Re: [pkix] Authorised responders OCSP and id-kp-OCSPSigning
Stefan Santesson <stefan@aaa-sec.com> Sun, 28 February 2021 20:11 UTC
Return-Path: <stefan@aaa-sec.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2311C3A1BB8 for <pkix@ietfa.amsl.com>; Sun, 28 Feb 2021 12:11:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.005
X-Spam-Level:
X-Spam-Status: No, score=0.005 tagged_above=-999 required=5 tests=[HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MVpzpdEOER0i for <pkix@ietfa.amsl.com>; Sun, 28 Feb 2021 12:11:05 -0800 (PST)
Received: from smtp.outgoing.loopia.se (smtp.outgoing.loopia.se [93.188.3.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B992D3A1BB3 for <pkix@ietf.org>; Sun, 28 Feb 2021 12:11:04 -0800 (PST)
Received: from s807.loopia.se (localhost [127.0.0.1]) by s807.loopia.se (Postfix) with ESMTP id AA8882467084 for <pkix@ietf.org>; Sun, 28 Feb 2021 21:11:00 +0100 (CET)
Received: from s645.loopia.se (unknown [172.22.191.5]) by s807.loopia.se (Postfix) with ESMTP id 8C19F2E27747; Sun, 28 Feb 2021 21:11:00 +0100 (CET)
Received: from s476.loopia.se (unknown [172.22.191.6]) by s645.loopia.se (Postfix) with ESMTP id 826991579F86; Sun, 28 Feb 2021 21:11:00 +0100 (CET)
X-Virus-Scanned: amavisd-new at amavis.loopia.se
Received: from s500.loopia.se ([172.22.191.6]) by s476.loopia.se (s476.loopia.se [172.22.190.16]) (amavisd-new, port 10024) with LMTP id 7rAcBD_dnuzt; Sun, 28 Feb 2021 21:10:59 +0100 (CET)
X-Loopia-Auth: user
X-Loopia-User: mailstore2@aaa-sec.com
X-Loopia-Originating-IP: 90.229.17.25
Received: from [192.168.0.106] (unknown [90.229.17.25]) (Authenticated sender: mailstore2@aaa-sec.com) by s500.loopia.se (Postfix) with ESMTPSA id 95E7D1E32E6A; Sun, 28 Feb 2021 21:10:59 +0100 (CET)
User-Agent: Microsoft-MacOutlook/16.46.21021202
Date: Sun, 28 Feb 2021 21:10:58 +0100
From: Stefan Santesson <stefan@aaa-sec.com>
To: ryan@sleevi.com
CC: IETF PKIX <pkix@ietf.org>
Message-ID: <571CE4F3-38BB-4E3C-AA8C-336D40C2BB9B@aaa-sec.com>
Thread-Topic: [pkix] Authorised responders OCSP and id-kp-OCSPSigning
References: <66550DC7-EE88-4F56-B491-03C6D3249720@aaa-sec.com> <CAErg=HFu1hkJytkJ5TiRq0SUH0uObwWESyynoTkm_PLBkg31jw@mail.gmail.com>
In-Reply-To: <CAErg=HFu1hkJytkJ5TiRq0SUH0uObwWESyynoTkm_PLBkg31jw@mail.gmail.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3697391459_512609495"
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/e-Zv5OtlPBhy5u6AGYFhhDGlbpE>
Subject: Re: [pkix] Authorised responders OCSP and id-kp-OCSPSigning
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Feb 2021 20:11:08 -0000
Thanks Ryan. For all practical uses I meant what you first stated. That is, the OCSP response is validated directly by the CA certificate. The OCSP standard does not explicitly say anything about the CA certificate and from my perspective that is not strictly needed. As long as the OCSP response and the certificate is signed with the same key, I can validate the response using the CA certificate. So in all important aspects of this, you confirm my assumptions. Stefan Santesson From: Ryan Sleevi <ryan@sleevi.com> Reply to: <ryan@sleevi.com> Date: Sunday, 28 February 2021 at 20:52 To: Stefan Santesson <stefan@aaa-sec.com> Cc: IETF PKIX <pkix@ietf.org> Subject: Re: [pkix] Authorised responders OCSP and id-kp-OCSPSigning On Sun, Feb 28, 2021 at 2:27 PM Stefan Santesson <stefan@aaa-sec.com> wrote: Came across this question on OCSP where I wander how various implementers chose to interpret the requirements. And shamefully I can’t recall how we thought when we published this. The text says that a CA can choose to either: Sign the OCSP response itself, or Explicitly delegate OCSP signing to another entity It then states that delegation SHALL be indicated by inclusion of the id-kp-OCSPSigning extended key usage So, as I read this, the id-kp-OCSPSigning extended key usage is NOT required if the CA issues OCSP responses itself using the same key as was used to sign the certificate. This because there is no delegation taking place. So I wander: Do people here agree with my interpretation Do implementations in general agree with this interpretation, or do they all enforce id-kp-OCSPSigning always? As worded, no to both. This may seem like a minor nit, but is an incredibly important and meaningful detail: it's not sufficient to say "same key", because that allows for (implicitly) the existence of a responder certificate that shares the same key, but otherwise different attributes, than the issuing CA. If you meant "OCSP response directly signed by the CA certificate that signed the certificate being verified", then yes, there is no need for id-kp-OCSPSigning on the issuing CA certificate. I realize that keys sign, not certificates, but for purposes of this discussion, I mean the same (DN+SPKI) tuple, with the same X.509 issuer, serialNumber, and attributes as used to issue the certificate (i.e. the same certificate). Given the recent confusion around intermediate/subordinate and the somewhat confused attempt to read organization distinctions rather than technical into terms like "CA", it seems an important bit to correct, to make sure we're talking about the same thing, unambiguously. As to your second question, the answer is that there is significant divergence in what attributes are seen as essential with a directly-delegated responder (i.e. a certificate directly signed by the CA certificate that issued the certificate being verified). I am not aware of implementations that enforce id-kp-OCSPSigning always when the OCSP response is directly signed by the issuing CA certificate of the certificate being verified, but whether or not implementations consistently enforce id-kp-OCSPSigning, or require other, additional properties (e.g. the absence of a basicConstraints/the cA boolean being false, the presence of certain keyUsage attributes, direct-or-transitively signed) varies for those responses-issued-by-a-responder-issued-by-the-issuing-CA. There is further variance for when systems allow local policy to locally configure responder certificates (i.e. without the CAs direct knowledge/participation/issuance), as this is expanded upon in RFC 6960, 4.2.2.2. From the RFC 6960 perspective, such locally configured responders are not required to present the EKU, but implementations may vary and otherwise require it.
- [pkix] Authorised responders OCSP and id-kp-OCSPS… Stefan Santesson
- Re: [pkix] Authorised responders OCSP and id-kp-O… Joel Kazin
- Re: [pkix] Authorised responders OCSP and id-kp-O… Ryan Sleevi
- Re: [pkix] Authorised responders OCSP and id-kp-O… Stefan Santesson
- Re: [pkix] Authorised responders OCSP and id-kp-O… Santosh Chokhani