IETF Logo Mail Archive

RE: OCSP Algorithm Agility

Paul Hoffman <paul.hoffman@vpnc.org> Fri, 21 September 2007 21:24 UTC

Return-path: <owner-ietf-pkix@mail.imc.org>
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IYpzK-0001LD-9t for pkix-archive@lists.ietf.org; Fri, 21 Sep 2007 17:24:38 -0400
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IYpzF-0007dB-0H for pkix-archive@lists.ietf.org; Fri, 21 Sep 2007 17:24:34 -0400
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l8LKcsWn089815 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 21 Sep 2007 13:38:54 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id l8LKcsG8089814; Fri, 21 Sep 2007 13:38:54 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from [165.227.249.200] (adsl-66-125-125-65.dsl.pltn13.pacbell.net [66.125.125.65]) (authenticated bits=0) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id l8LKcgnf089788 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 21 Sep 2007 13:38:43 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0
Message-Id: <p06240814c319da7d9330@[165.227.249.200]>
In-Reply-To: <p0624050dc319b62dedaf@[128.89.89.71]>
References: <2788466ED3E31C418E9ACC5C3166155703DF57@mou1wnexmb09.vcorp.ad.vrsn.com> <p0624080ec319a977190d@[165.227.249.200]> <p0624050dc319b62dedaf@[128.89.89.71]>
Date: Fri, 21 Sep 2007 13:38:39 -0700
To: Stephen Kent <kent@bbn.com>, ietf-pkix@imc.org
From: Paul Hoffman <paul.hoffman@vpnc.org>
Subject: RE: OCSP Algorithm Agility
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 9182cfff02fae4f1b6e9349e01d62f32

At 2:07 PM -0400 9/21/07, Stephen Kent wrote:
>How about defining an extension to be included in the cert issued to 
>an OCSP responder by a CA.  The extension would have an ordered list 
>of algorithms (hash and signature if we want to address more than 
>the hash agility issue) accepted by the OCSP responder.  An OCSP 
>client can use this info to determine what is the "best" algorithm 
>(or alg pair) that it and the responder share. The combination of 
>this extension and an OCSP negotiation procedure will allow the 
>client to detect MITM downgrade attacks. In fact, if the client 
>acquires the responder's cert prior to making a request, there would 
>not even be a need for real negotiation, since the client would know 
>what alg to request in a response.

Imagine the list of algorithms is RSA-with-SHA1 first and 
DSA-with-SHA1 second. How does your negotiation work? The client asks 
for this message to be signed with RSA-with-SHA1. But the server 
knows that RSA-with-SHA1 has been compromised since it got that 
certificate from the CA. What does the server say to the client to 
indicate that it only wants to sign with DSA-with-SHA1? What prevents 
Mallory from saying the same thing to the client?

--Paul Hoffman, Director
--VPN Consortium

v2.23.0 | Report a Bug | By Email