Re: [lamps] [EXTERNAL] Re: draft-housley-lamps-norevavail-00

Mike Ounsworth <Mike.Ounsworth@entrust.com> Tue, 23 May 2023 12:41 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/J-LF4cdptl2mtsyvDwJyRIm7d_w>

Deb,

> I would not use an extension that clearly states 'OCSP nocheck' for something that isn't OCSP.  It leads to confusion at a minimum.

I’m not the one petitioning here, but I’ll play devil’s advocate. I don’t think that’s quite the right argument. If I have an EE cert for which I know there is no OCSP info available and I want an extension to state that explicitly, that’s clearly OCSP-related, so why is “OCSP nocheck” not appropriate?

I was hoping that 6960 would have strong language about whether id-pkix-ocsp-nocheck is or is not allowed in EE certs, but didn’t find it.

---
Mike Ounsworth

From: Deb Cooley <debcooley1@gmail.com>
Sent: Tuesday, May 23, 2023 6:25 AM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Subject: Re: [lamps] [EXTERNAL] Re: draft-housley-lamps-norevavail-00

The fact that the extension says 'OCSP' in it and is defined in the OCSP RFC should be enough of a clue.

I would not use an extension that clearly states 'OCSP nocheck' for something that isn't OCSP.  It leads to confusion at a minimum.  The spider web of RFCs is already confusing enough in this space.

Obviously only my opinion.
Deb

On Mon, May 22, 2023 at 3:02 PM Mike Ounsworth <Mike.Ounsworth@entrust.com> wrote:
Thanks Deb,

> Please don't overload the OCSP no check extension.  That extension is only for OCSP certs to avoid a circular loop.  Not for end entity certificates.

My question is whether that is sufficiently well-stated in 6960?

---
Mike Ounsworth

From: Deb Cooley <debcooley1@gmail.com>
Sent: Monday, May 22, 2023 2:01 PM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; Seo Suchan <tjtncks@gmail.com>
Cc: LAMPS <spasm@ietf.org>
Subject: Re: [lamps] [EXTERNAL] Re: draft-housley-lamps-norevavail-00

I haven't read this whole chain, but my ears perked up when this extension was mentioned.

Please don't overload the OCSP no check extension.  That extension is only for OCSP certs to avoid a circular loop.  Not for end entity certificates.

Care needs to be taken here to avoid unintended consequences.  Jumping up to implement the first idea is seldom wise.

On Sun, May 21, 2023 at 1:16 PM Russ Housley <housley@vigilsec.com> wrote:
Mike:

Interesting

RFC6960, section “4.2.2.2.1. Revocation Checking of an Authorized Responder” <https://www.rfc-editor.org/rfc/rfc6960#section-4.2.2.2.1>:

“A CA may specify that an OCSP client can trust a responder for the lifetime of the responder's certificate. The CA does so by including the extension id-pkix-ocsp-nocheck”

Are you allowed to put an id-pkix-ocsp-nocheck extension in end entity certs? If so, what does that mean?

My reading of the description is that id-pkix-ocsp-nocheck should only appear in a certificate issued to an OCSP responder.

Russ

_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm
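The practical consequence of the reading Russ and Deb give to RFC 6960 section 4.2.2.2.1 is a lint rule a CA or a certificate-inspection tool can apply: id-pkix-ocsp-nocheck belongs only in a certificate whose extended key usage carries id-kp-OCSPSigning, the extension should be non-critical, and its value is NULL. The code below is an added example written for this thread; it is not code from any of the participants, from RFC 6960, or from any library. It carries its own minimal DER encoder and decoder so it runs on the Python standard library alone, the OIDs are the registered ones from RFC 5280 and RFC 6960, and the two extension lists at the bottom (a delegated OCSP responder and a TLS server certificate that borrowed the extension) are constructed for the example rather than taken from real certificates.

```python
"""Lint an X.509 Extensions sequence for misuse of id-pkix-ocsp-nocheck.
Added example (not code from this thread, RFC 6960 or any library); stdlib-only
DER codec, and every sample extension list below is constructed."""

ID_PKIX_OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5"  # RFC 6960, section 4.2.2.2.1
ID_CE_EXT_KEY_USAGE = "2.5.29.37"              # RFC 5280, section 4.2.1.12
ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"       # RFC 6960, section 4.2.2.2
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"        # RFC 5280, section 4.2.1.12
DER_NULL = b"\x05\x00"                         # the only value RFC 6960 allows for nocheck

def _der_len(n):
    if n < 0x80:  # short form; long form prefixes the length octets with 0x80 | count
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc

def der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted):
    """First two arcs share one octet (40*a+b); later arcs are base-128, high bit = more."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_tlv(buf, pos=0):
    """Return (tag, contents, offset just past this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def encode_extension(oid, value, critical=False):
    """RFC 5280 Extension: extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING."""
    body = encode_oid(oid) + (der(0x01, b"\xff") if critical else b"")  # DER omits a FALSE default
    return der(0x30, body + der(0x04, value))

def encode_extensions(exts):
    return der(0x30, b"".join(encode_extension(*e) for e in exts))

def encode_eku(purposes):
    return der(0x30, b"".join(encode_oid(p) for p in purposes))

def parse_extensions(extensions_der):
    """Decode Extensions into [(oid, critical, extnValue contents)]."""
    _, seq, _ = parse_tlv(extensions_der)
    exts, pos = [], 0
    while pos < len(seq):
        _, ext, pos = parse_tlv(seq, pos)
        _, oid_body, p = parse_tlv(ext)
        tag, body, p = parse_tlv(ext, p)
        critical = False
        if tag == 0x01:  # the optional critical BOOLEAN is present
            critical = body != b"\x00"
            tag, body, p = parse_tlv(ext, p)
        exts.append((decode_oid(oid_body), critical, body))
    return exts

def parse_eku(value):
    _, seq, _ = parse_tlv(value)
    purposes, pos = [], 0
    while pos < len(seq):
        _, body, pos = parse_tlv(seq, pos)
        purposes.append(decode_oid(body))
    return purposes

def lint_nocheck(extensions_der):
    """Findings about id-pkix-ocsp-nocheck; an empty list means nothing to flag."""
    exts = {oid: (crit, val) for oid, crit, val in parse_extensions(extensions_der)}
    if ID_PKIX_OCSP_NOCHECK not in exts:
        return []
    critical, value = exts[ID_PKIX_OCSP_NOCHECK]
    findings = []
    if critical:
        findings.append("nocheck SHOULD be non-critical (RFC 6960 4.2.2.2.1)")
    if value != DER_NULL:
        findings.append("nocheck value SHALL be NULL (RFC 6960 4.2.2.2.1)")
    eku = parse_eku(exts[ID_CE_EXT_KEY_USAGE][1]) if ID_CE_EXT_KEY_USAGE in exts else []
    if ID_KP_OCSP_SIGNING not in eku:
        findings.append("nocheck present but no id-kp-OCSPSigning EKU: not an OCSP responder cert")
    return findings

# Constructed samples: a delegated OCSP responder, and a TLS server cert that borrowed nocheck.
RESPONDER_EXTS = encode_extensions([(ID_CE_EXT_KEY_USAGE, encode_eku([ID_KP_OCSP_SIGNING]), True),
                                    (ID_PKIX_OCSP_NOCHECK, DER_NULL)])
EE_EXTS = encode_extensions([(ID_CE_EXT_KEY_USAGE, encode_eku([ID_KP_SERVER_AUTH])),
                             (ID_PKIX_OCSP_NOCHECK, DER_NULL)])
```

`lint_nocheck(RESPONDER_EXTS)` returns an empty list, while `lint_nocheck(EE_EXTS)` returns the single finding that the certificate is not an OCSP responder, which is exactly the end-entity case the thread is debating. To run the rule over a real certificate, feed it the DER contents of the `extensions [3]` element of the TBSCertificate; the codec here handles long-form lengths, so extension lists over 127 bytes parse as well.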