Re: [pkix] Authorised responders OCSP and id-kp-OCSPSigning
Ryan Sleevi <ryan-ietf@sleevi.com> Sun, 28 February 2021 20:01 UTC
Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6793B3A1B9F for <pkix@ietfa.amsl.com>; Sun, 28 Feb 2021 12:01:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.501
X-Spam-Level:
X-Spam-Status: No, score=0.501 tagged_above=-999 required=5 tests=[FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C8CcIuRk2tQz for <pkix@ietfa.amsl.com>; Sun, 28 Feb 2021 12:01:53 -0800 (PST)
Received: from mail-pl1-f175.google.com (mail-pl1-f175.google.com [209.85.214.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B6833A1B22 for <pkix@ietf.org>; Sun, 28 Feb 2021 12:01:53 -0800 (PST)
Received: by mail-pl1-f175.google.com with SMTP id d11so8589157plo.8 for <pkix@ietf.org>; Sun, 28 Feb 2021 12:01:53 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=E9GeJLJNAwKMD0Q2SiqCt7IADM3M/ixpKXLzT8iZXuk=; b=h+EX8lYTHhp6A6eRnvkuMqeppC8pQBtR/eChzjn8GvVLSfi7jCUUbC+At+PCZwnhR2 g55dMqBJnLkJotFdY0whK1XEFtOaMba1haaQ3EQ+deNv7B64tJwGDX9ohW7aAZrPzhE+ dehVatVnzv7G1PWFd4jNkCkX/V4LHQI4x0vswiRvjUzYYr6YyqE4exVJrFtKolhLPlQc S/QeIJHPMBm6X4zXNvD+CDTDJhUk/mLRY3RLJJZAoUBqFEf83VOXki3V3jaYP2JyqdK+ G5SniXwzTmnpfA1+KiuElgHr2MAL5f3qhlCqQ8B0lfvYHh56rYyeo221xTJvqUAebEGM Ji+w==
X-Gm-Message-State: AOAM5312D46msmK7bmJ+Y9SHssG0HmcPZZryflMyrL7HfgznvgMjQVtN l/8HlhVCO8EiqRqqaDJHytjLHebumr8=
X-Google-Smtp-Source: ABdhPJw9iqquVcOs1H28n7lyZnS7qfh2kcsE4zIQ5KOMHCSZlvgTiMTOBncxBZirqdyodReBk5Zjwg==
X-Received: by 2002:a17:90a:1485:: with SMTP id k5mr13689831pja.103.1614542512081; Sun, 28 Feb 2021 12:01:52 -0800 (PST)
Received: from mail-pf1-f180.google.com (mail-pf1-f180.google.com. [209.85.210.180]) by smtp.gmail.com with ESMTPSA id iq6sm5595885pjb.31.2021.02.28.12.01.51 for <pkix@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 28 Feb 2021 12:01:51 -0800 (PST)
Received: by mail-pf1-f180.google.com with SMTP id t29so10067608pfg.11 for <pkix@ietf.org>; Sun, 28 Feb 2021 12:01:51 -0800 (PST)
X-Received: by 2002:a65:6415:: with SMTP id a21mr11226688pgv.70.1614542511724; Sun, 28 Feb 2021 12:01:51 -0800 (PST)
MIME-Version: 1.0
References: <66550DC7-EE88-4F56-B491-03C6D3249720@aaa-sec.com>
In-Reply-To: <66550DC7-EE88-4F56-B491-03C6D3249720@aaa-sec.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Sun, 28 Feb 2021 15:01:42 -0500
X-Gmail-Original-Message-ID: <CAErg=HGtY-K19C2TvD7VgO8jOmb6n+-yzAo07hEAxCXWDei1aw@mail.gmail.com>
Message-ID: <CAErg=HGtY-K19C2TvD7VgO8jOmb6n+-yzAo07hEAxCXWDei1aw@mail.gmail.com>
To: Stefan Santesson <stefan@aaa-sec.com>
Cc: IETF PKIX <pkix@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e2ddcd05bc6af871"
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/f2LVFAWx6z6LF63kR-jvmIQ-MGU>
Subject: Re: [pkix] Authorised responders OCSP and id-kp-OCSPSigning
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Feb 2021 20:01:54 -0000
On Sun, Feb 28, 2021 at 2:27 PM Stefan Santesson <stefan@aaa-sec.com> wrote: > Came across this question on OCSP where I wander how various implementers > chose to interpret the requirements. > > And shamefully I can’t recall how we thought when we published this. > > > > The text says that a CA can choose to either: > > > > - Sign the OCSP response itself, or > - Explicitly delegate OCSP signing to another entity > > > > It then states that delegation SHALL be indicated by inclusion of the > id-kp-OCSPSigning extended key usage > > > > So, as I read this, the id-kp-OCSPSigning extended key usage is NOT > required if the CA issues OCSP responses itself using the same key as was > used to sign the certificate. > > This because there is no delegation taking place. > > > > So I wander: > > > > 1. Do people here agree with my interpretation > 2. Do implementations in general agree with this interpretation, or do > they all enforce id-kp-OCSPSigning always? > > As worded, no to both. This may seem like a minor nit, but is an incredibly important and meaningful detail: it's not sufficient to say "same key", because that allows for (implicitly) the existence of a responder certificate that shares the same key, but otherwise different attributes, than the issuing CA. If you meant "OCSP response directly signed by the CA certificate that signed the certificate being verified", then yes, there is no need for id-kp-OCSPSigning on the issuing CA certificate. I realize that keys sign, not certificates, but for purposes of this discussion, I mean the same (DN+SPKI) tuple, with the same X.509 issuer, serialNumber, and attributes as used to issue the certificate (i.e. the same certificate). Given the recent confusion around intermediate/subordinate and the somewhat confused attempt to read organization distinctions rather than technical into terms like "CA", it seems an important bit to correct, to make sure we're talking about the same thing, unambiguously. As to your second question, the answer is that there is significant divergence in what attributes are seen as essential with a directly-delegated responder (i.e. a certificate directly signed by the CA certificate that issued the certificate being verified). I am not aware of implementations that enforce id-kp-OCSPSigning always when the OCSP response is directly signed by the issuing CA certificate of the certificate being verified, but whether or not implementations consistently enforce id-kp-OCSPSigning, or require other, additional properties (e.g. the absence of a basicConstraints/the cA boolean being false, the presence of certain keyUsage attributes, direct-or-transitively signed) varies for those responses-issued-by-a-responder-issued-by-the-issuing-CA. There is further variance for when systems allow local policy to locally configure responder certificates (i.e. without the CAs direct knowledge/participation/issuance), as this is expanded upon in RFC 6960, 4.2.2.2. From the RFC 6960 perspective, such locally configured responders are not required to present the EKU, but implementations may vary and otherwise require it.
- [pkix] Authorised responders OCSP and id-kp-OCSPS… Stefan Santesson
- Re: [pkix] Authorised responders OCSP and id-kp-O… Joel Kazin
- Re: [pkix] Authorised responders OCSP and id-kp-O… Ryan Sleevi
- Re: [pkix] Authorised responders OCSP and id-kp-O… Stefan Santesson
- Re: [pkix] Authorised responders OCSP and id-kp-O… Santosh Chokhani