IETF Logo Mail Archive

Re: [pkix] Last Call: <draft-ietf-pkix-rfc2560bis-15.txt> (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard

Sean Turner <turners@ieca.com> Mon, 08 April 2013 14:34 UTC

Return-Path: <turners@ieca.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A20C921F935B for <pkix@ietfa.amsl.com>; Mon, 8 Apr 2013 07:34:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.218
X-Spam-Level:
X-Spam-Status: No, score=-102.218 tagged_above=-999 required=5 tests=[AWL=0.047, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GckW-XxCU25w for <pkix@ietfa.amsl.com>; Mon, 8 Apr 2013 07:34:24 -0700 (PDT)
Received: from gateway01.websitewelcome.com (gateway01.websitewelcome.com [69.93.126.19]) by ietfa.amsl.com (Postfix) with ESMTP id 6624E21F9774 for <pkix@ietf.org>; Mon, 8 Apr 2013 07:34:23 -0700 (PDT)
Received: by gateway01.websitewelcome.com (Postfix, from userid 5007) id 0601087AB6203; Mon, 8 Apr 2013 09:34:20 -0500 (CDT)
Received: from gator1743.hostgator.com (gator1743.hostgator.com [184.173.253.227]) by gateway01.websitewelcome.com (Postfix) with ESMTP id EE71787AB61E2 for <pkix@ietf.org>; Mon, 8 Apr 2013 09:34:19 -0500 (CDT)
Received: from [108.45.16.214] (port=52313 helo=thunderfish.local) by gator1743.hostgator.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.80) (envelope-from <turners@ieca.com>) id 1UPD9H-0001nt-Ls; Mon, 08 Apr 2013 09:34:19 -0500
Message-ID: <5162D56B.9060404@ieca.com>
Date: Mon, 08 Apr 2013 10:34:19 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: mrex@sap.com
References: <20130323065208.090391A65A@ld9781.wdf.sap.corp>
In-Reply-To: <20130323065208.090391A65A@ld9781.wdf.sap.corp>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator1743.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (thunderfish.local) [108.45.16.214]:52313
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 8
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IxNzQzLmhvc3RnYXRvci5jb20=
Cc: pkix@ietf.org, ietf@ietf.org
Subject: Re: [pkix] Last Call: <draft-ietf-pkix-rfc2560bis-15.txt> (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2013 14:34:25 -0000

Martin,

I went all the way to Sam's original message about his discuss on the 
draft that became RFC 5019:

https://www.ietf.org/mail-archive/web/pkix/current/msg03627.html

and reviewed the 60 or so messages in the thread.

Aside: I think when you're referring to "updating" RFC 5019 you're 
referring to the updates header.  I'd not put a lot of weight in the 
presence or absence of the updates header.  The IESG has waffled 
including it, authors forgetting about including it, etc.  What's clear 
in the thread was that there was a WGLC issued with the understanding 
that pre-RFC 5109 was going update the semantics of the error code in 
RFC 2560.  I can't find any objections and the WG consensus was to 
proceed.  Should the header have been added - maybe, but I don't 
actually find any messages asking for it to be added and push back on 
it.  What the text in 5019 says is that "this profile extends the RFC 
2560 [OCSP] definition of "unauthorized" as follows:"

Your issue, at least to me, seems to be that you'd prefer that new error 
codes be defined instead of double-upping on unauthorized error.  I've 
been letting this exchange go to see if anybody else rallies to your 
flag (i.e., joins your cause, gets on your bandwagon, etc).  I've not 
seen that and I think you're in the rough here.

But, as one of my fellow ADs constantly reminds everyone, one person can 
blow up consensus if they're right.  So...

I think all of this is based on your message to PKIX in late January:

"
The "unauthorized" response of rfc2560 means

"this is not a public service, and your OCSP request is outside of
  our terms-of-service.  Go away."
"

I think you're reading a whole lot in to definition from RFC 2560:

  The response "unauthorized" is returned in cases where the client is
  not authorized to make this query to this server.

I find it really hard to make the leap to if client sends a request to a 
non-public server and continues to request status information that it 
means they've violated the terms of use of the private server and by 
doing so the client has committed a crime.

If we're about interoperability, then I'm waiting for those that think 
this change breaks things.  To date I've not see folks say that it does.

Yes, this is all an odd way to use an error code for application
specific reasons. However, there really is no point is us moving away
from that (again, admittedly odd) behavior if there's no sign that any
client will be updated for this. The lack of implementers backing
your point seems to put you even deeper in the rough.

Unless I've misconstrued something, that's the rough consensus.

spt

On 3/23/13 2:52 AM, Martin Rex wrote:
> The IESG wrote:
>>
>> The IESG has received a request from the Public-Key Infrastructure
>> (X.509) WG (pkix) to consider the following document:
>> - 'X.509 Internet Public Key Infrastructure Online Certificate Status
>>     Protocol - OCSP'
>>    <draft-ietf-pkix-rfc2560bis-15.txt> as Proposed Standard
>>
>> The IESG plans to make a decision in the next few weeks, and solicits
>> final comments on this action. Please send substantive comments to the
>> ietf@ietf.org mailing lists by 2013-03-27.
>
> I'm having an issue with a subtle, backwards-incompatible change
> of the semantics of the exception case with the error code
> "unauthorized", which tries to rewrite history 13 years into the
> without actually fitting the OCSP spec.
>
> It's about the second change from the introduction:
>
>       o  Section 2.3 extends the use of the "unauthorized" error
>           response, as specified in [RFC5019].
>
> While it is true that the error code abuse originally first appeared
> in rfc5019, the change was never declared as an update to rfc2560,
> nor filed as an errata to rfc2560.
>
> The original Exception cases in rfc2560 define the following semantics:
>
>    http://tools.ietf.org/html/rfc2560#section-2.3
>
>     2.3 Exception Cases
>
>     In case of errors, the OCSP Responder may return an error message.
>     These messages are not signed. Errors can be of the following types:
>
>     -- malformedRequest
>     -- internalError
>     -- tryLater
>     -- sigRequired
>     -- unauthorized
>
>   [...]
>
>     The response "sigRequired" is returned in cases where the server
>     requires the client sign the request in order to construct a
>     response.
>
>     The response "unauthorized" is returned in cases where the client is
>     not authorized to make this query to this server.
>
>
> The proposed "extended" semantics from the rfc2560bis draft:
>
>    http://tools.ietf.org/html/draft-ietf-pkix-rfc2560bis-15#page-9
>
>     The response "unauthorized" is returned in cases where the client is
>     not authorized to make this query to this server or the server is not
>     capable of responding authoritatively (cf. [RFC5019], Section 2.2.3).
>
> The rfc5019 semantics "The server can not provide an authoritative response
> to this specific request" is incompatible with the semantics "you are not
> authorized to sumbit OCSP requests to this service".
>
> There is another serious conflict with the rfc5019 repurposed error code
> semantics and rfc2560.  While rfc5019 is limited to a single status request,
> rfc2560 and rfc2560bis both allow a list of several Requests to
> be sent in a single OCSPRequest PDU.  An OCSP response, however, is
> not allowed to contain responseBytes when an error code is returned
> inthe response status:
>
>    http://tools.ietf.org/html/draft-ietf-pkix-rfc2560bis-15#section-4.2.1
>
>     4.2.1 ASN.1 Specification of the OCSP Response
>
>     An OCSP response at a minimum consists of a responseStatus field
>     indicating the processing status of the prior request. If the value
>     of responseStatus is one of the error conditions, responseBytes are
>     not set.
>
>     OCSPResponse ::= SEQUENCE {
>        responseStatus         OCSPResponseStatus,
>        responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }
>
>
> So it is impossible to convey "OCSP responder is not capable of
> responding authoritatively" for a subset of Requests in the requestList
> and regular status for the remaining Requests in the List by using
> a repurposed "unauthorized" error code.
>
> The current draft neither mention this contradiction, nor does it
> provide any guidance how an implementation should behave in this
> situation.
>
>
> I would appreciate if this problem of draft-*-rfc2560bis could be fixed
> prior to making it a successor for rfc2560.
>
>
> -Martin
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix
>

v2.23.0 | Report a Bug | By Email