IETF Logo Mail Archive

Re: [TLS] [pkix] Previous attempt to update OCSP

Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 11 August 2010 03:12 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 431BA3A6910; Tue, 10 Aug 2010 20:12:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.238
X-Spam-Level:
X-Spam-Status: No, score=-3.238 tagged_above=-999 required=5 tests=[AWL=0.361, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UroZA96v3cf1; Tue, 10 Aug 2010 20:12:53 -0700 (PDT)
Received: from mx2-int.auckland.ac.nz (mx2-int.auckland.ac.nz [130.216.12.41]) by core3.amsl.com (Postfix) with ESMTP id CFFC93A689E; Tue, 10 Aug 2010 20:12:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1281496409; x=1313032409; h=from:to:subject:cc:in-reply-to:message-id:date; z=From:=20Peter=20Gutmann=20<pgut001@cs.auckland.ac.nz> |To:=20aerowolf@gmail.com,=20DPKemp@missi.ncsc.mil |Subject:=20Re:=20[TLS]=20[pkix]=20Previous=20attempt=20t o=20update=20OCSP|Cc:=20pkix@ietf.org,=20tls@ietf.org |In-Reply-To:=20<gcpa57emw0794q0kx3jezwJv4X.penango@mail. gmail.com>|Message-Id:=20<E1Oj1k8-0004zf-D9@wintermute02. cs.auckland.ac.nz>|Date:=20Wed,=2011=20Aug=202010=2015:12 :40=20+1200; bh=qG0Vjrrms5LDVezwxzYT6CXUJO5RQbpvajdGtTKgqSg=; b=d82adHpupoZxkg4kIayo5xFPq48RXA/Ep/P0ayPa+dSgd9HOVL3DairK jaFFtbqFhX3FYygsl25mB0ufIKRgIv//IlFnUgmfTUHjbhoqaAUTWlEpq hHWFZMG0kvWHh9sfdzmnfpW8p1jhyGdFD1tEe5gRNs5VQBokhzhxozKxO 0=;
X-IronPort-AV: E=Sophos;i="4.55,350,1278244800"; d="scan'208";a="20271788"
X-Ironport-HAT: UNIVERSITY - $RELAY-THROTTLE
X-Ironport-Source: 130.216.207.92 - Outgoing - Outgoing
Received: from wintermute02.cs.auckland.ac.nz ([130.216.207.92]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 11 Aug 2010 15:12:40 +1200
Received: from pgut001 by wintermute02.cs.auckland.ac.nz with local (Exim 4.69) (envelope-from <pgut001@cs.auckland.ac.nz>) id 1Oj1k8-0004zf-D9; Wed, 11 Aug 2010 15:12:40 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: aerowolf@gmail.com, DPKemp@missi.ncsc.mil
In-Reply-To: <gcpa57emw0794q0kx3jezwJv4X.penango@mail.gmail.com>
Message-Id: <E1Oj1k8-0004zf-D9@wintermute02.cs.auckland.ac.nz>
Date: Wed, 11 Aug 2010 15:12:40 +1200
Cc: pkix@ietf.org, tls@ietf.org
Subject: Re: [TLS] [pkix] Previous attempt to update OCSP
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Aug 2010 03:12:55 -0000

"Kyle Hamilton" <aerowolf@gmail.com> writes:

>DQoNCk9uIFR1ZSwgQXVnIDEwLCAyMDEwIGF0IDc6MDYgQU0sIEtlbXAsIERhdmlkIFAuIDxEUEtl
>bXBAbWlzc2kubmNzYy5taWw+IHdyb3RlOg0KPiAtLS0tLU9yaWdpbmFsIE1lc3NhZ2UtLS0tLQ0K
>PiBGcm9tOiBUb21hcyBHdXN0YXZzc29uDQo+DQo+PiBPbiAwOC8xMC8yMDEwIDA4OjQ0IEFNLCBQ
>ZXRlciBHdXRtYW5uIHdyb3RlOg0KPj4+DQo+Pj4gT0NTUCBpc24ndCB0aGF0IHNpbXBsZSwgaXQn
>cyBhY3R1YWxseSBxdWl0ZSBjb21wbGljYXRlZCBmb3Igd2hhdCBpdA0KPiBkb2VzLiCgVGhlDQo+
>Pj4gcmVhc29uIGl0IGdldHMgdXNlZCBpcyBiZWNhdXNlIGl0J3Mgbm90IENSTHMuDQo+Pj4NCj4+

Interesting, I'd never considered the misrevocation issue.  Is this a real
problem though, or just (one of many) conceptual issues with periodic-
blacklist-based validity checks?

(Given that fact that revocation checking barely works anyway - I'm still
waiting for the Realtek malware cert to be regarded as revoked by software a
month after the CA declared it revoked - I'd say that it's not such a big
concern, but only because of the nonfunctionality of the revocation mechanism
as a whole).

>IHRoZSBDUkwgd2l0aCBrZXlDb21wcm9taXNlIGFzIHRoZSByZWFzb24sIHNvbWVvbmUgZG93bmxv
>YWRzIGl0LCB0aGUgZXJyb3IgaXMgY29ycmVjdGVkIChhbmQgdGhlIHNlcmlhbCBudW1iZXIgb2Yg
>dGhlIGluY29ycmVjdCBjZXJ0aWZpY2F0ZSByZW1vdmVkIGFuZCB0aGUgY29ycmVjdCBvbmUgYWRk

Drifting rather off topic here, but I think attribute certs are a lost cause,
and have been for years.  If you really want a PMI, use your X.509 cert to
sign some SAML, which is well-supported and gives you what you need (and far
more than an attribute cert ever can).

Peter.

v2.23.0 | Report a Bug | By Email