Re: [lamps] [EXTERNAL] Re: draft-housley-lamps-norevavail-00

Tim Hollebeek <tim.hollebeek@digicert.com> Tue, 23 May 2023 15:34 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Russ Housley <housley@vigilsec.com>, Mike Ounsworth <Mike.Ounsworth@entrust.com>
CC: Seo Suchan <tjtncks@gmail.com>, LAMPS <spasm@ietf.org>
Date: Tue, 23 May 2023 15:34:00 +0000
Message-ID: <SN7PR14MB6492368040612089C83EB21983409@SN7PR14MB6492.namprd14.prod.outlook.com>
References: <168444309553.24047.14923062710269229403@ietfa.amsl.com> <E2BE1DCD-A241-4DDF-A5EC-DD3209C4CDA2@vigilsec.com> <a2122a10-fdfd-aabc-5c3c-242d90bd4175@gmail.com> <D18F7C58-EC30-4640-9AB7-94E428B79F62@vigilsec.com> <CH0PR11MB5739CD4F7CCE62CE34E4B7319F7C9@CH0PR11MB5739.namprd11.prod.outlook.com> <3FEBFDE6-1AA9-4615-AFA7-FB0B650A5DAB@vigilsec.com>
In-Reply-To: <3FEBFDE6-1AA9-4615-AFA7-FB0B650A5DAB@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Y6cgMez1AS0jPZZQ1HU-oU85uW0>
Subject: Re: [lamps] [EXTERNAL] Re: draft-housley-lamps-norevavail-00

Would it be useful to clearly and explicitly state this unstated assumption somewhere, perhaps in an erratum?

“id-pkix-ocsp-nocheck SHALL NOT appear in a certificate unless that certificate is a delegated OCSP responder” would probably be a good thing to have stated somewhere.

I suppose it could be added to the CABF BRs as well.  They have the same bug (the BRs require nocheck in delegated OCSP responders, but don’t prohibit it elsewhere).

-Tim

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
Sent: Sunday, May 21, 2023 1:16 PM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Cc: Seo Suchan <tjtncks@gmail.com>; LAMPS <spasm@ietf.org>
Subject: Re: [lamps] [EXTERNAL] Re: draft-housley-lamps-norevavail-00

Mike:

Interesting.

RFC 6960, section 4.2.2.2.1, "Revocation Checking of an Authorized Responder" <https://www.rfc-editor.org/rfc/rfc6960#section-4.2.2.2.1>:

"A CA may specify that an OCSP client can trust a responder for the
lifetime of the responder's certificate. The CA does so by
including the extension id-pkix-ocsp-nocheck"

Are you allowed to put an id-pkix-ocsp-nocheck extension in end entity certs? If so, what does that mean?

My reading of the description is that id-pkix-ocsp-nocheck should only appear in a certificate issued to an OCSP responder.

Russ
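The rule Tim proposes above ("id-pkix-ocsp-nocheck SHALL NOT appear in a certificate unless that certificate is a delegated OCSP responder") is easy to turn into a lint. The following is an added example written for this page, not code from the thread, the RFC, or any CA's tooling. It walks a DER certificate with a minimal hand-written TLV reader (no third-party ASN.1 library), collects the extensions, and reports two things: id-pkix-ocsp-nocheck (1.3.6.1.5.5.7.48.1.5) present without the id-kp-OCSPSigning extended key usage (1.3.6.1.5.5.7.3.9), and an extnValue that is not ASN.1 NULL, which RFC 6960 requires for this extension. The certificate bytes used for the demonstration are constructed by `build_test_certificate`, a sample-data helper that emits an unsigned, placeholder-filled certificate skeleton; the function names are this example's own. The lint does not verify the signature and does not check RFC 6960's other condition, that a delegated responder is issued directly by the CA whose certificates it answers for; those are assumed to be checked elsewhere.

```python
"""Lint for id-pkix-ocsp-nocheck appearing outside delegated OCSP responder certs."""
from typing import Dict, Iterator, List, Tuple

OID_OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5"    # RFC 6960 id-pkix-ocsp-nocheck
OID_EXT_KEY_USAGE = "2.5.29.37"              # RFC 5280 extKeyUsage
OID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"    # RFC 5280 id-kp-OCSPSigning
ASN1_NULL = b"\x05\x00"


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, next_pos) for the DER element at buf[pos]. Low-tag form only."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                              # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def _children(content: bytes) -> Iterator[Tuple[int, bytes]]:
    """Iterate the (tag, content) pairs inside a constructed element."""
    pos = 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        yield tag, body


def _decode_oid(body: bytes) -> str:
    subids, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(val)
            val = 0
    first = subids[0]                          # first two arcs are packed into one subidentifier
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, head + subids[1:]))


def certificate_extensions(cert_der: bytes) -> Dict[str, bytes]:
    """Map extnID -> extnValue (contents of the OCTET STRING) for a DER Certificate."""
    _, cert, _ = _read_tlv(cert_der, 0)        # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)             # tbsCertificate is its first element
    exts: Dict[str, bytes] = {}
    for tag, body in _children(tbs):
        if tag == 0xA3:                        # extensions [3] EXPLICIT Extensions
            _, ext_seq, _ = _read_tlv(body, 0)
            for _, ext in _children(ext_seq):  # Extension ::= SEQUENCE {extnID, critical?, extnValue}
                fields = list(_children(ext))
                exts[_decode_oid(fields[0][1])] = fields[-1][1]
    return exts


def lint_ocsp_nocheck(cert_der: bytes) -> List[str]:
    """Findings for a certificate that carries id-pkix-ocsp-nocheck; empty list if fine."""
    findings: List[str] = []
    exts = certificate_extensions(cert_der)
    if OID_OCSP_NOCHECK not in exts:
        return findings
    if exts[OID_OCSP_NOCHECK] != ASN1_NULL:
        findings.append("id-pkix-ocsp-nocheck extnValue is not ASN.1 NULL (RFC 6960 4.2.2.2.1)")
    purposes = set()
    if OID_EXT_KEY_USAGE in exts:
        _, seq, _ = _read_tlv(exts[OID_EXT_KEY_USAGE], 0)   # ExtKeyUsageSyntax ::= SEQUENCE OF OID
        purposes = {_decode_oid(b) for _, b in _children(seq)}
    if OID_KP_OCSP_SIGNING not in purposes:
        findings.append("id-pkix-ocsp-nocheck present but certificate lacks id-kp-OCSPSigning EKU")
    return findings


# --- constructed sample data (a certificate skeleton, not a real or signed certificate) ---
def _tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def eku_value(*oids: str) -> bytes:
    """extnValue contents for an extKeyUsage extension listing the given purposes."""
    return _tlv(0x30, b"".join(_encode_oid(o) for o in oids))


def build_test_certificate(extensions: List[Tuple[str, bytes]]) -> bytes:
    """Assumed-shape, unsigned certificate with placeholder fields; only the extensions matter."""
    ext_list = b"".join(_tlv(0x30, _encode_oid(oid) + _tlv(0x04, val)) for oid, val in extensions)
    alg = _tlv(0x30, _encode_oid("1.2.840.113549.1.1.11"))       # sha256WithRSAEncryption
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")   # version v3, serialNumber
           + alg + _tlv(0x30, b"") + _tlv(0x30, b"")               # signature, issuer, validity
           + _tlv(0x30, b"") + _tlv(0x30, b"")                     # subject, subjectPublicKeyInfo
           + _tlv(0xA3, _tlv(0x30, ext_list)))                     # extensions [3]
    return _tlv(0x30, _tlv(0x30, tbs) + alg + _tlv(0x03, b"\x00"))  # empty signature BIT STRING


if __name__ == "__main__":
    server = build_test_certificate([(OID_EXT_KEY_USAGE, eku_value("1.3.6.1.5.5.7.3.1")),
                                     (OID_OCSP_NOCHECK, ASN1_NULL)])
    print(lint_ocsp_nocheck(server))
```

A responder certificate with id-kp-OCSPSigning and a NULL-valued nocheck extension produces no findings; a TLS server certificate carrying the same extension produces one, which is exactly the case the thread points out neither RFC 6960 nor the BRs explicitly forbid.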