Re: [pkix] technical question about RFC 6960
Tom Hans <tomhans18@gmail.com> Thu, 30 April 2020 22:36 UTC
In-Reply-To: <D541C15F-7A90-4CFB-8B13-774067A84ECA@vigilsec.com>
References: <CAGWHT=YHzJTafq7yk2KSMLdy5oFw=O4K+Xru+=C7d_by+WT5ow@mail.gmail.com> <632020ED-4708-4AD7-9F4A-069E294CA5B7@vigilsec.com> <8aaa80ca-9da0-784e-a1fa-9f7ce039abb1@nthpermutation.com> <CAGWHT=ZxiM313TNkv1sbo_COw9o=-nCz1qeFeRHMxvjOpm0oZw@mail.gmail.com> <CAK6vND_v3ALiJqV_uA-QRCE0S5fZCPKU8KxDf1gN-Rae4ydaog@mail.gmail.com> <CAGWHT=Yha2tmbb-VmDfbZs6sc8R5FzzfVpTU=DEV8BKJM1ExwQ@mail.gmail.com> <D541C15F-7A90-4CFB-8B13-774067A84ECA@vigilsec.com>
From: Tom Hans <tomhans18@gmail.com>
Date: Fri, 01 May 2020 00:36:39 +0200
Message-ID: <CAGWHT=aMLYR2zuw9oQkPrqZ5JWT2E661oQo87gtoVbgEyfBrnA@mail.gmail.com>
To: pkix@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/ZJZPSpZPyGSAA3M5h8eebwKbgUg>
Subject: Re: [pkix] technical question about RFC 6960
List-Id: PKIX Working Group <pkix.ietf.org>
@Russ, excuse me, I forgot to mention that the URLs are used for both CAs, Root A and B. Both roots do belong to the same company.

On Thursday, 30 April 2020, Russ Housley <housley@vigilsec.com> wrote:

> Tom:
>
> Since these details do not align with the names used in your earlier
> message, it is not as helpful as I expected.
>
> Russ
>
>
> On Apr 30, 2020, at 2:58 AM, Tom Hans <tomhans18@gmail.com> wrote:
>
> @Russ
> The AIA extension of EndCert A contains:
>
> [1]Authority Info Access
>      Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
>      Alternative Name:
>           URL=https://pki.spi-cloud.com/issuer
> [2]Authority Info Access
>      Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
>      Alternative Name:
>           URL=http://ocsp.spi-cloud.com/status/
> RI:http://ocsp.spi-cloud.com/status/
>
>
> @Peter thank you for your explanation. This helps a lot :)
> So the only "out of band" knowledge I would have is that I saw the signer
> through Wireshark, nothing else.
> Consequently this is a bad behavior of the CA itself.
>
> On Wed, 29 Apr 2020 at 16:56, Peter Bowen <pzbowen@gmail.com> wrote:
>
>> On Tue, Apr 28, 2020 at 11:17 PM Tom Hans <tomhans18@gmail.com> wrote:
>> >
>> > Hello,
>> >
>> > thank you for your answers.
>> >
>> > I know that the OCSP response cannot be validated because I do not have
>> > the Root CA B installed.
>> > If I do this the response is validatable.
>> >
>> > What I would like to know is whether this is RFC conformant.
>> > In RFC 6960 section 4.2.2.2 the following three
>> > possibilities are mentioned:
>> >
>> > 1. Matches a local configuration of OCSP signing authority for the
>> >    certificate in question, or
>> >
>> > 2. Is the certificate of the CA that issued the certificate in
>> >    question, or
>> >
>> > 3. Includes a value of id-kp-OCSPSigning in an extended key usage
>> >    extension and is issued by the CA that issued the certificate in
>> >    question as stated above.
>> >
>> >
>> > Points 2 and 3 are not used because the certificate in the request is issued
>> > by Root CA A, and point one is not really clear to me.
>>
>> There are two different architectures here. Points two and three
>> cover "first party" status checking - asking the issuer of the
>> certificate or someone authorized by the issuer to tell you the
>> status. Point one covers "third party" status checking - asking an
>> unrelated party about the certificate.
>>
>> Comparing this to the process of driver's licenses in the US, you can
>> ask the state government department or agency that issues licenses
>> about the status of a license. That is point 2. You could also ask a
>> police department about the license and also ask the police for a
>> certificate that they are authorized to provide license status. That
>> is point 3. However a license is also frequently used as
>> identification. A private club could have a membership list. You
>> could ask the club secretary whether the license matches someone on the
>> membership list. It doesn't necessarily tell you that the person is
>> authorized to drive a car, but they can tell you if the person is
>> authorized to enter the clubhouse. That is point 1.
>>
>> You hit an OCSP responder that is covered under point 1. Unless you
>> have out of band knowledge that the answers it is providing are
>> relevant to your use case, then having B tell you about status of
>> things A issues probably is not what you want.
>>
>> Thanks,
>> Peter
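The three acceptance rules of RFC 6960 section 4.2.2.2 quoted in this thread, applied to the situation Tom describes (EndCert A issued by Root CA A, OCSP response signed under Root CA B), as an added example that is not part of the thread or of any participant's code. Certificates are modelled as plain records, and "issued by" is checked by name chaining plus key-identifier match as a stand-in for real signature verification; the names ("CN=Root CA A", "ski-A" and so on) and the shape of the local-configuration table (issuer subject to trusted responder key identifier) are assumptions made for the illustration, not anything the thread specifies.

```python
"""
Model of the OCSP responder-authorization rules from RFC 6960, 4.2.2.2.

A response signer is acceptable for a target certificate only if it
  1. matches a local configuration of OCSP signing authority for the
     target certificate, or
  2. is the certificate of the CA that issued the target, or
  3. carries id-kp-OCSPSigning in its EKU and is issued by that CA.

Nothing here talks to a network; all certificates are constructed inline.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning (RFC 6960, 4.2.2.2)


@dataclass(frozen=True)
class Cert:
    """Minimal certificate record (assumed model, not a real X.509 parser)."""
    subject: str
    issuer: str
    ski: str                                  # subjectKeyIdentifier
    aki: str                                  # authorityKeyIdentifier
    eku: FrozenSet[str] = frozenset()         # extendedKeyUsage OIDs


def issued_by(cert: Cert, ca: Cert) -> bool:
    """Name chaining plus key-identifier match.

    Stand-in for the real check: a production verifier must also validate
    cert's signature with ca's public key and build ca's own chain to a
    trust anchor (which is exactly what failed for Tom: Root B was not
    installed, so the signer could not even be chained).
    """
    return cert.issuer == ca.subject and cert.aki == ca.ski


def responder_authorized(signer: Cert, target: Cert, target_issuer: Cert,
                         local_trusted: Dict[str, str]) -> Optional[int]:
    """Return the number of the 4.2.2.2 rule that admits `signer`, or None.

    `local_trusted` maps a target-issuer subject to the SKI of a responder the
    relying party has explicitly configured for that issuer (rule 1). This
    table layout is an assumption of the example.
    """
    # Rule 1: explicit local configuration for certificates from this issuer.
    if local_trusted.get(target_issuer.subject) == signer.ski:
        return 1
    # Rule 2: the response is signed by the CA that issued the target itself.
    if signer == target_issuer and issued_by(target, target_issuer):
        return 2
    # Rule 3: delegated responder, issued by that CA and marked for OCSP signing.
    if ID_KP_OCSP_SIGNING in signer.eku and issued_by(signer, target_issuer):
        return 3
    return None


# Constructed certificates mirroring the thread's setup (names are assumed).
ROOT_A = Cert("CN=Root CA A", "CN=Root CA A", "ski-A", "ski-A")
ROOT_B = Cert("CN=Root CA B", "CN=Root CA B", "ski-B", "ski-B")
END_A = Cert("CN=EndCert A", "CN=Root CA A", "ski-end-a", "ski-A")
RESPONDER_B = Cert("CN=OCSP Responder", "CN=Root CA B", "ski-resp-b", "ski-B",
                   frozenset({ID_KP_OCSP_SIGNING}))
RESPONDER_A = Cert("CN=OCSP Responder", "CN=Root CA A", "ski-resp-a", "ski-A",
                   frozenset({ID_KP_OCSP_SIGNING}))


def scenario_from_thread() -> Dict[str, Optional[int]]:
    """Evaluate the thread's case and the first-party alternatives side by side."""
    no_config: Dict[str, str] = {}
    # Relying party has explicitly pinned Root B's responder for Root A's certs.
    pinned_b = {"CN=Root CA A": "ski-resp-b"}
    return {
        # Response signed directly by Root B: no rule applies.
        "signed_by_root_b": responder_authorized(ROOT_B, END_A, ROOT_A, no_config),
        # Delegated responder issued by Root B, no local config: rule 3 fails
        # because the responder cert is not issued by Root A.
        "responder_from_b": responder_authorized(RESPONDER_B, END_A, ROOT_A, no_config),
        # Same signer, but the relying party configured it out of band: rule 1.
        "responder_from_b_pinned": responder_authorized(RESPONDER_B, END_A, ROOT_A, pinned_b),
        # What the CA should have done: sign with Root A (rule 2) ...
        "signed_by_root_a": responder_authorized(ROOT_A, END_A, ROOT_A, no_config),
        # ... or delegate to a responder cert issued by Root A (rule 3).
        "responder_from_a": responder_authorized(RESPONDER_A, END_A, ROOT_A, no_config),
    }


if __name__ == "__main__":
    for case, rule in scenario_from_thread().items():
        print(f"{case:28s} -> {'rejected' if rule is None else f'rule {rule}'}")
```

The point of the last two cases is that the rules are about the relationship between the response signer and the issuer of the certificate being checked, not about whether the signer chains to some trust anchor: installing Root B makes the signature verifiable, but it still does not make Root B (or a responder it issued) an authorized source of status for Root A's certificates unless the relying party has deliberately configured it as one.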