RE: OCSP Algorithm Agility

Stephen Kent <kent@bbn.com> Fri, 21 September 2007 18:59 UTC

Date: Fri, 21 Sep 2007 14:07:44 -0400
To: ietf-pkix@imc.org
From: Stephen Kent <kent@bbn.com>

Folks,

How about defining an extension to be included in the cert issued to 
an OCSP responder by a CA.  The extension would have an ordered list 
of algorithms (hash and signature if we want to address more than the 
hash agility issue) accepted by the OCSP responder.  An OCSP client 
can use this info to determine what is the "best" algorithm (or alg 
pair) that it and the responder share. The combination of this 
extension and an OCSP negotiation procedure will allow the client to 
detect MITM downgrade attacks. In fact, if the client acquires the 
responder's cert prior to making a request, there would not even be a 
need for real negotiation, since the client would know what alg to 
request in a response.

Steve
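
The client-side selection and downgrade check proposed in the message above, as an added example that is not part of the original post. No such extension is defined on this page, so the list contents, the function names and the assumption that the list is ordered most-preferred first are all hypothetical.

```python
# Added illustration. The extension, its contents and all names are hypothetical.
from typing import List, Optional, Set, Tuple

AlgPair = Tuple[str, str]  # (hash, signature) pair, e.g. ("sha256", "rsa")

# Constructed sample: ordered list as it might appear in the CA-issued
# responder certificate (assumed order: most preferred first).
RESPONDER_LIST: List[AlgPair] = [("sha512", "ecdsa"), ("sha256", "rsa"), ("sha1", "rsa")]
# Constructed sample: pairs this client implements.
CLIENT_SUPPORTED: Set[AlgPair] = {("sha256", "rsa"), ("sha1", "rsa")}


def best_shared(responder_list: List[AlgPair],
                client_supported: Set[AlgPair]) -> Optional[AlgPair]:
    """Return the first pair in the responder's ordered list the client supports."""
    for pair in responder_list:
        if pair in client_supported:
            return pair
    return None


def check_response(responder_list: List[AlgPair],
                   client_supported: Set[AlgPair],
                   response_alg: AlgPair) -> str:
    """Classify the pair actually used to sign an OCSP response.

    The list comes from a certificate signed by the CA, so an attacker in the
    path cannot edit it; a response signed with a lower-ranked pair than the
    best shared one is therefore treated as a possible downgrade.
    """
    expected = best_shared(responder_list, client_supported)
    if expected is None:
        return "reject: no shared algorithm"
    if response_alg not in responder_list:
        return "reject: not advertised in responder cert"
    if response_alg not in client_supported:
        return "reject: unsupported by client"
    if responder_list.index(response_alg) > responder_list.index(expected):
        return "reject: possible downgrade"
    return "ok"


if __name__ == "__main__":
    print("request:", best_shared(RESPONDER_LIST, CLIENT_SUPPORTED))
    for alg in [("sha256", "rsa"), ("sha1", "rsa"), ("md5", "rsa")]:
        print(alg, "->", check_response(RESPONDER_LIST, CLIENT_SUPPORTED, alg))
```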