Re: [pkix] Straw-poll on OCSP responses for non-revoked certificates.

"Ben Wilson" <ben@digicert.com> Wed, 31 October 2012 15:35 UTC

From: Ben Wilson <ben@digicert.com>
To: pkix@ietf.org
References: <CCB55CA3.52588%stefan@aaa-sec.com> <50910F9E.6000703@bull.net> <4C120EAB-B95B-4DEE-8DE7-9CDC45089C34@globalsign.com>
In-Reply-To: <4C120EAB-B95B-4DEE-8DE7-9CDC45089C34@globalsign.com>
Date: Wed, 31 Oct 2012 09:35:40 -0600
Organization: DigiCert
Message-ID: <00b701cdb77d$61d29c80$2577d580$@digicert.com>
Subject: Re: [pkix] Straw-poll on OCSP responses for non-revoked certificates.

I don’t think the original ballot changed.  #1 was to allow revoked.  #3 was do nothing.  So, a vote that they favor “3 – unknown” is out of scope, but hopefully everyone understands that this is the nature of a straw poll?
From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Ryan Hurst
Sent: Wednesday, October 31, 2012 8:42 AM
To: Denis Pinkas
Cc: pkix@ietf.org
Subject: Re: [pkix] Straw-poll on OCSP responses for non-revoked certificates.
Same as Denis.

Sent from my iPhone


On Oct 31, 2012, at 4:46 AM, Denis Pinkas <denis.pinkas@bull.net> wrote:

Response #3: status: unknown
Response #1 would also be acceptable, but as a second choice.
Quick explanation: “unknown” is the right status. 


If the OCSP client verifies that the response is from an authorized responder for the CA which has issued the certificate: unknown is a definite response and is safe (no other mechanism SHALL be used).

On the contrary, if the OCSP client does not verify that the response is from an authorized responder for the CA which has issued the certificate, then another mechanism will be used: either another OCSP server or CRLs.


If CRLs are used, “revoked” is safer, but it is semantically incorrect. So a change in its semantics would be mandatory.

The problem is that the change should be "revoked or unknown" which may be rather confusing.



_______________________________________________
pkix mailing list
pkix@ietf.org
https://www.ietf.org/mailman/listinfo/pkix
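Denis's two client cases, played out for a certificate serial the CA never issued, as an added example that is not code from any poster on this thread. The CA state (issued serials, CRL contents), the serial numbers and the rule that a verifying client treats "unknown" as a validation failure are constructed assumptions; the fallback-to-CRL behaviour follows the explanation above.

```python
"""Model of the OCSP-status options debated in the straw poll.

Added example: the CA state and serials below are constructed, and the
client behaviour is a simplified model of the two cases Denis describes.
"""

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"

# Constructed CA state: serials 1..3 were issued, serial 2 was revoked.
ISSUED = {1, 2, 3}
CRL = {2}


def ocsp_status(serial, non_issued_policy):
    """Responder answer. non_issued_policy is REVOKED (option #1) or
    UNKNOWN (option #3) for serials the CA never issued."""
    if serial in CRL:
        return REVOKED
    if serial in ISSUED:
        return GOOD
    return non_issued_policy


def crl_status(serial):
    """CRL check: a serial absent from the CRL looks 'not revoked',
    even when the CA never issued a certificate with that serial."""
    return REVOKED if serial in CRL else GOOD


def client_decision(serial, non_issued_policy, verifies_responder):
    """Return (decision, source_of_decision).

    A client that verified the responder is authorized for the issuing CA
    treats 'unknown' as final and does not accept the certificate (assumed
    reject-on-unknown). A client that did not verify falls back to the CRL.
    """
    status = ocsp_status(serial, non_issued_policy)
    if status != UNKNOWN:
        return ("reject" if status == REVOKED else "accept", "ocsp")
    if verifies_responder:
        return ("reject", "ocsp")  # unknown is definitive: no fallback
    fallback = crl_status(serial)
    return ("reject" if fallback == REVOKED else "accept", "crl")


def outcome_matrix(serial):
    """Decision for every (policy, client-verifies) combination."""
    return {(p, v): client_decision(serial, p, v)
            for p in (REVOKED, UNKNOWN) for v in (True, False)}


if __name__ == "__main__":
    for key, value in outcome_matrix(99).items():  # 99 was never issued
        print(key, "->", value)
```

Only the combination of option #3 with a non-verifying client reaches the CRL, where a never-issued serial is absent and the certificate is accepted; that is the case Denis calls "revoked is safer".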