Re: [pkix] Straw-poll on OCSP responses for non-revoked certificates.

Erwann Abalea <eabalea@gmail.com> Tue, 30 October 2012 14:26 UTC

To: "Miller, Timothy J." <tmiller@mitre.org>
Cc: "pkix@ietf.org" <pkix@ietf.org>

2012/10/30 Miller, Timothy J. <tmiller@mitre.org>:
[...]
> I disagree in re: lying.  The OCSP responder can respond REVOKED and the CA could add it to the CRL afterward, and a relying party wouldn't be able to tell the difference.

You'll then have to set a revocation date in the CRL, which might be
different from the one defined here. Some asked for epoch, some asked
for 1950, but since you can't use as a revocation date for a
certificate a date earlier than the thisUpdate of a previous CRL in
which that certificate wasn't revoked, an RP will be able to tell the
difference (that's normative).
Of course, this certificate won't be removed from the CRL since you
don't know its expiration date (nice to make a CRL grow indefinitely).
And if the CA has some sort of constraints in its DB (which can be
considered good practice), then a false certificate may have to be
created and inserted before being able to revoke it.

-- 
Erwann.
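The relying-party check Erwann describes (a revocationDate that predates the thisUpdate of an earlier CRL which did not list the certificate), as an added Python example that is not part of the thread; the CRL model and the sample history are constructed stand-ins, not parsed from real CRLs.

```python
"""Relying-party consistency check over a CRL history.

If an earlier CRL from the same issuer did not list a serial, that CRL
asserted "not revoked" as of its thisUpdate, so a later entry for that
serial cannot honestly carry a revocationDate before that thisUpdate.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Crl:
    """Minimal stand-in for a parsed CRL (constructed, not real ASN.1)."""
    this_update: datetime
    revoked: dict  # serial number -> revocationDate


def backdated_entries(previous: list, current: Crl) -> dict:
    """Map each suspicious serial in `current` to the earliest revocationDate
    a consistent history allows: the latest thisUpdate among prior CRLs
    that did not list that serial."""
    findings = {}
    for serial, rev_date in current.revoked.items():
        bounds = [c.this_update for c in previous
                  if c.this_update < current.this_update and serial not in c.revoked]
        if bounds and rev_date < max(bounds):
            findings[serial] = max(bounds)
    return findings


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample history: two earlier CRLs, then the CRL under examination.
CRL_OCT_01 = Crl(_utc(2012, 10, 1), {})
CRL_OCT_15 = Crl(_utc(2012, 10, 15), {0x3003: _utc(2012, 10, 10)})
CRL_OCT_30 = Crl(_utc(2012, 10, 30), {
    0x1001: _utc(2012, 10, 20),  # revoked after the last CRL: consistent
    0x3003: _utc(2012, 10, 10),  # already carried by the Oct 15 CRL: consistent
    0x2002: _utc(1970, 1, 1),    # "epoch" date on an entry no prior CRL carried
    0x4004: _utc(2012, 10, 10),  # missing from the Oct 15 CRL that post-dates it
})

if __name__ == "__main__":
    for serial, bound in backdated_entries([CRL_OCT_01, CRL_OCT_15], CRL_OCT_30).items():
        print(f"serial {serial:#x}: revocationDate predates CRL of {bound:%Y-%m-%d} that did not list it")
```

Serials 0x2002 and 0x4004 are reported; the epoch-dated entry is exactly the "fake revocation" case the straw poll discusses, and it is detectable as soon as one earlier CRL exists.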