Re: [lamps] [EXTERNAL] Re: draft-housley-lamps-norevavail-00

Mike Ounsworth <Mike.Ounsworth@entrust.com> Fri, 19 May 2023 20:44 UTC

From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Russ Housley <housley@vigilsec.com>, Seo Suchan <tjtncks@gmail.com>
CC: LAMPS <spasm@ietf.org>
Date: Fri, 19 May 2023 20:43:59 +0000
Message-ID: <CH0PR11MB5739CD4F7CCE62CE34E4B7319F7C9@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <168444309553.24047.14923062710269229403@ietfa.amsl.com> <E2BE1DCD-A241-4DDF-A5EC-DD3209C4CDA2@vigilsec.com> <a2122a10-fdfd-aabc-5c3c-242d90bd4175@gmail.com> <D18F7C58-EC30-4640-9AB7-94E428B79F62@vigilsec.com>
In-Reply-To: <D18F7C58-EC30-4640-9AB7-94E428B79F62@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/2zVmU_KtEHs8hWUUh06SSuEuG8c>

Interesting.


RFC 6960, section 4.2.2.2.1 (https://www.rfc-editor.org/rfc/rfc6960#section-4.2.2.2.1), "Revocation Checking of an Authorized Responder":

   "A CA may specify that an OCSP client can trust a responder for the
   lifetime of the responder's certificate.  The CA does so by
   including the extension id-pkix-ocsp-nocheck"

Are you allowed to put an id-pkix-ocsp-nocheck extension in end entity certs? If so, what does that mean?

I did a quick skim of the rest of the document and did not see this addressed (i.e. it's undefined). The correct answer is probably that that is an invalid cert; that an extension id-pkix-ocsp-nocheck MUST NOT appear in a certificate unless it has an EKU id-kp-OCSPSigning.

Am I missing something? Is this addressed somewhere? If not then should that be an erratum for 6960?

---
Mike Ounsworth
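The rule proposed in the message above (id-pkix-ocsp-nocheck is only acceptable in a certificate whose Extended Key Usage contains id-kp-OCSPSigning) is not something RFC 6960 states today, but it is easy to enforce in a certificate linter. The following is an added example, not code from the thread or from any IETF document. It hand-rolls a minimal DER encoder and decoder so that it runs without third-party libraries, and the inputs it checks are constructed Extensions sequences rather than full certificates; the OIDs used are the registered ones (id-ce-extKeyUsage 2.5.29.37, id-kp-OCSPSigning 1.3.6.1.5.5.7.3.9, id-pkix-ocsp-nocheck 1.3.6.1.5.5.7.48.1.5, id-kp-serverAuth 1.3.6.1.5.5.7.3.1). The function names are the example's own.

```python
"""Linter check for the proposed rule: id-pkix-ocsp-nocheck MUST NOT appear
unless the certificate's EKU contains id-kp-OCSPSigning.

The DER codec below is deliberately minimal (definite-length TLVs only) and
the 'certificates' are constructed Extensions sequences, not real certs.
"""

OID_EKU = "2.5.29.37"                    # id-ce-extKeyUsage (RFC 5280)
OID_OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5"  # id-pkix-ocsp-nocheck (RFC 6960)
OID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning
OID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth


# --- minimal DER encoding ----------------------------------------------------

def der_len(n: int) -> bytes:
    """Definite-length encoding: short form below 0x80, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def der_extension(oid: str, value: bytes, critical: bool = False) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    parts = der_oid(oid)
    if critical:
        parts += der_tlv(0x01, b"\xff")
    return der_tlv(0x30, parts + der_tlv(0x04, value))


def build_extensions(eku_oids, nocheck: bool) -> bytes:
    """Constructed test input: an Extensions SEQUENCE with optional EKU and nocheck."""
    exts = b""
    if eku_oids:
        eku = der_tlv(0x30, b"".join(der_oid(o) for o in eku_oids))
        exts += der_extension(OID_EKU, eku)
    if nocheck:
        exts += der_extension(OID_OCSP_NOCHECK, der_tlv(0x05, b""))  # value is NULL
    return der_tlv(0x30, exts)


# --- minimal DER decoding ----------------------------------------------------

def der_read(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def der_children(content: bytes):
    pos = 0
    while pos < len(content):
        tag, inner, pos = der_read(content, pos)
        yield tag, inner


def decode_oid(content: bytes) -> str:
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def parse_extensions(der: bytes) -> dict:
    """Map extnID (dotted OID) -> extnValue contents (the OCTET STRING body)."""
    tag, seq, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result = {}
    for _, ext in der_children(seq):
        fields = list(der_children(ext))
        result[decode_oid(fields[0][1])] = fields[-1][1]  # optional BOOLEAN sits in between
    return result


def nocheck_is_acceptable(der: bytes) -> bool:
    """True unless id-pkix-ocsp-nocheck is present without EKU id-kp-OCSPSigning."""
    exts = parse_extensions(der)
    if OID_OCSP_NOCHECK not in exts:
        return True
    eku = exts.get(OID_EKU)
    if eku is None:
        return False
    _, seq, _ = der_read(eku, 0)
    return OID_KP_OCSP_SIGNING in {decode_oid(c) for _, c in der_children(seq)}
```

Run against a delegated-responder profile (EKU OCSPSigning plus nocheck) it returns True; a server certificate that carries nocheck, or a certificate with nocheck and no EKU at all, is flagged, which is exactly the case the message says RFC 6960 leaves undefined.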

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
Sent: Friday, May 19, 2023 2:56 PM
To: Seo Suchan <tjtncks@gmail.com>
Cc: LAMPS <spasm@ietf.org>
Subject: [EXTERNAL] Re: [lamps] draft-housley-lamps-norevavail-00

Seo:

id-pkix-ocsp-nocheck is to avoid asking an OCSP Responder for status for its own certificate.

Russ



On May 19, 2023, at 3:47 PM, Seo Suchan <tjtncks@gmail.com> wrote:

I thought id-pkix-ocsp-nocheck already removed the revocation check, but I realized that's only for the OCSP check - are clients seeing certs with the id-pkix-ocsp-nocheck extension expected to check a CRL for that certificate? The only thing it is currently used for is the designated OCSP responder (for the root, iirc?), and I don't think it runs a CRL check for it.

On 2023-05-19 at 6:23 AM, Russ Housley wrote:
I want the LAMPS WG to be aware of this I-D.  However, I do not think we should adopt it until the event predicted in the History section actually comes to pass:

   With greater use of short-lived certificates in the Internet, the
   next revision of ITU-T Recommendation X.509 [X.509-TBD] is expected
   to allow the noRevAvail certificate extension to be used with public
   key certificates as well as attribute certificates.

Russ



From: internet-drafts@ietf.org
Subject: New Version Notification for draft-housley-lamps-norevavail-00.txt
Date: May 18, 2023 at 4:51:35 PM EDT
To: "Joseph Mandel" <joe.mandel@secureg.io>, "Russ Housley" <housley@vigilsec.com>, "Tomofumi Okubo" <tomofumi.okubo+ietf@gmail.com>


A new version of I-D, draft-housley-lamps-norevavail-00.txt
has been successfully submitted by Russ Housley and posted to the
IETF repository.

Name:           draft-housley-lamps-norevavail
Revision:       00
Title:          No Revocation Available for Short-lived X.509 Certificates
Document date:  2023-05-18
Group:          Individual Submission
Pages:          8
URL:            https://www.ietf.org/archive/id/draft-housley-lamps-norevavail-00.txt
Status:         https://datatracker.ietf.org/doc/draft-housley-lamps-norevavail/
Html:           https://www.ietf.org/archive/id/draft-housley-lamps-norevavail-00.html
Htmlized:       https://datatracker.ietf.org/doc/html/draft-housley-lamps-norevavail


Abstract:
  Short-lived X.509v3 public key certificates as profiled in RFC 5280
  are seeing greater use in the Internet.  The Certification Authorities
  (CAs) that issue these short-lived certificates do not publish
  revocation information because the certificate lifespan is
  shorter than the time needed to detect, report, and distribute
  revocation information.  This specification defines the noRevAvail
  certificate extension so that a relying party can readily determine
  that the CA does not publish revocation information for the
  certificate.


