Re: [pkix] technical question about RFC 6960

Tom Hans <tomhans18@gmail.com> Thu, 30 April 2020 22:36 UTC

In-Reply-To: <D541C15F-7A90-4CFB-8B13-774067A84ECA@vigilsec.com>
From: Tom Hans <tomhans18@gmail.com>
Date: Fri, 01 May 2020 00:36:39 +0200
Message-ID: <CAGWHT=aMLYR2zuw9oQkPrqZ5JWT2E661oQo87gtoVbgEyfBrnA@mail.gmail.com>
To: pkix@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/ZJZPSpZPyGSAA3M5h8eebwKbgUg>
Subject: Re: [pkix] technical question about RFC 6960

@russ

Excuse me, I forgot to mention that the URLs are used for both CAs, root A
and B.

Both roots do belong to the same company.


On Thursday, 30 April 2020, Russ Housley <housley@vigilsec.com> wrote:

> Tom:
>
> Since these details do not align with the names used in your earlier
> message, it is not as helpful as I expected.
>
> Russ
>
>
> On Apr 30, 2020, at 2:58 AM, Tom Hans <tomhans18@gmail.com> wrote:
>
> @Russ
> The AIA extension of EndCert A contains:
> [1]Authority Info Access
>      Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
>      Alternative Name:
>           URL=https://pki.spi-cloud.com/issuer
> [2]Authority Info Access
>      Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
>      Alternative Name:
>           URL=http://ocsp.spi-cloud.com/status/
> RI:http://ocsp.spi-cloud.com/status/
>
>
> @Peter thank you for your explanation. This helps a lot :)
> So the only "out of band" knowledge I would have is that I saw the signer
> through Wireshark nothing else.
> Consequently this is a bad behavior of the CA itself.
>
> On Wed., 29 Apr. 2020 at 16:56, Peter Bowen <pzbowen@gmail.com>
> wrote:
>
>> On Tue, Apr 28, 2020 at 11:17 PM Tom Hans <tomhans18@gmail.com> wrote:
>> >
>> > Hello,
>> >
>> > thank you for your answers.
>> >
>> > I know that the OCSP response cannot be validated because I do not have
>> > the Root CA B installed.
>> > If I do this, the response is validatable.
>> >
>> > What I would like to know is whether this is RFC conformant.
>> > In RFC 6960 section 4.2.2.2 the following three possibilities are
>> > mentioned:
>> >
>> >    1. Matches a local configuration of OCSP signing authority for the
>> >       certificate in question, or
>> >
>> >    2. Is the certificate of the CA that issued the certificate in
>> >       question, or
>> >
>> >    3. Includes a value of id-kp-OCSPSigning in an extended key usage
>> >       extension and is issued by the CA that issued the certificate in
>> >       question as stated above.
>> >
>> >
>> > Points 2 and 3 are not used because the certificate in the request is
>> > issued by Root CA A, and point one is not really clear to me.
>>
>> There are two different architectures here.  Points two and three
>> cover "first party" status checking - asking the issuer of the
>> certificate or someone authorized by the issuer to tell you the
>> status.  Point one covers "third party" status checking - asking an
>> unrelated party about the certificate.
>>
>> Comparing this to the process of driver's licenses in the US, you can
>> ask the state government department or agency that issues licenses
>> about the status of a license.  That is point 2.  You could also ask a
>> police department about the license and also ask the police for a
>> certificate that they are authorized to provide license status.  That
>> is point 3.  However, a license is also frequently used as
>> identification.  A private club could have a membership list.  You
>> could ask the club secretary whether the license matches someone on the
>> membership list.  It doesn't necessarily tell you that the person is
>> authorized to drive a car, but they can tell you if the person is
>> authorized to enter the clubhouse.  That is point 1.
>>
>> You hit an OCSP responder that is covered under point 1.  Unless you
>> have out-of-band knowledge that the answers it is providing are
>> relevant to your use case, having B tell you about the status of
>> things A issues probably is not what you want.
>>
>> Thanks,
>> Peter
>>
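The three alternatives Peter walks through (RFC 6960 section 4.2.2.2) written out as a decision function, run against the situation in the thread: the end certificate chains to Root CA A while the response signer chains to Root CA B. This is an added example, not code from the thread or from any of its participants; the `Cert` model, the `Signer` enum, `classify_signer` and all certificate names are assumptions, and the string comparison on `issuer` stands in for real chain validation.

```python
from dataclasses import dataclass
from enum import Enum

# id-kp-OCSPSigning, the extended key usage that rule 3 of RFC 6960 4.2.2.2 requires.
ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate, not a DER parser.
    `issuer` is read as 'chain-validated as issued by that CA'."""
    subject: str
    issuer: str
    eku: frozenset = frozenset()


class Signer(Enum):
    NOT_AUTHORIZED = 0
    LOCALLY_CONFIGURED = 1   # rule 1: out-of-band local configuration
    ISSUING_CA = 2           # rule 2: signer is the CA that issued the target
    DELEGATED_RESPONDER = 3  # rule 3: id-kp-OCSPSigning and issued by that same CA


def classify_signer(target: Cert, signer: Cert, local_config: dict) -> Signer:
    """Apply the three alternatives in order. `local_config` maps a target
    issuer name to the signer subjects an operator has deliberately trusted
    for it (rule 1); anything else must satisfy the first-party rules 2 or 3."""
    if signer.subject in local_config.get(target.issuer, frozenset()):
        return Signer.LOCALLY_CONFIGURED
    if signer.subject == target.issuer:
        return Signer.ISSUING_CA
    if ID_KP_OCSP_SIGNING in signer.eku and signer.issuer == target.issuer:
        return Signer.DELEGATED_RESPONDER
    return Signer.NOT_AUTHORIZED


# Constructed sample: EndCert A is issued by Root CA A, but the response seen in
# the thread is signed by a responder certificate issued by Root CA B.
END_CERT_A = Cert("EndCert A", "Root CA A")
ROOT_A = Cert("Root CA A", "Root CA A")
RESPONDER_A = Cert("OCSP Responder A", "Root CA A", frozenset({ID_KP_OCSP_SIGNING}))
RESPONDER_B = Cert("OCSP Responder B", "Root CA B", frozenset({ID_KP_OCSP_SIGNING}))


def thread_scenario() -> dict:
    """Outcomes for each signer, with and without a rule-1 local trust entry."""
    trusted_b = {"Root CA A": {"OCSP Responder B"}}
    return {
        "root_a_signs": classify_signer(END_CERT_A, ROOT_A, {}),
        "responder_a_signs": classify_signer(END_CERT_A, RESPONDER_A, {}),
        "responder_b_signs": classify_signer(END_CERT_A, RESPONDER_B, {}),
        "responder_b_locally_trusted": classify_signer(END_CERT_A, RESPONDER_B, trusted_b),
    }
```

Installing Root CA B only makes the signature verifiable; without the explicit local entry the Root B responder still fails all three rules for a certificate issued by Root A, which is the point of Peter's answer.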