IETF Logo Mail Archive

Re: [lamps] [EXTERNAL] Re: draft-housley-lamps-norevavail-00

Russ Housley <housley@vigilsec.com> Tue, 23 May 2023 18:29 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C40A0C1524DC for <spasm@ietfa.amsl.com>; Tue, 23 May 2023 11:29:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x5B9ZB-Vb85z for <spasm@ietfa.amsl.com>; Tue, 23 May 2023 11:29:17 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8525C152573 for <spasm@ietf.org>; Tue, 23 May 2023 11:27:43 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 6F0F599BCD; Tue, 23 May 2023 14:27:42 -0400 (EDT)
Received: from [192.168.1.161] (unknown [96.241.2.243]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 5796899838; Tue, 23 May 2023 14:27:42 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <FBE4078F-33C0-49E0-A25C-69BCA88DC0E6@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D08D8AC5-16BD-496D-85A2-29E2E9066C3C"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Date: Tue, 23 May 2023 14:27:42 -0400
In-Reply-To: <SN7PR14MB6492368040612089C83EB21983409@SN7PR14MB6492.namprd14.prod.outlook.com>
Cc: Seo Suchan <tjtncks@gmail.com>, LAMPS <spasm@ietf.org>
To: Tim Hollebeek <tim.hollebeek@digicert.com>
References: <168444309553.24047.14923062710269229403@ietfa.amsl.com> <E2BE1DCD-A241-4DDF-A5EC-DD3209C4CDA2@vigilsec.com> <a2122a10-fdfd-aabc-5c3c-242d90bd4175@gmail.com> <D18F7C58-EC30-4640-9AB7-94E428B79F62@vigilsec.com> <CH0PR11MB5739CD4F7CCE62CE34E4B7319F7C9@CH0PR11MB5739.namprd11.prod.outlook.com> <3FEBFDE6-1AA9-4615-AFA7-FB0B650A5DAB@vigilsec.com> <SN7PR14MB6492368040612089C83EB21983409@SN7PR14MB6492.namprd14.prod.outlook.com>
X-Mailer: Apple Mail (2.3445.104.21)
X-Scanned-By: mailmunge 3.11 on 66.39.134.11
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/ZcrFxbEmAP45RHE641EGcU7k1cQ>
Subject: Re: [lamps] [EXTERNAL] Re: draft-housley-lamps-norevavail-00
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 May 2023 18:29:20 -0000

PROPOSED ERRATA for RFC 6960, Section 4.2.2.2.1

OLD:

   - A CA may specify that an OCSP client can trust a responder for the
     lifetime of the responder's certificate.  The CA does so by
     including the extension id-pkix-ocsp-nocheck.  This SHOULD be a
     non-critical extension.  The value of the extension SHALL be NULL.
     CAs issuing such a certificate should realize that a compromise of
     the responder's key is as serious as the compromise of a CA key
     used to sign CRLs, at least for the validity period of this
     certificate.  CAs may choose to issue this type of certificate with
     a very short lifetime and renew it frequently.

     id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }

NEW:

   - A CA may specify that an OCSP client can trust a responder for the
     lifetime of the responder's certificate.  The CA does so by
     including the extension id-pkix-ocsp-nocheck.  This SHOULD be a
     non-critical extension.  The value of the extension SHALL be NULL.
     CAs issuing such a certificate should realize that a compromise of
     the responder's key is as serious as the compromise of a CA key
     used to sign CRLs, at least for the validity period of this
     certificate.  CAs may choose to issue this type of certificate with
     a very short lifetime and renew it frequently.

     id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }

    A CA MUST NOT include the extension id-pkix-ocsp-nocheck in a
    certificate issued to an entity other than an OCSP Responder.

Russ

> On May 23, 2023, at 11:34 AM, Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org> wrote:
> 
> Would it be useful to clearly and explicitly state this unstated assumption somewhere, perhaps in an errata?
>  
> “id-pkix-ocsp-nocheck SHALL NOT appear in a certificate unless that certificate is a delegated OCSP responder” would probably be a good thing to have stated somewhere. 
>  
> I suppose it could be added to the CABF BRs as well.  They have the same bug (the BRs require nocheck in delegated OCSP responders, but don’t prohibit it elsewhere).
>  
> -Tim
>  
> From: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org>> On Behalf Of Russ Housley
> Sent: Sunday, May 21, 2023 1:16 PM
> To: Mike Ounsworth <Mike.Ounsworth@entrust.com <mailto:Mike.Ounsworth@entrust.com>>
> Cc: Seo Suchan <tjtncks@gmail.com <mailto:tjtncks@gmail.com>>; LAMPS <spasm@ietf.org <mailto:spasm@ietf.org>>
> Subject: Re: [lamps] [EXTERNAL] Re: draft-housley-lamps-norevavail-00
>  
> Mike:
>  
> Interesting
>  
> RFC6960, section “4.2.2.2.1 <https://www.rfc-editor.org/rfc/rfc6960#section-4.2.2.2.1>.  Revocation Checking of an Authorized Responder”
>  
> “A CA may specify that an OCSP client can trust a responder for the
>      lifetime of the responder's certificate.  The CA does so by
>      including the extension id-pkix-ocsp-nocheck”
>  
> Are you allowed to put an id-pkix-ocsp-nocheck extension in end entity certs? If so, what does that mean?
>  
> My reading of the description is that id-pkix-ocsp-nocheck should only appear in a certificate issued to an OCSP responder.
>  
> Russ
>  
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org <mailto:Spasm@ietf.org>
> https://www.ietf.org/mailman/listinfo/spasm <https://www.ietf.org/mailman/listinfo/spasm>

v2.23.0 | Report a Bug | By Email