Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15
"Piyush Jain" <piyush@ditenity.com> Wed, 03 April 2013 14:27 UTC
Return-Path: <piyush@ditenity.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2525D21F8AF8 for <pkix@ietfa.amsl.com>; Wed, 3 Apr 2013 07:27:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.249
X-Spam-Level:
X-Spam-Status: No, score=-3.249 tagged_above=-999 required=5 tests=[AWL=0.350, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ge1-bLDuyZSm for <pkix@ietfa.amsl.com>; Wed, 3 Apr 2013 07:27:34 -0700 (PDT)
Received: from mail-gh0-f173.google.com (mail-gh0-f173.google.com [209.85.160.173]) by ietfa.amsl.com (Postfix) with ESMTP id D18BB21F8EBD for <pkix@ietf.org>; Wed, 3 Apr 2013 07:27:32 -0700 (PDT)
Received: by mail-gh0-f173.google.com with SMTP id g16so233602ghb.4 for <pkix@ietf.org>; Wed, 03 Apr 2013 07:27:32 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-type:content-transfer-encoding :x-mailer:thread-index:content-language:x-gm-message-state; bh=YHxf1tY/guVoK9LREuIVlVtjEaTE9oGU5gTCunom3x4=; b=j7h/18x20LnXlzCW2cft2QwTu8L4un3sSOelB/+EvobkB+v6SUumxh+icmnndF0/Pc 3nWWiJ6Stqip1E/kf4rzPou3vLahSej2r5TKuSBv8pJyCFxWHu4rtNYZIWz6MTkeVMmn HJbLqQdFVeSz1UJWVnKJWFQ3kCLtL8CD6xXD+Ogl62sGBdVNorWHMVC7PBVkunDcq1ZY rkdvcPJ+2fSr2wcf3RjTZXkWmoaYVZU4hcs4PeNxefBHH/gQ92dVcWnEW1bwsZr0Ei95 a9XHMCdjmw+heo6fp3i0fCoM2i9e9IuGHdz7A8TWJSSv7sxhfjY6okXEvZR3/RiUP/WL Owfg==
X-Received: by 10.236.222.69 with SMTP id s65mr1069481yhp.59.1364999252279; Wed, 03 Apr 2013 07:27:32 -0700 (PDT)
Received: from hp13 (75-25-128-241.lightspeed.sjcpca.sbcglobal.net. [75.25.128.241]) by mx.google.com with ESMTPS id u80sm9832978yhj.5.2013.04.03.07.27.30 (version=TLSv1 cipher=RC4-SHA bits=128/128); Wed, 03 Apr 2013 07:27:31 -0700 (PDT)
From: Piyush Jain <piyush@ditenity.com>
To: mrex@sap.com
References: <017c01ce2cb3$7be35ff0$73aa1fd0$@ditenity.com> <20130403083722.3DEE51A68A@ld9781.wdf.sap.corp>
In-Reply-To: <20130403083722.3DEE51A68A@ld9781.wdf.sap.corp>
Date: Wed, 03 Apr 2013 07:27:20 -0700
Message-ID: <003e01ce3077$5b6329f0$12297dd0$@ditenity.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQGP4C5YLbWgWb1CVXRipiGNWyqUf5lBI+fw
Content-Language: en-us
X-Gm-Message-State: ALoCoQmcKfe/30iA52diWud2gAmFocDUXJ8yRRhtMlWaWM3hiyPlOqQFk1fcwVRbZRONA9ltK4g/
X-Mailman-Approved-At: Wed, 03 Apr 2013 07:28:59 -0700
Cc: ambarish@gmail.com, slava.galperin@gmail.com, cadams@eecs.uottawa.ca, 'Stefan Santesson' <stefan@aaa-sec.com>, "'Black, David'" <david.black@emc.com>, sts@aaa-sec.com, pkix@ietf.org, gen-art@ietf.org
Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Apr 2013 14:27:39 -0000
> There is *NO* overloading of a revoked status. The change is making use of > an existing temporary revocation status (certificateHold) **EXACTLY** with > the original semantics for a temporary revocation, originating from X.509 > 08/2005 8.5.2.2 (a): > [Piyush] Revokes status is being used to communicate non-existent certificates. > > If you want to describe "an OCSP responder no longer responding 'good' > for certificate serial numbers for which no records of issuance exist" > as "breaking compatibility with older clients", then yes, this is what we want > to do. [Piyush] That is not what I implied. There were alternatives proposed to address fraudulently-issued certificates in OCSP (none of them solved the problem completely BTW). The reason cited by you along with a few others was that any other proposal would require clients to be updated. This is what breaking backward compatibility means. > > But in reality, this is change is about fixing a security problem that was > documented as such in rfc2560 for the "good" status. > [Piyush] What security problem? I don't see any security problem documented in RFC 2560 bis and repeated refusal to discuss how 2560bis solves any security problems. The only vague goal stated is - "it allows responders to return revoked for non-issued so clients do not fall back to CRL" I also see a creative way to circumvent responder trust issue by saying that servers indicate "non-issued" by setting the revocation date to 1970 but clients should not interpret the response as non-issued. > > > > > > > I believe that Stefan is trying to convey that requiring servers to > > return revoked in this context will make them non-compliant with 2560 > > and 5019 as opposed to breaking interoperability with legacy clients. [Piyush] This part I agree with as I stated in my original post. Backward compatibility is wrong choice of words. Compliance with other standards is the right choice. Standards are not backward compatible. Implementations of standards are. > > The proposed change primarily intends to _standardize_ how to report > revoked/certificateHold for "not-issued" certificate serial numbers, > something that has been found useful (and already been used) in dealing > with certain kinds of security breaches of CAs/RAs. > [Piyush] May be so. But that is not the goal cited for this update. Yes a few CA vendors may have adopted it but that no way indicates consensus among CA vendors. If you refer to CAB forum thread, most reputable CA vendors are reluctant to adopt it. > > Returning an error code response status would be > just dumb for an authoritative OCSP responder. > [Piyush] Really. And why is that. It actually makes a lot of sense and that is why CAs "who are not compromised" continue to return an error code for such responses. The only requirement for them is to be confident of the certificates they have issued. The only reason a CA would return a revoked for non-issued is that it is not sure if certificates are fraudulently issued using its key. > > Should rfc5019 be interpreted to suggest for authoritative OCSP responders > to returning an error code for "not-issued" certs does not make such > behaviour any less dumb. > [Piyush] The behavior that you are calling dumb has enabled the CAs to scale their OCSP infrastructure. What is dumb IMO is to continue to run the CA after being compromised and demanding that standards be updated to support such behavior. > > -Martin
- [pkix] Gen-ART review of draft-ietf-pkix-rfc2560b… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Sean Turner
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
- [pkix] Gen-ART review of draft-ietf-pkix-rfc2560b… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- [pkix] review of draft-ietf-pkix-rfc2560bis-15 Peter Rybar
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Stefan Santesson
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Andris Berzins
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Andris Berzins
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Piyush Jain
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Stefan Santesson
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Peter Rybar
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Peter Rybar
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Martin Rex
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Martin Rex
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Sean Turner
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Sean Turner
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Martin Rex
- Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15 Peter Rybar
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Sean Turner
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Black, David
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Piyush Jain
- Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2… Stefan Santesson