Re: [pkix] Straw-poll on OCSP responses for non-revoked certificates.

Denis Pinkas <denis.pinkas@bull.net> Wed, 31 October 2012 11:46 UTC

Message-ID: <50910F9E.6000703@bull.net>
Date: Wed, 31 Oct 2012 12:46:38 +0100
From: Denis Pinkas <denis.pinkas@bull.net>
To: pkix@ietf.org
References: <CCB55CA3.52588%stefan@aaa-sec.com>
In-Reply-To: <CCB55CA3.52588%stefan@aaa-sec.com>

Response #3: status: unknown

Response #1 would also be acceptable, but as a second choice.

Quick explanation: "unknown" is the right status.


If the OCSP client verifies that the response is from an authorized responder for the CA which has issued the certificate: unknown is a definite response and is safe (no other mechanism SHALL be used).

On the contrary, if the OCSP client does not verify that the response is from an authorized responder for the CA which has issued the certificate, then another mechanism will be used: either another OCSP server or CRLs.


If CRLs are used, "revoked" is safer, but it is semantically incorrect. 
So a change in its semantics would be mandatory.

The problem is that the change should be "revoked or unknown" which may 
be rather confusing.
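The check the message turns on (is this response from an authorized responder for the CA that issued the certificate?) and the policy that follows from it, as an added example written for this page in Go; it is not code from the original post or from the PKIX working group. It builds a throwaway PKI with the standard library (the names "Example CA", "Other CA", "server.example" and the serial numbers are constructed test data), assumes the response signature has already been verified against the responder certificate carried in the response, as an OCSP library does before handing over the signer, and leaves out the third case RFC 2560 section 4.2.2.2 allows, a responder the client trusts by local configuration. The negative cases are the two a client most often gets wrong: a genuine OCSP responder certificate issued by a different CA, and a certificate issued by the right CA that lacks id-kp-OCSPSigning (here the target certificate vouching for itself).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Authorized applies RFC 2560 section 4.2.2.2 (unchanged in RFC 6960): a response
// counts only if its signer is the CA that issued the target certificate, or a
// responder whose own certificate that same CA issued directly with the
// id-kp-OCSPSigning extended key usage. The response signature is assumed to
// have been verified against signer already; this checks who signer is.
func Authorized(signer, issuingCA *x509.Certificate) error {
	if signer.Equal(issuingCA) {
		return nil // the issuing CA signed the response itself
	}
	if err := signer.CheckSignatureFrom(issuingCA); err != nil {
		return fmt.Errorf("responder certificate not issued by the target's CA: %w", err)
	}
	for _, eku := range signer.ExtKeyUsage {
		if eku == x509.ExtKeyUsageOCSPSigning {
			return nil // delegated responder designated by the issuing CA
		}
	}
	return errors.New("certificate issued by the CA but not marked for OCSP signing")
}

// Decide is the relying-party policy argued for above: a status from an authorized
// responder is definitive, "unknown" included, so the client stops there; anything
// else is not an answer, and only then is another responder or a CRL consulted.
func Decide(status string, signer, issuingCA *x509.Certificate) string {
	if err := Authorized(signer, issuingCA); err != nil {
		return "fallback"
	}
	return status // "good", "revoked" or "unknown", each final
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a certificate with a fresh P-256 key: ca marks a signing CA, ocsp a
// delegated OCSP responder; a nil parent means self-signed. Constructed test data.
func issue(cn string, serial int64, ca, ocsp bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	if ocsp {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}
	}
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, signer = t, k
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &k.PublicKey, signer)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c, k
}

// Scenario builds a throwaway PKI and returns the decision for each kind of
// response a client might receive about server.example.
func Scenario() map[string]string {
	ca, caKey := issue("Example CA", 1, true, false, nil, nil)
	other, otherKey := issue("Other CA", 1, true, false, nil, nil)
	ee, _ := issue("server.example", 2, false, false, ca, caKey)
	resp, _ := issue("Example CA OCSP Responder", 3, false, true, ca, caKey)
	otherResp, _ := issue("Other CA OCSP Responder", 3, false, true, other, otherKey)
	return map[string]string{
		"issuing CA says good":             Decide("good", ca, ca),
		"delegated responder says unknown": Decide("unknown", resp, ca),
		"delegated responder says revoked": Decide("revoked", resp, ca),
		"other CA's responder says good":   Decide("good", otherResp, ca),
		"target cert vouches for itself":   Decide("good", ee, ca),
	}
}

func main() {
	for k, v := range Scenario() {
		fmt.Printf("%-34s -> %s\n", k, v)
	}
}
```

The ordering in Decide is the point of the message: the authorization check runs before the status is even looked at, so "unknown" from an authorized responder is returned as a final answer and never triggers a CRL lookup, while a "good" from the other CA's perfectly valid responder is discarded as if no response had arrived. A client that skips Authorized and keys only on the status field is the one the message describes as ending up at "another OCSP server or CRLs".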