IETF Logo Mail Archive

Re: [pkix] New draft-ietf-pkix-rfc2560bis-06

mrex@sap.com (Martin Rex) Tue, 23 October 2012 10:38 UTC

Return-Path: <mrex@sap.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28A2921F86B4 for <pkix@ietfa.amsl.com>; Tue, 23 Oct 2012 03:38:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.208
X-Spam-Level:
X-Spam-Status: No, score=-10.208 tagged_above=-999 required=5 tests=[AWL=0.041, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LMvtpriRe5IJ for <pkix@ietfa.amsl.com>; Tue, 23 Oct 2012 03:38:40 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id DE40521F86BE for <pkix@ietf.org>; Tue, 23 Oct 2012 03:38:39 -0700 (PDT)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id q9NAcV82028823 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 23 Oct 2012 12:38:36 +0200 (MEST)
In-Reply-To: <CA+i=0E7PGJgKb59djvanGR96WSbOyUe75=YsGM1ab=FZx_REnQ@mail.gmail.com>
To: Erwann Abalea <eabalea@gmail.com>
Date: Tue, 23 Oct 2012 12:38:29 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20121023103829.53FA01A2EE@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: Peter Rybar <peterryb@gmail.com>, pkix@ietf.org, Stefan Santesson <stefan@aaa-sec.com>
Subject: Re: [pkix] New draft-ietf-pkix-rfc2560bis-06
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Oct 2012 10:38:41 -0000

Erwann Abalea wrote:
> 
>>
>> CertificateHold is EXACTLY the correct ReasonCode:
>> It indicates that the CA has not issued a cert with the given serial
>> *YET*, but it MAY eventually issue such a cert in the future
>> (sometimes even in the _very_next_future_ ... i.e. it is about
>>  to become visible to the OCSP responder, but not visible yet).
> 
> 
> No. It indicates that the corresponding (existent) certificate has been put
> on hold.
> You're asking the CA to assert a status for a non-existent certificate.

Where exactly does X.509 or PKIX require that a serial on a CRL
will have to refer to an existing cert, i.e. one that the CA has
positive proof to have issued.  I (now) believe this is a completely
flawed assumption.

CRLs and OCSP only assert a state to a certificate serial.
Infering about existance/noexistance of certs is a logical fallacy.


> 
> What's next? Ask CAs to sign the next OCSP response with a "removeFromCRL"
> code for dumb serial numbers for which they replied "certificateHold"? Why
> not also add a holdInstructionCode extension to the OCSP response, and
> define proper codes?

removeFromCRL doesn't make sense in an OCSP response, because OCSP does
not hand out CRLs. 


> 
> The number of bogus requests far outweighs the number of bad certificates.
> In our case, as a public CA, it even outweighs the number of good public
> certificates we produced.
> 
> Asking for a signed response to a bogus request gives anonymous attackers
> much power. Consider big CAs that receive billions of OCSP requests a week,
> or even a day (that's reality). Do you really consider that asking for
> billions of signatures a day for bogus requests, asserting an authoritative
> status for nonexistent certificate is the right thing to do?
> 
> With my "CA" hat, I see that OCSP is a hidden cost, and you want to make it
> more costly.


Having an OCSP responder look at cert issuance logs and produce an
intelligible, risk-reducing response rather that an entirely useless
response will be a completely optional feature!

Nobody is pushing *YOU* to have your OCSP responder adopt this.

But why are you so obsessed in denying others that possibility?


If you're concerned about the load of creating signatures
for "not issued" requests, you may want to talk to Denis first,
who proposed to create signatures on errors, and in particular on
"not authorized" errors (which includes requests for status of
certs from other CAs).



-Martin

v2.23.0 | Report a Bug | By Email