Re: [pkix] Straw-poll on OCSP responses for non-revoked certificates.

"Art Allison" <AAllison@nab.org> Wed, 31 October 2012 18:15 UTC

Date: Wed, 31 Oct 2012 14:15:30 -0400
Message-ID: <71C9EC0544D1F64D8B7D91EDCC6220200CA725BD@NABSREX027324.NAB.ORG>
In-Reply-To: <00b701cdb77d$61d29c80$2577d580$@digicert.com>
References: <CCB55CA3.52588%stefan@aaa-sec.com> <50910F9E.6000703@bull.net> <4C120EAB-B95B-4DEE-8DE7-9CDC45089C34@globalsign.com> <00b701cdb77d$61d29c80$2577d580$@digicert.com>
From: Art Allison <AAllison@nab.org>
To: pkix@ietf.org
Subject: Re: [pkix] Straw-poll on OCSP responses for non-revoked certificates.

I answered the actual question asked. (I do not opine on what might have been intended to be asked.)
If the current scope prevents fixing the situation, expect lack of interoperability to continue. 

Changing the scope has a time line and, properly, should be justified.

Using the scope to ignore a problem has been done many times in the past, not just in IETF but elsewhere.  Contrast with allowing scope creep which prevents timely resolution of a problem.  Choose carefully.
Art
Art Allison 
Senior Director Advanced Engineering, Technology 
National Association of Broadcasters
1771 N Street NW
Washington, DC 20036
Phone  202 429 5418
Fax  202 775 4981 
www.nab.org
Advocacy  Education  Innovation 
From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Ben Wilson
Sent: Wednesday, October 31, 2012 11:36 AM
To: pkix@ietf.org
Subject: Re: [pkix] Straw-poll on OCSP responses for non-revoked certificates.
I don’t think the original ballot changed.  #1 was to allow revoked.  #3 was do nothing.  So, a vote that they favor “3 – unknown” is out of scope, but hopefully everyone understands that this is the nature of a straw poll?
From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Ryan Hurst
Sent: Wednesday, October 31, 2012 8:42 AM
To: Denis Pinkas
Cc: pkix@ietf.org
Subject: Re: [pkix] Straw-poll on OCSP responses for non-revoked certificates.
Same as Denis.

Sent from my iPhone


On Oct 31, 2012, at 4:46 AM, Denis Pinkas <denis.pinkas@bull.net> wrote:

	Response #3 : status : unknown

	Response #1 would also be acceptable, but as a second choice.

	Quick explanation: “unknown” is the right status.

	If the OCSP client verifies that the response is from an authorized responder for the CA which has issued the certificate: unknown is a definite response and is safe (no other mechanism SHALL be used).

	On the contrary, if the OCSP client does not verify that the response is from an authorized responder for the CA which has issued the certificate, then another mechanism will be used: either another OCSP server or CRLs.

	If CRLs are used, “revoked” is safer, but it is semantically incorrect. So a change in its semantics would be mandatory.

	The problem is that the change should be "revoked or unknown" which may be rather confusing.
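The client behaviour Denis describes above (an "unknown" from a responder verified as authorized for the issuing CA is definitive; an "unknown" from an unverified responder triggers a fallback to another responder or to the CRL, where a never-issued serial is invisible) can be modelled in a few lines. The following is an added example, not code from the thread or from any participant: certificates and OCSP responses are plain dataclasses rather than parsed DER, the signature check is assumed to have been done already (`signature_ok`), and the authorization rules are a simplified reading of RFC 6960 section 4.2.2.2 (responder is the CA itself, a locally trusted responder, or a delegate issued by that CA with the id-kp-OCSPSigning EKU). It generalizes the thread's single case to all three OCSP statuses.

```python
"""Model of the OCSP client decision discussed on the PKIX list.

Constructed example: no real ASN.1, no real signatures. The point is the
policy, in particular what happens to a serial the CA never issued when the
responder cannot be verified and the client falls back to a CRL.
"""
from dataclasses import dataclass
from enum import Enum

OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"   # id-kp-OCSPSigning extended key usage OID


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


class Decision(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    FALLBACK = "fallback"   # consult another OCSP responder or the CRL


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    eku: frozenset = frozenset()   # set of extended-key-usage OIDs (assumed parsed)


@dataclass(frozen=True)
class OcspResponse:
    target: Cert            # certificate whose status was requested
    status: CertStatus
    signer: Cert            # certificate (or CA) that signed the response
    signature_ok: bool      # outcome of the signature check (assumed done elsewhere)


def responder_authorized(resp: OcspResponse, ca: Cert, trusted_responders=()) -> bool:
    """RFC 6960 4.2.2.2, simplified: the response must verify and its signer
    must be the issuing CA, a locally configured trusted responder, or a
    delegated responder issued by that CA and marked for OCSP signing."""
    if not resp.signature_ok:
        return False
    if resp.target.issuer != ca.subject:      # response is about a cert of some other CA
        return False
    signer = resp.signer
    if signer == ca or signer in trusted_responders:
        return True
    return signer.issuer == ca.subject and OCSP_SIGNING in signer.eku


def decide(resp: OcspResponse, ca: Cert, trusted_responders=()) -> Decision:
    """Policy from the thread: a verified responder's answer is final,
    whatever it is; an unverified responder's answer is not used at all."""
    if not responder_authorized(resp, ca, trusted_responders):
        return Decision.FALLBACK
    if resp.status is CertStatus.GOOD:
        return Decision.ACCEPT
    # 'revoked' and 'unknown' from an authorized responder are both definitive:
    # the certificate is not trusted and no other mechanism is consulted.
    return Decision.REJECT


def decide_with_crl(resp: OcspResponse, ca: Cert, crl_revoked, trusted_responders=()) -> Decision:
    """Same policy, with the CRL as the fallback mechanism. A CRL only lists
    revoked serials, so a serial the CA never issued is absent from it and
    comes out as ACCEPT. This is the gap the straw poll is about."""
    first = decide(resp, ca, trusted_responders)
    if first is not Decision.FALLBACK:
        return first
    return Decision.REJECT if resp.target.serial in crl_revoked else Decision.ACCEPT


# Constructed test fixtures (hypothetical names).
CA = Cert("CN=Example CA", "CN=Example CA", serial=1)
DELEGATE = Cert("CN=Example OCSP", "CN=Example CA", serial=2, eku=frozenset({OCSP_SIGNING}))
ROGUE = Cert("CN=Example OCSP", "CN=Other CA", serial=3, eku=frozenset({OCSP_SIGNING}))
NEVER_ISSUED = Cert("CN=www.example.test", "CN=Example CA", serial=4242)


def main() -> None:
    cases = [
        ("unknown, authorized responder", OcspResponse(NEVER_ISSUED, CertStatus.UNKNOWN, DELEGATE, True)),
        ("unknown, unverified responder", OcspResponse(NEVER_ISSUED, CertStatus.UNKNOWN, ROGUE, True)),
        ("unknown, bad signature", OcspResponse(NEVER_ISSUED, CertStatus.UNKNOWN, DELEGATE, False)),
    ]
    for label, resp in cases:
        print(f"{label:32s} OCSP only: {decide(resp, CA).value:9s} "
              f"with CRL fallback: {decide_with_crl(resp, CA, crl_revoked={99}).value}")


if __name__ == "__main__":
    main()
```

Running it shows the asymmetry in the thread: the same "unknown" about a never-issued serial is a hard reject when the responder is verified, but becomes an accept once the client falls back to a CRL that, by construction, cannot list a serial that was never issued. Returning "revoked" instead would close that gap, at the cost of the semantic mismatch Denis points out.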