Re: [pkix] technical question about RFC 6960
Russ Housley <housley@vigilsec.com> Wed, 29 April 2020 14:34 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD0163A09A0 for <pkix@ietfa.amsl.com>; Wed, 29 Apr 2020 07:34:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EflQvvftgkCi for <pkix@ietfa.amsl.com>; Wed, 29 Apr 2020 07:34:34 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0B1F3A11CC for <pkix@ietf.org>; Wed, 29 Apr 2020 07:34:17 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 3CF83300AED for <pkix@ietf.org>; Wed, 29 Apr 2020 10:34:15 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id FZ34jDJrSJyF for <pkix@ietf.org>; Wed, 29 Apr 2020 10:34:12 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (pool-72-66-113-56.washdc.fios.verizon.net [72.66.113.56]) by mail.smeinc.net (Postfix) with ESMTPSA id 382F4300AEF; Wed, 29 Apr 2020 10:34:12 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <75B00B08-7C04-452C-8A90-2B3D99FA2664@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_74559AB5-5115-4E82-B74B-261D3690F43B"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.14\))
Date: Wed, 29 Apr 2020 10:34:12 -0400
In-Reply-To: <CAGWHT=ZxiM313TNkv1sbo_COw9o=-nCz1qeFeRHMxvjOpm0oZw@mail.gmail.com>
Cc: IETF PKIX <pkix@ietf.org>
To: Tom Hans <tomhans18@gmail.com>
References: <CAGWHT=YHzJTafq7yk2KSMLdy5oFw=O4K+Xru+=C7d_by+WT5ow@mail.gmail.com> <632020ED-4708-4AD7-9F4A-069E294CA5B7@vigilsec.com> <8aaa80ca-9da0-784e-a1fa-9f7ce039abb1@nthpermutation.com> <CAGWHT=ZxiM313TNkv1sbo_COw9o=-nCz1qeFeRHMxvjOpm0oZw@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.14)
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/da7Vw7Qh0GMDO2tRU5wNquhRjKY>
Subject: Re: [pkix] technical question about RFC 6960
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Apr 2020 14:34:37 -0000
What is in the AIA extension of EndCert A? > On Apr 29, 2020, at 2:17 AM, Tom Hans <tomhans18@gmail.com> wrote: > > Hello, > > thank you for your answers. > > I know that the OCSP response cannot be validated because I do not have the Root CA B installed. > If I do this the response is validatable. > > What I like to know is if this is RFC conform? > In RFC 6960 section 4.2.2.2. there are mentioned the following three possibilities: > 1. Matches a local configuration of OCSP signing authority for the > certificate in question, or > > 2. Is the certificate of the CA that issued the certificate in > question, or > > 3. Includes a value of id-kp-OCSPSigning in an extended key usage > extension and is issued by the CA that issued the certificate in > question as stated above. > > Point 2 and 3 are not used because the certificate in request is issued by Root CA A and point one is not really clear for me. > > > Kind regards, > Tom > > > Am Di., 28. Apr. 2020 um 20:37 Uhr schrieb Michael StJohns <msj@nthpermutation.com <mailto:msj@nthpermutation.com>>: > I'm also assuming from the description that you don't actually have a > trust anchor (e.g. Root CA B) for the B chain installed and my guess is > that's ultimately the problem leading to the OCSP check failing. Mike > > > On 4/28/2020 1:43 PM, Russ Housley wrote: > > OCSP provides the status of one certificate. So, two OCSP queries are needed in path A, one for the Intermediate A, and another for EndCert A. The AIA extension in each of these certificates tells where to send the query. I assume from the short description that you provided that at lease one of the AIA extensions is pointing to EndCert B as the OCSP responder. > > > > Russ > > > > > >> On Apr 28, 2020, at 10:33 AM, Tom Hans <tomhans18@gmail.com <mailto:tomhans18@gmail.com>> wrote: > >> > >> Dear Ladies and Gentlemen, > >> > >> I was forwarded from the IETF Secretariat to this mailing list. I hope you can help me. > >> Currently I have some technical issues regarding to RFC 6960 and maybe I just misunderstand the described standards. > >> Therefore I kindly like to ask if someone could help me to understand if the scenario below is RFC conform or not. > >> > >> I hope you will help me. > >> > >> Kind regards, > >> Tom Hans > >> > >> > >> > >> Scenario: > >> We have the following certificate chains given: > >> Root CA A -> Intermediate A -> EndCert A > >> Root CA B -> EndCert B > >> > >> Now I check the revocation status of EndCert A using Windows certutil or Linux openssl with OCSP. > >> If the full chain of EndCert A is existing I can send a valid OCSP request and get an OCSP response which contains "good". > >> But even if the response contains "good" Windows and openssl tells me that the OCSP check is not good. > >> And here is the interesting Part: > >> The OCSP response is signed with the EndCert B and I do not see any kind of context between the two certificate chains. Moreover the response only contains the EndCert B and does not deliver the Root CA b which is not existing on my test environment. > >> So in no case it would be possible to check EndCert B for validity.. > >> If I check the RFC 6960 I get stuck with 4.2.2.2. Authorized Responders and I think it is not allowed to sign the OCSP response with EndCert B. > >> _______________________________________________ > >> pkix mailing list > >> pkix@ietf.org <mailto:pkix@ietf.org> > >> https://www.ietf.org/mailman/listinfo/pkix <https://www.ietf.org/mailman/listinfo/pkix> > > _______________________________________________ > > pkix mailing list > > pkix@ietf.org <mailto:pkix@ietf.org> > > https://www.ietf.org/mailman/listinfo/pkix <https://www.ietf.org/mailman/listinfo/pkix> > > > _______________________________________________ > pkix mailing list > pkix@ietf.org <mailto:pkix@ietf.org> > https://www.ietf.org/mailman/listinfo/pkix <https://www.ietf.org/mailman/listinfo/pkix> > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix
- [pkix] technical question about RFC 6960 Tom Hans
- Re: [pkix] technical question about RFC 6960 Russ Housley
- Re: [pkix] technical question about RFC 6960 Michael StJohns
- Re: [pkix] technical question about RFC 6960 Tom Hans
- Re: [pkix] technical question about RFC 6960 Russ Housley
- Re: [pkix] technical question about RFC 6960 Peter Bowen
- Re: [pkix] technical question about RFC 6960 Tom Hans
- Re: [pkix] technical question about RFC 6960 Russ Housley
- Re: [pkix] technical question about RFC 6960 Tom Hans
- Re: [pkix] technical question about RFC 6960 Russ Housley