Re: [pkix] Proposed resolution to non-issued certificates - 2560bis

"Piyush Jain" <piyush@ditenity.com> Fri, 02 November 2012 17:02 UTC

From: Piyush Jain <piyush@ditenity.com>
To: 'Simon Tardell' <simon@tardell.se>, 'Peter Rybar' <peterryb@gmail.com>
References: <034701cdb87e$0f083a80$2d18af80$@ditenity.com> <201211021016.qA2AGYZA000373@mail.nbusr.sk> <CANkYYy5TsTajY4hztaHaFeWsUYd+d+7st_yKCcqUAkdWNY6BMw@mail.gmail.com> <CAFD47=oddnrbHepUX4PHi8zLqjqE=_vvOzP1wmZ+kRANNAEvdw@mail.gmail.com> <CANkYYy6owHPy_CxEDK1yhNogED2+AYC-mE3neyio5VJcyn6CPg@mail.gmail.com>
In-Reply-To: <CANkYYy6owHPy_CxEDK1yhNogED2+AYC-mE3neyio5VJcyn6CPg@mail.gmail.com>
Date: Fri, 02 Nov 2012 10:02:43 -0700
Message-ID: <044901cdb91b$e1b407a0$a51c16e0$@ditenity.com>
Cc: 'Stefan Santesson' <stefan@aaa-sec.com>, pkix@ietf.org
Subject: Re: [pkix] Proposed resolution to non-issued certificates - 2560bis

I think Peter's point is that most folks consider revocationTime in OCSP
equivalent to revocationDate in a CRL.

This interpretation is not ill-formed given that OCSP has no text describing
what revocationTime means in the OCSP context.

And if you go by this interpretation, according to 5280, revocationDate
cannot precede thisUpdate of an earlier CRL if the revocation of the
certificate is being reported for the first time.

Not saying that OCSP has to follow these rules, but given that it is
deviating from CRLs on the meaning of revocationTime and revocationReason, a
separate section describing these fields should be added.

-Piyush

From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of
Simon Tardell
Sent: Friday, November 02, 2012 9:25 AM
To: Peter Rybar
Cc: Stefan Santesson; pkix@ietf.org
Subject: Re: [pkix] Proposed resolution to non-issued certificates - 2560bis

On Fri, Nov 2, 2012 at 4:44 PM, Peter Rybar <peterryb@gmail.com> wrote:

It means the time value in the thisUpdate field is the time when the CA
database was locked in the process of creating the CRL/OCSP response. The CRL
contains only revocations with a time before the time value of the thisUpdate
field. Any revocations registered while the database was locked must not be
included and are included after the next lock of the CA database, when a new
CRL is generated.

I am not sure I follow you. Why does the OCSP responder have to care about
when the CRLs are produced (if there are any at all) if it has access to the
database?

/Simon
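The consistency rule Piyush cites at the top of this message (a certificate listed on a CRL for the first time must not carry a revocationDate earlier than the previous CRL's thisUpdate), together with Peter's model (a CRL only carries revocations dated before its own thisUpdate), turned into a check over a sequence of CRLs from one issuer. This is an added example, not code from the thread or from any CA product. The `Crl`/`Entry` classes and the `check_crl_sequence` function are my own model of the thisUpdate, serialNumber and revocationDate fields, and the CRL data is constructed; the same check applies to real CRLs parsed with a library such as `cryptography`, whose `last_update`, `serial_number` and `revocation_date` attributes carry those fields.

```python
"""Consistency check over a sequence of CRLs from a single issuer.

Added example, not from the original thread.  Models the rule that when a
serial first appears on a CRL its revocationDate must not precede the
previous CRL's thisUpdate (that earlier CRL should already have listed it),
and must not be later than the thisUpdate of the CRL that lists it.
The CRL data in SAMPLE_CRLS is constructed, not taken from a real CA.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Entry:
    """One revokedCertificates entry: serialNumber and revocationDate."""
    serial: int
    revocation_date: datetime


@dataclass
class Crl:
    """A CRL reduced to the fields the check needs."""
    this_update: datetime
    number: int                      # CRL number, used only to label findings
    entries: list = field(default_factory=list)


def check_crl_sequence(crls):
    """Return a list of (crl_number, serial, problem) tuples.

    An empty list means every CRL in the sequence is consistent with the
    ones issued before it.  CRLs are processed in thisUpdate order.
    """
    ordered = sorted(crls, key=lambda c: c.this_update)
    problems = []
    first_seen = {}          # serial -> revocationDate from the first CRL listing it
    prev_update = None       # thisUpdate of the previously issued CRL

    for crl in ordered:
        for e in crl.entries:
            # Peter's model: a CRL lists only revocations dated before its
            # thisUpdate (the database snapshot time).
            if e.revocation_date > crl.this_update:
                problems.append((crl.number, e.serial,
                                 "revocationDate after thisUpdate"))

            if e.serial in first_seen:
                # Already reported on an earlier CRL; the date should not move
                # between issues (extra sanity check, not the thread's rule).
                if first_seen[e.serial] != e.revocation_date:
                    problems.append((crl.number, e.serial,
                                     "revocationDate changed between CRLs"))
                continue

            # First time this serial is reported: the rule Piyush cites.
            if prev_update is not None and e.revocation_date < prev_update:
                problems.append((crl.number, e.serial,
                                 "first listed here but revocationDate precedes "
                                 "the previous CRL's thisUpdate"))
            first_seen[e.serial] = e.revocation_date

        prev_update = crl.this_update

    return problems


def _t(iso):
    """Helper: build an aware UTC datetime from an ISO-8601 string."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# Constructed sample: two consecutive CRLs from the same issuer.
SAMPLE_CRLS = [
    Crl(_t("2012-11-01T00:00:00"), 1, [
        Entry(0x1001, _t("2012-10-31T12:00:00")),   # fine
    ]),
    Crl(_t("2012-11-02T00:00:00"), 2, [
        Entry(0x1001, _t("2012-10-31T12:00:00")),   # carried over unchanged: fine
        Entry(0x1002, _t("2012-11-01T08:00:00")),   # revoked between CRL 1 and 2: fine
        Entry(0x1003, _t("2012-10-30T08:00:00")),   # first listed here, but predates CRL 1
        Entry(0x1004, _t("2012-11-02T06:00:00")),   # dated after CRL 2's own thisUpdate
    ]),
]


if __name__ == "__main__":
    for crl_number, serial, problem in check_crl_sequence(SAMPLE_CRLS):
        print(f"CRL #{crl_number} serial {serial:#x}: {problem}")
```

Run as a script it flags serials 0x1003 and 0x1004 on CRL #2 and nothing on CRL #1. If one treats OCSP revocationTime as Piyush describes, the same two comparisons (against the responder's thisUpdate and against the previous snapshot it served from) are what a client would apply to an OCSP response; the thread's point is that RFC 2560 gives no text saying whether that treatment is correct.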