Re: [pkix] Optimizing OCSP - Time for some spec work ?

Peter Gutmann <> Sat, 26 October 2019 11:07 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A6269120048 for <>; Sat, 26 Oct 2019 04:07:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id dq8TKpIYHQZK for <>; Sat, 26 Oct 2019 04:07:21 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1291E12002F for <>; Sat, 26 Oct 2019 04:07:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=mail; t=1572088042; x=1603624042; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=V0dKGsdrt9UzC0dQ6Y1ki20TlLv7CReH7lvmOrpLK0U=; b=eC+UpAsSFFmVHBKjNTJQClMQZoOHsGgQpwi9QbuF45Nyqjkw5XIHQCjc AtwUKSxh7VihSY/elCgaQdfnKzfxCW8FFhONAK9FfvnGsCOxgLgVuFfGr LjgiZviRGw15rSiYMJCA+nUPFaajFsVQJFN5x5JzzE/mu0FdRSQEIoO7M wbInur7gwIo1YS18Uo+LvI/xHsE2Z0AT8NIMDEdRDX8zDHV7UN8Nf24sI slN4wDKIzRQNjtVPdifMveDXYodXhP2u5ioe+ehABvlPKPETKBEvNx03x lV8WbWbE19KKeY5OU3hn9FmwHUPostSM+WgamR5TEyBqbBwcGYT6InaSI g==;
X-IronPort-AV: E=Sophos;i="5.68,232,1569240000"; d="scan'208";a="96225091"
X-Ironport-Source: - Outgoing - Outgoing
Received: from ([]) by with ESMTP/TLS/AES256-SHA; 27 Oct 2019 00:07:17 +1300
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1395.4; Sun, 27 Oct 2019 00:07:15 +1300
Received: from ([]) by ([]) with mapi id 15.00.1395.000; Sun, 27 Oct 2019 00:07:15 +1300
From: Peter Gutmann <>
To: Niklas Matthies <>, "" <>
Thread-Topic: [pkix] Optimizing OCSP - Time for some spec work ?
Thread-Index: AQHVinrq4I5nEcgfh0O9xU1lviUJBKdqnCAD///+JoCAAAZCgIACJUto
Date: Sat, 26 Oct 2019 11:07:15 +0000
Message-ID: <>
References: <> <> <>, <>
In-Reply-To: <>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [pkix] Optimizing OCSP - Time for some spec work ?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PKIX Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 26 Oct 2019 11:07:24 -0000

Niklas Matthies <> writes:

>To make the additional responses optional (controlled by the client), a
>corresponding request extension could be defined. Hence that aspect could be
>covered by specifying a profile of the current OCSP protocol.

You could also do a simpler version where the responder includes an extension
that says "I've checked the entire chain from the cert you requested all the
way up to the root.  You're welcome".  It'd be fully compatible with current
deployments, and if clients are able to process the extension they get extra
value from it.

>OCSP responses are allowed to include additional single responses that
>weren't explicitly requested by the client, see RFC 6960 section last

At one point this was tested and the it was found that the number of
responders/clients who could handle more than one entry per OCSP query and who
hadn't been set up explicitly to work with the Indentrus trust model, which
requires multiple entries, was approximately zero.  So possibly the "I've
verified all the certs up to the root" extension would be easier to get