Re: [pkix] New draft-ietf-pkix-rfc2560bis-06
Denis Pinkas <denis.pinkas@bull.net> Mon, 22 October 2012 14:53 UTC
Return-Path: <denis.pinkas@bull.net>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36D6421F8BDB for <pkix@ietfa.amsl.com>; Mon, 22 Oct 2012 07:53:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.556
X-Spam-Level:
X-Spam-Status: No, score=-4.556 tagged_above=-999 required=5 tests=[AWL=0.808, BAYES_00=-2.599, HELO_EQ_FR=0.35, HTML_FONT_FACE_BAD=0.884, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ouwZj0CG7EfN for <pkix@ietfa.amsl.com>; Mon, 22 Oct 2012 07:53:50 -0700 (PDT)
Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by ietfa.amsl.com (Postfix) with ESMTP id 3577F21F8BD2 for <pkix@ietf.org>; Mon, 22 Oct 2012 07:53:50 -0700 (PDT)
Received: from MSGC-007.bull.fr (unknown [129.184.87.136]) by odin2.bull.net (Bull S.A.) with ESMTP id 97ACE1C37A; Mon, 22 Oct 2012 16:53:49 +0200 (CEST)
Received: from [127.0.0.1] ([129.184.39.15]) by MSGC-007.bull.fr (Lotus Domino Release 8.5.3FP1) with ESMTP id 2012102216534812-1596 ; Mon, 22 Oct 2012 16:53:48 +0200
Message-ID: <50855DFB.1060704@bull.net>
Date: Mon, 22 Oct 2012 16:53:47 +0200
From: Denis Pinkas <denis.pinkas@bull.net>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20120907 Thunderbird/15.0.1
MIME-Version: 1.0
To: Ryan Hurst <ryan.hurst@globalsign.com>
References: <CCAA01E3.51B2A%stefan@aaa-sec.com> <50855225.1030202@bull.net> <DE55B1AD-3B86-4CD7-A304-1E40CBD3B722@globalsign.com>
In-Reply-To: <DE55B1AD-3B86-4CD7-A304-1E40CBD3B722@globalsign.com>
X-MIMETrack: Itemize by SMTP Server on MSGC-007/SRV/BULL(Release 8.5.3FP1|March 07, 2012) at 22/10/2012 16:53:48, Serialize by Router on MSGC-007/SRV/BULL(Release 8.5.3FP1|March 07, 2012) at 22/10/2012 16:53:49, Serialize complete at 22/10/2012 16:53:49
X-TNEFEvaluated: 1
Content-Type: multipart/alternative; boundary="------------060306080803010402030907"
Cc: pkix <pkix@ietf.org>
Subject: Re: [pkix] New draft-ietf-pkix-rfc2560bis-06
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Oct 2012 14:53:52 -0000
Ryan, Given your argumentation, let us go for "revoked", rather than "unknown ". However, adding a note in the draft to record why this choice was made might be useful. Denis > Though I prefer the Unknown approach today all OCSP capable browsers > other than Opera ignore Unknown OCSP responses. > > Given the arguable limited value of changing the response definitions > at all it seems accommodating this seems the most prudent approach. > > This is why the CABFORUM accepted the revoked response approach even > though it is not as pure. > > Sent from my iPhone > > On Oct 22, 2012, at 7:03 AM, Denis Pinkas <denis.pinkas@bull.net > <mailto:denis.pinkas@bull.net>> wrote: > >> To the PKIX list: >> >>   Without changing the meaning of "good" and of either "revoked" or >>   "unknown", it is not possible to address the case of what is >>    presently called "non-issued certificates". >> >> The current text from RFC 2560 is: >> >>   "The "good" state indicates a positive response to the state >> inquiry. >>   At a minimum, this positive response indicates that the certificate >>   is not revoked, but does not necessarily mean that the certificate >>   was ever issued or that the time at which the response was produced >>   is within the certificate's validity interval. Response extensions >>   may be used to convey additional information on assertions made by >>   the responder regarding the state of the certificate such as >>   positive statement about issuance, validity, etc. >> >>   The "revoked" state indicates that the certificate has been revoked >>   (either permanantly or temporarily (on hold)). >> >>   The "unknown" state indicates that the responder doesn't know about >>   the certificate being requested". >> >> >>   A minor change should be done to advertise that "good" may be >>   returned when the certificate was never issued and CRLs are being >>   used. >> >> >> Replacement text for the definition of the "good" state: >> >>   "The "good" state indicates a positive response to the state >> inquiry. >>   At a minimum, this positive response indicates that the certificate >>   is not revoked, but does not necessarily mean that the certificate >>   was ever issued *(e.g. when CRLs are used by the OCSP responders)* >>  or that the time at which the response was produced is within the >>   certificate's validity interval. Response extensions may be used >>   to convey additional information on assertions made by the OCSP >>   responder regarding the state of the certificate such as *an ** >> **  indication that the OCSP responder has a direct access to the ** >> **  database of issued certificates*, validity, etc ... " >> >>   Then either the meaning of "rekoved" or of "unknown" needs to be >>   changed. >> >>   draft-ietf-pkix-rfc2560bis-06 attempts to address the issue and >>   proposes to keep the meaning of "unknown" unchanged and to change >>   the meaning of "revoked" in the following way: >> >>   "The "revoked" state indicates that the certificate has been revoked >>   (either permanently or temporarily (on hold)). This state SHOULD >> also >>   be returned if the responder *knows that the requested >> certificate has ** >> **  never been issued*. Note that the receiver of a response may >> have to >>   consult out-of-band knowledge, or information in an extension >> defined >>   outside of this standard, to know whether a particular responder has >>   knowledge about whether a requested certificate has been issued or >>   not and whether it responds "good" or "revoked" to a state request >>   for a non-issued certificate". >> >>   There is a door opened for a future extension "to know whether a >>   particular responder has knowledge about whether a requested >>   certificate has been issued or not". >> >>   However, the extension proposed in >> draft-pinkas-2560bis-certinfo-00.txt, >>   carries a slightly different meaning: >> >>      - an indication that the serial number of the target >>        certificate is not present in the database, >> >> *Saying that the certificate has not been issued is not fully >> appropriate.* >> >> The text should be modified in the following way: >> >>   "The "revoked" state indicates that the certificate has been >> revoked >>   (either permanently or temporarily (on hold)). This state SHOULD >>   also be returned if the responder *has an access to the database >>   of **issued certificates and if the serial number of the target ** >> **  certificate is not present in that database. * >> >>   *In this case, the "revoked" state indicates either that the ** >> **  certificate has never been issued or that it has been issued >> but ** >> **  subsequently removed (by an attack or by accident) from the >>   database **of issued certificates.* >> >>   Response extensions may be used to convey additional information >>   on assertions made by the OCSP responder regarding the state >> of the >>   certificate such as *an **indication that the OCSP responder has >>   a direct access to the **database of issued certificates*, >> validity, etc ... " >> >> An alternative is to keep the meaning of "revoked" and to change >> the meaning of "unknown" in the following way: >> >>   "The "unknown" status indicates either that the server doesn't know >>   about the certificate being requested *or the revocation status >>   of the certificate being requested* >> >>   Response extensions may be used to convey additional information >>   on assertions made by the OCSP responder regarding the state >> of the >>   certificate such as *an **indication that the OCSP responder has >>   a direct access to the **database of issued certificates*, >> validity, etc ..." >> >> There are pros and cons for each alternative. If the meaning of >> "revoked" >> is changed it is also necessary to say what should be the values of both >> revocationTime and revocationReason: >> >>   CertStatus ::= CHOICE { >>       good       [0]    IMPLICIT NULL, >>       revoked    [1]    IMPLICIT RevokedInfo, >>       unknown    [2]    IMPLICIT UnknownInfo } >> >>   RevokedInfo ::= SEQUENCE { >>       revocationTime             GeneralizedTime, >>       revocationReason   [0]    EXPLICIT CRLReason >>                                   >> OPTIONAL } >> >>   UnknownInfo ::= NULL >> >> CRLReason is imported from PKIX1Implicit88 { iso(1) >> identified-organization(3) >> dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) >> id-pkix1-implicit(19) } >> >> CRLReason is defined in RFC 5280 as: >> >>   CRLReason ::= ENUMERATED { >>        unspecified            (0), >>        keyCompromise          (1), >>        cACompromise           (2), >>        affiliationChanged     (3), >>        superseded             (4), >>        cessationOfOperation   (5), >>        certificateHold        (6), >>             -- value 7 is not used >>        removeFromCRL          (8), >>        privilegeWithdrawn     (9), >>        aACompromise          (10) } >> >> >> For the revocationTime should we use the content of notBefore field >> from the certificate ? >> >> For the revocationReason should we use unspecified or keyCompromise ? >> >> In any case, guidance should be given. >> >> Although I understand that changing the meaning of "revoked" may be >> seen as "safer" >> for old implemenations, changing the meaning of "unknown" also seems >> to be a reasonable alternative. >> >> In this case, it might be useful (and sufficient) to say that if an >> OCSP responder is authoritative >> for the target certificate, then the OCSP client SHOULD NOT use an >> alternative source >> of revocation information like CRLs. >> >> Denis >> >> >>> In line; >>> >>> From: Piyush Jain <piyush@ditenity.com <mailto:piyush@ditenity.com>> >>> Date: Sunday, October 21, 2012 7:42 PM >>> To: Stefan Santesson <stefan@aaa-sec.com >>> <mailto:stefan@aaa-sec.com>>, 'Peter Rybar' <rybar@nbusr.sk >>> <mailto:rybar@nbusr.sk>>, 'Carl Wallace' <carl@redhoundsoftware.com >>> <mailto:carl@redhoundsoftware.com>>, 'Simon Tardell' >>> <simon@tardell.se <mailto:simon@tardell.se>> >>> Cc: 'Peter Rybar' <peterryb@gmail.com <mailto:peterryb@gmail.com>>, >>> <pkix@ietf.org <mailto:pkix@ietf.org>> >>> Subject: RE: [pkix] New draft-ietf-pkix-rfc2560bis-06 >>> >> _______________________________________________ >> pkix mailing list >> pkix@ietf.org <mailto:pkix@ietf.org> >> https://www.ietf.org/mailman/listinfo/pkix
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Denis Pinkas
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Simon Tardell
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Denis Pinkas
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Denis Pinkas
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Simon Tardell
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Simon Tardell
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Denis Pinkas
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Peter Rybar
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- [pkix] Straw-poll on OCSP responses for non-revok… Stefan Santesson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Yngve Nysaeter Pettersen
- Re: [pkix] Straw-poll on OCSP responses for non-r… Yoav Nir
- Re: [pkix] Straw-poll on OCSP responses for non-r… Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Miller, Timothy J.
- Re: [pkix] Straw-poll on OCSP responses for non-r… David Chadwick
- Re: [pkix] Straw-poll on OCSP responses for non-r… Art Allison
- Re: [pkix] Straw-poll on OCSP responses for non-r… Miller, Timothy J.
- Re: [pkix] Straw-poll on OCSP responses for non-r… Santosh Chokhani
- Re: [pkix] Straw-poll on OCSP responses for non-r… Erwann Abalea
- Re: [pkix] Straw-poll on OCSP responses for non-r… Yoav Nir
- Re: [pkix] Straw-poll on OCSP responses for non-r… Peter Rybar
- Re: [pkix] Straw-poll on OCSP responses for non-r… Paul Hoffman
- Re: [pkix] Straw-poll on OCSP responses for non-r… Juan Gonzalez
- Re: [pkix] Straw-poll on OCSP responses for non-r… Max Pritikin (pritikin)
- Re: [pkix] Straw-poll on OCSP responses for non-r… Simon Tardell
- Re: [pkix] Straw-poll on OCSP responses for non-r… Carl Wallace
- Re: [pkix] Straw-poll on OCSP responses for non-r… Paul Hoffman
- Re: [pkix] Straw-poll on OCSP responses for non-r… Rick Robinson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Jeremy Rowley
- Re: [pkix] Straw-poll on OCSP responses for non-r… Melinda Shore
- Re: [pkix] Straw-poll on OCSP responses for non-r… Martin Rex
- Re: [pkix] Straw-poll on OCSP responses for non-r… Russ Housley
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] Straw-poll on OCSP responses for non-r… Tom Ritter
- Re: [pkix] Straw-poll on OCSP responses for non-r… Dr Stephen Henson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Ryan Sleevi
- Re: [pkix] Straw-poll on OCSP responses for non-r… Johannes Merkle
- Re: [pkix] Straw-poll on OCSP responses for non-r… Denis Pinkas
- Re: [pkix] Straw-poll on OCSP responses for non-r… Art Allison
- Re: [pkix] Straw-poll on OCSP responses for non-r… Ryan Hurst
- Re: [pkix] Straw-poll on OCSP responses for non-r… Ben Wilson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] Straw-poll on OCSP responses fornon-re… Art Allison
- [pkix] Proposed resolution to non-issued certific… Stefan Santesson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Tom Ritter
- Re: [pkix] Proposed resolution to non-issued cert… Tom Ritter
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… David A. Cooper
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Peter Gutmann
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Phillip Hallam-Baker
- Re: [pkix] Proposed resolution to non-issued cert… David A. Cooper
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Peter Rybar
- Re: [pkix] Proposed resolution to non-issued cert… Simon Tardell
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… David A. Cooper
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Peter Rybar
- Re: [pkix] Proposed resolution to non-issued cert… Simon Tardell
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Martin Rex
- Re: [pkix] Proposed resolution to non-issued cert… Martin Rex
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Martin Rex
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Straw-poll on OCSP responses for non-r… Tom Gindin
- Re: [pkix] Straw-poll on OCSP responses for non-r… Phillip Hallam-Baker