Re: [lamps] [EXTERNAL] Re: draft-housley-lamps-norevavail-00

Mike Ounsworth <Mike.Ounsworth@entrust.com> Tue, 23 May 2023 18:50 UTC

From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Russ Housley <housley@vigilsec.com>, Tim Hollebeek <tim.hollebeek@digicert.com>
CC: Seo Suchan <tjtncks@gmail.com>, LAMPS <spasm@ietf.org>
Date: Tue, 23 May 2023 18:49:58 +0000
Message-ID: <DM8PR11MB5736036B93C87D3F6A719DE09F409@DM8PR11MB5736.namprd11.prod.outlook.com>
References: <168444309553.24047.14923062710269229403@ietfa.amsl.com> <E2BE1DCD-A241-4DDF-A5EC-DD3209C4CDA2@vigilsec.com> <a2122a10-fdfd-aabc-5c3c-242d90bd4175@gmail.com> <D18F7C58-EC30-4640-9AB7-94E428B79F62@vigilsec.com> <CH0PR11MB5739CD4F7CCE62CE34E4B7319F7C9@CH0PR11MB5739.namprd11.prod.outlook.com> <3FEBFDE6-1AA9-4615-AFA7-FB0B650A5DAB@vigilsec.com> <SN7PR14MB6492368040612089C83EB21983409@SN7PR14MB6492.namprd14.prod.outlook.com> <FBE4078F-33C0-49E0-A25C-69BCA88DC0E6@vigilsec.com>
In-Reply-To: <FBE4078F-33C0-49E0-A25C-69BCA88DC0E6@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/xKJAL1fR7fnHBNUI6SMyhrxh1G8>

Awesome.

---
Mike Ounsworth

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
Sent: Tuesday, May 23, 2023 1:28 PM
To: Tim Hollebeek <tim.hollebeek@digicert.com>
Cc: Seo Suchan <tjtncks@gmail.com>; LAMPS <spasm@ietf.org>
Subject: Re: [lamps] [EXTERNAL] Re: draft-housley-lamps-norevavail-00

PROPOSED ERRATA for RFC 6960, Section 4.2.2.2.1

OLD:

   - A CA may specify that an OCSP client can trust a responder for the
     lifetime of the responder's certificate.  The CA does so by
     including the extension id-pkix-ocsp-nocheck.  This SHOULD be a
     non-critical extension.  The value of the extension SHALL be NULL.
     CAs issuing such a certificate should realize that a compromise of
     the responder's key is as serious as the compromise of a CA key
     used to sign CRLs, at least for the validity period of this
     certificate.  CAs may choose to issue this type of certificate with
     a very short lifetime and renew it frequently.

     id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }

NEW:

   - A CA may specify that an OCSP client can trust a responder for the
     lifetime of the responder's certificate.  The CA does so by
     including the extension id-pkix-ocsp-nocheck.  This SHOULD be a
     non-critical extension.  The value of the extension SHALL be NULL.
     CAs issuing such a certificate should realize that a compromise of
     the responder's key is as serious as the compromise of a CA key
     used to sign CRLs, at least for the validity period of this
     certificate.  CAs may choose to issue this type of certificate with
     a very short lifetime and renew it frequently.

     id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }

     A CA MUST NOT include the extension id-pkix-ocsp-nocheck in a
     certificate issued to an entity other than an OCSP Responder.

Russ


On May 23, 2023, at 11:34 AM, Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org> wrote:

Would it be useful to clearly and explicitly state this unstated assumption somewhere, perhaps in an errata?

“id-pkix-ocsp-nocheck SHALL NOT appear in a certificate unless that certificate is a delegated OCSP responder” would probably be a good thing to have stated somewhere.

I suppose it could be added to the CABF BRs as well.  They have the same bug (the BRs require nocheck in delegated OCSP responders, but don’t prohibit it elsewhere).

-Tim

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
Sent: Sunday, May 21, 2023 1:16 PM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Cc: Seo Suchan <tjtncks@gmail.com>; LAMPS <spasm@ietf.org>
Subject: Re: [lamps] [EXTERNAL] Re: draft-housley-lamps-norevavail-00

Mike:

Interesting


RFC6960, section "4.2.2.2.1.  Revocation Checking of an Authorized Responder" <https://www.rfc-editor.org/rfc/rfc6960#section-4.2.2.2.1>


“A CA may specify that an OCSP client can trust a responder for the
     lifetime of the responder's certificate.  The CA does so by
     including the extension id-pkix-ocsp-nocheck”

Are you allowed to put an id-pkix-ocsp-nocheck extension in end entity certs? If so, what does that mean?

My reading of the description is that id-pkix-ocsp-nocheck should only appear in a certificate issued to an OCSP responder.

Russ


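A lint for the rule Tim suggests and Russ writes into the proposed erratum, added here as an example; it is not part of the thread, of RFC 6960, or of the draft. It flags id-pkix-ocsp-nocheck (1.3.6.1.5.5.7.48.1.5) in any certificate whose Extended Key Usage lacks id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9), which is this example's working definition of "issued to an OCSP responder" since the erratum text does not define the phrase, and it also checks the quoted RFC 6960 wording that the value SHALL be NULL and the extension SHOULD be non-critical. The DER walker, the small DER encoder and the two certificate skeletons are all constructed for this example; the skeletons are unsigned and carry only an extensions field, so they exercise the lint but are not real certificates.

```python
"""Lint for the rule proposed in this thread: id-pkix-ocsp-nocheck MUST NOT appear unless
the certificate is a delegated OCSP responder (here: EKU contains id-kp-OCSPSigning)."""

ID_PKIX_OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5"   # { id-pkix-ocsp 5 }
ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"
ID_CE_EXT_KEY_USAGE = "2.5.29.37"

def _read_tlv(buf, pos):
    """One DER TLV (single-byte tag) at buf[pos] -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _items(body):
    """Split the contents of a constructed DER element into [(tag, value)]."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        out.append((tag, value))
    return out

def _decode_oid(b):
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:                      # base-128 arcs, high bit = continuation
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_extensions(ext_seq):
    """Extensions ::= SEQUENCE OF Extension -> [(oid, critical, extnValue bytes)]."""
    out = []
    for _, ext in _items(_read_tlv(ext_seq, 0)[1]):
        fields = _items(ext)                # OID, optional BOOLEAN critical, OCTET STRING
        critical = len(fields) == 3 and fields[1][1] != b"\x00"
        out.append((_decode_oid(fields[0][1]), critical, fields[-1][1]))
    return out

def lint_nocheck(extensions):
    """Findings for the nocheck rule; an empty list means the certificate passes."""
    exts = {oid: (crit, val) for oid, crit, val in extensions}
    if ID_PKIX_OCSP_NOCHECK not in exts:
        return []
    findings, (critical, value) = [], exts[ID_PKIX_OCSP_NOCHECK]
    if value != b"\x05\x00":                # RFC 6960: value SHALL be ASN.1 NULL
        findings.append("id-pkix-ocsp-nocheck value is not ASN.1 NULL")
    if critical:                            # RFC 6960: SHOULD be non-critical
        findings.append("id-pkix-ocsp-nocheck is critical (SHOULD be non-critical)")
    ekus = []
    if ID_CE_EXT_KEY_USAGE in exts:         # ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId
        ekus = [_decode_oid(v) for _, v in _items(_read_tlv(exts[ID_CE_EXT_KEY_USAGE][1], 0)[1])]
    if ID_KP_OCSP_SIGNING not in ekus:
        findings.append("id-pkix-ocsp-nocheck present without id-kp-OCSPSigning EKU: not an OCSP responder")
    return findings

def lint_cert(cert_der):
    """Certificate -> tbsCertificate -> extensions [3] EXPLICIT (tag 0xA3) -> lint."""
    tbs = _items(_read_tlv(cert_der, 0)[1])[0][1]
    exts = next((v for t, v in _items(tbs) if t == 0xA3), None)
    return [] if exts is None else lint_nocheck(parse_extensions(exts))

# --- constructed inputs for this example: a tiny DER encoder and unsigned skeletons ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    k = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | k]) + n.to_bytes(k, "big") + body

def _encode_oid(s):
    arcs = [int(a) for a in s.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)

def _extension(oid, value_der, critical=False):
    body = _tlv(0x06, _encode_oid(oid)) + (b"\x01\x01\xff" if critical else b"")
    return _tlv(0x30, body + _tlv(0x04, value_der))

def make_cert_skeleton(*extensions):
    """Stand-in Certificate whose tbs holds only [3] Extensions; not signed, not a real cert."""
    tbs = _tlv(0x30, _tlv(0xA3, _tlv(0x30, b"".join(extensions))))
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))

RESPONDER_CERT = make_cert_skeleton(                     # delegated responder: nocheck intended
    _extension(ID_CE_EXT_KEY_USAGE, _tlv(0x30, _tlv(0x06, _encode_oid(ID_KP_OCSP_SIGNING)))),
    _extension(ID_PKIX_OCSP_NOCHECK, b"\x05\x00"))
SERVER_CERT_WITH_NOCHECK = make_cert_skeleton(           # TLS server cert carrying nocheck
    _extension(ID_CE_EXT_KEY_USAGE, _tlv(0x30, _tlv(0x06, _encode_oid("1.3.6.1.5.5.7.3.1")))),  # id-kp-serverAuth
    _extension(ID_PKIX_OCSP_NOCHECK, b"\x05\x00"))
```

To run it against a real certificate, pass DER bytes to `lint_cert` (for PEM input, the standard library's `ssl.PEM_cert_to_DER_cert` converts it). `lint_cert(RESPONDER_CERT)` returns no findings, while `lint_cert(SERVER_CERT_WITH_NOCHECK)` returns the single "not an OCSP responder" finding, which is exactly the end-entity case Russ asks about. The EKU test is a design choice of this example: a delegated responder certificate has to carry id-kp-OCSPSigning anyway, so its absence is a cheap and reliable signal that nocheck does not belong.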