IETF Logo Mail Archive

Re: [pkix] New draft-ietf-pkix-rfc2560bis-06

Denis Pinkas <denis.pinkas@bull.net> Mon, 22 October 2012 14:53 UTC

Return-Path: <denis.pinkas@bull.net>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B576C21F8B80 for <pkix@ietfa.amsl.com>; Mon, 22 Oct 2012 07:53:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.967
X-Spam-Level:
X-Spam-Status: No, score=-4.967 tagged_above=-999 required=5 tests=[AWL=1.281, BAYES_00=-2.599, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VsepSbG6BYMn for <pkix@ietfa.amsl.com>; Mon, 22 Oct 2012 07:53:04 -0700 (PDT)
Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by ietfa.amsl.com (Postfix) with ESMTP id D59EB21F8BB7 for <pkix@ietf.org>; Mon, 22 Oct 2012 07:53:01 -0700 (PDT)
Received: from MSGC-007.bull.fr (unknown [129.184.87.136]) by odin2.bull.net (Bull S.A.) with ESMTP id 831C41C37A; Mon, 22 Oct 2012 16:52:57 +0200 (CEST)
Received: from [127.0.0.1] ([129.184.39.15]) by MSGC-007.bull.fr (Lotus Domino Release 8.5.3FP1) with ESMTP id 2012102216525665-1594 ; Mon, 22 Oct 2012 16:52:56 +0200
Message-ID: <50855DC5.6010609@bull.net>
Date: Mon, 22 Oct 2012 16:52:53 +0200
From: Denis Pinkas <denis.pinkas@bull.net>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20120907 Thunderbird/15.0.1
MIME-Version: 1.0
To: Simon Tardell <simon@tardell.se>
References: <CCAA01E3.51B2A%stefan@aaa-sec.com> <50855225.1030202@bull.net> <CANkYYy6HF-9pT94uwAUFHa619b4xWydBani0xRtcMKAeYMnhhQ@mail.gmail.com>
In-Reply-To: <CANkYYy6HF-9pT94uwAUFHa619b4xWydBani0xRtcMKAeYMnhhQ@mail.gmail.com>
X-MIMETrack: Itemize by SMTP Server on MSGC-007/SRV/BULL(Release 8.5.3FP1|March 07, 2012) at 22/10/2012 16:52:56, Serialize by Router on MSGC-007/SRV/BULL(Release 8.5.3FP1|March 07, 2012) at 22/10/2012 16:52:57, Serialize complete at 22/10/2012 16:52:57
X-TNEFEvaluated: 1
Content-Type: multipart/alternative; boundary="------------060306030306040807030403"
Cc: pkix@ietf.org
Subject: Re: [pkix] New draft-ietf-pkix-rfc2560bis-06
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Oct 2012 14:53:06 -0000

Simon,

You said:

"revocationReason must be certificateHold, since, in principle, the 
certificate may be issued at a later point in time".

I don't believe this is appropriate. If you have certificateHold then 
the OCSP client may make other calls later on
to check if the suspension state has finished or not.

The less controversial revocationReason is "unspecified".Let us go for 
"unspecified".

Denis

>
>      If the meaning of "revoked"
>     is changed it is also necessary to say what should be the values
>     of both
>     revocationTime and revocationReason:
>
> […]
>
>     CRLReason is defined in RFC 5280 as:
>
>        CRLReason ::= ENUMERATED {
>             unspecified             (0),
>             keyCompromise           (1),
>             cACompromise            (2),
>             affiliationChanged      (3),
>             superseded              (4),
>             cessationOfOperation    (5),
>             certificateHold         (6),
>                  -- value 7 is not used
>             removeFromCRL           (8),
>             privilegeWithdrawn      (9),
>             aACompromise           (10) }
>
>
>     For the revocationTime should we use the content of notBefore
>     field from the certificate ?
>
>
> The certificate that was not issued could have any time. It is also 
> not seen by the responder. The reasonable revocationTime would be "the 
> beginning of time". Any time which is before any reasonable issuance 
> time of any certificate in the PKI would do. The issuance time of the 
> issuing CA would do, or for that matter the battle of Hastings.
>
>     For the revocationReason should we use unspecified or keyCompromise ?
>
>
> revocationReason must be certificateHold, since, in principle, the 
> certificate may be issued at a later point in time. If a key was 
> compromised, it would be the CA key, not the key that the certificate.
>
>     In any case, guidance should be given.
>
>     Although I understand that changing the meaning of "revoked" may
>     be seen as "safer"
>     for old implemenations, changing the meaning of "unknown" also
>     seems to be a reasonable alternative.
>
>     In this case, it might be useful (and sufficient) to say that if
>     an OCSP responder is authoritative
>     for the target certificate, then the OCSP client SHOULD NOT use an
>     alternative source
>     of revocation information like CRLs.
>
>
> Which would be putting requirements on the behavior of already 
> existing OCSP clients out there that we know are not true and are out 
> of the control of most people setting up PKIs.
>
> Simon Tardell,
> Technology Nexus.
>

v2.23.0 | Report a Bug | By Email