IETF Logo Mail Archive

Re: [pkix] New draft-ietf-pkix-rfc2560bis-06

Simon Tardell <simon@tardell.se> Mon, 22 October 2012 14:35 UTC

Return-Path: <simon@tardell.se>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37F0A21F8BA5 for <pkix@ietfa.amsl.com>; Mon, 22 Oct 2012 07:35:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.976
X-Spam-Level:
X-Spam-Status: No, score=-2.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oI0opUWHHIFH for <pkix@ietfa.amsl.com>; Mon, 22 Oct 2012 07:35:22 -0700 (PDT)
Received: from mail-qa0-f51.google.com (mail-qa0-f51.google.com [209.85.216.51]) by ietfa.amsl.com (Postfix) with ESMTP id E767021F8B6C for <pkix@ietf.org>; Mon, 22 Oct 2012 07:35:21 -0700 (PDT)
Received: by mail-qa0-f51.google.com with SMTP id j40so1287550qab.10 for <pkix@ietf.org>; Mon, 22 Oct 2012 07:35:21 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=QBhm9I71wcknnVsd8eHmxf6l6Pq/GyGPs4On89lvpj4=; b=KUV7J527CXA3kk/q4DpjjQLgTTaSjHP+5WAMnvdvoOzZ6oWdJp9w3r8D6my5XPBQxn 1+7Hii06HCIoNc/MTX1Bpg4fnpLPHXjte2LEzwXwp1lknZFkMSDQ+qA+XGHgWPkcEEpM 70ygB3XaHMFokBNUHWjQvXIeUa1t+i9EHArnoKAlTmgeD2uDg3/NQ0g6W3CgiLstFaz9 aH+BQA967zPRr3kreJwWax4a9GwOXsyy0wv4/aIbIyEzQWgEEHA0sCLRWIA3VfqPbDUP 27B7UCSQi+6Eru6KvQ+sZNTRZ+XJE4eS6XlXgqoApZLWuBKIv13lUd5XtU2wyGA3X23B VaOA==
MIME-Version: 1.0
Received: by 10.49.127.115 with SMTP id nf19mr5014122qeb.36.1350916521191; Mon, 22 Oct 2012 07:35:21 -0700 (PDT)
Received: by 10.49.94.116 with HTTP; Mon, 22 Oct 2012 07:35:21 -0700 (PDT)
In-Reply-To: <50855225.1030202@bull.net>
References: <CCAA01E3.51B2A%stefan@aaa-sec.com> <50855225.1030202@bull.net>
Date: Mon, 22 Oct 2012 16:35:21 +0200
Message-ID: <CANkYYy6HF-9pT94uwAUFHa619b4xWydBani0xRtcMKAeYMnhhQ@mail.gmail.com>
From: Simon Tardell <simon@tardell.se>
To: Denis Pinkas <denis.pinkas@bull.net>
Content-Type: multipart/alternative; boundary="047d7b5d58d25deaae04cca6c3ee"
X-Gm-Message-State: ALoCoQnVGPG5FoUGL3lgm+sbPac/iAGJzq/7yx3UD75+I8kL6iRGeDCCRpAuX1UGREHBh+IHNhv8
Cc: pkix@ietf.org
Subject: Re: [pkix] New draft-ietf-pkix-rfc2560bis-06
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Oct 2012 14:35:23 -0000

>  If the meaning of "revoked"
> is changed it is also necessary to say what should be the values of both
> revocationTime and revocationReason:
>
[…]


> CRLReason is defined in RFC 5280 as:
>
>    CRLReason ::= ENUMERATED {
>         unspecified             (0),
>         keyCompromise           (1),
>         cACompromise            (2),
>         affiliationChanged      (3),
>         superseded              (4),
>         cessationOfOperation    (5),
>         certificateHold         (6),
>              -- value 7 is not used
>         removeFromCRL           (8),
>         privilegeWithdrawn      (9),
>         aACompromise           (10) }
>
>
For the revocationTime should we use the content of notBefore field from the
> certificate ?
>

The certificate that was not issued could have any time. It is also not
seen by the responder. The reasonable revocationTime would be "the
beginning of time". Any time which is before any reasonable issuance time
of any certificate in the PKI would do. The issuance time of the issuing CA
would do, or for that matter the battle of Hastings.


> For the revocationReason should we use unspecified or keyCompromise ?
>

revocationReason must be certificateHold, since, in principle, the
certificate may be issued at a later point in time. If a key was
compromised, it would be the CA key, not the key that the certificate.

>

> In any case, guidance should be given.
>
> Although I understand that changing the meaning of "revoked" may be seen
> as "safer"
> for old implemenations, changing the meaning of "unknown" also seems to be
> a reasonable alternative.
>
> In this case, it might be useful (and sufficient) to say that if an OCSP
> responder is authoritative
> for the target certificate, then the OCSP client SHOULD NOT use an
> alternative source
> of revocation information like CRLs.
>

Which would be putting requirements on the behavior of already existing
OCSP clients out there that we know are not true and are out of the control
of most people setting up PKIs.

Simon Tardell,
Technology Nexus.

v2.23.0 | Report a Bug | By Email