IETF Logo Mail Archive

Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15

"Peter Rybar" <rybar@nbusr.sk> Wed, 10 April 2013 09:01 UTC

Return-Path: <prvs=081265783d=rybar@nbusr.sk>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0CD021F9060 for <pkix@ietfa.amsl.com>; Wed, 10 Apr 2013 02:01:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.694
X-Spam-Level:
X-Spam-Status: No, score=-0.694 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SK=1.35, HOST_EQ_SK=0.555]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YdkCVzSmKWVx for <pkix@ietfa.amsl.com>; Wed, 10 Apr 2013 02:01:02 -0700 (PDT)
Received: from mail.nbusr.sk (mail.nbusr.sk [84.245.65.227]) by ietfa.amsl.com (Postfix) with ESMTP id E800321F901B for <pkix@ietf.org>; Wed, 10 Apr 2013 02:01:01 -0700 (PDT)
Message-Id: <201304100900.r3A90w4g094451@mail.nbusr.sk>
From: Peter Rybar <rybar@nbusr.sk>
To: mrex@sap.com, 'Sean Turner' <turners@ieca.com>
Date: Wed, 10 Apr 2013 11:01:00 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
In-Reply-To: <20130408211035.C2B3E1A698@ld9781.wdf.sap.corp>
Thread-Index: Ac40nY7D1TBi9ftUQEKfX+/D+zgR7gBHlgig
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
X-NAI-Spam-Flag: NO
X-NAI-Spam-Level: ***
X-NAI-Spam-Threshold: 6
X-NAI-Spam-Score: 3.6
X-NAI-Spam-Version: 2.3.0.9362 : core <4544> : streams <938246> : uri <1389954>
Cc: pkix@ietf.org, sts@aaa-sec.com, 'Stefan Santesson' <stefan@aaa-sec.com>
Subject: Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Apr 2013 09:01:02 -0000

The value of thisUpdate is important and must contain correct time value according to the time when information about the certificate status was updated from CA issuing certificates whose status CRL or OCSP provides.

When OCSP is based on database then thisUpdate contains the time when OCSP database was updated according to information from CA.
When OCSP is based on CRL then thisUpdate of OCSP contains the same value as is included in thisUpdate field of last CRL or delta CRL available for OCSP responder.
It means the value of thisUpdate is not actual time and must be also correct for non-issued cert status. But, which time is correct for non-issued cert status? It must be also the time value when white list was updated in OCSP database with data provided by issuer CA of certificates whose status OCSP provides.

Practical usage:

In case when the validation system must provide information about the certificate status which is stable and will not be later changed, then the system must provide also the point of the time in the past when such certificate status was declared as correct.

Such point of the time is indicated in CRL or in OCSP response by the time value in the field thisUpdate.

ITU-T X.509 defines rules for CRL about the time value of thisUpdate when the revocation time revocationDate is included in first CRL (subsequent CRL contains this value of revocationDate).

RFC 2560 defines semantics of thisUpdate field as:
   - thisUpdate: The time at which the status being indicated is known to be correct.

According to such semantics of thisUpdate fields in CRL or in OCSP the validation system provides the value of thisUpdate field in the validation result as the time to which the status of certificate is known as correct while any time later the certificate status can be changed if thisUpdate is not after the expiration time of the certificate.

Peter Rybar


-----Original Message-----
From: Martin Rex [mailto:mrex@sap.com] 
Sent: Monday, April 08, 2013 11:11 PM
To: Sean Turner
Cc: Peter Rybar; mrex@sap.com; pkix@ietf.org; sts@aaa-sec.com; 'Stefan Santesson'
Subject: Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15

Sean Turner wrote:
> 
> I don't see any requirement in RFC 2560 or 2560bis for clients to order 
> requests according to thisUpdate.

Correct observation.

After this discussion, I believe this lack of documented requirement(s)
(for OCSP response caching and updating of that cache) to be a defect
of rfc2560/rfc2560bis.

rfc2560 provides exactly zero guidance on OCSP response caching,
and when an OCSP responder obtains certificate serial status information
from different information sources, then this creates a potential and
non-obvious ambiguity for implementors.

rfc2560bis introduces the explicit notion of OCSP responders feeding
on multiple information sources (such as CRLs _plus_ direct access
to cert issue records), so I think continued silence on OCSP response
caching and the exact semantics of thisUpdate for OCSP cache updates
a bad idea that may result in real interop problems.

  http://www.ietf.org/mail-archive/web/pkix/current/msg32617.html

-Martin

v2.23.0 | Report a Bug | By Email