Re: [pkix] OCSP responses without nextUpdate

Thomas Kopp <thomas.kopp@luxtrust.lu> Mon, 24 February 2020 12:49 UTC

From: Thomas Kopp <thomas.kopp@luxtrust.lu>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "pkix@ietf.org" <pkix@ietf.org>
Date: Mon, 24 Feb 2020 12:48:58 +0000
Message-ID: <451e8a8a260640d5858f7dcb6fcf689c@luxtrust.lu>
References: <ae45cae10fe24054b56af6af5a629f9a@luxtrust.lu> <1582535446443.55285@cs.auckland.ac.nz>, <83b22afec0ed4ced9bdbcc90d6be6e6f@luxtrust.lu> <1582543781851.26991@cs.auckland.ac.nz>
In-Reply-To: <1582543781851.26991@cs.auckland.ac.nz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/SUtofhY6zdLhg_WVi-TC3xdfp6o>
Subject: Re: [pkix] OCSP responses without nextUpdate

Indeed, this makes sense. Thanks again!

Thomas KOPP
Chief Scientist

Email: thomas.kopp@luxtrust.lu
Mobile: +352 621 229 316
Office: +352 26 68 15 - 574
LuxTrust S.A. |  IVY Building | 13-15, Parc d'activités | L-8308 Capellen | Luxembourg | www.luxtrust.lu




The information in this e-mail and any attachment is confidential and for use by the addressee only. Access to this e-mail by anyone else is not authorized. If you are not the intended recipient, please inform the sender and erase all copies of it from your system. Internet communications are by default not secure. LuxTrust S.A. cannot guarantee the integrity and origin of e-mails unless they have been properly digitally signed. Confidentiality of e-mails can only be guaranteed if they are encrypted properly using a secure digital certificate. LuxTrust S.A. takes precautions to ensure that e-mails are scanned for viruses but cannot accept liability for any damage sustained as a result of software viruses.



-----Original Message-----
From: Peter Gutmann [mailto:pgut001@cs.auckland.ac.nz] 
Sent: Monday, February 24, 2020 12:30 PM
To: Thomas Kopp; pkix@ietf.org
Subject: Re: OCSP responses without nextUpdate

The point is that no-one can agree on an interpretation, so if one person says
X then the next person you ask might say ~X.  That's why I suggested putting
it in your CPS, at least then it's documented for anyone who wants to see it.

Peter.

________________________________________
From: Thomas Kopp <thomas.kopp@luxtrust.lu>
Sent: Tuesday, 25 February 2020 00:27
To: Peter Gutmann; pkix@ietf.org
Subject: RE: OCSP responses without nextUpdate

Thanks a lot, Peter, for this obviously very flexible interpretation of the RFC's "newer" semantics.
Hopefully others too, in particular the authors of RFC 6960, might provide some complementary advice.

-----Original Message-----
From: Peter Gutmann [mailto:pgut001@cs.auckland.ac.nz]
Sent: Monday, February 24, 2020 10:11 AM
To: Thomas Kopp; pkix@ietf.org
Subject: Re: OCSP responses without nextUpdate

Thomas Kopp <thomas.kopp@luxtrust.lu> writes:

>Does it mean for subsequent requests that one of the fields thisUpdate or
>producedAt must change even if certificate status has not changed?

Yes, no, and maybe.  If you're applying strict CRL compatibility, you set it
to the CRL nextUpdate time.  If you decide that since it's an online service
another update can become available at any time, you set it to the current time.
If you're running CRLs at the same time, you set it to the next CRL production
time.  If you're doing batch signing to deal with OCSP's non-scalability, in
other words pre-producing responses, you set it to when the next batch of
responses get signed.  If you believe the Martians are coming, you set it to
just before they land so there are no expectations of OCSP responses after
they've killed us all.

If you don't believe any of the above then feel free to come up with another
interpretation and use that.  See long-ago threads on this list for more
suggestions on how this field can be interpreted (I can't remember all of the
variants).

Another interpretation is to do whatever makes sense to you and put it in your
CPS.

Peter.
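The thread settles the responder side on "document it in your CPS", but it leaves the relying party with the same ambiguity: RFC 6960 section 4.2.2.1 only says that an absent nextUpdate means newer revocation information is available all the time, not how long a client may keep reusing such a response. The following is an added example, not code from this thread or from any LuxTrust or IETF project, of a client-side freshness check that treats a response without nextUpdate as short-lived under a local maximum age instead of as valid forever. The 5-minute clock-skew allowance, the 24-hour maximum age for responses without nextUpdate, the 10-day cap for responses with one, and the sample timestamps are all assumptions made for the example.

```python
"""Client-side freshness policy for OCSP responses with and without nextUpdate.

Added example; not code from the pkix thread or from any responder product.
The policy constants below are local assumptions, not values from RFC 6960.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SingleResponse:
    """Timing fields of one SingleResponse plus the outer producedAt."""
    produced_at: datetime
    this_update: datetime
    next_update: Optional[datetime]  # None means the field is absent


@dataclass(frozen=True)
class FreshnessPolicy:
    # Tolerated clock difference between responder and client (assumed value).
    skew: timedelta = timedelta(minutes=5)
    # Lifetime granted to a response that carries no nextUpdate (assumed value).
    # RFC 6960 says "newer information is available all the time"; a relying
    # party still has to pick a finite window, otherwise an old "good"
    # response could be replayed indefinitely.
    max_age_without_next_update: timedelta = timedelta(hours=24)
    # Hard cap even when nextUpdate is present, so a responder that signs
    # months-long windows cannot make revocation effectively unobservable.
    max_age_with_next_update: timedelta = timedelta(days=10)


def check_freshness(resp: SingleResponse, now: datetime,
                    policy: FreshnessPolicy = FreshnessPolicy()) -> Tuple[bool, str]:
    """Return (accepted, reason). All datetimes must be timezone-aware."""
    for name, value in (("producedAt", resp.produced_at),
                        ("thisUpdate", resp.this_update),
                        ("nextUpdate", resp.next_update), ("now", now)):
        if value is not None and value.tzinfo is None:
            raise ValueError(f"{name} must be timezone-aware")

    # A response claiming to be from the future is a clock problem or a forgery.
    if resp.this_update > now + policy.skew:
        return False, "thisUpdate is in the future"
    if resp.produced_at > now + policy.skew:
        return False, "producedAt is in the future"
    age = now - resp.this_update

    if resp.next_update is None:
        # Absent nextUpdate: accept only inside the locally chosen window.
        if age > policy.max_age_without_next_update:
            return False, f"no nextUpdate and response is {age} old"
        return True, "no nextUpdate; within local max age"

    if resp.next_update < resp.this_update:
        return False, "nextUpdate precedes thisUpdate"
    if now > resp.next_update + policy.skew:
        return False, "past nextUpdate"
    if age > policy.max_age_with_next_update:
        return False, "responder window exceeds local cap"
    return True, "within [thisUpdate, nextUpdate]"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed sample: one response signed at t0 without nextUpdate and one
    with nextUpdate = t0 + 7 days, each evaluated at several client clocks."""
    t0 = datetime(2020, 2, 24, 12, 0, tzinfo=timezone.utc)
    without = SingleResponse(produced_at=t0, this_update=t0, next_update=None)
    with_nu = SingleResponse(produced_at=t0, this_update=t0,
                             next_update=t0 + timedelta(days=7))
    return {
        "without/+1h": check_freshness(without, t0 + timedelta(hours=1)),
        "without/+25h": check_freshness(without, t0 + timedelta(hours=25)),
        "with/+6d": check_freshness(with_nu, t0 + timedelta(days=6)),
        "with/+7d2m": check_freshness(with_nu, t0 + timedelta(days=7, minutes=2)),
        "with/+8d": check_freshness(with_nu, t0 + timedelta(days=8)),
        "client clock behind": check_freshness(without, t0 - timedelta(minutes=10)),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:22} {'accept' if ok else 'reject':7} {why}")
```

The two constants that matter are the ones a responder's CPS cannot set for you: how long a nextUpdate-less response stays usable, and the cap applied even when nextUpdate is present. Whatever interpretation the responder documents, the relying party should pick values it can defend and log the reason string on rejection, since a stale-but-accepted "good" is the failure mode that hides a revocation.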