IETF Logo Mail Archive

Re: [pkix] New draft-ietf-pkix-rfc2560bis-06

Stefan Santesson <stefan@aaa-sec.com> Mon, 22 October 2012 22:19 UTC

Return-Path: <stefan@aaa-sec.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D78811E80E1 for <pkix@ietfa.amsl.com>; Mon, 22 Oct 2012 15:19:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.326
X-Spam-Level:
X-Spam-Status: No, score=-101.326 tagged_above=-999 required=5 tests=[AWL=0.923, BAYES_00=-2.599, HELO_EQ_SE=0.35, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RYvtNeCD2xDP for <pkix@ietfa.amsl.com>; Mon, 22 Oct 2012 15:19:21 -0700 (PDT)
Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id A02C111E809C for <pkix@ietf.org>; Mon, 22 Oct 2012 15:19:20 -0700 (PDT)
Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id 8F5381D399 for <pkix@ietf.org>; Tue, 23 Oct 2012 00:19:07 +0200 (CEST)
X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se
Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id QG8UxFYT3TmJ for <pkix@ietf.org>; Tue, 23 Oct 2012 00:19:07 +0200 (CEST)
Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 2EA4A1D1A4 for <pkix@ietf.org>; Tue, 23 Oct 2012 00:19:07 +0200 (CEST)
Received: (qmail 67334 invoked from network); 22 Oct 2012 22:19:06 -0000
Received: from gw.aaa-sec.ideon.se (HELO [192.168.1.214]) (stefan@fiddler.nu@[85.235.7.89]) (envelope-sender <stefan@aaa-sec.com>) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for <mrex@sap.com>; 22 Oct 2012 22:19:06 -0000
User-Agent: Microsoft-MacOutlook/14.2.4.120824
Date: Tue, 23 Oct 2012 00:19:04 +0200
From: Stefan Santesson <stefan@aaa-sec.com>
To: mrex@sap.com, Simon Tardell <simon@tardell.se>
Message-ID: <CCAB91F7.51E21%stefan@aaa-sec.com>
Thread-Topic: [pkix] New draft-ietf-pkix-rfc2560bis-06
In-Reply-To: <20121022215319.55EC71A2EB@ld9781.wdf.sap.corp>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Cc: Peter Rybar <peterryb@gmail.com>, pkix@ietf.org
Subject: Re: [pkix] New draft-ietf-pkix-rfc2560bis-06
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Oct 2012 22:19:21 -0000

Martin,

What you say here makes sense to me.

I do in particular support the 1 jan 1970 time as it is the time zero
point for may Date formats.

/Stefan

On 10/22/12 11:53 PM, "Martin Rex" <mrex@sap.com> wrote:

>Simon Tardell wrote:
>>
>> I suggest that we use your current text plus that, if "revoked" is used
>> to say "never issued/not in database", the revocationReason should be
>> certificateHold and that revocationTime should be set to midnight Jan 1
>> 1950 (or some other time before the rise of PKI).
>
>I support the "revoked, ReasonCode=CertificateHold" for OCSP responders
>that can not find proof/indication that the cert in question was properly
>issued.
>
>The CertificateHold reason code is vitally important, because otherwise
>the CA would have to keep track of OCSP responses given out from the
>CA's OCSP responder that declared a serial as "permanently revoked"
>in order to ensure that the CA will never issue a cert with that serial
>in the future.  Looks like an unnecessary and easily avoidable burden to
>me.
>
>
>I don't like the particular date Jan 1, 1950, for safety, a date >= 1970
>ought to be chosen (so that it does not get negative when converted
>to time_t, which has potential to confuse some code).
>
>And since the timestamp is a GeneralizedTime, the date ought to be
>given in exactly that format, e.g.  "700101010101Z"
>
>
>What also should be noted is that the optional OCSP
>SingleResponseExtension
>"CrlID" must not be used when this "not issued" certificate was not
>conveyed through a CRL--and there currently is no means to convey
>proof-of-cert-existence through CRLs unless they're revoked, and in the
>latter case there would be no "not issued" OCSP response to convey.
>
>
>> 
>> On the other hand, I think we should consider Denis' comment:
>> 
>> *Saying that the certificate has not been issued is not fully
>>appropriate.*
>
>
>I believe it is very inappropriate for the spec to make any assumptions
>about why exactly the OCSP responder believes that a cert (serial) has not
>ever been issued.  The reason can be manyfold.  Besides an accidental or
>fraudulent deletion (attack), it may be something as simple as a
>database software bug.
>
>What we might want to say is that failures to access the database
>of issued certs ought to result in an unknown rather than revoked
>OCSP response.
>
>The records of issuance, that the OCSP responder has access to,
>need not contain the whole certificate.  The information may be
>limited to serial numbers of issued certificates, and it SHOULD
>include a hash of the cert (at least SHA-1, preferably SHA-256 as well).
>In particular, the OCSP responder may not have access to the
>validity of issued certs or any other certificate characteristics or
>certificate attributes.
>
>
>-Martin

v2.23.0 | Report a Bug | By Email