IETF Logo Mail Archive

Re: [pkix] Proposed resolution to non-issued certificates - 2560bis

"Piyush Jain" <piyush@ditenity.com> Fri, 02 November 2012 19:53 UTC

Return-Path: <piyush@ditenity.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4135D11E80D3 for <pkix@ietfa.amsl.com>; Fri, 2 Nov 2012 12:53:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rQA3+GkWKLos for <pkix@ietfa.amsl.com>; Fri, 2 Nov 2012 12:53:39 -0700 (PDT)
Received: from mail-ie0-f172.google.com (mail-ie0-f172.google.com [209.85.223.172]) by ietfa.amsl.com (Postfix) with ESMTP id AB70111E80BF for <pkix@ietf.org>; Fri, 2 Nov 2012 12:53:39 -0700 (PDT)
Received: by mail-ie0-f172.google.com with SMTP id 9so6272643iec.31 for <pkix@ietf.org>; Fri, 02 Nov 2012 12:53:39 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-type:content-transfer-encoding:x-mailer :thread-index:content-language:x-gm-message-state; bh=jsD0osUO2ozBlfCzzkPsXXpU7S1dW6VteBO+qMN95ms=; b=OXhA1xQNeqNC7iJR7vOudgmMjHTun53F546vjHCwpF1MMyRNB5sFtL29gE7PWwjItW sq4i2sVuE5KGPYUM+OoBA4tHS33of6IiTIZUoraKzC2gMk5p0sivWZrr3UzlDa1gUn52 N7M0UYyPYLvvNvHYu90qfWZxo8cJCTyMKu4rQvXic6Z4ujgoZe95faAFUS8vssK5N2AK ahIHcwTK5Esc4oV9kRfuEJla+EFNhdAD6XFjkyoOlDqc3ALjQuvxcZUgp9K+08Po9ZK3 Lw0oacH3seBkVJ/dDCnek01ooDCegHvayh9FD6ftrbLG+Sug6z0SPzjXl2OxjuJvcWCe P2MA==
Received: by 10.50.95.167 with SMTP id dl7mr2812974igb.8.1351886019126; Fri, 02 Nov 2012 12:53:39 -0700 (PDT)
Received: from hp13 (75-25-128-241.lightspeed.sjcpca.sbcglobal.net. [75.25.128.241]) by mx.google.com with ESMTPS id y10sm2087779igc.13.2012.11.02.12.53.36 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 02 Nov 2012 12:53:38 -0700 (PDT)
From: Piyush Jain <piyush@ditenity.com>
To: mrex@sap.com
References: <044901cdb91b$e1b407a0$a51c16e0$@ditenity.com> <20121102184644.444221A323@ld9781.wdf.sap.corp>
In-Reply-To: <20121102184644.444221A323@ld9781.wdf.sap.corp>
Date: Fri, 02 Nov 2012 12:53:33 -0700
Message-ID: <048601cdb933$bf3848e0$3da8daa0$@ditenity.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-index: AQJEiJilXmVWcNKd2AuhG4Lt91OVIJbpST2g
Content-Language: en-us
X-Gm-Message-State: ALoCoQko57DFLMWXV5ccQ7KFHWiWXu7ZToJciXQCq0ikfKCsP0uX8fqxRVJdMEt9YXqDTaBjLN4u
Cc: 'Peter Rybar' <peterryb@gmail.com>, pkix@ietf.org, 'Stefan Santesson' <stefan@aaa-sec.com>
Subject: Re: [pkix] Proposed resolution to non-issued certificates - 2560bis
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Nov 2012 19:53:40 -0000

> But somewhat ignorant of how X.509 defines the meaning of revocationDate.

Don't know how you concluded this from either mine or Peter's comments.

> revocationDate of a CRL does not give you either of the two interesting
times: (a) when a certificate was revoked and (b) since when a certificate
is  supposed to be invalid.

My interpretation was that revocationDate tells you a) but not b). For b)
you need invalidity date extension. Your assertion is that revocationDate
does not tell you the revocation time. I think it is incorrect.  Here is the
excerpt from 5280 section 5.1.2.6
  "Certificates revoked by the CA are uniquely identified by the certificate
serial number.  The date on which the revocation occurred is specified.  The
time for revocationDate MUST  be expressed as described in section 5.1.2.4."


> OCSP was designed to report on status _other_ than revocation, but didn't
define any codepoints to convey "reject this cert"  other than those defined
for CRLs.  

OCSP explicitly states that good status implies that certificate was never
revoked and does not necessarily imply that cert was issued or valid. And
that response extension may be used to convey additional information
regarding the status such as positive statements about issuance and
validity.  The code points were not defined but the provision for including
those additional statuses is clearly stated - by defining response
extension, not by overloading the meaning of revoked. 

>And from that list, in order to interoperate with the installed base
"certificateHold, reject" appears to be the most sensible choice.
I fail to understand how this helps interoperability. And what "install
base" are you talking about - public CA deployments, enterprise OCSP
deployments or something else.

> There is no such thing as a strict sequence of OCSP responses, so the
> conventions that apply to the relation of revocationDate to thisUpdate for
a
> serial listed on a CRL do not apply to OCSP.  FWIW, they also apply only
to the
> very first CRL that this serial appears on, so in general, this is a
pretty
> irrelevant characteristic for code that processes CRLs and OCSP responses.

All the more reason to add sections in OCSP to clarify the meaning of
revcationTime and revocationReason in OCSP. Currently there is no text for
these fields in OCSP and people fallback to 5280 to figure out what it means
and how it should be set.

v2.23.0 | Report a Bug | By Email