Re: [pkix] Proposed resolution to non-issued certificates - 2560bis

Tom Ritter <tom@ritter.vg> Wed, 31 October 2012 19:32 UTC

Return-Path: <tom@ritter.vg>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C4E521F8821 for <pkix@ietfa.amsl.com>; Wed, 31 Oct 2012 12:32:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.976
X-Spam-Level:
X-Spam-Status: No, score=-2.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BegoSolRDwjI for <pkix@ietfa.amsl.com>; Wed, 31 Oct 2012 12:32:44 -0700 (PDT)
Received: from mail-vb0-f44.google.com (mail-vb0-f44.google.com [209.85.212.44]) by ietfa.amsl.com (Postfix) with ESMTP id 92E7021F85CE for <pkix@ietf.org>; Wed, 31 Oct 2012 12:32:44 -0700 (PDT)
Received: by mail-vb0-f44.google.com with SMTP id fc26so2147137vbb.31 for <pkix@ietf.org>; Wed, 31 Oct 2012 12:32:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=FYuWCO0StKohiV1FUd5nYZ1gx8i+0rHpY+wGP9jbvzk=; b=VIT2OXsyJeGr1RJjJpya0vKaDfO/58awPzxhCF9d4DSzlXj32xrUoa2H1z3l4sZ2Jc lDXMbJlDFGAsFi+UZ1T9NxU9yjjTPU/9wofBzBKA1JWgluJwJTTOYhBfDIfnxXiNiX49 akaH6bYvNXQZlAd9VyUPgWcFtxsIUTnwdfJqA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:x-gm-message-state; bh=FYuWCO0StKohiV1FUd5nYZ1gx8i+0rHpY+wGP9jbvzk=; b=NXz6DL7frIn9TBrkoksZpZ/C6MBRefIHY9H3F69Ctmut7e8jHqKeKOfWoSwX/oW9bu JsKS7We7JBynGPW0wMEuWOji/eHzvxIEb/dYRyYVvz8r3rXg1hgR3OpAvE2DeT1BQJhp fRaQP7Lz9xAXHzge7CQcnzwaehVo77nTL9++anBWA5mbXMD/1pQddXFCUXit9ZU6GG7b yV7dIJUtNPUzA+bGVf9zzrHuPamC8e0bsmBhioL5oIV4M9GzKdyZTBlQDSINaUlUkuw8 Q/OC//X5nToDQBUUNSxHQmWg9Dl9tTpDwM8up793AVhG8D0oO/KXQ6Qyh27fuB5WQkjr bItA==
Received: by 10.52.96.6 with SMTP id do6mr48651600vdb.84.1351711963925; Wed, 31 Oct 2012 12:32:43 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.58.151.178 with HTTP; Wed, 31 Oct 2012 12:32:23 -0700 (PDT)
In-Reply-To: <CCB72811.5281A%stefan@aaa-sec.com>
References: <CA+i=0E6yVQT3P0Dbqizgvv+Rt-zCbx_FUjAAinW=MNF5nvTmQQ@mail.gmail.com> <CCB72811.5281A%stefan@aaa-sec.com>
From: Tom Ritter <tom@ritter.vg>
Date: Wed, 31 Oct 2012 15:32:23 -0400
Message-ID: <CA+cU71mdeGhkuLBxdkYFD98Hvk=WMROB0C5TZQhLYy5RhYXAAg@mail.gmail.com>
To: Stefan Santesson <stefan@aaa-sec.com>
Content-Type: multipart/alternative; boundary="20cf307abe3d72cded04cd5ff7ef"
X-Gm-Message-State: ALoCoQmyqKFY0JresHOvbnE0d9e8/elQ0YnGZbpstI1WdEhzod3igA8n6nynbNyVQheQSrdkjOrK
Cc: IETF PKIX <pkix@ietf.org>
Subject: Re: [pkix] Proposed resolution to non-issued certificates - 2560bis
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Oct 2012 19:32:45 -0000

Think I missed this email while sending in my vote, sorry.

On 31 October 2012 14:46, Stefan Santesson <stefan@aaa-sec.com> wrote:

> 1) Extend the "revoked" response to also be allowed for non-issued
> certificates. Clearly stating that this is optional if and only if the
> OCSP responder knows that the requested serial number has never been
> issued.
>

Cool.


> 2) Specify that a "revoked" status for a non-issued certificate serial
> number MUST have revocationTime set to Jan 1, 1970 and MUST set the
> revocationReason to certificateHold (6).
>

Is the 0 unix epoch overloaded/used in other contexts?  Have CAs set this
date as the revocation date in other situations/for legacy reasons?  Would
it be better to use something similar like Jan 2, 1970?  It's another magic
value which is crappy but...


> 2) Define a new optional non-critical extension declaring that OCSP
> responder returns "revoked" for non-issued certificates according to the
> updated standard. This extension MUST be present in all responses where
> the "revoked" response is returned as a result of a status request for a
> non-issued certificate.
>

Cool.



> Question:
> Would it make sense to require an OCSP responder that adopts the expanded
> use of "revoked" to always include the new extension?
> It would add the benefit that someone receiving "good" can know that the
> OCSP responder has checked that the certificate in fact has been issued by
> the CA.
>
> In such case it may be reasonable to add an optional data structure which
> MAY contain a hash of the cert.
> Such hash would make the positive confirmation even stronger, adding proof
> of existence of the certificate.
>

I'll register my vote for all these items also - I like the idea of
providing transparency into the operations of the responders.

-tom.
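The rules quoted above (items 1 through 3 of Stefan's proposal, plus Tom's question about the epoch value being overloaded) can be turned into a small relying-party classifier. The following is an added example, not code from this thread or from any OCSP implementation; the extension OID is a labelled placeholder because the proposal assigns none, and the SingleResponse fields are modelled as a plain dataclass rather than parsed from DER. It shows why the marker pair (revocationTime of Jan 1 1970 plus certificateHold) is only unambiguous when the new extension is also present.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional, Tuple

# Values stated in the proposal on this thread.
NON_ISSUED_REVOCATION_TIME = datetime(1970, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
CERTIFICATE_HOLD = 6  # CRLReason certificateHold(6)

# Placeholder: the proposal defines a new extension but assigns no OID here.
EXTENDED_REVOKED_EXT_OID = "PLACEHOLDER-OID-extended-revoked"


def parse_generalized_time(value: str) -> datetime:
    """Parse the restricted GeneralizedTime form used in OCSP (YYYYMMDDHHMMSSZ)."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


@dataclass
class SingleResponse:
    """Constructed model of the fields a relying party looks at."""
    serial: int
    cert_status: str                      # "good", "revoked" or "unknown"
    revocation_time: Optional[str] = None  # GeneralizedTime string when revoked
    revocation_reason: Optional[int] = None
    # OIDs of extensions carried in the enclosing response.
    response_extensions: Tuple[str, ...] = field(default_factory=tuple)


def interpret(sr: SingleResponse) -> str:
    """Classify a response according to the proposed 2560bis rules.

    Returns one of:
      good               - ordinary "good" from a responder not using the extension
      good-issuance-checked - "good" plus the extension: responder asserts issuance
      unknown            - ordinary "unknown"
      revoked            - genuine revocation of an issued certificate
      non-issued         - marker values plus the extension: serial never issued
      revoked-ambiguous  - marker values without the extension: could be a
                           legacy responder that used the epoch for other reasons
    """
    has_ext = EXTENDED_REVOKED_EXT_OID in sr.response_extensions
    if sr.cert_status == "good":
        return "good-issuance-checked" if has_ext else "good"
    if sr.cert_status == "unknown":
        return "unknown"
    if sr.cert_status != "revoked":
        raise ValueError(f"bad certStatus: {sr.cert_status!r}")
    if sr.revocation_time is None:
        raise ValueError("revoked status requires revocationTime")

    marker = (
        parse_generalized_time(sr.revocation_time) == NON_ISSUED_REVOCATION_TIME
        and sr.revocation_reason == CERTIFICATE_HOLD
    )
    if marker and has_ext:
        return "non-issued"
    if marker:
        # Tom's concern: without the extension the epoch value is just a magic
        # number that another responder might have emitted for legacy reasons.
        return "revoked-ambiguous"
    return "revoked"


# Constructed sample responses covering each branch.
SAMPLES = {
    "real_revocation": SingleResponse(
        0x1001, "revoked", "20121030120000Z", 1,
        response_extensions=(EXTENDED_REVOKED_EXT_OID,)),
    "never_issued": SingleResponse(
        0x1002, "revoked", "19700101000000Z", CERTIFICATE_HOLD,
        response_extensions=(EXTENDED_REVOKED_EXT_OID,)),
    "epoch_no_ext": SingleResponse(
        0x1003, "revoked", "19700101000000Z", CERTIFICATE_HOLD),
    "good_checked": SingleResponse(
        0x1004, "good", response_extensions=(EXTENDED_REVOKED_EXT_OID,)),
    "good_plain": SingleResponse(0x1005, "good"),
}


def classify_samples() -> dict:
    return {name: interpret(sr) for name, sr in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:16s} -> {verdict}")
```

The "revoked-ambiguous" branch is the practical answer to the epoch question in the message: a client cannot tell a genuine hold dated to the epoch from a non-issued marker unless the responder also signals adoption of the new semantics through the extension, which is why requiring the extension in every response from an adopting responder makes the "good" case more meaningful as well.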