in the context of CRLs), we are able to >>> add another case >>> of temporary revocation which will only apply in the context >>> of OCSP. >>> >>> The above sentence using the terms“*never been issued during >>> the history of the associated CA*“does not capture the fact >>> that it could be issued in the future, hence why using“*not >>> yet been used”*would be more appropriate. >>> >>> Finally, it would have been more logical to use “unknown”. So >>> it is important to add a note to explain why we have chosen >>> that case for “legacy clients”, >>> otherwise the people who have not participate to the >>> exchanges will not understand. >>> >>> Proposed text replacement: >>> >>> *The "revoked" state indicates that the certificate has been revoked,* >>> >>> * either permanently or temporarily.* >>> >>> >>> >>> A certificate may be temporarily revoked either because it is >>> >>> placed on hold (*i.e. the revocation reason is certificateHold*) or >>> >>> because the responder is able to know, using a positive list of >>> >>> issued certificates, that the serial number from the requested >>> >>> certificate has*not yet been used* by the CA to issue a certificate >>> >>> (*i.e. the revocation reason is notIssuedOrIrregularlyIssued*). >>> >>> >>> >>> *NOTE: The "revoked" state is used rather than the “unknown” state, to* >>> >>> * make sure that relying parties that were conformant to RFC 2560* >>> >>> * will not use CRLs as a fall back mechanism.* >>> >>> >>> >>> >>> I removed the double parenthesis and adopted your clarification >>> with regard to "on hold". >>> >>> The text in draft 10 has changed from what you have commented on. >>> I believe that text is better. >>> >>> You "Note" has problems. >>> >>> 1. We do not prevent responders to respond "unknown" if their >>> assessment is that this is an appropriate response, >>> considering what they know about the requested serial number. >>> Thus the term "is used" is misleading. >>> 2. This mechanisms does not "make sure" that the clients do >>> anything. It's up to the discretion of the relying party to >>> decide what source of revocation checking they rely on. This >>> does however reduce the risk of clients falling back to CRL:s >>> 3. This mechanism is not just relevant to old clients, but also >>> to new one for the same reason. >>> >>> >>> I have adopted a modified version of your Note: >>> >>> NOTE: The "revoked" state for known non-issued certificate serial >>> numbers is allowed in order to reduce the risk of relying >>> parties using CRLs as a fall back mechanism, which would be >>> considerably higher if an "unknown" response was returned. >>> >>> >>> >>> 9.The text states on page 8: >>> >>> *When a responder responds revoked to a status request for a >>> non-* >>> >>> *issued certificate, the responder MUST also;* >>> >>> ** >>> >>> *- include the extended revoked definition response extension* >>> >>> *(section 4.8), indicating that the OCSP responder supports the* >>> >>> *extended definition of revoked state to also cover non-issued* >>> >>> *certificates,* >>> >>> ** >>> >>> *- provide the revocation reason certificateHold (6), and;* >>> >>> ** >>> >>> *- specify the revocation date January 1, 1970. * >>> >>> As already explained on the PKIX list, using the revocation >>> reason**certificateHold is not appropriate >>> because it changes the meaning of certificateHold. >>> >>> The extended revoked definition response extension is a means >>> to signal that it not a true certificate hold but a “not >>> issued certificate”. >>> Legacy applications cannot take advantage of it. >>> >>> Some applications which handle non repudiation enter a >>> waiting state when the revocation reason certificateHold is >>> used thus >>> it is not appropriate to overload the meaning. >>> >>> ** >>> >>> It is possible to use another enumeration for signalling that >>> specific case: >>> >>> notIssuedOrIrregularlyIssued (7). >>> >>> ** >>> >>> Thus for new applications it would be much better to use >>> notIssuedOrIrregularlyIssued (7) as already proposed on the >>> PKIX list. >>> >>> The above sentence uses the text: >>> >>> >>> >>> “a status request for a*non-issued certificate*” >>> >>> >>> >>> whereas it would be more appropriate to state: >>> >>> >>> >>> “a status request for a* serial number which has not been used by the CA or used irregularly to issue a certificate”.* >>> >>> * * >>> >>> Placing the ASN.1 description at such a place in the document is inappropriate since the ASN.1 structures have not yet been described. >>> Thus only the functional aspects should be mentioned, but not the ASN.1 implications. >>> >>> * * >>> >>> BTW, the description should follow the same order as the ASN.1. This is not the case. >>> >>> >>> >>> This text should be deleted from this section and the appropriate text should be added when the parameters of the response are described. >>> >>> >>> >>> The text proposed in the previous comment should be sufficient at this time of reading. >>> >>> >>> >>> In addition, section*4.4.8Extended Revoked Definition *should >>> be deleted.** >>> >>> >>> >>> >>> >>> >>> The referred text has been updates in draft 09. >>> >>> This has been discussed on the list and you have yet to convince >>> the list of your new reason code. >>> I disagree as the risk of running into problems with the deployed >>> base of application is hugely larger with introduction of a new >>> reason code, rather than using certificateHold. >>> No application should be broken, since no application have >>> business asking for non-issued cert serial numbers in the first >>> place. Secondly, no application can assume that a certificateHold >>> reason will be cleared any time soon. >>> >>> >>> 10.The text states on page 8: >>> >>> *2.4Semantics of thisUpdate, nextUpdate and producedAt* >>> >>> This section is misplaced. At this time of reading, the >>> reader does not know that thisUpdate, nextUpdate and >>> producedAt are values >>> used by the ASN.1 structures. It is appropriate to describe >>> what theses parameters mean when the ASN.1 syntax is described. >>> The current ASN.1 syntax is very badly described. One would >>> expect that after every ASN.1 structure description every >>> parameter is described. >>> Unfortunately this is not the case. >>> >>> The text from this section is not aligned with the text that >>> is present in section 4.2.2.1. >>> >>> In particular, in section 2.4: >>> >>> ** >>> >>> *If nextUpdate is not set, the responder is indicating that >>> newer* >>> >>> *revocation information is available all the time.* >>> >>> While in section 4.2.2.1: >>> >>> *Responses where the nextUpdate value is not set are equivalent * >>> >>> *to a CRL with no time for nextUpdate (see Section 2.4).* >>> >>> It is not appropriate to have two different descriptions in >>> two different places. >>> >>> Delete section 2.4. See comment number 19 for the description >>> of these parameters. >>> >>> >>> Not broken. >>> The current text segments fits well into a protocol overview section. >>> >>> 11.Section 2.5 is also misplaced. They use values from the >>> ASN.1 syntax which has not yet been described. >>> They should be moved or incorporated in the document once the >>> ASN.1 description has been done. >>> >>> >>> Not broken. >>> >>> 12.Remainder: Section 2.6 should be deleted (see comment >>> number 5). >>> >>> >>> Not broken. >>> >>> 13.Section 2.7 states: >>> >>> *2.7CA Key Compromise* >>> >>> ** >>> >>> *If an OCSP responder knows that a particular CA's private >>> key has* >>> >>> *been compromised, it MAY return the revoked state for all* >>> >>> *certificates issued by that CA.* >>> >>> This section is misleading and should be removed. The reason >>> is the following: >>> >>> The relying party must verify that the singleResponse is >>> signed by a responder which is entitled to do so. >>> >>> a) If the CA key has been compromised and if the response is >>> signed by that CA key then the singleResponse will be discarded >>> when performing the certification path validation _whatever >>> the content of the response may be_. >>> >>> b) If the CA key which has issued the OCSP certificate has >>> been compromised and if the response is signed by the key >>> present >>> in the OCSP certificate then the singleResponse will be >>> discarded when performing the certification path validation >>> _whatever the content of the response may be_. >>> >>> Security must be provided using the validation of the >>> certification path. Thus it does not matter what the OCSP >>> responder states. >>> >>> >>> >>> Not broken. >>> An OCSP responder does not have to be chained to the broken CA. >>> The relying party may have other trust configuration at choice. >>> >>> >>> >>> 14.The text states on page 11: >>> >>> *3.2Signed Response Acceptance Requirements* >>> >>> ** >>> >>> *Prior to accepting a signed response as valid, OCSP clients >>> SHALL* >>> >>> *confirm that:* >>> >>> ** >>> >>> *1. The certificate identified in a received response >>> corresponds to* >>> >>> *that which was identified in the corresponding request;* >>> >>> ** >>> >>> *2. The signature on the response is valid;* >>> >>> ** >>> >>> *3. The identity of the signer matches the intended recipient >>> of the* >>> >>> *request.* >>> >>> ** >>> >>> *4. The signer is currently authorized to sign the response.* >>> >>> ** >>> >>> *5. The time at which the status being indicated is known to be* >>> >>> *correct (thisUpdate) is sufficiently recent.* >>> >>> ** >>> >>> *6. When available, the time at or before which newer >>> information will* >>> >>> *be available about the status of the certificate >>> (nextUpdate) is* >>> >>> *greater than the current time.* >>> >>> This section is misplaced since it uses terms from the ASN.1 >>> syntax and the protocol description has not yet been made, >>> since it is the next section 4. Its text is not correct either. >>> >>> This description does not take into account the fact that >>> a*BasicOCSPResponse *may contain one or several >>> *SingleResponses. * >>> In particular, the sentence“*The signer is currently >>> authorized to sign the response*” is misleading because a signer >>> may be authorized to include some***SingleResponses *but not >>> necessarily all of them. >>> >>> The appropriate explanations should be done after the >>> description of the response, when describing the processing >>> of the response. >>> >>> Delete that section. >>> >>> >>> Not broken. >>> >>> 15.On page 12, after the ASN.1 description, the only >>> parameters which are described are: >>> >>> *hashAlgorithm,**issuerNameHash, issuerKeyHash and serialNumber.* >>> >>> ** >>> >>> This is insufficient.In order to cover the full list of >>> parameters, the following text is proposed: >>> >>> *requestorName is optional and MAY be used by the server for >>> access * >>> >>> *control and audit purposes.* >>> >>> ** >>> >>> *requestList contains one or more single requests.* >>> >>> ** >>> >>> *requestExtensions is OPTIONAL.Any specific extension is >>> OPTIONAL.* >>> >>> *The critical flag SHOULD NOT be set for any of them. Section >>> 4.4 * >>> >>> *suggests several useful extensions.Additional extensions MAY >>> be * >>> >>> *defined in additional RFCs.* >>> >>> ** >>> >>> *reqCert contains the identifier of a target certificate.* >>> >>> ** >>> >>> *issuerNameHash is the hash of the Issuer's distinguished >>> name.The * >>> >>> *hash shall be calculated over the DER encoding of the >>> issuer's name * >>> >>> *field in the certificate being checked. * >>> >>> ** >>> >>> *issuerKeyHash is the hash of the Issuer's public key.The hash * >>> >>> *shall be calculated over the value (excluding tag and >>> length) of the * >>> >>> *subject public key field in the issuer's certificate.The hash * >>> >>> *algorithm used for both these hashes, is identified in * >>> >>> *hashAlgorithm. * >>> >>> ** >>> >>> *The primary reason to use the hash of the CA's public key in * >>> >>> *addition to the hash of the CA's name, to identify the issuer, * >>> >>> *is that it is possible that two CAs may choose to use the same * >>> >>> *name (uniqueness in the Name is a recommendation that cannot >>> be * >>> >>> *enforced). Two CAs will never, however, have the same public >>> key * >>> >>> *unless the CAs either explicitly decided to share their >>> private * >>> >>> *key, or the key of one of the CAs was compromised.* >>> >>> ** >>> >>> *serialNumber is the serial number of the certificate for which * >>> >>> *status is being requested.* >>> >>> ** >>> >>> *singleRequestExtensions is OPTIONAL.Any specific extension is * >>> >>> *OPTIONAL.The critical flag SHOULD NOT be set for any of them. * >>> >>> ** >>> >>> *The requestor MAY choose to sign the OCSP request.In that >>> case, the* >>> >>> *signature is computed over the tbsRequest structure.If the >>> request* >>> >>> *is signed, the requestor SHALL specify its name in the >>> requestorName* >>> >>> *field.Also, for signed requests, the requestor MAY include* >>> >>> *certificates that help the OCSP responder verify the >>> requestor's* >>> >>> *signature in the certs field of Signature.* >>> >>> >>> Not broken. >>> The current text is short, but it is actually sufficient from the >>> context of the ASN.1 definitions of the section. This is a >>> detailed protocol section and the reader need to understand ASN.1 >>> in any case to understand and implement the section. >>> The information about criticality is already covered in the >>> extension section. >>> >>> >>> 16.Section 4.1.2 is called:“*Notes on the Request Syntax”* >>> >>> The first paragraph has been moved after the description >>> of*issuerKeyHash *and thus is no more needed. >>> >>> The second paragraph has been moved after the description >>> of*requestExtensions. * >>> However, the sentence >>> “ *Unrecognized extensions MUST be ignored (unless they have >>> the critical flag set and are not understood)*” >>> has been deleted since it applies to the OCSP responder and >>> not to the OCSP client. Thus it is no more needed. >>> >>> The third paragraph applies to signed requests. However, it >>> should belong to a section dedicated on how clients should >>> build OCPS requests, >>> which is currently missing. See the next comment. >>> >>> This section should be deleted. >>> >>> >>> Not broken. >>> >>> 17.There should be a new section called: “*Requirements for >>> OCSP clients”. * >>> >>> It is important first to re-advertise that the request may be >>> about several certificates. >>> Thus it is important to describe the process for building a >>> request, which is currently missing. >>> >>> *An OCSP request allows getting in the same response the >>> revocation * >>> >>> *status of one or more certificates.In order to request the * >>> >>> *status of one or more certificates in a single request, OCSP * >>> >>> *clients SHALL follow the following rules :* >>> >>> ** >>> >>> *For each candidate certificate, OCSP clients SHALL verify * >>> >>> *whether there exists a locally defined rule for the >>> certificate in * >>> >>> *question which indicates the URI where the OCSP responder is * >>> >>> *located.If this rule exists, it SHALL be followed. * >>> >>> ** >>> >>> *Otherwise, OCSP clients SHALL determine whether the candidate * >>> >>> *certificate contains an AIA extension with an accessMethod >>> which * >>> >>> *contains the id-ad-ocsp OID.If it is the case, the >>> accessLocation * >>> >>> *contains a uniformResourceIdentifier (URI) which indicates the * >>> >>> *location of the OCSP server for that certificate. * >>> >>> ** >>> >>> *Certificates that contain the same URI MAY be grouped in a >>> single * >>> >>> *request.* >>> >>> ** >>> >>> *Note:For each candidate certificate, when performing the path * >>> >>> *validation algorithm, the OCSP client SHOULD verify that the * >>> >>> *current time is within the validity period of the target * >>> >>> *certificate.Certificates which are outside their validity * >>> >>> *period SHOULD NOT be included in the request.* >>> >>> *The requestor MAY choose to sign the OCSP request. In that >>> case, the* >>> >>> *signature is computed over the tbsRequest structure. If the >>> request* >>> >>> *is signed, the requestor SHALL specify its name in the >>> requestorName* >>> >>> *field. Also, for signed requests, the requestor MAY include* >>> >>> *certificates that help the OCSP responder verify the >>> requestor's* >>> >>> *signature in the certs field of Signature.* >>> >>> >>> Not broken. >>> >>> Your text may provide guidance that could be useful to some >>> implementers, but is completely beyond this document and further, >>> not generally applicable or true. >>> As an example, an organisation may setup an in house locally >>> configured OCSP responder that responds to all certificates "out >>> there" that is relevant to that organisation. >>> Such clients would just blindly send OCSP requests to their local >>> responder, disregarding any information in the cert. >>> It's totally beyond this spec to have an opinion about this. >>> >>> >>> 18.The text states on page 14: >>> >>> *The responder MAY include certificates in the* >>> >>> *certs field of BasicOCSPResponse that help the OCSP client >>> verify the* >>> >>> *responder's signature. If no certificates are included then >>> certs* >>> >>> *SHOULD be absent.* >>> >>> While this sentence is true, it is not sufficient. In order >>> to allow verifying every *SingleResponse*, >>> it is important to include the relevant certificates which >>> are pertinent to every *SingleResponse.* >>> >>> Proposed full text replacement: >>> >>> The responder MAY include certificates in the certs field of >>> >>> BasicOCSPResponse that help the OCSP client verify the >>> responder's >>> >>> signature. >>> >>> *For every SingleResponse where the responder is not a CA, the * >>> >>> *responder SHALL include the relevant OCSP certificate in the >>> certs * >>> >>> *field of BasicOCSPResponse in order to allow the OCSP client * >>> >>> *verifying the responder was entitled to include that >>> SingleResponse * >>> >>> *in the signed BasicOCSPResponse.* >>> >>> ** >>> >>> **If no certificates are included then certs SHOULD be absent. >>> >>> >>> Not broken. >>> >>> This requirement would break backwards compatibility with RFC 2560. >>> Further this would not be needed for a locally configured responder. >>> >>> 19.Page 15. The ASN.1 syntax should be changed in order to be >>> able to use the enumeration case 7 that is not used for CRLs. >>> This leads to the following change: >>> >>> Current text: >>> >>> ** >>> >>> *revocationReason[0]EXPLICIT CRLReason OPTIONAL }* >>> >>> Proposed text change: >>> >>> Current text: >>> >>> ** >>> >>> *revocationReason [0]EXPLICIT RevocationReason OPTIONAL }* >>> >>> *RevocationReason ::= ENUMERATED {* >>> >>> *unspecified(0),* >>> >>> *keyCompromise(1),* >>> >>> *cACompromise(2),* >>> >>> *affiliationChanged(3),* >>> >>> *superseded(4),* >>> >>> *cessationOfOperation(5),* >>> >>> *certificateHold(6),* >>> >>> *notIssuedOrIrregularlyIssued (7),* >>> >>> *removeFromCRL(8),* >>> >>> *privilegeWithdrawn(9),* >>> >>> *aACompromise(10) }* >>> >>> >>> Not broken. >>> >>> You have to convince the list about your new reason code. >>> >>> 20.Page 15. After the ASN.1 syntax, there is no description >>> of every parameter, neither on its use >>> (except a few words in section*4.2.2.1 Time >>> *about*thisUpdate, nextUpdate and producedAt).* >>> >>> ** >>> >>> Every parameter needs to be described and explained. >>> >>> ** >>> >>> *responderID indicates either the name or the key from a CA, >>> or the * >>> >>> *name or the key from a OCSP Responder.* >>> >>> ** >>> >>> *producedAt indicates the time at which this response was >>> signed.* >>> >>> ** >>> >>> *responses contains one or more single responses.* >>> >>> ** >>> >>> *responseExtensions is OPTIONAL.Any specific extension is >>> OPTIONAL.* >>> >>> *The critical flag may or may not be set.* >>> >>> ** >>> >>> *certID is usually a copy of the same field which was placed >>> in the * >>> >>> *request, but for OCSP responders which pre-produce signed >>> responses * >>> >>> *certID may be the identifier of a target certificate that >>> was not * >>> >>> *present in the request (see the end of section 4.2).* >>> >>> ** >>> >>> *certStatus indicates the status of the certificate: either >>> good, * >>> >>> *revoked or unknown.* >>> >>> ** >>> >>> *thisUpdate indicates the time at which the status being >>> indicated * >>> >>> *is known to be correct.* >>> >>> ** >>> >>> *nextUpdate indicates the time at or before which newer >>> information * >>> >>> *will be available about the status of the certificate.If * >>> >>> *nextUpdate is not set, the server is indicating that newer * >>> >>> *revocation information is available all the time. * >>> >>> ** >>> >>> *If nextUpdate is set, it often corresponds to the {thisUpdate, * >>> >>> *nextUpdate} interval in CRLs.Responses whose nextUpdate >>> value is * >>> >>> *earlier than the local UTC time value SHOULD be considered * >>> >>> *unreliable.Responses whose thisUpdate time is later than the >>> local * >>> >>> *UTC time SHOULD be considered unreliable.* >>> >>> ** >>> >>> *singleExtensions is OPTIONAL.Any specific extension is >>> OPTIONAL.* >>> >>> *The critical flag SHOULD NOT be set for any of them.* >>> >>> ** >>> >>> *revocationTime indicates the time at which the certificate was * >>> >>> *revoked.* >>> >>> ** >>> >>> *revocationReason is OPTIONAL. It includes all the cases that >>> are * >>> >>> *present in CRLReason used for CRLs and an additional case 7 >>> which is* >>> >>> *not used for CRLs.Case 7 is called >>> notIssuedOrIrregularlyIssued. * >>> >>> ** >>> >>> *- "notIssued" corresponds to the case where the certificate * >>> >>> *serial number that was sent was erroneous and has not yet * >>> >>> *been used by the CA at the time of the query,* >>> >>> ** >>> >>> *- "irregularlyIssued" corresponds to the case where the * >>> >>> *certificate serial number that was sent really exists in a * >>> >>> *certificate that is correctly signed, but to its knowledge * >>> >>> *the CA has not issued a certificate with such a serial * >>> >>> *number. As an example, it may have been issued by the CA * >>> >>> *because the RA was compromised. * >>> >>> ** >>> >>> * When a responder responds revoked to a status request for which it* >>> >>> * knows that the serial number has not been used by the CA or has* >>> >>> * been irregularly used irregularly to issue a certificate, then* >>> >>> * in RevokedInfo the responder MUST:* >>> >>> * * >>> >>> * - specify the revocationTime : January 1, 1970,* >>> >>> * - provide the revocationReason: notIssuedOrIrregularlyIssued (7).* >>> >>> * * >>> >>> * and in SingleResponse the responder MUST NOT include the nextUpdate.* >>> >>> ** >>> >>> *The response MUST include a SingleResponse for each >>> certificate in* >>> >>> *the request and SHOULD NOT include any additional >>> SingleResponse* >>> >>> *elements.However, there is one exception: * >>> >>> ** >>> >>> *OCSP responders MAY pre-produce signed responses specifying >>> the * >>> >>> *status of certificates at a specified time.The time at which * >>> >>> *the status was known to be correct SHALL be reflected in the * >>> >>> *thisUpdate field of the response. * >>> >>> ** >>> >>> *OCSP responders that pre-generate status responses MAY return * >>> >>> *responses that include additional SingleResponse elements if* >>> >>> *necessary to improve response pre-generation performance or >>> cache* >>> >>> *efficiency (as permitted in [RFC5019]).* >>> >>> Since the text above provides all the explanations at the >>> level of the ASN.1 parameters, the general text >>> from section*4.2.2.3 Basic Response *is no more need and >>> should be deleted.** >>> >>> ** >>> >>> >>> Preliminary I would say "not broken". >>> If you don't replace 4.2.2.3, then what really are you missing? >>> >>> 21.0n page 16, there is a section >>> *4.2.2.2***called*“**Authorized Responders”*** >>> >>> Section 4.2.2.2 states: >>> >>> *(…)* >>> >>> *This certificate MUST be issued directly by the CA that >>> issued the* >>> >>> *certificate in question.* >>> >>> ** >>> >>> *The CA SHOULD use the same issuing key to issue a delegation* >>> >>> *certificate as was used to sign the certificate being >>> checked for* >>> >>> *revocation. Systems relying on OCSP responses MUST recognize a* >>> >>> *delegation certificate as being issued by the CA that issued >>> the* >>> >>> *certificate in question only if the delegation certificate >>> and the* >>> >>> *certificate being checked for revocation was signed by the >>> same key.* >>> >>> This section would need to reformatted to address CA >>> requirements first and then OCSP responder requirements: >>> >>> *(…)* >>> >>> *This certificate MUST be issued directly by the CA that >>> issued the* >>> >>> *certificate in question.The CA SHOULD use the same issuing >>> key to * >>> >>> *issue a delegation certificate as was used to sign the >>> certificate * >>> >>> *being checked for revocation. * >>> >>> ** >>> >>> *Systems relying on OCSP responses MUST _be able to_ >>> recognize a * >>> >>> *delegation certificate as being issued by the CA that issued >>> the * >>> >>> *certificate in question if the delegation certificate and * >>> >>> *the certificate being checked _were_ signed by the same key.* >>> >>> >>> I disagree. The CA is actually free to do anything, but cannot >>> expect the client to recognise the responder as authorised unless >>> the same private key is used. >>> The current text places the requirement where they belong. >>> >>> 22.On page 17, the text states: >>> >>> *They MUST reject the* >>> >>> *response if the certificate required to validate the >>> signature on the* >>> >>> *response fails to meet at least one of the following criteria:* >>> >>> This is ambiguous. It is inappropriate to have a negative >>> statement like“*They MUST reject”. * >>> The sentence should be turned in the positive form“*They >>> SHALL accept”* >>> >>> Since the ASN.1 syntax has now be described, it is possible >>> to be more specific. >>> >>> The first occurrence of the word “response” should be changed >>> into “singleResponse”, while the second occurrence >>> of the word “response” should be changed into “ResponseData” >>> >>> Proposed text replacement: >>> >>> *They SHALL accept a singleResponse if the certificate >>> required to * >>> >>> *validate the signature placed on the ResponseData meets one >>> of the * >>> >>> *following criteria:* >>> >>> >>> >>> No, this change is not backwards compatible. >>> So state the requirements for rejection is not equivalent to >>> stating requirements for acceptance. >>> There may be other locally configured reasons to reject in >>> addition to those listed in the standard. >>> >>> >>> 23.On page 17, the text states: >>> >>> *3. Includes a value of id-kp-OCSPSigning in an ExtendedKeyUsage* >>> >>> *extension and is issued by the CA that issued the >>> certificate in* >>> >>> *question as stated above."* >>> >>> In order to be crystal clear, it is proposed to change the >>> wording in the following way: >>> >>> *3. Includes a value of id-kp-OCSPSigning in an ExtendedKeyUsage* >>> >>> *extension and was signed by the CA using the same key that >>> used * >>> >>> *to issue the certificate in question.* >>> >>> >>> No, issuing with another key is not prohibited, and may be >>> accepted by some clients as an authorised responder. >>> >>> 24.On page 17, the text states: >>> >>> *This SHOULD be a non-critical extension. The value of the >>> extension * >>> >>> *SHALL be NULL.* >>> >>> ** >>> >>> The ASN.1 syntax is missing. Add: >>> >>> ** >>> >>> *NoCheck ::= NULL* >>> >>> ** >>> >>> >>> Moving this to a separate discussion. >>> I'm not sure what the preferred way to describe this is. >>> >>> >>> 25.Remainder: On page 18, the general text from >>> section***4.2.2.3 Basic Response***is no more needed and >>> should be deleted. See comment 20. >>> >>> ** >>> >>> >>> Not broken. >>> >>> 26.On page 24, text should be added to the Security >>> consideration section: >>> >>> *Different results when using OCSP and CRLs* >>> >>> ** >>> >>> *OCSP clients or verifiers must build and verify a >>> certification path * >>> >>> *for each target certificate up to a trusted root.When an OCSP * >>> >>> *Responder is using published CRLs, it must also build and >>> verify a * >>> >>> *certification path for the CRLs it uses up to a trusted root.* >>> >>> ** >>> >>> *However, it should be realized that the root used by an OCSP * >>> >>> *Responder to verified these CRLs is not necessarily the same >>> as the * >>> >>> *one that would be used by the OCSP client, if it were going >>> to verify * >>> >>> *the CRLs itself.Hence the revocation status may not be >>> identical * >>> >>> *in both cases.* >>> >>> ** >>> >>> ** >>> >>> >>> I don't understand this one. >>> >>> 27.On page 24, text should be added to the Security >>> consideration section: >>> >>> ** >>> >>> *Denial of service attack using a flood of queries* >>> >>> ** >>> >>> *A denial of service vulnerability is evident with respect to >>> a flood * >>> >>> *of queries.The production of a cryptographic signature * >>> >>> *significantly affects response generation cycle time, thereby * >>> >>> *exacerbating the situation. * >>> >>> ** >>> >>> *The flood of queries may either come from a flood attack or >>> from the * >>> >>> *fact that there are too many certificates supported by the >>> same OCSP * >>> >>> *responder.In the later case, the number of queries can be * >>> >>> *reduced by using a technique similar to the splitting of CRLs: * >>> >>> ** >>> >>> *When a block of certificates have been issued with the same * >>> >>> *accessLocation in the AIA extension field of these >>> certificates, * >>> >>> *then the accessLocation should be changed.In this way, a given * >>> >>> *OCSP server will only be responsible for a block of >>> certificates.* >>> >>> ** >>> >>> >>> If the security considerations section is talking about splitting >>> OCSP responders in this way, then the document itself need to >>> introduce the subject. >>> I would suggest that it is beyond this update to do so. >>> >>> ** >>> >>> 28.On page 31, the text states. >>> >>> *An alternative to this module that conforms to the 2002 >>> version of * >>> >>> *ASN.1 may be found in Section 4 of [RFC5912]. * >>> >>> ** >>> >>> RFC 5912 omits to define the nocheck extension. Thus it is >>> inappropriate to refer to RFC 5912. >>> >>> The corrected module should be defined in this new draft. >>> A corrected module is providedin *draft-pinkas-rfc2560bis-03.* >>> >>> >>> Will move this (as stated above) to a separate discussion. >>> >>> 29.Different topics are not covered by the document. These >>> topics are important. >>> The following comments propose text to be placed in annexes. >>> Three annexes are being proposed. >>> >>> Note: The texts are extracted from*draft-pinkas-rfc2560bis-03.* >>> >>> >>> Not broken. >>> Each such amendment need to be thoroughly reviewed and motivated. >>> >>> >>> 30.First annex being proposed. This annex is important, >>> because key rollover is not addressed in the draft. >>> >>> *KEY ROLLOVER* >>> >>> ** >>> >>> *1. CA that directly supports an OCSP service* >>> >>> ** >>> >>> *When a CA that directly supports an OCSP service performs a >>> key * >>> >>> *rollover:* >>> >>> ** >>> >>> *- for certificates issued under the old key, the CA SHALL >>> continue * >>> >>> *to sign the revocation status of OCSP responses with that >>> old key * >>> >>> *at least until all these certificates are expired, and* >>> >>> ** >>> >>> *- for certificates issued under the new key, the CA SHALL >>> change the * >>> >>> *accessLocation in the AIA extension field of these >>> certificates * >>> >>> *and sign the revocation status of OCSP responses with that >>> new key * >>> >>> *at least until all these certificates are expired.* >>> >>> ** >>> >>> *Note: The change in accessLocation is necessary when the CA >>> rekeys * >>> >>> *to meet the following constraints imposed by this standard: * >>> >>> ** >>> >>> *1) a BasicOCSPResponse can only be signed using a single * >>> >>> *private key; * >>> >>> ** >>> >>> *2) the response must be signed using the same CA key that * >>> >>> *was used to sign the certificate in question; and* >>> >>> ** >>> >>> *3) the OCSP response needs to cover all the certificates * >>> >>> *queried in the OCSP request.* >>> >>> *2. CA that uses OCSP responders* >>> >>> *When a CA that uses OCSP Responders performs a key rollover, >>> then * >>> >>> *it MUST either designate a new OCSP Responder or keep the >>> current * >>> >>> *OCSP Responder(s).* >>> >>> ** >>> >>> *If the CA designates a new OCSP Responder, then it SHALL >>> change the * >>> >>> *accessLocation in the AIA extension field for the newly issued * >>> >>> *certificates and issue an OCSP certificate to the new OCSP >>> Responder * >>> >>> *using its new key.* >>> >>> ** >>> >>> *If the CA keeps the same OCSP Responder(s), then it SHALL >>> continue * >>> >>> *to use the same accessLocation(s) in the AIA extension field >>> for the * >>> >>> *newly issued certificates and issue an OCSP certificate to the * >>> >>> *appropriate OCSP Responder(s) using its new key.* >>> >>> ** >>> >>> *Note: The CA may need to continue issuing certificates to >>> the OCSP * >>> >>> *Responder(s) using the old CA key until all the certificates >>> issued * >>> >>> *under the CA' old key for which the OCSP Responder(s) are * >>> >>> *authoritative have expired.* >>> >>> ** >>> >>> *3. OCSP Responder key rollover* >>> >>> ** >>> >>> *When an OCSP Responder performs a key rollover >>> (asynchronously from * >>> >>> *a CA key rollover), then each CA which has designated an OCSP * >>> >>> *Responder SHALL issue a new certificate for that OCSP >>> Responder and * >>> >>> *for each of its issuing keys which meets the following >>> property: * >>> >>> ** >>> >>> *- the issuing key has been used to sign at least one >>> certificate * >>> >>> *which contains an AIA extension designating that OCSP >>> Responder * >>> >>> *and that certificate is not yet expired.* >>> >>> ** >>> >>> *An OCSP Responder key rollover does not affect the values of >>> the * >>> >>> *URIs that are placed in the accessLocation field from the >>> target * >>> >>> *certificates.One or more OCSP Responder MAY respond to an OCSP * >>> >>> *request addressed at a given URI picked from the >>> accessLocation * >>> >>> *field from a target certificate.Each OCSP Responder MAY use a * >>> >>> *different signing key, as long as it got an OCSP certificate * >>> >>> *appropriate for that signing key and for the target >>> certificate. * >>> >>> 31.Second annex being proposed. This annex is important >>> because it describes the validation of an OCSP response in >>> the past >>> which is of a particular importance when validating >>> electronic signatures. >>> >>> *Response processing by an OCSP client* >>> >>> ** >>> >>> *OCSP responses can be verified at the current time by an >>> OCSP client * >>> >>> *when receiving a response, whereas old responses can be >>> verified at * >>> >>> *a time in the past by a verifier.The algorithm below addresses * >>> >>> *both cases.* >>> >>> ** >>> >>> *Prior to processing a basic response, OCSP clients MUST >>> determine * >>> >>> *the checking time, which may be either the current time or a >>> time * >>> >>> *in the past.* >>> >>> ** >>> >>> *OCSP clients or verifiers SHALL check if the response contains * >>> >>> *responseExtensions. If such an extension is found and is >>> recognized, * >>> >>> *it MUST be processed.If such a critical extension is found and * >>> >>> *is not recognized, the whole OCSP response MUST be >>> considered as * >>> >>> *invalid.* >>> >>> ** >>> >>> *If the checking time is the current time, and if a nonce >>> extension * >>> >>> *has been used in the request and is recognized (see section >>> 4.5.1), * >>> >>> *OCSP clients MUST check whether the same nonce is present in >>> the * >>> >>> *response.If the nonce is not present or is different, then the * >>> >>> *OCSP response MUST be discarded.* >>> >>> ** >>> >>> *Only the single response(s) which are/is of interest SHALL be * >>> >>> *checked.* >>> >>> ** >>> >>> *STEP 1* >>> >>> ** >>> >>> *OCSP clients or verifiers SHALL verify that the certificate * >>> >>> *identified in a single response is of interest.Otherwise, >>> proceed * >>> >>> *to step 3.* >>> >>> ** >>> >>> *If the certificate status included in a single certificate >>> response * >>> >>> *is "unknown", then the revocation status of that certificate >>> is * >>> >>> *"unknown", and proceed to step 3.* >>> >>> ** >>> >>> *If the certificate status from the single certificate >>> response is * >>> >>> *either "good" or "revoked", OCSP clients or verifiers SHALL >>> check * >>> >>> *that the checking time is within the validity period of the >>> target * >>> >>> *certificate.If it is not the case, then the revocation >>> status of * >>> >>> *that certificate is "unknown" and proceed to step 3.* >>> >>> ** >>> >>> *If the checking time is the current time, and if a nonce has >>> been * >>> >>> *used in the request, then proceed to step 2.* >>> >>> ** >>> >>> *If the checking time is the current time, and if no nonce >>> has been * >>> >>> *used in the request, OCSP clients MUST check that the >>> producedAt* >>> >>> *field is within a time window that is "close enough" to the >>> current * >>> >>> *time. * >>> >>> ** >>> >>> *Note: the notion of "close enough" is a local matter.It can >>> be set * >>> >>> *to a few minutes to allow for small UTC time differences * >>> >>> *between the client and the server or to a few hours in case * >>> >>> *the server is producing pre-computed responses.* >>> >>> ** >>> >>> *If the checking time is a time in the past, verifiers MUST >>> check * >>> >>> *that the producedAt field is in accordance with the >>> verification * >>> >>> *rules (e.g. close and/or after the date of a time-stamp token).* >>> >>> ** >>> >>> *In addition, if the nextUpdate field is present, OCSP >>> clients MUST * >>> >>> *check that the time which is indicated is greater than the >>> checking * >>> >>> *time, otherwise the single response MUST be discarded.* >>> >>> ** >>> >>> *If checks are successful, then OCSP clients MUST process the * >>> >>> *singleExtensions field, if it is present. * >>> >>> ** >>> >>> *If the criticality flag is set and the extension is not >>> understood, * >>> >>> *then the status of the certificate shall be "unknown" and >>> proceed to * >>> >>> *step 3.Otherwise, proceed to step 2. * >>> >>> ** >>> >>> *If the extension is understood, then the extension MUST be * >>> >>> *processed.According to its content proceed either to step 2 >>> or to * >>> >>> *step 3. * >>> >>> ** >>> >>> *STEP 2* >>> >>> ** >>> >>> *OCSP clients or verifiers MUST build and verify a >>> certification path * >>> >>> *for that certificate up to a trusted root, so that they have >>> the * >>> >>> *knowledge of the CA public key value that was used to sign the * >>> >>> *target certificate.The revocation status of each certificate >>> of * >>> >>> *that certification path (except the target certificate) >>> SHALL be * >>> >>> *checked.* >>> >>> ** >>> >>> *If no path can be built or if one of the certificates of the >>> path is * >>> >>> *revoked, then the revocation status of that certificate is >>> "unknown", * >>> >>> *and proceed to step 3. * >>> >>> ** >>> >>> *If the certification path (except the target certificate) is >>> valid, * >>> >>> *then two cases need to be considered:* >>> >>> ** >>> >>> *a) If the responderID matches with the name or the key from >>> the CA * >>> >>> *which has issued the target certificate, then check whether >>> the * >>> >>> *OCSP response is signed by the same key that was used to sign * >>> >>> *the target certificate.* >>> >>> ** >>> >>> *If it is the case, then the revocation status of that * >>> >>> *certificate as indicated in the certStatus field is * >>> >>> *accepted and proceed to step 3.* >>> >>> ** >>> >>> *If it is not the case, then the revocation status of that * >>> >>> *certificate is "unknown" and proceed to step 3.* >>> >>> ** >>> >>> *b) If the responderID does not match with the name or the >>> key from * >>> >>> *the CA which has issued the target certificate, then it >>> indicates * >>> >>> *the name or the key from an OCSP Responder.Check whether there * >>> >>> *exists a local rule which applies to this target certificate >>> to * >>> >>> *verify that the signature of the BasicOCSPResponse is valid >>> for * >>> >>> *that single response.If this rule exists, it SHALL be >>> followed. * >>> >>> ** >>> >>> *Otherwise check whether there is an OCSP certificate (i.e. >>> which * >>> >>> *has both the ocspSigning OID in the extended key usage >>> extension * >>> >>> *and the digitalSignature bit in the key usage extension) >>> signed * >>> >>> *by the same key that was used to sign the target certificate. * >>> >>> *This certificate MUST be present in the certs field from the * >>> >>> *BasicOCSPResponse. * >>> >>> ** >>> >>> *If such certificate is not found or is invalid, then the * >>> >>> *revocation status of that certificate is "unknown" and * >>> >>> *proceed to step 3.* >>> >>> ** >>> >>> *If such certificate exists and if the checking time is * >>> >>> *within the validity period of this certificate, then it MUST * >>> >>> *be verified whether the OCSP response can be verified using * >>> >>> *the public key that is present in the OCSP Certificate. * >>> >>> ** >>> >>> *If it is not the case, then the revocation status of that * >>> >>> *certificate is "unknown" and proceed to step 3.* >>> >>> ** >>> >>> *If it is the case, then it MUST be verified that the OCSP * >>> >>> *Certificate has not been revoked.* >>> >>> ** >>> >>> *If one of these conditions is met, then the status for the >>> target * >>> >>> *certificate as indicated in the certStatus field is accepted, * >>> >>> *otherwise the revocation status is "unknown".* >>> >>> ** >>> >>> *STEP 3* >>> >>> ** >>> >>> *If there exists another single certificate status response >>> for a * >>> >>> *target certificate that is of interest, then proceed to step >>> 1. * >>> >>> *Otherwise the basic response is now processed.* >>> >>> 32.Third annex being proposed. This annex is important >>> because it provides guidance on how to build an OCSP >>> responder in the three cases. >>> Many text portions are similar, but three full texts are >>> provided in order to provide a better clarity for each of the >>> three cases. >>> >>> *1. Request processing by OCSP servers* >>> >>> ** >>> >>> *The behavior of an OCSP server will be different whether the >>> OCSP * >>> >>> *server is a CA acting as an OCSP responder, is an OCSP >>> Responder * >>> >>> *which received a delegation from one or more CAs, or is a >>> locally * >>> >>> *trusted Responder.* >>> >>> ** >>> >>> *1.1. Processing by a CA acting as an OCSP responder* >>> >>> ** >>> >>> *The OCSP responder SHALL maintain a list of entries. Each >>> entry * >>> >>> *SHALL contain:* >>> >>> ** >>> >>> *- the URI associated to the OCSP responder, from which the >>> OCSP * >>> >>> *requests are received, * >>> >>> ** >>> >>> *- the DN from a CA,* >>> >>> ** >>> >>> *- an issuing public key from a CA,* >>> >>> ** >>> >>> *- the method(s) used to know for which subset of certificates * >>> >>> *issued by the CA it is responsible for, * >>> >>> ** >>> >>> *- the method(s) used to obtain the revocation status of that * >>> >>> *subset of certificates issued under that CA issuing public >>> key, * >>> >>> *and* >>> >>> ** >>> >>> *- the method used to gain access and sign with the private key * >>> >>> *corresponding to the issuing public key.* >>> >>> ** >>> >>> *For a given URI value, the OCSP responder SHALL only use one >>> CA * >>> >>> *key pair value. * >>> >>> ** >>> >>> *When it receives an OCSP request on that URI, the OCSP >>> responder * >>> >>> *SHALL handle exceptions according to section 2.3. * >>> >>> ** >>> >>> *If the OCSP request contains the name of a requestor, the OCSP * >>> >>> *responder SHALL verify whether there exists a locally >>> defined rule * >>> >>> *which regulates access control.If this rule exists, it SHALL >>> be * >>> >>> *followed.* >>> >>> ** >>> >>> *Then, for each target certificate, the OCSP responder SHALL >>> verify * >>> >>> *whether both the hash of the issuer's DN and the hash of the >>> issuer * >>> >>> *public key which are present in the request are eligible to a * >>> >>> *locally defined rule which indicates that the OCSP responder >>> is * >>> >>> *responsible to provide the revocation status of that target * >>> >>> *certificate.If this rule exists, it SHALL be followed.* >>> >>> ** >>> >>> *Otherwise, the OCSP responder SHALL determine whether it is * >>> >>> *responsible to provide the revocation status of that target * >>> >>> *certificate according to the following rule.* >>> >>> ** >>> >>> *For each target certificate, the OCSP responder SHALL verify >>> whether * >>> >>> *both the hash of the issuer's DN and the hash of the issuer >>> public * >>> >>> *key which are present in the request match respectively with >>> the DN * >>> >>> *and the hash of the public key of contained in an entry from >>> the * >>> >>> *list of entries maintained by this OCSP responder. * >>> >>> ** >>> >>> *When there is no match, then the OCSP responder SHALL >>> indicate the * >>> >>> *"unknown" status and proceed with the next target >>> certificate from * >>> >>> *the OCSP request.* >>> >>> ** >>> >>> *When there is a match, then the OCSP responder SHALL use the >>> serial * >>> >>> *number of the target certificate that is present in the >>> request and * >>> >>> *determine the revocation status of that certificate >>> according to * >>> >>> *the method(s) defined in the entry. * >>> >>> ** >>> >>> *When the revocation status is provided by the server using a >>> real * >>> >>> *time access to a database of revocation statuses of issued * >>> >>> *certificates, then the thisUpdate field SHALL be present in the* >>> >>> *SingleResponse response whereas the nextUpdate field SHALL be * >>> >>> *missing. * >>> >>> ** >>> >>> *Otherwise, both the thisUpdate and the nextUpdate fields >>> SHALL be * >>> >>> *present in the SingleResponse. * >>> >>> ** >>> >>> *The time at which this response will be signed MUST be >>> indicated in * >>> >>> *the producedAt field from the SingleResponse.* >>> >>> ** >>> >>> *If a singleRequestExtensions is present in the request it >>> MUST be * >>> >>> *processed.* >>> >>> ** >>> >>> *If there is another target certificate present in the >>> request, it * >>> >>> *SHALL be processed in the same way.* >>> >>> ** >>> >>> *If a requestExtensions is present in the request it MUST be * >>> >>> *processed.* >>> >>> ** >>> >>> *The OCSP response MUST be signed using the CA issuing >>> private key.* >>> >>> ** >>> >>> ** >>> >>> *1.2. Processing by an OCSP Responder* >>> >>> ** >>> >>> *For each CA from which the OCSP Responder has received a >>> delegation, * >>> >>> *the OCSP Responder SHALL maintain a list of entries. * >>> >>> ** >>> >>> *Each entry SHALL contain:* >>> >>> ** >>> >>> *- the URI associated to this OCSP Responder, from which the >>> OCSP * >>> >>> *requests are received, * >>> >>> ** >>> >>> *- the DN from a CA,* >>> >>> ** >>> >>> *- an issuing public key from a CA,* >>> >>> ** >>> >>> *- the method(s) used to know for which subset of certificates * >>> >>> *issued by the CA it is responsible for, * >>> >>> ** >>> >>> *- the method(s) used to obtain the revocation status of that * >>> >>> *subset of certificates issued under that CA issuing public key,* >>> >>> ** >>> >>> *- an OCSP certificate, * >>> >>> ** >>> >>> *- the OCSP public key contained in that OCSP certificate, and* >>> >>> ** >>> >>> *- the method used to gain access and sign with the OCSP >>> private * >>> >>> *key corresponding to that OCSP certificate.* >>> >>> ** >>> >>> *For a given URI value, the OCSP Responder SHALL only use one >>> OCSP * >>> >>> *key pair value.Therefore there cannot be two entries with the * >>> >>> *same URI value and a different OCSP public key value.* >>> >>> ** >>> >>> *NOTE: a BasicOCSPResponse can only be signed using a single >>> private * >>> >>> *key. * >>> >>> ** >>> >>> *The OCSP certificate SHALL be signed by the CA issuing >>> private key * >>> >>> *which corresponds to the issuing CA public key that is in this * >>> >>> *entry.* >>> >>> ** >>> >>> *When it receives an OCSP request, the OCSP responder SHALL >>> handle * >>> >>> *exceptions according to section 2.3. * >>> >>> ** >>> >>> *If the OCSP request contains the name of a requestor, the OCSP * >>> >>> *responder SHALL verify whether there exists a locally >>> defined rule * >>> >>> *which regulates access control.If this rule exists, it SHALL >>> be * >>> >>> *followed.* >>> >>> ** >>> >>> *For each target certificate, the OCSP Responder SHALL verify * >>> >>> *whether both the hash of the issuer's DN and the hash of the >>> issuer * >>> >>> *public key which are present in the OCSP request match with >>> those * >>> >>> *from an entry.* >>> >>> ** >>> >>> *When there is no match, then the OCSP Responder SHALL >>> indicate the * >>> >>> *"unknown" status and proceed with the next target >>> certificate from * >>> >>> *the OCSP request.* >>> >>> ** >>> >>> *When there is a match, the OCSP Responder SHALL use the serial * >>> >>> *number of the target certificate this is present in the OCSP * >>> >>> *request to determine the revocation status of that certificate * >>> >>> *according to the method(s) indicated in the entry. * >>> >>> ** >>> >>> *When the revocation status is provided by the server using a >>> real * >>> >>> *time access to a database of revocation statuses of issued * >>> >>> *certificates, then the thisUpdate field SHALL be present in the* >>> >>> *SingleResponse response whereas the nextUpdate field SHALL be * >>> >>> *missing. * >>> >>> ** >>> >>> *Otherwise, both the thisUpdate and the nextUpdate fields >>> SHALL be * >>> >>> *present in the SingleResponse. * >>> >>> ** >>> >>> *The time at which this response will be signed MUST be >>> indicated in * >>> >>> *the producedAt field from the SingleResponse.* >>> >>> ** >>> >>> *If a singleRequestExtensions is present in the request it >>> MUST be * >>> >>> *processed.* >>> >>> ** >>> >>> *If there is another target certificate present in the >>> request, it * >>> >>> *SHALL be processed in the same way.* >>> >>> ** >>> >>> *If a requestExtensions is present in the request it SHALL be * >>> >>> *processed.* >>> >>> ** >>> >>> *The OCSP response MUST be signed using the OCSP private key.* >>> >>> ** >>> >>> *Unless there is a local rule which states differently, for >>> every * >>> >>> *target certificate which matches both with the hash of a CA >>> DN and an * >>> >>> *issuing public key from an entry, the OCSP certificate of >>> that entry * >>> >>> *SHALL be placed in the certs field.* >>> >>> ** >>> >>> *It may happen, that none of the target certificates from the >>> OCSP* >>> >>> *request matches both with the hash of a CA DN and an issuing >>> public * >>> >>> *key from an entry.In that case and unless a local rule states * >>> >>> *differently, the certs field from the BasicOCSPResponse >>> SHOULD be * >>> >>> *kept empty (to limit the disclose of the names of the CAs >>> from which * >>> >>> *the OCSP Responder received a delegation from).* >>> >>> ** >>> >>> *1.3. Processing by a locally trusted Responder* >>> >>> ** >>> >>> *For each CA for which the locally trusted Responder is * >>> >>> *authoritative, the OCSP Responder SHALL maintain a list of >>> entries. * >>> >>> ** >>> >>> *Each entry SHALL contain:* >>> >>> ** >>> >>> *- the URI associated to this OCSP Responder, from which the >>> OCSP * >>> >>> *requests are received, * >>> >>> ** >>> >>> *- the DN from a CA,* >>> >>> ** >>> >>> *- an issuing public key from a CA,* >>> >>> ** >>> >>> *- the method(s) used to know for which subset of certificates * >>> >>> *issued by the CA it is responsible for, * >>> >>> ** >>> >>> *- the method(s) used to obtain the revocation status of that * >>> >>> *subset of certificates issued under that CA issuing public key,* >>> >>> ** >>> >>> *- the method used to gain access to the private key in order >>> to * >>> >>> *sign the OCSP response. * >>> >>> ** >>> >>> *For a given URI value, the OCSP Responder SHALL only use one >>> private * >>> >>> *key.Therefore there cannot be two entries with the same URI >>> value * >>> >>> *and a different method to gain access to the appropriate >>> private key.* >>> >>> ** >>> >>> *NOTE: a BasicOCSPResponse can only be signed using a single >>> private * >>> >>> *key. * >>> >>> ** >>> >>> *When it receives an OCSP request, the OCSP responder SHALL >>> handle * >>> >>> *exceptions according to section 2.3. * >>> >>> ** >>> >>> *If the OCSP request contains the name of a requestor, the OCSP * >>> >>> *responder SHALL verify whether there exists a locally >>> defined rule * >>> >>> *which regulates access control.If this rule exists, it SHALL >>> be * >>> >>> *followed.* >>> >>> ** >>> >>> *For each target certificate, the OCSP Responder SHALL verify * >>> >>> *whether both the hash of the issuer's DN and the hash of the >>> issuer * >>> >>> *public key which are present in the OCSP request match with >>> those * >>> >>> *from an entry.* >>> >>> ** >>> >>> *When there is no match, then the OCSP Responder SHALL >>> indicate the * >>> >>> *"unknown" status and proceed with the next target >>> certificate from * >>> >>> *the OCSP request.* >>> >>> ** >>> >>> *When there is a match, the OCSP Responder SHALL use the serial * >>> >>> *number of the target certificate this is present in the OCSP * >>> >>> *request to determine the revocation status of that certificate * >>> >>> *according to the method(s) indicated in the entry. * >>> >>> ** >>> >>> *When the revocation status is provided by the server using a >>> real * >>> >>> *time access to a database of revocation statuses of issued * >>> >>> *certificates, then the thisUpdate field SHALL be present in the* >>> >>> *SingleResponse response whereas the nextUpdate field SHALL be * >>> >>> *missing. * >>> >>> ** >>> >>> *Otherwise, both the thisUpdate and the nextUpdate fields >>> SHALL be * >>> >>> *present in the SingleResponse. * >>> >>> ** >>> >>> *The time at which this response will be signed MUST be >>> indicated in * >>> >>> *the producedAt field from the SingleResponse.* >>> >>> ** >>> >>> *If a singleRequestExtensions is present in the request it >>> MUST be * >>> >>> *processed.* >>> >>> ** >>> >>> *If there is another target certificate present in the >>> request, it * >>> >>> *SHALL be processed in the same way.* >>> >>> ** >>> >>> *If a requestExtensions is present in the request it SHALL be * >>> >>> *processed.* >>> >>> ** >>> >>> *The OCSP response MUST be signed using the OCSP private key.* >>> >>> ** >>> >>> *The certs field may contain no, one or several OCSP >>> certificates * >>> >>> *according to local rules followed by the locally trusted >>> Responder.* >>> >>> >>> Not broken. >>> >>> /Stefan >>> >>> End of comments >>> >>> >>> Denis >>> >>> _______________________________________________ pkix mailing >>> list pkix@ietf.org <mailto:pkix@ietf.org> >>> https://www.ietf.org/mailman/listinfo/pkix >>> >> >
- [pkix] Agenda posted Stefan Santesson
- Re: [pkix] Review of 2560-bis draft 8. Answer to … Denis Pinkas
- Re: [pkix] Review of 2560-bis draft 8. Answer to … Stefan Santesson
- [pkix] Authorship of draft-ietf-pkix-rfc2560bis Paul Hoffman
- Re: [pkix] Review of 2560-bis draft 8. Answer to … Stefan Santesson
- [pkix] ASN.1 expression of extensions with absent… Stefan Santesson
- [pkix] The new RFC2560bis drafts Stefan Santesson
- Re: [pkix] ASN.1 expression of extensions with ab… Peter Sylvester
- Re: [pkix] ASN.1 expression of extensions with ab… Paul Hoffman
- Re: [pkix] ASN.1 expression of extensions with ab… Jim Schaad
- Re: [pkix] ASN.1 expression of extensions with ab… Russ Housley
- Re: [pkix] ASN.1 expression of extensions with ab… Stefan Santesson
- Re: [pkix] ASN.1 expression of extensions with ab… Carl Wallace
- Re: [pkix] ASN.1 expression of extensions with ab… Jim Schaad
- Re: [pkix] ASN.1 expression of extensions with ab… Stefan Santesson
- Re: [pkix] ASN.1 expression of extensions with ab… Jim Schaad
- Re: [pkix] ASN.1 expression of extensions with ab… Carl Wallace
- Re: [pkix] ASN.1 expression of extensions with ab… Stefan Santesson
- Re: [pkix] ASN.1 expression of extensions with ab… Stefan Santesson
- Re: [pkix] ASN.1 expression of extensions with ab… Stefan Santesson
- Re: [pkix] ASN.1 expression of extensions with ab… Carl Wallace
- Re: [pkix] ASN.1 expression of extensions with ab… Michael StJohns
- Re: [pkix] ASN.1 expression of extensions with ab… Michael StJohns
- Re: [pkix] ASN.1 expression of extensions with ab… Jim Schaad
- Re: [pkix] ASN.1 expression of extensions with ab… Michael StJohns
- Re: [pkix] ASN.1 expression of extensions with ab… Peter Sylvester
- Re: [pkix] The new RFC2560bis drafts Alexey Melnikov
- Re: [pkix] ASN.1 expression of extensions with ab… Stefan Santesson
- Re: [pkix] ASN.1 expression of extensions with ab… Erik Andersen
- Re: [pkix] ASN.1 expression of extensions with ab… Russ Housley
- Re: [pkix] ASN.1 expression of extensions with ab… Jim Schaad
- Re: [pkix] Review of 2560-bis draft 8. Answer to … Henry B. Hotz
- Re: [pkix] ASN.1 expression of extensions with ab… Stefan Santesson
- Re: [pkix] Review of 2560-bis draft 8. Answer to … Simon Tardell
- Re: [pkix] Review of 2560-bis draft 8. Answer to … Stefan Santesson
- Re: [pkix] ASN.1 expression of extensions with ab… Peter Sylvester
- Re: [pkix] ASN.1 expression of extensions with ab… Manger, James H
- Re: [pkix] ASN.1 expression of extensions with ab… Stefan Santesson
- Re: [pkix] [Spam] Re: ASN.1 expression of extensi… Erik Andersen
- Re: [pkix] Review of 2560-bis draft 8. Answer to … Denis Pinkas
- Re: [pkix] Review of 2560-bis draft 8. Answer to … Stefan Santesson
- Re: [pkix] Review of 2560-bis draft 8. Answer to … Stefan Santesson
- Re: [pkix] Agenda posted Max Pritikin (pritikin)
- Re: [pkix] Review of 2560-bis draft 8. Answer to … Denis Pinkas
- Re: [pkix] Review of 2560-bis draft 8. Answer to … Sean Turner