Re: [pkix] Straw-poll on OCSP responses for non-revoked certificates.

Simon Tardell <simon@tardell.se> Tue, 30 October 2012 16:02 UTC


On Tue, Oct 30, 2012 at 10:52 AM, Stefan Santesson <stefan@aaa-sec.com> wrote:

>
> Please reply with either:
>
> 1. Allow "revoked" response for a certificate that has not been "revoked"
> but where that OCSP responder for any other reason knows the certificate
> to be "bad".
>
> 2. Require that the OCSP responder MUST respond "good" in this situation.
>
> 3. Neither 1 or 2 (motivate).
>
>
1.

I see some people saying 3/ "unknown", because "revoked" would be lying.
Well, "unknown" would be lying so much more, if you let it be an assertion
that the certificate has never been issued. Furthermore, it would open
security holes by prompting some client implementations to fall back to
CRLs or try later.

/Simon