Re: [lamps] [EXTERNAL] Re: draft-housley-lamps-norevavail-00

Mike Ounsworth <Mike.Ounsworth@entrust.com> Tue, 23 May 2023 19:33 UTC

From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Russ Housley <housley@vigilsec.com>
CC: Tim Hollebeek <tim.hollebeek@digicert.com>, Seo Suchan <tjtncks@gmail.com>, LAMPS <spasm@ietf.org>
Date: Tue, 23 May 2023 19:32:47 +0000
Message-ID: <DM8PR11MB573617E10370BF46DD6C5B6D9F409@DM8PR11MB5736.namprd11.prod.outlook.com>
References: <168444309553.24047.14923062710269229403@ietfa.amsl.com> <E2BE1DCD-A241-4DDF-A5EC-DD3209C4CDA2@vigilsec.com> <a2122a10-fdfd-aabc-5c3c-242d90bd4175@gmail.com> <D18F7C58-EC30-4640-9AB7-94E428B79F62@vigilsec.com> <CH0PR11MB5739CD4F7CCE62CE34E4B7319F7C9@CH0PR11MB5739.namprd11.prod.outlook.com> <3FEBFDE6-1AA9-4615-AFA7-FB0B650A5DAB@vigilsec.com> <SN7PR14MB6492368040612089C83EB21983409@SN7PR14MB6492.namprd14.prod.outlook.com> <FBE4078F-33C0-49E0-A25C-69BCA88DC0E6@vigilsec.com> <DM8PR11MB5736036B93C87D3F6A719DE09F409@DM8PR11MB5736.namprd11.prod.outlook.com> <DM8PR11MB5736E02D5E52113CAD16A6289F409@DM8PR11MB5736.namprd11.prod.outlook.com> <DM8PR11MB573650B6F19B3443B54B5AF69F409@DM8PR11MB5736.namprd11.prod.outlook.com> <53D0D2FC-36AE-4D91-95D9-55CF93A7F278@vigilsec.com>
In-Reply-To: <53D0D2FC-36AE-4D91-95D9-55CF93A7F278@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/T4Jdvf8Xx5xEaicDP17HGon7GQo>

Lol, soapbox indeed.

But that’s fine, right?

id-kp-OCSPSigning without id-pkix-ocsp-nocheck is fine (ocsp-nocheck is one of several mechanisms suggested in 4.2.2.2.1.)
id-pkix-ocsp-nocheck without id-kp-OCSPSigning is NOT FINE.

---
Mike Ounsworth

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
Sent: Tuesday, May 23, 2023 2:26 PM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Cc: Tim Hollebeek <tim.hollebeek@digicert.com>; Seo Suchan <tjtncks@gmail.com>; LAMPS <spasm@ietf.org>
Subject: Re: [lamps] [EXTERNAL] Re: draft-housley-lamps-norevavail-00

Mike:

I thought about the linkage between the nocheck extension and the OCSP Signing EKU.  I agree that there should not be any certificate that has no check that does not also have the OCSP Signing EKU.  However, given the way that some implementations handle EKU constraints one might find the OCSP Signing EKU without the nocheck extension.

Russ

P.S. Soapbox: https://www.ietf.org/archive/id/draft-housley-spasm-eku-constraints-03.txt




On May 23, 2023, at 2:59 PM, Mike Ounsworth <Mike.Ounsworth@entrust.com> wrote:

Also, and this is commentary on the proposed errata: how does a client enforce this? Should we be more precise about what “an OCSP Responder” is? Like

“A CA MUST NOT include the extension id-pkix-ocsp-nocheck in a
 certificate issued to an entity other than an OCSP Responder (i.e., one that contains the id-kp-OCSPSigning EKU).”

?

---
Mike Ounsworth

From: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>
Sent: Tuesday, May 23, 2023 1:52 PM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; Russ Housley <housley@vigilsec.com>; Tim Hollebeek <tim.hollebeek@digicert.com>
Cc: Seo Suchan <tjtncks@gmail.com>; LAMPS <spasm@ietf.org>
Subject: RE: [lamps] [EXTERNAL] Re: draft-housley-lamps-norevavail-00

I’m curious for Tim to present this change at CA/B and see if anyone freaks out that this will break their super clever use of that extension.

---
Mike Ounsworth

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Mike Ounsworth
Sent: Tuesday, May 23, 2023 1:50 PM
To: Russ Housley <housley@vigilsec.com>; Tim Hollebeek <tim.hollebeek@digicert.com>
Cc: Seo Suchan <tjtncks@gmail.com>; LAMPS <spasm@ietf.org>
Subject: Re: [lamps] [EXTERNAL] Re: draft-housley-lamps-norevavail-00

Awesome.

---
Mike Ounsworth

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
Sent: Tuesday, May 23, 2023 1:28 PM
To: Tim Hollebeek <tim.hollebeek@digicert.com>
Cc: Seo Suchan <tjtncks@gmail.com>; LAMPS <spasm@ietf.org>
Subject: Re: [lamps] [EXTERNAL] Re: draft-housley-lamps-norevavail-00

PROPOSED ERRATA for RFC 6960, Section 4.2.2.2.1

OLD:

   - A CA may specify that an OCSP client can trust a responder for the
     lifetime of the responder's certificate.  The CA does so by
     including the extension id-pkix-ocsp-nocheck.  This SHOULD be a
     non-critical extension.  The value of the extension SHALL be NULL.
     CAs issuing such a certificate should realize that a compromise of
     the responder's key is as serious as the compromise of a CA key
     used to sign CRLs, at least for the validity period of this
     certificate.  CAs may choose to issue this type of certificate with
     a very short lifetime and renew it frequently.

     id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }

NEW:

   - A CA may specify that an OCSP client can trust a responder for the
     lifetime of the responder's certificate.  The CA does so by
     including the extension id-pkix-ocsp-nocheck.  This SHOULD be a
     non-critical extension.  The value of the extension SHALL be NULL.
     CAs issuing such a certificate should realize that a compromise of
     the responder's key is as serious as the compromise of a CA key
     used to sign CRLs, at least for the validity period of this
     certificate.  CAs may choose to issue this type of certificate with
     a very short lifetime and renew it frequently.

     id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }

    A CA MUST NOT include the extension id-pkix-ocsp-nocheck in a
    certificate issued to an entity other than an OCSP Responder.

Russ

On May 23, 2023, at 11:34 AM, Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org> wrote:

Would it be useful to clearly and explicitly state this unstated assumption somewhere, perhaps in an errata?

“id-pkix-ocsp-nocheck SHALL NOT appear in a certificate unless that certificate is a delegated OCSP responder” would probably be a good thing to have stated somewhere.

I suppose it could be added to the CABF BRs as well.  They have the same bug (the BRs require nocheck in delegated OCSP responders, but don’t prohibit it elsewhere).

-Tim

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
Sent: Sunday, May 21, 2023 1:16 PM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Cc: Seo Suchan <tjtncks@gmail.com>; LAMPS <spasm@ietf.org>
Subject: Re: [lamps] [EXTERNAL] Re: draft-housley-lamps-norevavail-00

Mike:

Interesting


RFC 6960, section “4.2.2.2.1. Revocation Checking of an Authorized Responder” (https://www.rfc-editor.org/rfc/rfc6960#section-4.2.2.2.1)


“A CA may specify that an OCSP client can trust a responder for the
     lifetime of the responder's certificate.  The CA does so by
     including the extension id-pkix-ocsp-nocheck”

Are you allowed to put an id-pkix-ocsp-nocheck extension in end entity certs? If so, what does that mean?

My reading of the description is that id-pkix-ocsp-nocheck should only appear in a certificate issued to an OCSP responder.

Russ

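The linkage Mike states at the top of this thread (id-pkix-ocsp-nocheck is only acceptable alongside id-kp-OCSPSigning; the EKU without nocheck is fine) is easy to turn into a certificate lint. The Python below is an added example and is not code from the thread or from any of its participants. It uses only the standard library: a small DER encoder exists solely to build the sample Extensions blobs (constructed here, not taken from any real certificate), and a small DER decoder parses them. Besides the EKU linkage, the check also flags the two requirements the quoted RFC 6960 text places on the extension itself (value SHALL be NULL, SHOULD be non-critical).

```python
# Lint for the id-pkix-ocsp-nocheck / id-kp-OCSPSigning linkage from RFC 6960 4.2.2.2.1.
# Standard library only. The sample Extensions blobs below are constructed here for
# illustration and are not taken from any real certificate.

ID_PKIX_OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5"  # id-pkix-ocsp 5 (RFC 6960)
ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"      # id-kp-OCSPSigning (RFC 5280)
ID_CE_EXT_KEY_USAGE = "2.5.29.37"             # id-ce-extKeyUsage (RFC 5280)
NULL = b"\x05\x00"                            # DER NULL

# --- minimal DER encoder, short-form lengths only (used just to build the samples) ---

def tlv(tag, content):
    return bytes([tag, len(content)]) + content

def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (base-128 arcs, first two packed)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def encode_extension(oid, value, critical=False):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    body = encode_oid(oid) + (tlv(0x01, b"\xff") if critical else b"")
    return tlv(0x30, body + tlv(0x04, value))

# --- minimal DER decoder (handles long-form lengths as found in real certificates) ---

def parse_tlv(data, pos=0):
    """Return (tag, content, position after this element)."""
    tag, first, pos = data[pos], data[pos + 1], pos + 2
    if first & 0x80:                       # long form: next N octets hold the length
        n = first & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, data[pos:pos + length], pos + length

def decode_oid(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_extensions(der):
    """Return {extnID: (critical, extnValue bytes)} from a DER Extensions SEQUENCE."""
    _, seq, _ = parse_tlv(der)
    result, pos = {}, 0
    while pos < len(seq):
        _, ext, pos = parse_tlv(seq, pos)
        _, oid, p = parse_tlv(ext)
        tag, body, p = parse_tlv(ext, p)
        critical = False
        if tag == 0x01:                    # optional critical BOOLEAN precedes extnValue
            critical = body == b"\xff"
            _, body, _ = parse_tlv(ext, p)
        result[decode_oid(oid)] = (critical, body)
    return result

def parse_eku(value):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId -> set of dotted OIDs."""
    _, seq, _ = parse_tlv(value)
    ekus, pos = set(), 0
    while pos < len(seq):
        _, oid, pos = parse_tlv(seq, pos)
        ekus.add(decode_oid(oid))
    return ekus

def check_nocheck_linkage(extensions_der):
    """Rule from the thread: nocheck is acceptable only alongside id-kp-OCSPSigning;
    id-kp-OCSPSigning without nocheck is fine. Also checks the RFC 6960 requirements
    on the extension itself. Returns a list of findings (empty = consistent)."""
    exts = parse_extensions(extensions_der)
    nocheck = exts.get(ID_PKIX_OCSP_NOCHECK)
    if nocheck is None:
        return []
    eku = exts.get(ID_CE_EXT_KEY_USAGE)
    ekus = parse_eku(eku[1]) if eku else set()
    critical, value = nocheck
    findings = []
    if ID_KP_OCSP_SIGNING not in ekus:
        findings.append("id-pkix-ocsp-nocheck present without id-kp-OCSPSigning EKU")
    if value != NULL:
        findings.append("id-pkix-ocsp-nocheck value is not NULL (RFC 6960: SHALL be NULL)")
    if critical:
        findings.append("id-pkix-ocsp-nocheck is critical (RFC 6960: SHOULD be non-critical)")
    return findings

# --- constructed samples (not real certificates) ---

def sample_extensions(ekus, nocheck=True, critical=False):
    exts = [encode_extension(ID_CE_EXT_KEY_USAGE, tlv(0x30, b"".join(map(encode_oid, ekus))))]
    if nocheck:
        exts.append(encode_extension(ID_PKIX_OCSP_NOCHECK, NULL, critical))
    return tlv(0x30, b"".join(exts))

DELEGATED_RESPONDER = sample_extensions([ID_KP_OCSP_SIGNING])
RESPONDER_WITHOUT_NOCHECK = sample_extensions([ID_KP_OCSP_SIGNING], nocheck=False)
TLS_CERT_WITH_NOCHECK = sample_extensions(["1.3.6.1.5.5.7.3.1"])  # id-kp-serverAuth + nocheck
```

Running `check_nocheck_linkage` over the three samples gives no findings for the delegated responder and for the responder issued without nocheck, and one finding for the serverAuth certificate carrying nocheck, which is exactly the case the proposed errata text forbids. In a real linter the Extensions SEQUENCE would be sliced out of a parsed tbsCertificate rather than constructed; the decoder already handles long-form lengths, so `parse_extensions` works on that slice unchanged.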