RE: OCSP Algorithm Agility
Paul Hoffman <paul.hoffman@vpnc.org> Fri, 21 September 2007 22:43 UTC
Return-path: <owner-ietf-pkix@mail.imc.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IYrDO-00027K-Iu for pkix-archive@lists.ietf.org; Fri, 21 Sep 2007 18:43:14 -0400
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IYrDN-0001gh-9U for pkix-archive@lists.ietf.org; Fri, 21 Sep 2007 18:43:14 -0400
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l8LM50nA097633 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 21 Sep 2007 15:05:00 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l8LM502X097632; Fri, 21 Sep 2007 15:05:00 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from [165.227.249.200] (adsl-66-125-125-65.dsl.pltn13.pacbell.net [66.125.125.65]) (authenticated bits=0) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l8LM4nea097619 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 21 Sep 2007 15:04:50 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0
Message-Id: <p06240816c319ef4471c5@[165.227.249.200]>
In-Reply-To: <p06240501c319eac56604@[192.168.0.103]>
References: <2788466ED3E31C418E9ACC5C3166155703DF57@mou1wnexmb09.vcorp.ad.vrsn.com> <p0624080ec319a977190d@[165.227.249.200]> <p0624050dc319b62dedaf@[128.89.89.71]> <p06240814c319da7d9330@[165.227.249.200]> <p06240501c319eac56604@[192.168.0.103]>
Date: Fri, 21 Sep 2007 15:04:46 -0700
To: Stephen Kent <kent@bbn.com>
From: Paul Hoffman <paul.hoffman@vpnc.org>
Subject: RE: OCSP Algorithm Agility
Cc: ietf-pkix@imc.org
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 9466e0365fc95844abaf7c3f15a05c7d
At 5:49 PM -0400 9/21/07, Stephen Kent wrote: >You are correct that to impose a total ordering on what may be more >appropriately described as a lattice implies a value judgement, and >the responder and client might have different perspective. So, how does your solution help the client decide what to do with an OCSP response? It seems to me that it gives them one more piece of data that is open to disagreement. >Lookng at your example, the CA should revoke the OCSP responder's >cert with the newly compromised, bad algs, and issue a new one. yes, >this is imperfect because we an encounter a circular revocation >status problem for a responder. Others might say that a circular revocation status problem is "not helpful" or simply "broken". >but I think this can be managed in a practical way by establishing a >reasonable re-issue frequency for the responder's cert. ...thereby introducing a new point of failure for OCSP response validation. Maybe the problem of a MITM forging an OCSP response using a broken signing algorithm is not as bad as this solution. --Paul Hoffman, Director --VPN Consortium
- OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Stefan Santesson
- RE: OCSP Algorithm Agility Michael Myers
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Michael Myers
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Andrews, Rick
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Andrews, Rick
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Paul Hoffman
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Stefan Santesson
- RE: OCSP Algorithm Agility Stephen Kent
- RE: OCSP Algorithm Agility Stefan Santesson
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Paul Hoffman
- RE: OCSP Algorithm Agility Stephen Kent
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Paul Hoffman
- RE: OCSP Algorithm Agility Andrews, Rick
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Santosh Chokhani
- RE: OCSP Algorithm Agility Seth Hitchings
- RE: OCSP Algorithm Agility Stefan Santesson
- RE: OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility Santosh Chokhani