Re: [pkix] New draft-ietf-pkix-rfc2560bis-06
"Piyush Jain" <piyush@ditenity.com> Thu, 25 October 2012 04:26 UTC
Return-Path: <piyush@ditenity.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D8A611E80E5 for <pkix@ietfa.amsl.com>; Wed, 24 Oct 2012 21:26:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.334
X-Spam-Level:
X-Spam-Status: No, score=-3.334 tagged_above=-999 required=5 tests=[AWL=0.265, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DtPRBZgzplkI for <pkix@ietfa.amsl.com>; Wed, 24 Oct 2012 21:26:16 -0700 (PDT)
Received: from mail-ie0-f172.google.com (mail-ie0-f172.google.com [209.85.223.172]) by ietfa.amsl.com (Postfix) with ESMTP id 2A07D11E80E2 for <pkix@ietf.org>; Wed, 24 Oct 2012 21:26:16 -0700 (PDT)
Received: by mail-ie0-f172.google.com with SMTP id 9so1966936iec.31 for <pkix@ietf.org>; Wed, 24 Oct 2012 21:26:15 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-type:content-transfer-encoding:x-mailer :thread-index:content-language:x-gm-message-state; bh=kwVvWfFABAKcKJHbekPUPEqz1KSDimX7lpQCe1lwuW4=; b=orwrE2RyQZJK8oiIW9lmw6WYOsf/v/VB+0nxYMpHzReJX3Hq7WLkJC6t1xEddoXz9n +ychaEPg+NaQi/70K29Vgyynp8IKtPj0wwmrj88smsrNszInBsYLJP1P05euBN0ufA4r DxZbny6phHQIhy3oZ59XhILotwEKDSCUbmXD5SetWh8kvHQmXIiqt6XRKFmqu7xN7grS kYLS35SiPpe9J3eTKIzLS9wTtxFMMWxGhlt4G0bHQaXJkJSfqxZJrz3HfAXqvSPwrcTC +6tdNTMavWlacMWk80Xr9//8rhBjGNUGbuNkLmo9mySMjPE1LJaluQBsCU80Wtl4XKRz 2gGA==
Received: by 10.50.149.234 with SMTP id ud10mr4782075igb.12.1351139175722; Wed, 24 Oct 2012 21:26:15 -0700 (PDT)
Received: from hp13 (75-25-128-241.lightspeed.sjcpca.sbcglobal.net. [75.25.128.241]) by mx.google.com with ESMTPS id uz12sm3530033igb.16.2012.10.24.21.26.13 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 24 Oct 2012 21:26:14 -0700 (PDT)
From: Piyush Jain <piyush@ditenity.com>
To: mrex@sap.com
References: <010201cdb06a$7a37c670$6ea75350$@ditenity.com> <20121024224035.E6D7E1A2F3@ld9781.wdf.sap.corp>
In-Reply-To: <20121024224035.E6D7E1A2F3@ld9781.wdf.sap.corp>
Date: Wed, 24 Oct 2012 21:26:10 -0700
Message-ID: <053201cdb268$ddf9a200$99ece600$@ditenity.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQHr541m+Xr4o75zYM33iPWFWU2pC5eM+nJA
Content-Language: en-us
X-Gm-Message-State: ALoCoQkuQoLv0GO3KJbqXEE8S8xizEIPsDmCeeW6SiyCsaUZXID1dxdlfYqy68hUh5/GoRdXKZ7H
Cc: 'Peter Rybar' <peterryb@gmail.com>, 'Stefan Santesson' <stefan@aaa-sec.com>, pkix@ietf.org
Subject: Re: [pkix] New draft-ietf-pkix-rfc2560bis-06
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Oct 2012 04:26:17 -0000
> -----Original Message----- > From: Martin Rex [mailto:mrex@sap.com] > Sent: Wednesday, October 24, 2012 3:41 PM > To: Piyush Jain > Cc: 'Stefan Santesson'; 'Peter Rybar'; 'Carl Wallace'; 'Simon Tardell'; 'Peter > Rybar'; pkix@ietf.org > Subject: Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 > > Piyush Jain wrote: > > > > The people who are convinced that this is the way to go have not > > addressed the issues raised in this WG. The little extension does not > > hurt anyone but it does not provide any value in general except to a > > few implementations which are compromised. But it does take you down a > > slippery slope when you start promising that an OCSP responder can do > > much more than it is supposed to. > > > > I don't think that it is unreasonable for a smart implementer to stop > > signature checking if his responder claims that it checks issuance. > > > I completely fail to follow your argument here. [Piyush] I think your comments below indicate that you understand the argument. > > When you say "stop signature checking", do you mean checking the CA > signature on the certificate for which you perform the OCSP request? [Piyush] Yes. > > In the exceptional case that > - you exclusively use a securely preconfigured local OCSP responder, > - this securely preconfigured local OCSP responder uses the optional > cert hash extension in his responses and the hash returned with > a good response matches the cert in question > - you fully trust that securely preconfigured local OCSP responder > to issue any cert it pleases like an omnipotent universal CA > > then you may omit the signature check on the certificate in question. [Piyush] And this is the only exceptional case where the cert hash extension and returning revoked for not-issued has any value. In every other scenario it's just a hack providing no additional security. > > In all other situations, you MUST verify the CA signature of the certificate > before using any OCSP AIA in that cert to query its status -- or you > misunderstand the X.509 security architecture and why it is vitally important > that (a) (1) is the very first step in the certificate processing specified in > PKIX/rfc5280: > > http://tools.ietf.org/html/rfc5280#section-6.1.3 > [Piyush] And yet you are arguing for an extension which enables responders to say that certificate can be non-issued even though the RP has verified that the CA issued it by performing signature verification. All this extension does is creates a paradox. If signature on the payload certificate verifies certificate is issued. If you cannot trust this cryptographic binding, you cannot trust the cryptographic binding on the responder's cert because the responder cert is also issued by the same CA. If the little extension benefits a small number of people who obviously do not have too much confidence in the security of their CA deployments, they can publish an informational RFC to accommodate this. Putting it in the standard just adds overhead for majority of vendors out there who at the minimum need to justify the reason for not including this feature in their implementation. > > -Martin
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Denis Pinkas
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Simon Tardell
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Denis Pinkas
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Denis Pinkas
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Simon Tardell
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Simon Tardell
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Denis Pinkas
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Peter Rybar
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- [pkix] Straw-poll on OCSP responses for non-revok… Stefan Santesson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Yngve Nysaeter Pettersen
- Re: [pkix] Straw-poll on OCSP responses for non-r… Yoav Nir
- Re: [pkix] Straw-poll on OCSP responses for non-r… Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Miller, Timothy J.
- Re: [pkix] Straw-poll on OCSP responses for non-r… David Chadwick
- Re: [pkix] Straw-poll on OCSP responses for non-r… Art Allison
- Re: [pkix] Straw-poll on OCSP responses for non-r… Miller, Timothy J.
- Re: [pkix] Straw-poll on OCSP responses for non-r… Santosh Chokhani
- Re: [pkix] Straw-poll on OCSP responses for non-r… Erwann Abalea
- Re: [pkix] Straw-poll on OCSP responses for non-r… Yoav Nir
- Re: [pkix] Straw-poll on OCSP responses for non-r… Peter Rybar
- Re: [pkix] Straw-poll on OCSP responses for non-r… Paul Hoffman
- Re: [pkix] Straw-poll on OCSP responses for non-r… Juan Gonzalez
- Re: [pkix] Straw-poll on OCSP responses for non-r… Max Pritikin (pritikin)
- Re: [pkix] Straw-poll on OCSP responses for non-r… Simon Tardell
- Re: [pkix] Straw-poll on OCSP responses for non-r… Carl Wallace
- Re: [pkix] Straw-poll on OCSP responses for non-r… Paul Hoffman
- Re: [pkix] Straw-poll on OCSP responses for non-r… Rick Robinson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Jeremy Rowley
- Re: [pkix] Straw-poll on OCSP responses for non-r… Melinda Shore
- Re: [pkix] Straw-poll on OCSP responses for non-r… Martin Rex
- Re: [pkix] Straw-poll on OCSP responses for non-r… Russ Housley
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] Straw-poll on OCSP responses for non-r… Tom Ritter
- Re: [pkix] Straw-poll on OCSP responses for non-r… Dr Stephen Henson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Ryan Sleevi
- Re: [pkix] Straw-poll on OCSP responses for non-r… Johannes Merkle
- Re: [pkix] Straw-poll on OCSP responses for non-r… Denis Pinkas
- Re: [pkix] Straw-poll on OCSP responses for non-r… Art Allison
- Re: [pkix] Straw-poll on OCSP responses for non-r… Ryan Hurst
- Re: [pkix] Straw-poll on OCSP responses for non-r… Ben Wilson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] Straw-poll on OCSP responses fornon-re… Art Allison
- [pkix] Proposed resolution to non-issued certific… Stefan Santesson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Tom Ritter
- Re: [pkix] Proposed resolution to non-issued cert… Tom Ritter
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… David A. Cooper
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Peter Gutmann
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Phillip Hallam-Baker
- Re: [pkix] Proposed resolution to non-issued cert… David A. Cooper
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Peter Rybar
- Re: [pkix] Proposed resolution to non-issued cert… Simon Tardell
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… David A. Cooper
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Peter Rybar
- Re: [pkix] Proposed resolution to non-issued cert… Simon Tardell
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Martin Rex
- Re: [pkix] Proposed resolution to non-issued cert… Martin Rex
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Martin Rex
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Straw-poll on OCSP responses for non-r… Tom Gindin
- Re: [pkix] Straw-poll on OCSP responses for non-r… Phillip Hallam-Baker