IETF Logo Mail Archive

Re: [pkix] Proposed resolution to non-issued certificates - 2560bis

Peter Rybar <peterryb@gmail.com> Fri, 02 November 2012 15:52 UTC

Return-Path: <peterryb@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9331011E80A2 for <pkix@ietfa.amsl.com>; Fri, 2 Nov 2012 08:52:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qJ7FsFAPbn3P for <pkix@ietfa.amsl.com>; Fri, 2 Nov 2012 08:52:42 -0700 (PDT)
Received: from mail-pb0-f44.google.com (mail-pb0-f44.google.com [209.85.160.44]) by ietfa.amsl.com (Postfix) with ESMTP id 126F411E80DC for <pkix@ietf.org>; Fri, 2 Nov 2012 08:52:39 -0700 (PDT)
Received: by mail-pb0-f44.google.com with SMTP id ro8so2556844pbb.31 for <pkix@ietf.org>; Fri, 02 Nov 2012 08:52:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=t+7A5a1WU7byEvdw4TpZxs8RC1gelMIW1+PBP9Au2kE=; b=pVEv+LnBtHO++FCDO1ScUyuZV6IieupLiWrA7Tnbj5hPaaPlpZnPDzGsnvykQKpLq8 dIA1rj3x8lHFNHJzOD85ddMn9yQBiSBOA4g9MVe91f8BK9gEVXVA1VlQ5Y2hfpIhzedi 7WNB9mMIhxsZThAPRUI4T4//T7W9ROWCK0RM4oLapZHgrEJ98sNCPXK4O5gmil72ye1l VJqZVB1t9fvtFXQtBQbsKiY1ilpbpmST79QitaHWqyr+jqSOC0POgZ+IIR/DcnZ12z0S tAIMe/rV0dLv+I4ietm3Sf9x0f2UXbbsgmesIARdk6xpPHLkpMt1tyuhh4eyWGrwMuT2 /+Iw==
MIME-Version: 1.0
Received: by 10.66.81.199 with SMTP id c7mr6477845pay.19.1351871071567; Fri, 02 Nov 2012 08:44:31 -0700 (PDT)
Received: by 10.66.235.102 with HTTP; Fri, 2 Nov 2012 08:44:31 -0700 (PDT)
In-Reply-To: <CANkYYy5TsTajY4hztaHaFeWsUYd+d+7st_yKCcqUAkdWNY6BMw@mail.gmail.com>
References: <034701cdb87e$0f083a80$2d18af80$@ditenity.com> <201211021016.qA2AGYZA000373@mail.nbusr.sk> <CANkYYy5TsTajY4hztaHaFeWsUYd+d+7st_yKCcqUAkdWNY6BMw@mail.gmail.com>
Date: Fri, 02 Nov 2012 16:44:31 +0100
Message-ID: <CAFD47=oddnrbHepUX4PHi8zLqjqE=_vvOzP1wmZ+kRANNAEvdw@mail.gmail.com>
From: Peter Rybar <peterryb@gmail.com>
To: Simon Tardell <simon@tardell.se>
Content-Type: text/plain; charset="UTF-8"
Cc: Stefan Santesson <stefan@aaa-sec.com>, "pkix@ietf.org" <pkix@ietf.org>
Subject: Re: [pkix] Proposed resolution to non-issued certificates - 2560bis
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Nov 2012 15:52:43 -0000

It means the time value in thisUpdate field is a time when CA database
was locked in the process of creating CRL/OCSP response. CRL contains
only revocations with time which were before time value of thisUpdate
field. Any revocatins registered while database was locked must not be
included and are included after next lock of CA database when a new
CRL will be generated.
Peter Rybar

2012/11/2, Simon Tardell <simon@tardell.se>:
> On Fri, Nov 2, 2012 at 11:16 AM, Peter Rybar <rybar@nbusr.sk> wrote:
>
>> ** **
>>
>> Stefan,****
>>
>> ** **
>>
>> I agree with David A. Cooper and Piyush.****
>>
>> ** **
>>
>> And also retroactive revocation is not allowed in X.509.****
>>
>> The certificate status "revoked" in OCSP must be consistent with the
>> status in CRL.****
>>
>> In this case it is not consistent because status "revoked" is proposed to
>> be in OCSP but in the same time it is not included in CRL.****
>>
>> Validation will be different by CRL/OCSP!
>>
> So a CA that does answer revoked for never issued MUST NOT use CRLs.
>
>> **
>>
>> Don't forget that also thisUpdate MUST be correctly used and included in
>> OCSP response.****
>>
>> ** **
>>
>>    - thisUpdate: The time at which the status being indicated is known to
>> be correct.****
>>
>> ** **
>>
>> It mans any new "correct" revocation MUST be with revocation value which
>> is greater than value thisUpdate of any issued CRL/OCSP.
>>
> Including revocation date/time before value thisUpdate (of any already
>> issued CRL/OCSP) is destruction of X.509 fundamental rules for
>> validations.
>> ****
>>
>> Date and time of revocation MUST be only after value thisUpdate which is
>> included in last issued CRL or OCSP.****
>>
>> **
>>
>
> I don't quite understand. The revocationTime of a RevokedInfo must
> logically be earlier than the thisUpdate of the response, unless we assume
> that we are dealing with a precog OCSP responder. The OCSP responder should
> try to keep the thisUpdate as close to "now" as it can, to limit the window
> where compromised keys can be used.
>
> /Simon
>

v2.23.0 | Report a Bug | By Email