Re: [lamps] draft-housley-lamps-norevavail-00

Russ Housley <housley@vigilsec.com> Fri, 19 May 2023 16:07 UTC

From: Russ Housley <housley@vigilsec.com>
Message-Id: <618CBF2F-5220-49B3-854D-254CD848565C@vigilsec.com>
Date: Fri, 19 May 2023 12:07:04 -0400
In-Reply-To: <CH0PR11MB5739CCB7CDDCAD1D11F04DAE9F7C9@CH0PR11MB5739.namprd11.prod.outlook.com>
Cc: LAMPS <spasm@ietf.org>, Joe Mandel <Joe.Mandel@secureg.io>, Tomofumi Okubo <tomofumi.okubo@gmail.com>
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>, Tim Hollebeek <tim.hollebeek@digicert.com>
References: <168444309553.24047.14923062710269229403@ietfa.amsl.com> <E2BE1DCD-A241-4DDF-A5EC-DD3209C4CDA2@vigilsec.com> <SN7PR14MB649255412EFADEE00E0F6B00837C9@SN7PR14MB6492.namprd14.prod.outlook.com> <CH0PR11MB5739CCB7CDDCAD1D11F04DAE9F7C9@CH0PR11MB5739.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/bRqa7K4hEFn2Mh8iJ3KbFu7Io3w>
Subject: Re: [lamps] draft-housley-lamps-norevavail-00

Tim and Mike:

Some applications look for revocation information using mechanisms other than pointers in certificate extensions.  While there are not too many applications that use an X.500 Directory or LDAP, these applications look for revocation information in the CA's entry.  Similar queries are used with HTTP certificate repositories defined in RFC 4387.  A flag to not bother looking is desirable for these applications.

Other applications, especially browsers, use non-standard revocation checking mechanisms for the CAs that are part of their trust anchor store.  When user organizations add their own trust anchors, they are not part of these non-standard revocation checking mechanisms.  Again, a flag to not bother looking is desirable.

The LAMPS Charter includes:

   1. Specify the use of short-lived X.509 certificates for which no
   revocation information is made available by the Certification Authority.
   Short-lived certificates have a lifespan that is shorter than the time
   needed to detect, report, and distribute revocation information.  As a
   result, revoking short-lived certificates is unnecessary and pointless.

It seems to me that a document stating that the lack of certain certificate extensions offers an opportunity for uncertainty.

Russ


> On May 19, 2023, at 11:30 AM, Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org> wrote:
> 
> +1 to Tim’s question.
>  
> > Short-lived X.509v3 public key certificates as profiled in RFC 5280
> > are seeing greater use in the Internet.
>  
> What, specifically, are the use-cases driving this? If it’s browsers then I’d like to hear from a browser vendor about how they want to handle lack of revocation info (I suspect they just ignore it).
>  
> So yeah, exactly what Tim said: in what case is it helpful to explicitly state “No revocation info available” vs just leaving those extns out?
>  
> ---
> Mike Ounsworth
>  
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Tim Hollebeek
> Sent: Friday, May 19, 2023 8:59 AM
> To: Russ Housley <housley@vigilsec.com>; LAMPS <spasm@ietf.org>
> Cc: Joe Mandel <Joe.Mandel@secureg.io>; Tomofumi Okubo <tomofumi.okubo@gmail.com>
> Subject: [EXTERNAL] Re: [lamps] draft-housley-lamps-norevavail-00
>  
> Russ, 
>  
> Can you briefly describe the advantages of explicitly stating this in a short-lived certificate, instead of simply omitting all relevant revocation fields?
>  
> -Tim
>  
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
> Sent: Thursday, May 18, 2023 5:24 PM
> To: LAMPS <spasm@ietf.org>
> Cc: Joe Mandel <Joe.Mandel@secureg.io>; Tomofumi Okubo <tomofumi.okubo@gmail.com>
> Subject: [lamps] draft-housley-lamps-norevavail-00
>  
> I want the LAMPS WG to be aware of this I-D.  However, I do not think we should adopt it until the event predicted in the History section actually comes to pass:
>  
>    With greater use of short-lived certificates in the Internet, the
>    next revision of ITU-T Recommendation X.509 [X.509-TBD] is expected
>    to allow the noRevAvail certificate extension to be used with public
>    key certificates as well as attribute certificates.
>  
> Russ
>  
>  
> 
> From: internet-drafts@ietf.org
> Subject: New Version Notification for draft-housley-lamps-norevavail-00.txt
> Date: May 18, 2023 at 4:51:35 PM EDT
> To: "Joseph Mandel" <joe.mandel@secureg.io>, "Russ Housley" <housley@vigilsec.com>, "Tomofumi Okubo" <tomofumi.okubo+ietf@gmail.com>
>  
> 
> A new version of I-D, draft-housley-lamps-norevavail-00.txt
> has been successfully submitted by Russ Housley and posted to the
> IETF repository.
> 
> Name:           draft-housley-lamps-norevavail
> Revision:       00
> Title:          No Revocation Available for Short-lived X.509 Certificates
> Document date:  2023-05-18
> Group:          Individual Submission
> Pages:          8
> URL:            https://www.ietf.org/archive/id/draft-housley-lamps-norevavail-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-housley-lamps-norevavail/
> Html:           https://www.ietf.org/archive/id/draft-housley-lamps-norevavail-00.html
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-housley-lamps-norevavail
> 
> 
> Abstract:
>   Short-lived X.509v3 public key certificates as profiled in RFC 5280
>   are seeing greater use in the Internet.  The Certification Authority
>   (CA) that issues these short-lived certificates does not publish
>   revocation information because the certificate lifespan is
>   shorter than the time needed to detect, report, and distribute
>   revocation information.  This specification defines the noRevAvail
>   certificate extension so that a relying party can readily determine
>   that the CA does not publish revocation information for the
>   certificate.
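As an added illustration of the three relying-party outcomes Russ describes (an explicit "do not bother looking" flag, pointers in the certificate to follow, or neither, where some applications still query the CA's directory or HTTP repository), here is a small Go check; it is not code from the draft or from anyone in the thread. The OID 2.5.29.56 is id-ce-noRevAvail as defined in X.509 and RFC 5755; the test-certificate builder, the outcome strings and the example CRL URL are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// id-ce-noRevAvail (2.5.29.56) from X.509 / RFC 5755; its value is ASN.1 NULL.
var oidNoRevAvail = asn1.ObjectIdentifier{2, 5, 29, 56}
// The three relying-party outcomes from the mail (names are assumptions here).
const (
	SkipLookup     = "skip: CA asserts it publishes no revocation information"
	FollowPointers = "check: follow the CRL DP / AIA OCSP pointers in the cert"
	LookOutOfBand  = "check: no pointers, query the CA's directory/HTTP repository"
)
// DecideRevocation: noRevAvail means do not look; else follow pointers; else look elsewhere.
func DecideRevocation(cert *x509.Certificate) string {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidNoRevAvail) {
			return SkipLookup
		}
	}
	if len(cert.CRLDistributionPoints) > 0 || len(cert.OCSPServer) > 0 {
		return FollowPointers
	}
	return LookOutOfBand
}
// MakeTestCert builds a constructed self-signed stand-in for a CA-issued cert
// with the given lifetime, optional CRL DP URL and optional noRevAvail extension.
func MakeTestCert(lifetime time.Duration, crlURL string, noRevAvail bool) (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if crypto/rand does
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(lifetime), Subject: pkix.Name{CommonName: "short-lived.example"}}
	if crlURL != "" {
		tmpl.CRLDistributionPoints = []string{crlURL}
	}
	if noRevAvail { // presence is the whole signal, so the value is DER NULL 05 00
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidNoRevAvail, Value: []byte{5, 0}}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Note that the lifetime plays no part in the decision: the flag, not the validity period, is what tells the relying party the CA publishes nothing, which is the point of stating it explicitly rather than leaving the extensions out.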