IETF Logo Mail Archive

Re: [TLS] [pkix] New version of Multiple OCSP mode of Certificate Status extension

"Yngve Nysaeter Pettersen" <yngve@opera.com> Wed, 04 August 2010 14:40 UTC

Return-Path: <yngve@opera.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6657A3A6823; Wed, 4 Aug 2010 07:40:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.274
X-Spam-Level:
X-Spam-Status: No, score=-6.274 tagged_above=-999 required=5 tests=[AWL=0.325, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lksGx8LzpbuB; Wed, 4 Aug 2010 07:40:26 -0700 (PDT)
Received: from smtp.opera.com (smtp.opera.com [213.236.208.81]) by core3.amsl.com (Postfix) with ESMTP id B0F4C3A6B7E; Wed, 4 Aug 2010 07:40:24 -0700 (PDT)
Received: from killashandra.oslo.osa (pat-tdc.opera.com [213.236.208.22]) by smtp.opera.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id o74EeUQ0013267 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 4 Aug 2010 14:40:31 GMT
Content-Type: text/plain; charset="iso-8859-15"; format="flowed"; delsp="yes"
To: pkix@ietf.org, Rob Stradling <rob.stradling@comodo.com>
References: <E1OfxqR-00006L-FJ@wintermute02.cs.auckland.ac.nz> <op.vgtktnagvqd7e2@killashandra.oslo.osa> <201008032046.38830.rob.stradling@comodo.com>
Date: Wed, 04 Aug 2010 16:40:05 +0200
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
From: Yngve Nysaeter Pettersen <yngve@opera.com>
Organization: Opera Software
Message-ID: <op.vgw4c3czvqd7e2@killashandra.oslo.osa>
In-Reply-To: <201008032046.38830.rob.stradling@comodo.com>
User-Agent: Opera Mail/10.54 (Win32)
Cc: tls@ietf.org
Subject: Re: [TLS] [pkix] New version of Multiple OCSP mode of Certificate Status extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: yngve@opera.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Aug 2010 14:40:36 -0000

On Tue, 03 Aug 2010 21:46:38 +0200, Rob Stradling  
<rob.stradling@comodo.com> wrote:

> In another thread, Kyle H today wrote:
> "...why not change the ASN.1 to allow for multiple individual responses  
> in a
> SEQUENCE or SET?"

I suspect that this is about responses for multiple certificates for the  
same issuer.

I am not sure how well this will work for clients like Opera, since we are  
associating the response with the URL for retrieving it, we don't add it  
to a repository.
I also suspect that we will seldom encounter a certificate that was  
matched by that response anyway.


> This is another possible way forward for "Multiple OCSP".
>
> I suppose it would need a new "responseType" OID - something like...
> id-pkix-ocsp-multiple  OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
>
> The "response" OCTET STRING would contain a SEQUENCE OF (or SET OF)
> BasicOCSPResponse (rather than just a single BasicOCSPResponse).

If you mean that the sequence should include the OCSP responses for each  
intermediate, as well as the end entity certificate, that will not work  
unless the responder is signing with a certificate issued directly from  
the Root, and which is somehow designated as the signer fore each  
certificate in the chain.

If the signer of the end entity cert was allowed to sign responses for the  
intermediate, it would be allowed to create the revocation information  
about its own status (which should only be presented by the issuer  
itself), so it would need to be a designated responder cert issued by the  
Root.

Such a designated cert would probably become logistical problem for a Root  
hierarchy that have many independent intermediates, and essentially the  
Root issuer would have to maintain a revocation service for all subCAs.

Storing the full signed response from the issuer in the response would  
prevent such a logistical problem, but would create a larger response,  
which might cause other logistical problems.


-- 
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer		     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 23 69 32 60              Fax:    +47 23 69 24 01
********************************************************************

v2.23.0 | Report a Bug | By Email