Re: [pkix] Straw-poll on OCSP responses fornon-revoked certificates.
"Art Allison" <AAllison@nab.org> Wed, 31 October 2012 18:15 UTC
Return-Path: <aallison@nab.org>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6934E21F8868 for <pkix@ietfa.amsl.com>; Wed, 31 Oct 2012 11:15:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.249
X-Spam-Level:
X-Spam-Status: No, score=-6.249 tagged_above=-999 required=5 tests=[AWL=0.349, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TYBQBPtNIhWa for <pkix@ietfa.amsl.com>; Wed, 31 Oct 2012 11:15:38 -0700 (PDT)
Received: from p01c11o145.mxlogic.net (p01c11o145.mxlogic.net [208.65.144.68]) by ietfa.amsl.com (Postfix) with ESMTP id 2970621F888B for <pkix@ietf.org>; Wed, 31 Oct 2012 11:15:31 -0700 (PDT)
Received: from unknown [208.97.234.91] (EHLO NABSREX027324.NAB.ORG) by p01c11o145.mxlogic.net(mxl_mta-6.15.0-1) with ESMTP id 2ca61905.0.13758.00-319.33344.p01c11o145.mxlogic.net (envelope-from <aallison@nab.org>); Wed, 31 Oct 2012 12:15:32 -0600 (MDT)
X-MXL-Hash: 50916ac43597bc09-b5b11f3d274c1c747af1da36ef6c6159032a5b3b
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01CDB793.B5ED130A"
Date: Wed, 31 Oct 2012 14:15:30 -0400
Message-ID: <71C9EC0544D1F64D8B7D91EDCC6220200CA725BD@NABSREX027324.NAB.ORG>
In-Reply-To: <00b701cdb77d$61d29c80$2577d580$@digicert.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [pkix] Straw-poll on OCSP responses fornon-revoked certificates.
Thread-Index: AQH1lk8JvbcDsEaFAmhBI+dpk+GPywH7Y6+AAkWmwayXYcTjMIAAK0GA
References: <CCB55CA3.52588%stefan@aaa-sec.com> <50910F9E.6000703@bull.net><4C120EAB-B95B-4DEE-8DE7-9CDC45089C34@globalsign.com> <00b701cdb77d$61d29c80$2577d580$@digicert.com>
From: Art Allison <AAllison@nab.org>
To: pkix@ietf.org
X-Spam: [F=0.2000000000; CM=0.500; S=0.200(2010122901)]
X-MAIL-FROM: <aallison@nab.org>
X-SOURCE-IP: [208.97.234.91]
X-AnalysisOut: [v=2.0 cv=Y/pPRGiN c=1 sm=0 a=tFGTPFZixTZ3yCXJchW01Q==:17 a]
X-AnalysisOut: [=ISpR88XC1-QA:10 a=BvPfnLs-15kA:10 a=BLceEmwcHowA:10 a=g0F]
X-AnalysisOut: [pLpFZAAAA:8 a=ealCiPDQX5oA:10 a=48vgC7mUAAAA:8 a=R93Jy7f2A]
X-AnalysisOut: [AAA:8 a=1ce2OFdlJGcH_mduuQMA:9 a=QEXdDO2ut3YA:10 a=8SgyfJx]
X-AnalysisOut: [rfqYA:10 a=-9UqKSle32gA:10 a=Qd0007q6B0YA:10 a=lZB815dzVvQ]
X-AnalysisOut: [A:10 a=O16jHPwEaCsA:10 a=Xst4EYqqeAMlhu9J:21 a=3CqetUEhMF3]
X-AnalysisOut: [xFuuR:21 a=yMhMjlubAAAA:8 a=SSmOFEACAAAA:8 a=-7lmGnbMd0Gsx]
X-AnalysisOut: [9hNXrgA:9 a=gKO2Hq4RSVkA:10 a=UiCQ7L4-1S4A:10 a=hTZeC7Yk6K]
X-AnalysisOut: [0A:10 a=frz4AuCg-hUA:10 a=0fFHKXHiQ9QxBp5c:21 a=LCkIwZW6E8]
X-AnalysisOut: [PTQmGl:21 a=Ml2Iap5TzBBK9BQq:21]
Subject: Re: [pkix] Straw-poll on OCSP responses fornon-revoked certificates.
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Oct 2012 18:15:39 -0000
I answered the actual question asked. (I do not opine on what might have been intended to be asked.) If the current scope prevents fixing the situation, expect lack of interoperability to continue. Changing the scope has a time line and, properly, should be justified. Using the scope to ignore a problem has been done many times in the past, not just in IETF but elsewhere. Contrast with allowing scope creep which prevents timely resolution of a problem. Choose carefully. Art Art Allison Senior Director Advanced Engineering, Technology National Association of Broadcasters 1771 N Street NW Washington, DC 20036 Phone 202 429 5418 Fax 202 775 4981 www.nab.org <blocked::http://www.nab.org> Advocacy Education Innovation From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Ben Wilson Sent: Wednesday, October 31, 2012 11:36 AM To: pkix@ietf.org Subject: Re: [pkix] Straw-poll on OCSP responses fornon-revoked certificates. I don’t think the original ballot changed. #1 was to allow revoked. #3 was do nothing. So, a vote that they favor “3 – unknown” is out of scope, but hopefully everyone understands that this is the nature of a straw poll? From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Ryan Hurst Sent: Wednesday, October 31, 2012 8:42 AM To: Denis Pinkas Cc: pkix@ietf.org Subject: Re: [pkix] Straw-poll on OCSP responses for non-revoked certificates. Same as Dennis. Sent from my iPhone On Oct 31, 2012, at 4:46 AM, Denis Pinkas <denis.pinkas@bull.net> wrote: Response #3 : status : unknown Response #1 would also be acceptable, but as a second choice. Quick explanation: “unknown” is the right status. If the OCSP client verifies that the response is from an authorized responder for the CA which has issued the certificate: unknown is a definite response and is safe (no other mechanism SHALL be used). On the contrary, if the OCSP client does not verify that the response is from an authorized responder for the CA which has issued the certificate, then another mechanism will be used : either another OCSP server or CRLs. If CRLs are used, “revoked” is safer, but it is semantically incorrect. So a change in its semantics would be mandatory. The problem is that the change should be "revoked or unknown" which may be rather confusing. _______________________________________________ pkix mailing list pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Denis Pinkas
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Simon Tardell
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Denis Pinkas
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Denis Pinkas
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Simon Tardell
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Simon Tardell
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Stefan Santesson
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Denis Pinkas
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Peter Rybar
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- [pkix] Straw-poll on OCSP responses for non-revok… Stefan Santesson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Yngve Nysaeter Pettersen
- Re: [pkix] Straw-poll on OCSP responses for non-r… Yoav Nir
- Re: [pkix] Straw-poll on OCSP responses for non-r… Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Miller, Timothy J.
- Re: [pkix] Straw-poll on OCSP responses for non-r… David Chadwick
- Re: [pkix] Straw-poll on OCSP responses for non-r… Art Allison
- Re: [pkix] Straw-poll on OCSP responses for non-r… Miller, Timothy J.
- Re: [pkix] Straw-poll on OCSP responses for non-r… Santosh Chokhani
- Re: [pkix] Straw-poll on OCSP responses for non-r… Erwann Abalea
- Re: [pkix] Straw-poll on OCSP responses for non-r… Yoav Nir
- Re: [pkix] Straw-poll on OCSP responses for non-r… Peter Rybar
- Re: [pkix] Straw-poll on OCSP responses for non-r… Paul Hoffman
- Re: [pkix] Straw-poll on OCSP responses for non-r… Juan Gonzalez
- Re: [pkix] Straw-poll on OCSP responses for non-r… Max Pritikin (pritikin)
- Re: [pkix] Straw-poll on OCSP responses for non-r… Simon Tardell
- Re: [pkix] Straw-poll on OCSP responses for non-r… Carl Wallace
- Re: [pkix] Straw-poll on OCSP responses for non-r… Paul Hoffman
- Re: [pkix] Straw-poll on OCSP responses for non-r… Rick Robinson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Jeremy Rowley
- Re: [pkix] Straw-poll on OCSP responses for non-r… Melinda Shore
- Re: [pkix] Straw-poll on OCSP responses for non-r… Martin Rex
- Re: [pkix] Straw-poll on OCSP responses for non-r… Russ Housley
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Martin Rex
- Re: [pkix] Straw-poll on OCSP responses for non-r… Tom Ritter
- Re: [pkix] Straw-poll on OCSP responses for non-r… Dr Stephen Henson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Ryan Sleevi
- Re: [pkix] Straw-poll on OCSP responses for non-r… Johannes Merkle
- Re: [pkix] Straw-poll on OCSP responses for non-r… Denis Pinkas
- Re: [pkix] Straw-poll on OCSP responses for non-r… Art Allison
- Re: [pkix] Straw-poll on OCSP responses for non-r… Ryan Hurst
- Re: [pkix] Straw-poll on OCSP responses for non-r… Ben Wilson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Erwann Abalea
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Piyush Jain
- Re: [pkix] Straw-poll on OCSP responses fornon-re… Art Allison
- [pkix] Proposed resolution to non-issued certific… Stefan Santesson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Tom Ritter
- Re: [pkix] Proposed resolution to non-issued cert… Tom Ritter
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… David A. Cooper
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] New draft-ietf-pkix-rfc2560bis-06 Peter Gutmann
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Straw-poll on OCSP responses for non-r… Phillip Hallam-Baker
- Re: [pkix] Proposed resolution to non-issued cert… David A. Cooper
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Peter Rybar
- Re: [pkix] Proposed resolution to non-issued cert… Simon Tardell
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… David A. Cooper
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Peter Rybar
- Re: [pkix] Proposed resolution to non-issued cert… Simon Tardell
- Re: [pkix] Proposed resolution to non-issued cert… Stefan Santesson
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Martin Rex
- Re: [pkix] Proposed resolution to non-issued cert… Martin Rex
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Proposed resolution to non-issued cert… Martin Rex
- Re: [pkix] Proposed resolution to non-issued cert… Piyush Jain
- Re: [pkix] Straw-poll on OCSP responses for non-r… Tom Gindin
- Re: [pkix] Straw-poll on OCSP responses for non-r… Phillip Hallam-Baker