Re: [pkix] Proposed resolution to non-issued certificates - 2560bis

mrex@sap.com (Martin Rex) Fri, 02 November 2012 18:46 UTC

Return-Path: <mrex@sap.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE1EC1F0C70 for <pkix@ietfa.amsl.com>; Fri, 2 Nov 2012 11:46:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.924
X-Spam-Level:
X-Spam-Status: No, score=-9.924 tagged_above=-999 required=5 tests=[AWL=0.325, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U-Gr-OQlj9kK for <pkix@ietfa.amsl.com>; Fri, 2 Nov 2012 11:46:55 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 6D7A01F0C6A for <pkix@ietf.org>; Fri, 2 Nov 2012 11:46:55 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id qA2Ikkb6012245 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 2 Nov 2012 19:46:51 +0100 (MET)
In-Reply-To: <044901cdb91b$e1b407a0$a51c16e0$@ditenity.com>
To: Piyush Jain <piyush@ditenity.com>
Date: Fri, 2 Nov 2012 19:46:44 +0100 (CET)
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20121102184644.444221A323@ld9781.wdf.sap.corp>
From: mrex@sap.com (Martin Rex)
X-SAP: out
Cc: 'Peter Rybar' <peterryb@gmail.com>, pkix@ietf.org, 'Stefan Santesson' <stefan@aaa-sec.com>
Subject: Re: [pkix] Proposed resolution to non-issued certificates - 2560bis
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Nov 2012 18:46:56 -0000

Piyush Jain wrote:
>
> I think Peter's point is that most folks consider revocationTime in OCSP
> equivalent to revocationDate in CRL.
> 
> This interpretation is not ill-formed given that OCSP has no text describing
> what revocationTime means in OCSP context.

But somewhat ignorant of how X.509 defines the meaning of revocationDate.

  ITU-T Rec. X.509 (08/2005), page 34:

   8.5.1 Requirements

   The following requirements relate to CRLs:

   d) A CRL contains, for each revoked certificate, the date when the
      authority posted the revocation. Further information may be known
      as to when an actual or suspected key compromise occurred, and this
      information may be valuable to a certificate user. The revocation
      date is insufficient to solve some disputes because, assuming the
      worst, all signatures issued during the validity period of the
      certificate have to be considered invalid. However, it may be
      important for a user that a signed document be recognized as
      valid even though the key used to sign the message was compromised
      after the signature was produced. To assist in solving this problem,
      a CRL entry can include a second date which indicates when it was
      known or suspected that the private key was compromised.


X.509 is pretty clear that the "revocationDate" entry does *NOT* mean
when a certificate was revoked, but instead, that it means when a
revocation was first published for the cert serial.  And this refers
to "publication on CRL", because publishing a CRL is the X.509 method
to "publish a revocation".

revocationDate of a CRL does not give you either of the two interesting
times: (a) when a certificate was revoked and (b) since when a certificate
is supposed to be invalid.

For conveying the latter (b), an optional crlEntry extension was defined,
and it is explicitly defined to predate "revocationDate":

  ITU-T Rec. X.509 (08/2005), page 36:

   8.5.2.4 Invalidity date extension

   This CRL entry extension field indicates the date at which it is
   known or suspected that the private key was compromised or that
   the certificate should otherwise be considered invalid. This date
   may be earlier than the revocation date in the CRL entry, which is
   the date at which the authority processed the revocation.


But we're actually discussing a certificate status reported through
OCSP that is *NOT* based on a revocation on a CRL.  So CRL semantics
clearly do not apply.  Now since the OCSP responder will typically

  (a) not have access to the cert for which the status is requested,

  (b) not know for which point in time the client will perform
      the validity check when obtaining the OCSP response

  (c) not know whether the RP supports the InvalidityDate extension.

A sensible and safe approach to issue a OCSP status response, for a cert
for which no record of issue exists, that will cause the RP to reject
that cert with very high probability, is to fill revocationDate with
a value suffiently far in the past, like Jan 1st, 1970.



> 
> And if you go by this interpretation, according to 5280, revocationDate
> cannot precede thisUpdate of an earlier CRL if the revocation for the
> certificate is being reported the first time.

OCSP was designed to report on status _other_ than revocation,
but didn't define any codepoints to convey "reject this cert"
other than those defined for CRLs.  And from that list, in order
to interoperate with the installed base "certificateHold, reject"
appears to be the most sensible choice.

Look at the history of draft-ietf-pkix-ocsp:

Section 3/2 Protocol Overview

 01-05:
   The Online Certificate Status Protocol (OCSP) enables applications to
   determine the revocation state of an identified certificate.

 06-07:
   The Online Certificate Status Protocol (OCSP) enables applications to
   determine the state of an identified certificate. 

 rfc2560:
   The Online Certificate Status Protocol (OCSP) enables applications to
   determine the (revocation) state of an identified certificate.

OCSP is *NOT* limited to CRLs as information source.
But it is currently limited to CRL ReasonCodes to expressing
"reject this cert".


> 
> Not saying that OCSP has to follow these rules, but given that it is
> deviating from CRLs on the meaning of revocationTime and revocationReason, a
> separated section describing these fields should be added.


There is no such thing as a strict sequence of OCSP responses, so the
conventions that apply to the relation of revocationDate to thisUpdate
for a serial listed on a CRL do not apply to OCSP.  FWIW, they also
apply only to the very first CRL that this serial appears on, so in
general, this is a pretty irrelevant characteristic for code that
processes CRLs and OCSP responses.


-Martin