Changes to the TSP protocol
Denis Pinkas <Denis.Pinkas@bull.net> Tue, 23 January 2001 12:57 UTC
Received: from ns.secondary.com ([208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with SMTP id HAA10038 for <pkix-archive@odin.ietf.org>; Tue, 23 Jan 2001 07:57:02 -0500 (EST)
Received: from localhost (daemon@localhost) by ns.secondary.com (8.9.3/8.9.3) with SMTP id EAA10584; Tue, 23 Jan 2001 04:50:15 -0800 (PST)
Received: by mail.imc.org (bulk_mailer v1.12); Tue, 23 Jan 2001 04:50:12 -0800
Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id EAA10539 for <ietf-pkix@imc.org>; Tue, 23 Jan 2001 04:50:10 -0800 (PST)
Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id OAA35980 for <ietf-pkix@imc.org>; Tue, 23 Jan 2001 14:03:25 +0100
Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id NAA19342 for <ietf-pkix@imc.org>; Tue, 23 Jan 2001 13:55:43 +0100
Message-ID: <3A6D7F51.89FCC107@bull.net>
Date: Tue, 23 Jan 2001 13:55:45 +0100
From: Denis Pinkas <Denis.Pinkas@bull.net>
Organization: Bull
X-Mailer: Mozilla 4.7 [fr] (Win98; I)
X-Accept-Language: fr
MIME-Version: 1.0
To: IETF-PXIX <ietf-pkix@imc.org>
Subject: Changes to the TSP protocol
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Precedence: bulk
List-Archive: http://www.imc.org/ietf-pkix/mail-archive/
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe
Content-Transfer-Encoding: 7bit
Summary of the changes to TSP to produce <draft-ietf-pkix-time-stamp-13.txt> The following changes have been provided in order to respond to several comments raised by Jeff Schiller, our Security Area Director, who has reviewed the document before its presentation to the IESG. Jeff has indicated that these changes were correctly addressing his concerns. 1. What does it mean to be a "known" algorithm ? The current text states the following, which was not precise enough: " The hash algorithm indicated in the hashAlgorithm field MUST be a known hash algorithm (one-way and collision resistant)." The new text is the following (changing a MUST into a SHOULD): The hash algorithm indicated in the hashAlgorithm field SHOULD be a strong hash algorithm. That means that it SHOULD be one-way and collision resistant. The Time Stamp Authority SHOULD check whether or not the given hash algorithm is known to be "sufficient" (based on the current state of knowledge in cryptanalysis and the current state of the art in computational resources, for example). If the TSA does not recognize the hash algorithm or knows that the hash algorithm is weak (a decision left to the discretion of each individual TSA), then the TSA SHOULD refuse to provide the Time Stamp Token. 2. PKIStatus values The current text states the following: " Compliant servers MUST NOT produce any other values. Compliant clients MAY ignore any other values." This would create a problem if other values were added. The new text is the following (changing a MUST into a SHOULD): " Compliant servers SHOULD NOT produce any other values. Compliant clients MUST generate an error if values it does not understand are present." 3. PKIFailureInfo The current text states the following: " These are the only values of PKIFailureInfo that are supported. Compliant servers MUST NOT produce any other values. Compliant clients MAY ignore any other values." As above, this would create a problem if other values were added. The new text is the following (changing a MUST into a SHOULD): " These are the only values of PKIFailureInfo that SHALL be supported. Compliant servers SHOULD NOT produce any other values. Compliant clients MUST generate an error if values it does not understand are present." Note: In order to align the document with RFC1510bis (CMP) an additional error has been added (initial request from Francois Rousseau): systemFailure (25) -- the request cannot be handled due to system failure 4. Big Typo left. The following temporary explanatory text was left and has been deleted. " should read: 'Such syntax, .... to represent time *within* one second, may be used here' (omit 'to')." 5. Removal of Annex C. This annex C which contains the MIME Registrations forms to IANA for timestamp-query and timestamp-reply will be removed as soon as an RFC number is obtained and will be sent to IANA. 6. Unsigned integer The text states: The "time-to-check-back" parameter is a 32-bit integer, defined to be the number of seconds that have elapsed since midnight, January 1, 1970, coordinated universal time. The word "unsigned" has been added before integer. 7. Security consideration section cases 1 and 2. In the security consideration section the difference between case 1 and case 2 was not clear enough, in particular because the first sentence was misleading, stating :" the TSA can no longer be trusted". In order to distinguish better between the two cases, the text replacement is: 1. When a TSA shall not be used anymore, but the TSA private key has not been compromised, the authority's certificate SHALL be revoked. When the reasonCode extension relative to the revoked certificate from the TSA is present in the CRL entry extensions, it SHALL be set either to unspecified (0), affiliationChanged (3), superseded (4) or cessationOfOperation (5). In that case, at any future time, the tokens signed with the corresponding key will be considered as invalid, but tokens generated before the revocation time will remain valid. When the reasonCode extension relative to the revoked certificate from the TSA is not present in the CRL entry extensions, then all the tokens that have been signed with the corresponding key SHALL be considered as invalid. For that reason, it is recommended to use the reasonCode extension. 2. When the TSA private key has been compromised, then the corresponding certificate SHALL be revoked. In that case, the reasonCode extension relative to the revoked certificate from the TSA may or may not be present in the CRL entry extensions. When it is present then it SHALL be set to keyCompromise (1). Any token signed by the TSA using that private key cannot be trusted anymore. For this reason, it is imperative that the TSA's private key be guarded with proper security and controls in order to minimize the possibility of compromise. In case the private key does become compromised, an audit trail of all tokens generated by the TSA MAY provide a means to discriminate between genuine and false backdated tokens. A double time stamping from two different TSAs is another way to address this issue. 8. Security consideration section case 4. In the security consideration section, case 4, it was not clear enough in which case the attack was applicable. The new text explains that the case applies in case a nonce and no local clock is being used. The original first sentence was: 4. An application using the TSA service SHOULD be concerned about the amount of time it is willing to wait for a response. The new sentence is: 4. A client application using only a nonce and no local clock SHOULD be concerned about the amount of time it is willing to wait for a response. Denis
- Changes to the TSP protocol Denis Pinkas