IETF Logo Mail Archive

Re: [lamps] WGLC for draft-ietf-lamps-norevavail

Corey Bonnell <Corey.Bonnell@digicert.com> Wed, 24 January 2024 15:01 UTC

Return-Path: <Corey.Bonnell@digicert.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E25D5C14E515 for <spasm@ietfa.amsl.com>; Wed, 24 Jan 2024 07:01:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.759
X-Spam-Level:
X-Spam-Status: No, score=-5.759 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=digicert.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0mUp46UciitB for <spasm@ietfa.amsl.com>; Wed, 24 Jan 2024 07:01:34 -0800 (PST)
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (mail-bn8nam12on2108.outbound.protection.outlook.com [40.107.237.108]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E7D2C14F60F for <spasm@ietf.org>; Wed, 24 Jan 2024 07:01:34 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=QBjg9REDcqt+mzsEMmKH7RvSGYB+WSiSHmM4mHk3lxB2chMReD0ePXz8/jM80H70lPuhLqMBo0BydDCb00mwXh5IYVqjDpkf8RC/Iqn/bg6pZl16VYhXvur5qEl7cm9rPYxcAOWyF6QwHI5aFTHWqJtVVXoiMR9YIU/4Ffg9656oP738R3li+4n7Tc/NGUi3tK07QfnQrxM8QoKI0iI6HPAiyvES7H8kWKNceyp6qjk//6SRcdI/dgI/ZaP45Qiq2QXRGdrv26+3kBGOuePLjBoaDLxc6xhK0j8ksF1ElGzhg+yanPq7x2Ilpm7K9WrE3nFB/0UgrZlbEwYiC5AK+Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=SB73f2t7ex44FhVYNYTh19cXj8xAtgclmQP7tDGQGFk=; b=gJ703BVXYv+0HrGGygEXAc1/LaSvvswFnxDUAN/R1BUl2GWJ5KzLu+vAEY0Bo0V5juTXnQASBV0ej1m8GSVLSlXvwESuwJu6LhzyDVKOCP8epVQeBXzroW6iGbk5XAVhRfiGFj2v8sVcsvro6okmDfNm5+srHgvD9ZtyO/DSvrILzQrcrvRxFB0+PPYBnV64T/hLCklEBvNagAm5HkwJjOjB2imUj2HS9v1gPCECpn23zbXz4jevkKtbMOOBD0vcomqoUQJZbQcgmCPIeanOCleyy5mfdsV4TUoLRSTZrPphJj4rPLVz29l12UzzDFb0GfIhCBC172rhqrFkjDXTFg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=digicert.com; dmarc=pass action=none header.from=digicert.com; dkim=pass header.d=digicert.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=SB73f2t7ex44FhVYNYTh19cXj8xAtgclmQP7tDGQGFk=; b=LLx0zJWqdHmAT1OXjBaNPgCnLUvd18Q2z/FWMKsVMISOGzCjoCFGs+McdQzEOB0A+9FgSSg9cATiqjoclbe4tbh5qsdvg4PFSGme7EYnNxgpA9N6GxI0STeRNZYbsz8f5qHy85SFtQ3QOHqK8VMONaee1Zg+tdZgdNZP+1ncWEMT6eykiHIT3xna1MsikFHImww4aS2Dazyt+1gkbarhWoaUHvlouSp9trUxuLiVKIQqHzEP1PPGibq7maYePP3l4h8jzOwtGWETj99AhR7z1xbFfbOej+S+Ub3JOY/erv1QhaS0z8H4yxkVE6iBHjwcKRm1w6YUBfg6HcYkQTDU4Q==
Received: from DM6PR14MB2186.namprd14.prod.outlook.com (2603:10b6:5:b6::16) by BY5PR14MB4178.namprd14.prod.outlook.com (2603:10b6:a03:20f::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7228.22; Wed, 24 Jan 2024 15:01:19 +0000
Received: from DM6PR14MB2186.namprd14.prod.outlook.com ([fe80::a33c:97c7:a146:1ad4]) by DM6PR14MB2186.namprd14.prod.outlook.com ([fe80::a33c:97c7:a146:1ad4%3]) with mapi id 15.20.7228.023; Wed, 24 Jan 2024 15:01:19 +0000
From: Corey Bonnell <Corey.Bonnell@digicert.com>
To: Russ Housley <housley@vigilsec.com>
CC: SPASM <spasm@ietf.org>
Thread-Topic: [lamps] WGLC for draft-ietf-lamps-norevavail
Thread-Index: AdpOJi5i9c234LAKTh6yV6s4f0QWzQAHPEbQACQTwgAAACJPIA==
Date: Wed, 24 Jan 2024 15:01:19 +0000
Message-ID: <DM6PR14MB2186650FEA36D0E067263B8E927B2@DM6PR14MB2186.namprd14.prod.outlook.com>
References: <SN7PR14MB64926E63F2FF75AEDC5CDFFB83742@SN7PR14MB6492.namprd14.prod.outlook.com> <DM6PR14MB21861B05FD683A265D1A4A6592742@DM6PR14MB2186.namprd14.prod.outlook.com> <DD38A9FA-B3D1-4A6B-A231-490889A470DA@vigilsec.com>
In-Reply-To: <DD38A9FA-B3D1-4A6B-A231-490889A470DA@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=digicert.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DM6PR14MB2186:EE_|BY5PR14MB4178:EE_
x-ms-office365-filtering-correlation-id: f5d7a8b3-b469-40e6-edf9-08dc1ced523b
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: rLm8jJD4NplvkItaPbI8D/9DKYp6hs9uNiys3Ons6V9xw5CLadziE5qie7f3QyffPDFHlDM4P0TNsGJPO1ZkfiEZhrXmkleNLxfZw0gASYZkFHWaqc8MMBBjxGHQHHVegYoFZ/V1qzm4p3EetNS3JOqu3qfvP5kyOD9Iuwbf0aeq/PZH8lb4Ol8GVlmsJvii62lKsB4QgB0gf7Q+i8CwbbkhSZRJeCRm9pOpn1SWQbNzpC+lBUrsQdcvGEQF3pNb8KNb1OWWEvZfRkUPNFYG9sGfjsHA4aVp0EEc37PQRpqjMaKXQumb909JwgDRBxzgIloyagzcQKd7vnSQ7qMPMSmwbH+yLv0qrakMCN0h3a08NBFeXcT7Hnk35yFBCZX1Y4h5ZcV6r3f1VIsKU7pdr8uDDABrMJLY3bMWIVMHxDxGlNwHHEmB25fCSDGHfKr66qfMy55OFRo5inmAFcrwBDX/yMizcpTCdfQ/lezggnmbWt6QVa6i3JNIZOjhufT+EiXt1gcMqNrtL5XKrNsfAtZnDDhvh32dfM+/UnACCGo4hoX2kzkUdJfdCrL2su+tu8fDZ/5XooDrqGvDomofvjAzyzhXb6jlkj1vYvwgTOQPoInDy4kVi9aQwa4t7Mc6
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR14MB2186.namprd14.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(376002)(366004)(346002)(39850400004)(136003)(396003)(230922051799003)(1800799012)(451199024)(186009)(64100799003)(83380400001)(55016003)(26005)(9326002)(8676002)(52536014)(8936002)(64756008)(478600001)(66946007)(316002)(76116006)(5660300002)(66446008)(66476007)(66556008)(86362001)(38100700002)(99936003)(2906002)(4326008)(9686003)(6506007)(38070700009)(53546011)(71200400001)(6916009)(7696005)(41300700001)(122000001)(33656002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: PeKgip3scmUpv7GmhmG2ekFu9oKTW4rp4deg3Ioox6+1X9ZP2X0NR2wo9GjaB8vXHiapknONDS53LW27Ye5ky7dtm3KRKsmsZnhJqFQufXyWN7H72M9DmsHRRTrVlvABAN6jIPuwc1nMLiCvqbQob+ENOsdyhZvz2IhEDrNFCwRqQDwx8aBcu0mBrr2RYp2oyfa2p/of12apnte+tJwvulia5TRGyGHXkf7hXeRVd3829UrZ3CPT13T9R8Tv5W/N1ustnFQ6uouxg5PRBdHxTxkdxMaXhclZy+J2+oeGZpKvKaxLecnGDo7gZP9sFTxzS/7hh11UlkR36LSsw4cZpOWEYizSgR68e/Qk7sFLueaeioZ2p2MVwMmQJcwEwDjT4EMPznIMocT+WmYUpZue1pMBnbZLuuuMttbJh3jGTR0TkAgmVqsbV4hfyDzfPji9Yex47X8/XIYprZaEL6+UCys14SVVIsZzZNK5uAvEA1tx07hytmT3h95EL1MgA/sE+NzO7wMnTuRyrcE78a345KuUUwX81Vr7+8fxw+/W0h4a0T4zdXgO4Cnoi4TgjqNSf3McVQWXkDKpjj4vMcBPROqmukqzr5TfLqnS7eLLjjlcaf20YLJpwfB1Mc19g3p/cTKT/c4xMw0TZemWqPDrk6TydixIqsvbI8Hl/URucEMTF5Oz/GxaAzBl4s23vahG/hEd375lNQOY7IbG+xuxRHgHGaQ4p8LE25tas9YlBwY1xwjYVU1CG6k4LLcGDSBKRB71G2QBUlWRZveZOIPcNqrS6QgrMszKYe7qszwbJMPCmDLmXJwPp+l4XO3vR4PouquSLS9J9W/g4cnDV6NnKpeq5n1Ol8xBMyYeWlZ+DoAOKVxKb8VsYrHA1/RUx2II7uFTj+LrbnaC+Tw2dGcBpwoYlxCjEKqn5iF/VFgMedePu9UxoeNpoEz9gzzQr3Q6pDeBWypLZ2BO12uMFf46j1mwG2At6Z6RkON+oqiRrzob5ZPykG/KtdNX70IGHHfDalZTZ+ENaVosB9rYPjxiA219D13mSvC2/ZcEf6NSqfgTUMj+njxsUFvwogkGyO7ZZsrLiDvuyGPNMwDzaXqEj/J1w5IfAq6P0FHSDnKDICKXgz3Q9CyjCycxWwofV5csJCNJ7YL7clSPoVc69R8WhCPsQqMo0Qe69cgZ6S/D/buDrtiDRzaKgFisPalIThl/nd7OpGie4LYq0VG5Ydk+eYkv4ednfPtjfiR79+gEnO265Ydaq0wJOoM0FPLyo3ID1Obx/cXJbzrmUQF068/cP9tIyDY0fEGEQaMLDlEZg8tK14nsbcUT2IskMom2dNElyCvOwy2EKV+khSBEVeee2swyz7cgtjs2L0AJLbtYTzzjPMMwjpa/0CNK2ctx1fvZcBm1kmka15W8xwOAJudomC9PRZF8yhkgnwGbml5EZYBNsk5tWx5IieWMq9sGa11s60BB3gJcSNxKuAgPJ6i5H1G0l/Gi9n1YI1exyxB+SH89eTbL+0pAF4HrOEhQaUeB6qLGtGevYukpInwYHbJoKi4f6XcI9dRVOa4gTIZorkU3bhGEyZCdXuJzmckrEv0dOQ+RtMQtumlTZJlD85WIIw==
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0097_01DA4EAC.42B7E3A0"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR14MB2186.namprd14.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f5d7a8b3-b469-40e6-edf9-08dc1ced523b
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Jan 2024 15:01:19.1810 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: jptvtiMACKW7hT1aj2S40HkHUAhI+xTuKMhOaEM+/+qVPN0BevyOfFQWtXTDSAD43DYM8IKJrRgyTlSGuENk3s3+8JSEKDIkkkJ+/DtFKrw=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR14MB4178
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/bmgJFoWs3ss2DsWyIDH_iBGmbD4>
Subject: Re: [lamps] WGLC for draft-ietf-lamps-norevavail
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jan 2024 15:01:39 -0000

Hi Russ,

*	I would be glad to add some text that points out that they are similar, but I do not think that we should do anything to disrupt the way that OCSP ecosystem is working.  Thus, id-ce-noRevAvail is not a substitute for id-pkix-ocsp-nocheck, but it could be used in addition to id-pkix-ocsp-nocheck.

 

Sounds good to me.

 

*	The certification path validation algorithm does not look for revocation of trust anchors, so I do not really see a benefit to putting id-ce-noRevAvail in a self-signed root certificate.

 

A bit of a corner case, but I was thinking of scenarios where the root CA issues itself another root certificate. Certificate-consuming applications implementing the path validation algorithm would accept one of the “root” certificates as a valid intermediate certificate in the path. In this case, the revocation status of the “intermediate” certificate would be queried by the algorithm.

 

Thanks,

Corey

 

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
Sent: Wednesday, January 24, 2024 9:42 AM
To: Corey Bonnell <Corey.Bonnell@digicert.com>
Cc: SPASM <spasm@ietf.org>
Subject: Re: [lamps] WGLC for draft-ietf-lamps-norevavail

 

Corey:





I reviewed the draft and think it’s ready. Two non-blocking comments:

 

It would be good to specify how this extension differs from id-pkix-ocsp-nocheck. I *think* the difference is that id-pkix-ocsp-nocheck is appropriate for inclusion in OCSP delegated responder certificates but inappropriate in any other certificate type, whereas id-ce-noRevAvail is appropriate in any end-entity certificate type. This raises the question whether id-ce-noRevAvail is an appropriate substitute for id-pkix-ocsp-nocheck in an OCSP delegated responder certificate. If this document doesn’t address this difference, then perhaps it can be addressed if/when RFC 6960-bis happens.

 

I would be glad to add some text that points out that they are similar, but I do not think that we should do anything to disrupt the way that OCSP ecosystem is working.  Thus, id-ce-noRevAvail is not a substitute for id-pkix-ocsp-nocheck, but it could be used in addition to id-pkix-ocsp-nocheck.





It’s interesting that the ITU-T corrigendum permitting the inclusion of id-ce-noRevAvail in public key certificates constrained this allowance to end-entity certificates. This seems like a potentially useful extension to include in root certificates, as it would be an explicit indicator that revocation information is not available as opposed to the (implicit) signal that no information is available by virtue of the absence of any revocation pointer extension(s).

 

The certification path validation algorithm does not look for revocation of trust anchors, so I do not really see a benefit to putting id-ce-noRevAvail in a self-signed root certificate.

 

Russ

v2.23.0 | Report a Bug | By Email