From stefan@aaa-sec.com Fri Mar 1 08:56:13 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5E7921F938B for ; Fri, 1 Mar 2013 08:56:13 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -99.915 X-Spam-Level: X-Spam-Status: No, score=-99.915 tagged_above=-999 required=5 tests=[AWL=-1.477, BAYES_40=-0.185, HELO_EQ_SE=0.35, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H4+oats8c62N for ; Fri, 1 Mar 2013 08:56:13 -0800 (PST) Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id 5BD2221F9387 for ; Fri, 1 Mar 2013 08:56:13 -0800 (PST) Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id 19B6C4EB221 for ; Fri, 1 Mar 2013 17:56:12 +0100 (CET) X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id jE9_34eenDEK for ; Fri, 1 Mar 2013 17:56:11 +0100 (CET) Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id D247A4EB21F for ; Fri, 1 Mar 2013 17:56:11 +0100 (CET) Received: (qmail 41989 invoked from network); 1 Mar 2013 16:56:11 -0000 Received: from gw.aaa-sec.ideon.se (HELO [192.168.1.216]) (stefan@fiddler.nu@[85.235.7.89]) (envelope-sender ) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 1 Mar 2013 16:56:11 -0000 User-Agent: Microsoft-MacOutlook/14.3.1.130117 Date: Fri, 01 Mar 2013 17:56:08 +0100 From: Stefan Santesson To: pkix Message-ID: Thread-Topic: Agenda posted In-Reply-To: Mime-version: 1.0 Content-type: multipart/alternative; boundary="B_3445005372_1838468" Subject: [pkix] Agenda posted X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Mar 2013 16:56:14 -0000 > This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. --B_3445005372_1838468 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit An agenda for the PKIX meeting in Orlando has been posted. http://www.ietf.org/proceedings/86/agenda/agenda-86-pkix I have not yet got confirmation from the est editors but assume some of the authors will provide an update presentation. /Stefan --B_3445005372_1838468 Content-type: text/html; charset="US-ASCII" Content-transfer-encoding: quoted-printable
An agenda for the PKIX meeti= ng in Orlando has been posted.


I have not yet got = confirmation from the est editors but assume some of the authors will provid= e an update presentation.

/Stefan

<= /html> --B_3445005372_1838468-- From denis.pinkas@bull.net Mon Mar 4 00:43:09 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F241721F88BE for ; Mon, 4 Mar 2013 00:43:08 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.248 X-Spam-Level: X-Spam-Status: No, score=-6.248 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SS9wNt7zwZbw for ; Mon, 4 Mar 2013 00:43:04 -0800 (PST) Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by ietfa.amsl.com (Postfix) with ESMTP id 3C44A21F88E1 for ; Mon, 4 Mar 2013 00:43:00 -0800 (PST) Received: from MSGC-007.bull.fr (unknown [129.184.87.136]) by odin2.bull.net (Bull S.A.) with ESMTP id C88B31D297; Mon, 4 Mar 2013 09:42:58 +0100 (CET) Received: from [127.0.0.1] ([129.184.39.15]) by MSGC-007.bull.fr (Lotus Domino Release 8.5.3FP1) with ESMTP id 2013030409425813-509 ; Mon, 4 Mar 2013 09:42:58 +0100 Message-ID: <51345E8D.3070601@bull.net> Date: Mon, 04 Mar 2013 09:42:53 +0100 From: Denis Pinkas User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130215 Thunderbird/17.0.3 MIME-Version: 1.0 To: Stefan Santesson , pkix X-MIMETrack: Itemize by SMTP Server on MSGC-007/SRV/BULL(Release 8.5.3FP1|March 07, 2012) at 04/03/2013 09:42:58, Serialize by Router on MSGC-007/SRV/BULL(Release 8.5.3FP1|March 07, 2012) at 04/03/2013 09:42:58, Serialize complete at 04/03/2013 09:42:58 X-TNEFEvaluated: 1 Content-Type: multipart/alternative; boundary="------------070304040505030409010200" Subject: [pkix] Comments on draft-santesson-auth-context-extension-04 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Mar 2013 08:43:09 -0000 This is a multi-part message in MIME format. --------------070304040505030409010200 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=ISO-8859-1; format=flowed Stefan, The goal of this document is to associate a public key to be used for verifying electronic signatures with an identifier composed of a set of attributes, typically SAML attributes, contained in an authentication token. MAJOR COMMENTS 1.The proposed draft is not aligned with the current practices of RFC 5280 and X.509: the right place to hold such a set of attributes is in the subject alternate name. The subject DN may or may not be empty. There is no rational in this draft to explain why this straightforward approach has not been chosen. SubjectAltName ::= GeneralNames GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName GeneralName ::= CHOICE { otherName[0]OtherName, rfc822Name[1]IA5String, dNSName[2]IA5String, x400Address[3]ORAddress, directoryName[4]Name, ediPartyName[5]EDIPartyName, uniformResourceIdentifier[6]IA5String, iPAddress[7]OCTET STRING, registeredID[8]OBJECT IDENTIFIER } OtherName ::= SEQUENCE { type-idOBJECT IDENTIFIER, value[0] EXPLICIT ANY DEFINED BY type-id } OtherName fits well with the requirements, if you accept to use an OID rather than a uniformResourceIdentifier. The value component would contain an XML structure conformant with a XML schema. 2.The document should be restructured to define: (a) the general way to answer to the requirements, and (b) a specific profile, in an Appendix, so that other RFCs could refer to the main body of the document. DETAILED COMMENTS 3.The proposed structure is not appropriate. a) Why is there a need to have a SEQUENCE ? This should be avoided. b) Why is contextInfo OPTIONAL? This should be avoided. AuthenticationContexts ::= SEQUENCE SIZE (1..MAX) OF AuthenticationContext AuthenticationContext ::= SEQUENCE { contextTypeUTF8String, contextInfoUTF8String OPTIONAL } 4.The text states: This extension MAY be marked critical. If the alternate name is present, why should there be a DN ? 5.The XML schema should be given first (Appendix B) followed by the explanations (sections 3.1 and 3.2). In other words, sections 3.1 and 3.2 should be placed in Appendix B. 6.The vocabulary used in sections 3.1 and 3.2 is confusing and should be changed. An example: "AuthContextInfo Element" does not exist. However, it is better to state that the contextInfo component contains an XML structure which must conform to an XML schema. 7.The XML structure proposed to fit inside contextInfo is overly complex. AuthenticationInstant is mandatory, whereas it is not needed. AssertionRef is not needed. ServiceID is not needed. 8.There are no matching rules defined. This means that the verification of the content of that field is not possible. 9.In section 3.2, I failed to understand the explanations for CertRef as well as for rdn and san. Why CertNameType cannot be "factorized" ? (in the example from Page 15, there are all the same). "rdn"The SAML attribute value is placed in the subject field of the certificate in a present Relative Distinguished Name attribute. "san"The SAML attribute value is placed in the Subject Alternative Name extension of the certificate. I also failed to understand the reason of such "mapping". The example in Appendix C illustrates the complexity of the proposal. Can the approach be made simpler ? If not, why ? 10.In section 4, I failed to understand the "dynamic" aspect. My understanding is that a person statically authenticates to a RA (Registration Authority) and then is given back a non-repudiation certificate with SAML attributes in it which may then be used as identity attributes. I am unsure what the text in this section wants to say when using the words "dynamic manner". Denis --------------070304040505030409010200 Content-Transfer-Encoding: 7bit Content-Type: text/html; charset=ISO-8859-1

Stefan,


The goal of this document is to associate a public key to be used for verifying electronic signatures
with an identifier composed of a set of attributes, typically SAML attributes, contained in an authentication token.

 

 

MAJOR COMMENTS

 

1. The proposed draft is not aligned with the current practices of RFC 5280 and X.509:
the right place to hold such a set of attributes is in the subject alternate name.
The subject DN may or may not be empty.

 

There is no rational in this draft to explain why this straightforward approach has not been chosen.

 

   SubjectAltName ::= GeneralNames

 

   GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

 

   GeneralName ::= CHOICE {

        otherName                       [0]     OtherName,

        rfc822Name                      [1]     IA5String,

        dNSName                         [2]     IA5String,

        x400Address                     [3]     ORAddress,

        directoryName                   [4]     Name,

        ediPartyName                    [5]     EDIPartyName,

        uniformResourceIdentifier       [6]     IA5String,

        iPAddress                       [7]     OCTET STRING,

        registeredID                    [8]     OBJECT IDENTIFIER }

 

   OtherName ::= SEQUENCE {

        type-id    OBJECT IDENTIFIER,

        value      [0] EXPLICIT ANY DEFINED BY type-id }

 

OtherName fits well with the requirements, if you accept to use an OID rather than
a uniformResourceIdentifier.

 

The value component would contain an XML structure conformant with a XML schema.

 

 

2. The document should be restructured to define:

(a) the general way to answer to the requirements, and
(b) a specific profile, in an Appendix, so that other RFCs could refer to the main body of the document.

 

 

DETAILED COMMENTS

 

3. The proposed structure is not appropriate.

 

a) Why is there a need to have a SEQUENCE ? This should be avoided.

b) Why is contextInfo OPTIONAL? This should be avoided.

 

      AuthenticationContexts ::= SEQUENCE SIZE (1..MAX) OF

                                 AuthenticationContext

 

      AuthenticationContext ::= SEQUENCE {

          contextType     UTF8String,

          contextInfo     UTF8String OPTIONAL

      }

 

 

4. The text states:    This extension MAY be marked critical.

 

If the alternate name is present, why should there be a DN ?

 

 

5. The XML schema should be given first (Appendix B) followed by the explanations (sections 3.1 and 3.2).
In other words, sections 3.1 and 3.2 should be placed in Appendix B.

 

 

6. The vocabulary used in sections 3.1 and 3.2 is confusing and should be changed.

 

An example: “AuthContextInfo Element” does not exist. However, it is better to state that the contextInfo component
contains an XML structure which must conform to an XML schema.

 

 

7. The XML structure proposed to fit inside contextInfo is overly complex.

 

AuthenticationInstant is mandatory, whereas it is not needed.

AssertionRef is not needed.

ServiceID is not needed.

 

 

8. There are no matching rules defined. This means that the verification of the content of that field is not possible.

 

 

9. In section 3.2, I failed to understand the explanations for CertRef as well as for rdn and san.

 

Why CertNameType cannot be “factorized” ? (in the example from Page 15, there are all the same).

 

                      "rdn"   The SAML attribute value is placed in the

                              subject field of the certificate in a

                              present Relative Distinguished Name

                              attribute.

 

                      "san"   The SAML attribute value is placed in the

                              Subject Alternative Name extension of the

                              certificate.

 

I also failed to understand the reason of such “mapping”.
The example in Appendix C illustrates the complexity of the proposal.
Can the approach be made simpler ? If not, why ?

 

 

10. In section 4, I failed to understand the “dynamic” aspect. My understanding is that a person statically
authenticates to a RA (Registration Authority) and then is given back a non-repudiation certificate
with SAML attributes in it which may then be used as identity attributes.
I am unsure what the text in this section wants to say when using the words “dynamic manner”.


Denis

--------------070304040505030409010200-- From stefan@aaa-sec.com Mon Mar 4 02:10:40 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48C5421F87FF for ; Mon, 4 Mar 2013 02:10:40 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -99.04 X-Spam-Level: X-Spam-Status: No, score=-99.04 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, SARE_SPEC_REPLICA_OBFU=1.812, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m68VrtCOlCd1 for ; Mon, 4 Mar 2013 02:10:34 -0800 (PST) Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id C295221F8757 for ; Mon, 4 Mar 2013 02:10:32 -0800 (PST) Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id DB96751DD5E for ; Mon, 4 Mar 2013 11:10:30 +0100 (CET) X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id rU8sGV7jQ7UX for ; Mon, 4 Mar 2013 11:10:21 +0100 (CET) Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id D830C51DE69 for ; Mon, 4 Mar 2013 11:09:56 +0100 (CET) Received: (qmail 8487 invoked from network); 4 Mar 2013 10:09:56 -0000 Received: from gw.aaa-sec.ideon.se (HELO [192.168.1.2]) (stefan@fiddler.nu@[85.235.7.89]) (envelope-sender ) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 4 Mar 2013 10:09:56 -0000 User-Agent: Microsoft-MacOutlook/14.3.1.130117 Date: Mon, 04 Mar 2013 11:09:56 +0100 From: Stefan Santesson To: Denis Pinkas , pkix Message-ID: Thread-Topic: Comments on draft-santesson-auth-context-extension-04 In-Reply-To: <51345E8D.3070601@bull.net> Mime-version: 1.0 Content-type: multipart/alternative; boundary="B_3445240198_371853" Subject: Re: [pkix] Comments on draft-santesson-auth-context-extension-04 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Mar 2013 10:10:40 -0000 > This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. --B_3445240198_371853 Content-type: text/plain; charset="ISO-8859-1" Content-transfer-encoding: quoted-printable Denis, First, thanks for your review. I really appreciate it. It seems to me, especially with your leading concluding comment, that you have missed out on what this specification attempts to do. Perhaps you did not read the introduction enough, or perhaps I didn't write it clear enough. The purpose is not to associate the subject with a identifier composed of a set of attributes. That is, this is NOT a new name form. This extension helps a relying party to understand the source of the identity information that is placed in the traditional identity fields of a certificate. For example. If the serialNumber attributes holds the string "123456", then this extension can tell you where this string came from. The use case addressed is where the CA/RA obtains the authenticated identif= y from a SAML assertion when issuing the certificate. This extension provides means to preserve information about the original SAML attributes in the cert. From: Denis Pinkas Date: Monday, March 4, 2013 9:42 AM To: Stefan Santesson , pkix Subject: Comments on draft-santesson-auth-context-extension-04 > =20 > =20 >=20 > Stefan, > =20 > =20 >=20 > =20 > =20 > The goal of this document is to associate a public key to be used for > verifying electronic signatures > with an identifier composed of a set of attributes, typically SAML > attributes, contained in an authentication token. > =20 > =20 > =20 No you got this wrong. This is not an Identifier. > =20 > =20 > MAJOR COMMENTS > =20 > =20 > =20 > 1. The proposed draft is not aligned with the current practices of RFC 52= 80 > and X.509:=20 > the right place to hold such a set of attributes is in the subject alter= nate > name.=20 > The subject DN may or may not be empty. > =20 > =20 > =20 > There is no rational in this draft to explain why this straightforward > approach has not been chosen. > =20 > =20 > =20 > SubjectAltName ::=3D GeneralNames > =20 > =20 > =20 > GeneralNames ::=3D SEQUENCE SIZE (1..MAX) OF GeneralName > =20 > =20 > =20 > GeneralName ::=3D CHOICE { > =20 > otherName [0] OtherName, > =20 > rfc822Name [1] IA5String, > =20 > dNSName [2] IA5String, > =20 > x400Address [3] ORAddress, > =20 > directoryName [4] Name, > =20 > ediPartyName [5] EDIPartyName, > =20 > uniformResourceIdentifier [6] IA5String, > =20 > iPAddress [7] OCTET STRING, > =20 > registeredID [8] OBJECT IDENTIFIER } > =20 > =20 > =20 > OtherName ::=3D SEQUENCE { > =20 > type-id OBJECT IDENTIFIER, > =20 > value [0] EXPLICIT ANY DEFINED BY type-id } > =20 > =20 > =20 > OtherName fits well with the requirements, if you accept to use an OID ra= ther > than=20 > a uniformResourceIdentifier. > =20 > =20 > =20 > The value component would contain an XML structure conformant with a XML > schema. > =20 > =20 > =20 This draft does not contain an identifier, thus this comment is irrelevant. There is not explanation why we don't store an identifier as a SAN, since w= e do not create or store an identifier. > =20 > =20 > 2. The document should be restructured to define: > =20 > (a) the general way to answer to the requirements, and > (b) a specific profile, in an Appendix, so that other RFCs could refer t= o the > main body of the document. > =20 > =20 > =20 That could be one way to do it. > =20 > =20 > DETAILED COMMENTS > =20 > =20 > =20 > 3. The proposed structure is not appropriate. > =20 > =20 > =20 > a) Why is there a need to have a SEQUENCE ? This should be avoided. > =20 > b) Why is contextInfo OPTIONAL? This should be avoided. > =20 > =20 > =20 > AuthenticationContexts ::=3D SEQUENCE SIZE (1..MAX) OF > =20 > AuthenticationContext > =20 > =20 > =20 > AuthenticationContext ::=3D SEQUENCE { > =20 > contextType UTF8String, > =20 > contextInfo UTF8String OPTIONAL > =20 > } > =20 For exactly the same reason why SAML AuthContextClassRef in a SAML assertio= n is mandatory but not the XML structure it defines. In some cases you don't want to include explicit data, if that data is static and can be implicitly known through an identifier. The AuthContextClassRef in SAML is the best example as it is an exact functional replica of this. The URL identified by AuthContextClassRef is also a XML Schema ns for associated XML document. The XML Schema can define both a static XML document with fixed values as well as a structure where different values can be entered. Just including the reference to the XML Schema may then provide sufficient information to the relying party. The actual XML document is only included if some variable data need to be communicated within the associated XML document. Just including contextType but not contextInfo could be compared with the case where we include a certificate policy OID, but not the entire policy text. This is a really smart way to do this, which is made possible through the versatility of XML Schemas. > =20 > =20 > =20 > =20 > 4. The text states: This extension MAY be marked critical. > =20 > =20 > =20 > If the alternate name is present, why should there be a DN ? > =20 > =20 This comment must be based on a misunderstanding of the scope of this document. > =20 > =20 > =20 > =20 > 5. The XML schema should be given first (Appendix B) followed by the > explanations (sections 3.1 and 3.2). > In other words, sections 3.1 and 3.2 should be placed in Appendix B. > =20 That is one way to do it. If I was the implementer, I really wouldn't care as long as the information is there. I think it is quite common to place programatic contracts in Appendixes, wile explaining data elements in the body of the document. > =20 > =20 > =20 > =20 > 6. The vocabulary used in sections 3.1 and 3.2 is confusing and should be > changed. > =20 > =20 > =20 > An example: =B3AuthContextInfo Element=B2 does not exist. However, it is bett= er to > state that the contextInfo component > contains an XML structure which must conform to an XML schema. > =20 > =20 > =20 Sorry, I don't get this comment. The AuthContextInfo element does exist. It is defined in the schema. XML Schema defines syntax and structure but not the semantics. Semantics are defined the section 3. > =20 > =20 > 7. The XML structure proposed to fit inside contextInfo is overly complex= . > =20 > =20 > =20 > AuthenticationInstant is mandatory, whereas it is not needed. This information is always available from the SAML assertion and is considered fundamental, thus required. > =20 > AssertionRef is not needed. > =20 > ServiceID is not needed. > =20 And hence, both are optional. The XML Schema is actually very simple. Its just the nature of XML Schemas to look more complex than they actually are. Perhaps it is easier if you examine it through this following web doc (whic= h unfortunately can't be included in the spec): http://aaa-sec.com/eid2/sigsupport/XMLschema/AuthContExtDoc/index.html > =20 > =20 > =20 > =20 > 8. There are no matching rules defined. This means that the verification = of > the content of that field is not possible. > =20 First of all, this is not an identifier, thus there is no reason for a matching rule is it would be if this was an identifier that as a whole should be compared with something else. The SAML attribute value does not have to match the value of the cert attribute, this data in the extension is optional and, if present, is a hint.=20 But I could actually add some text to clarify this. > =20 > =20 > =20 > =20 > 9. In section 3.2, I failed to understand the explanations for CertRef as= well > as for rdn and san. > =20 > =20 > =20 > Why CertNameType cannot be =B3factorized=B2 ? (in the example from Page 15, t= here > are all the same). No, the example in the spec has one e-mail attribute that was placed in the SubjAltName extension of the cert. > =20 > =20 > =20 > "rdn" The SAML attribute value is placed in the > =20 > subject field of the certificate in a > =20 > present Relative Distinguished Name > =20 > attribute. > =20 > =20 > =20 > "san" The SAML attribute value is placed in the > =20 > Subject Alternative Name extension of the > =20 > certificate. > =20 > =20 > =20 > I also failed to understand the reason of such =B3mapping=B2. Yes, and I think that is the reason behind most of your comments. >=20 > The example in Appendix C illustrates the complexity of the proposal. > Can the approach be made simpler ? If not, why ? > =20 > =20 > =20 No it can't be made simpler. It contains exactly the information we need in the implementation where it is used. I could write a whole whitepaper about all detailed reasons, but if you really think about the use case, it should be clear. Consider the case where you know users by attributes defined in a SAML federation, where for example serialNumber is NOT used. A CA issues a certificate to a user based an a SAML assertion authenticatio= n based on the attribute profile of that federation. A user logs in to your service using a SAML assertion, and sends you a signed document associated with the issued certificate. You now need to determine whether that SAML assertion and the certificate represents the same user. You also need to determine that the SAML assertion and the certificate provides compatible levels of assertion for user authentication as defined in your SAML federation. This extension gives you exactly the amount of data that is needed in order to do this in an unambiguous fully automated process. > =20 > =20 > 10. In section 4, I failed to understand the =B3dynamic=B2 aspect. My > understanding is that a person statically > authenticates to a RA (Registration Authority) and then is given back a > non-repudiation certificate > with SAML attributes in it which may then be used as identity attributes= . > I am unsure what the text in this section wants to say when using the wo= rds > =B3dynamic manner=B2. > =20 > =20 Your view is to restrictive. The dynamic aspect of this is that a certificate may be issued on the fly a= t the instance when it is needed, containing just the information that is needed for one particular situation. This extension is (where this is used in the Swedish national infrastructure) added to certificates that are issued for just one instance of signing, and hence can be dynamically adapted to the needs of the intended relying party. Next time the user signs, a new key pair is generated with new certs that may contain another set of the user's attributes. The first instance may for example contain the users private identity based on a national identifier, the second may carry an organisational identity based on employee number. What attributes that are needed in every instance is determined in a servic= e context that is outside the scope of this specification. In these certificates, both the national identifier and the employee number may be placed as a serialNumber attribute in the subject field. Despite that, this extension makes it possible for the relying party to kno= w exactly what identity information each certificate carries, as it maps to the attribute profile of a SAML federation. /Stefan >=20 > =20 > =20 > Denis > =20 > =20 --B_3445240198_371853 Content-type: text/html; charset="ISO-8859-1" Content-transfer-encoding: quoted-printable
Denis,

<= div>First, thanks for your review. I really appreciate it.

It seems to me, especially with your leading concluding comment, tha= t you have missed out on what this specification attempts to do.
P= erhaps you did not read the introduction enough, or perhaps I didn't write i= t clear enough.

The purpose is not to associate the= subject with a identifier composed of a set of attributes.
That i= s, this is NOT a new name form.

This extension help= s a relying party to understand the source of the identity information that = is placed in the traditional identity fields of a certificate.
For= example. If the serialNumber attributes holds the string "123456", then thi= s extension can tell you where this string came from.

The use case addressed is where the CA/RA obtains the authenticated ident= ify from a SAML assertion when issuing the certificate.
This exten= sion provides means to preserve information about the original SAML attribut= es in the cert.


From: Denis Pinkas <den= is.pinkas@bull.net>
Date: M= onday, March 4, 2013 9:42 AM
To: S= tefan Santesson <stefan@aaa-sec.com>, pkix <pkix@ietf.org>
Subject: Comments on draft-santesson-aut= h-context-extension-04

Stefan,


The goal of this document is to associate a public key to be used for verifying electronic signatures
with an identifier composed of a set of attributes, typically SAML attributes, contained in an authentication token.

 


No you got this wro= ng. This is not an Identifier.

 

MAJOR COMMENTS

 

1. The proposed draft is not aligned with the current practices of RFC 5280 and X.509:
the right place to hold such a set of attributes is in the subject alternate name.
The subject DN may or may not be empty.

 

There is no rational in this draft to explain why this straightforward approach has not been chosen.

 

   SubjectAltName ::=3D GeneralNames

 

   GeneralNames ::=3D SEQUENCE SIZE (1..MAX) OF GeneralName

 

   GeneralName ::=3D CHOICE {

       = ; otherName    &nb= sp;            &= nbsp;     [0] = ;    OtherName,

       = ; rfc822Name    &n= bsp;            =      [1] &nbs= p;   IA5String,

       = ; dNSName     = ;            &nb= sp;       [2]     IA5String,

       = ; x400Address    &= nbsp;            = ;    [3]  &nb= sp;  ORAddress,

       = ; directoryName    = ;            &nb= sp;  [4]     = Name,

       = ; ediPartyName    =             &nbs= p;   [5]   &n= bsp; EDIPartyName,

       = ; uniformResourceIdentifier  = ;     [6] &nb= sp;   IA5String,

       = ; iPAddress    &nb= sp;            &= nbsp;     [7] = ;    OCTET STRING,

       = ; registeredID    =             &nbs= p;   [8]   &n= bsp; OBJECT IDENTIFIER }

 

   OtherName ::=3D SEQUENCE {

       = ; type-id    OBJ= ECT IDENTIFIER,

       = ; value      = [0] EXPLICIT ANY DEFINED BY type-id }

 

OtherName fits well with the requirements, if you accept to use an OID rather than
a uniformResourceIdentifier.

 

The value component would contain an XML structure conformant with a XML schema.

 


This draft does not= contain an identifier, thus this comment is irrelevant.
There is = not explanation why we don't store an identifier as a SAN, since we do not c= reate or store an identifier.

 

2. The document should be restructured to define:

(a) the general way to answer to the requirements, and
(b) a specific profile, in an Appendix, so that other RFCs could refer to the main body of the document.

 


That could be one w= ay to do it.

 

DETAILED COMMENTS

 

3. The proposed structure is not appropriate.

 

a) Why is there a need to have a SEQUENCE ? This should be avoided.

b) Why is contextInfo OPTIONAL? This should be avoided.

 

      Aut= henticationContexts ::=3D SEQUENCE SIZE (1..MAX) OF

       = ;            &nb= sp;             AuthenticationContext

 

      Aut= henticationContext ::=3D SEQUENCE {

       = ;   contextType  &= nbsp;  UTF8String,

       = ;   contextInfo  &= nbsp;  UTF8String OPTIONAL

      }


For exactly the sam= e reason why SAML AuthContextClassRef in a SAML assertion is mandatory but n= ot the XML structure it defines.
In some cases you don't want to i= nclude explicit data, if that data is static and can be implicitly known thr= ough an identifier.

The AuthContextClassRef in= SAML is the best example as it is an exact functional replica of this.
The URL identified by AuthContextClassRef is also a XML Schema ns= for associated XML document.

The XML Schema can de= fine both a static XML document with fixed values as well as a structure whe= re different values can be entered.

Just including = the reference to the XML Schema may then provide sufficient information to t= he relying party. The actual XML document is only included if some variable = data need to be communicated within the associated XML document.
<= br>
Just including contextType but not contextInfo could be compar= ed with the case where we include a certificate policy OID, but not the enti= re policy text.

This is a really smart way to do th= is, which is made possible through the versatility of XML Schemas.


=  

 

4. The text states:    This extension MAY be marked critical.

 

If the alternate name is present, why should there be a DN ?


This comment must b= e based on a misunderstanding of the scope of this document.

<= /div>

<= span style=3D"mso-ansi-language:EN-GB" lang=3D"EN-GB"> 

 

5. The XML schema should be given first (Appendix B) followed by the explanations (sections 3.1 and 3.2).
In other words, sections 3.1 and 3.2 should be placed in Appendix B.


That is one way to = do it. If I was the implementer, I really wouldn't care as long as the infor= mation is there.
I think it is quite common to place programatic c= ontracts in Appendixes, wile explaining data elements in the body of the doc= ument.

 

 

6. The vocabulary used in sections 3.1 and 3.2 is confusing and should be changed.

 

An example: “AuthContextInfo Element” does not exist. However, it is better to state that the contextInfo component
contains an XML structure which must conform to an XML schema.=

 


Sorry, I don't get = this comment. The AuthContextInfo element does exist. It is defined in the s= chema. XML Schema defines syntax and structure but not the semantics. Semant= ics are defined the section 3.

 

7. The XML structure proposed to fit inside contextInfo is overly complex.

 

AuthenticationInstant is mandatory, whereas it is not needed.


This information is always available from the SAML assertion and is c= onsidered fundamental, thus required.

AssertionRef is not needed.

ServiceID is not needed.


And hence, both are= optional.

The XML Schema is actually very simple. = Its just the nature of XML Schemas to look more complex than they actually a= re.
Perhaps it is easier if you examine it through this following = web doc (which unfortunately can't be included in the spec):
= http://aaa-sec.com/eid2/sigsupport/XMLschema/AuthContExtDoc/index.html


 

 

8. There are no matching rules defined. This means that the verification of the content of that field is not possible.


First of all, this = is not an identifier, thus there is no reason for a matching rule is it woul= d be if this was an identifier that as a whole should be compared with somet= hing else.

The SAML attribute value does not have t= o match the value of the cert attribute, this data in the extension is optio= nal and, if present, is a hint. 
But I could actually add som= e text to clarify this.

=

 

 

9. In section 3.2, I failed to understand the explanations for CertRef as well as for rdn and san.

 

Why CertNameType cannot be “factorized” ? (in the example from Page 15, there are all the same).


No, the example in the spec has on= e e-mail attribute that was placed in the SubjAltName extension of the cert.=

 

       = ;            &nb= sp;  "rdn"   The = SAML attribute value is placed in the

       = ;            &nb= sp;          subject field of the certificate in a

       = ;            &nb= sp;          present Relative Distinguished Name

       = ;            &nb= sp;          attribute.

 

       = ;            &nb= sp;  "san"   The = SAML attribute value is placed in the

       = ;            &nb= sp;          Subject Alternative Name extension of the<= /p>

       = ;            &nb= sp;          certificate.

 

I also failed to understand the reason of such “mapping”.

<= div>
Yes, and I think that is the reason behind most of your c= omments.

<= p class=3D"MsoPlainText"> The example in Appendix C illustrates the complexity of the proposal.
Can the approach be made simpler ? If not, why ?<= /p>

 


No it can't be made= simpler. It contains exactly the information we need in the implementation = where it is used.

I could write a whole whitepaper = about all detailed reasons, but if you really think about the use case, it s= hould be clear.

Consider the case where you know us= ers by attributes defined in a SAML federation, where for example serialNumb= er is NOT used.
A CA issues a certificate to a user based an a SAM= L assertion authentication based on the attribute profile of that federation= .

A user logs in to your service using a SAML asser= tion, and sends you a signed document associated with the issued certificate= .
You now need to determine whether that SAML assertion and the ce= rtificate represents the same user.
You also need to determine tha= t the SAML assertion and the certificate provides compatible levels of asser= tion for user authentication as defined in your SAML federation.
<= br>
This extension gives you exactly the amount of data that is ne= eded in order to do this in an unambiguous fully automated process.

 

10. In section 4, I failed to understand the “dynamic” aspect. My understan= ding is that a person statically
authenticates to a RA (Registration Authority) and then is given back a non-repudiation certificate
with SAML attributes in it which may then be used as identity attributes.
I am unsure what the text in this section wants to say when using the words “dynamic manner”.



Your= view is to restrictive.

The dynamic aspect of this= is that a certificate may be issued on the fly at the instance when it is n= eeded, containing just the information that is needed for one particular sit= uation.
This extension is (where this is used in the Swedish natio= nal infrastructure) added to certificates that are issued for just one insta= nce of signing, and hence can be dynamically adapted to the needs of the int= ended relying party.

Next time the user signs, a ne= w key pair is generated with new certs that may contain another set of the u= ser's attributes.

The first instance may for exampl= e contain the users private identity based on a national identifier, the sec= ond may carry an organisational identity based on employee number.
What attributes that are needed in every instance is determined in a servic= e context that is outside the scope of this specification.

In these certificates, both the national identifier and the employee= number may be placed as a serialNumber attribute in the subject field.
Despite that, this extension makes it possible for the relying party t= o know exactly what identity information each certificate carries, as it map= s to the attribute profile of a SAML federation.

/S= tefan


Denis
=

--B_3445240198_371853-- From md@e-net.lt Mon Mar 4 02:26:59 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4ED4F21F8925 for ; Mon, 4 Mar 2013 02:26:59 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.786 X-Spam-Level: X-Spam-Status: No, score=-0.786 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, SARE_SPEC_REPLICA_OBFU=1.812] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LhdextGLF0jX for ; Mon, 4 Mar 2013 02:26:55 -0800 (PST) Received: from mail.ssc.lt (mail.ssc.lt [212.122.83.205]) by ietfa.amsl.com (Postfix) with ESMTP id 1C39721F891D for ; Mon, 4 Mar 2013 02:26:54 -0800 (PST) Received: from [84.240.23.136] (helo=[192.168.1.100]) by mail.ssc.lt with esmtpsa (TLS-1.0:DHE_RSA_AES_256_CBC_SHA:32) (Exim 4.50) id 1UCSba-0007Y2-NG; Mon, 04 Mar 2013 12:26:50 +0200 Message-ID: <513476E0.5040300@e-net.lt> Date: Mon, 04 Mar 2013 12:26:40 +0200 From: "Moudrick M. Dadashov" User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130215 Thunderbird/17.0.3 MIME-Version: 1.0 To: Stefan Santesson References: In-Reply-To: Content-Type: multipart/alternative; boundary="------------040409070101020509060801" Cc: pkix Subject: Re: [pkix] Comments on draft-santesson-auth-context-extension-04 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Mar 2013 10:26:59 -0000 This is a multi-part message in MIME format. --------------040409070101020509060801 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit On 3/4/2013 12:09 PM, Stefan Santesson wrote: > Denis, > > First, thanks for your review. I really appreciate it. > > It seems to me, especially with your leading concluding comment, that > you have missed out on what this specification attempts to do. > Perhaps you did not read the introduction enough, or perhaps I didn't > write it clear enough. > > The purpose is not to associate the subject with a identifier composed > of a set of attributes. > That is, this is NOT a new name form. > > This extension helps a relying party to understand the source of the > identity information that is placed in the traditional identity fields > of a certificate. > For example. If the serialNumber attributes holds the string "123456", > then this extension can tell you where this string came from. > How is this related to "semantics identifier" (ETSI TS 119 412-2) then? M.D. > The use case addressed is where the CA/RA obtains the authenticated > identify from a SAML assertion when issuing the certificate. > This extension provides means to preserve information about the > original SAML attributes in the cert. > > > From: Denis Pinkas > > Date: Monday, March 4, 2013 9:42 AM > To: Stefan Santesson >, > pkix > > Subject: Comments on draft-santesson-auth-context-extension-04 > > Stefan, > > > The goal of this document is to associate a public key to be used > for verifying electronic signatures > with an identifier composed of a set of attributes, typically SAML > attributes, contained in an authentication token. > > > No you got this wrong. This is not an Identifier. > > MAJOR COMMENTS > > 1.The proposed draft is not aligned with the current practices of > RFC 5280 and X.509: > the right place to hold such a set of attributes is in the subject > alternate name. > The subject DN may or may not be empty. > > There is no rational in this draft to explain why this > straightforward approach has not been chosen. > > SubjectAltName ::= GeneralNames > > GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName > > GeneralName ::= CHOICE { > > otherName[0]OtherName, > > rfc822Name[1]IA5String, > > dNSName[2]IA5String, > > x400Address[3]ORAddress, > > directoryName[4]Name, > > ediPartyName[5]EDIPartyName, > > uniformResourceIdentifier[6]IA5String, > > iPAddress[7]OCTET STRING, > > registeredID[8]OBJECT IDENTIFIER } > > OtherName ::= SEQUENCE { > > type-idOBJECT IDENTIFIER, > > value[0] EXPLICIT ANY DEFINED BY type-id } > > OtherName fits well with the requirements, if you accept to use an > OID rather than > a uniformResourceIdentifier. > > The value component would contain an XML structure conformant with > a XML schema. > > > This draft does not contain an identifier, thus this comment is > irrelevant. > There is not explanation why we don't store an identifier as a SAN, > since we do not create or store an identifier. > > 2.The document should be restructured to define: > > (a) the general way to answer to the requirements, and > (b) a specific profile, in an Appendix, so that other RFCs could > refer to the main body of the document. > > > That could be one way to do it. > > DETAILED COMMENTS > > 3.The proposed structure is not appropriate. > > a) Why is there a need to have a SEQUENCE ? This should be avoided. > > b) Why is contextInfo OPTIONAL? This should be avoided. > > AuthenticationContexts ::= SEQUENCE SIZE (1..MAX) OF > > AuthenticationContext > > AuthenticationContext ::= SEQUENCE { > > contextTypeUTF8String, > > contextInfoUTF8String OPTIONAL > > } > > > For exactly the same reason why SAML AuthContextClassRef in a SAML > assertion is mandatory but not the XML structure it defines. > In some cases you don't want to include explicit data, if that data is > static and can be implicitly known through an identifier. > > The AuthContextClassRef in SAML is the best example as it is an exact > functional replica of this. > The URL identified by AuthContextClassRef is also a XML Schema ns for > associated XML document. > > The XML Schema can define both a static XML document with fixed values > as well as a structure where different values can be entered. > > Just including the reference to the XML Schema may then provide > sufficient information to the relying party. The actual XML document > is only included if some variable data need to be communicated within > the associated XML document. > > Just including contextType but not contextInfo could be compared with > the case where we include a certificate policy OID, but not the entire > policy text. > > This is a really smart way to do this, which is made possible through > the versatility of XML Schemas. > > > 4.The text states: This extension MAY be marked critical. > > If the alternate name is present, why should there be a DN ? > > > This comment must be based on a misunderstanding of the scope of this > document. > > 5.The XML schema should be given first (Appendix B) followed by > the explanations (sections 3.1 and 3.2). > In other words, sections 3.1 and 3.2 should be placed in Appendix B. > > > That is one way to do it. If I was the implementer, I really wouldn't > care as long as the information is there. > I think it is quite common to place programatic contracts in > Appendixes, wile explaining data elements in the body of the document. > > 6.The vocabulary used in sections 3.1 and 3.2 is confusing and > should be changed. > > An example: "AuthContextInfo Element" does not exist. However, it > is better to state that the contextInfo component > contains an XML structure which must conform to an XML schema. > > > Sorry, I don't get this comment. The AuthContextInfo element does > exist. It is defined in the schema. XML Schema defines syntax and > structure but not the semantics. Semantics are defined the section 3. > > 7.The XML structure proposed to fit inside contextInfo is overly > complex. > > AuthenticationInstant is mandatory, whereas it is not needed. > > > This information is always available from the SAML assertion and is > considered fundamental, thus required. > > AssertionRef is not needed. > > ServiceID is not needed. > > > And hence, both are optional. > > The XML Schema is actually very simple. Its just the nature of XML > Schemas to look more complex than they actually are. > Perhaps it is easier if you examine it through this following web doc > (which unfortunately can't be included in the spec): > http://aaa-sec.com/eid2/sigsupport/XMLschema/AuthContExtDoc/index.html > > > 8.There are no matching rules defined. This means that the > verification of the content of that field is not possible. > > > First of all, this is not an identifier, thus there is no reason for a > matching rule is it would be if this was an identifier that as a whole > should be compared with something else. > > The SAML attribute value does not have to match the value of the cert > attribute, this data in the extension is optional and, if present, is > a hint. > But I could actually add some text to clarify this. > > 9.In section 3.2, I failed to understand the explanations for > CertRef as well as for rdn and san. > > Why CertNameType cannot be "factorized" ? (in the example from > Page 15, there are all the same). > > > No, the example in the spec has one e-mail attribute that was placed > in the SubjAltName extension of the cert. > > "rdn"The SAML attribute value is placed in the > > subject field of the certificate in a > > present Relative Distinguished Name > > attribute. > > "san"The SAML attribute value is placed in the > > Subject Alternative Name extension of the > > certificate. > > I also failed to understand the reason of such "mapping". > > > Yes, and I think that is the reason behind most of your comments. > > > The example in Appendix C illustrates the complexity of the proposal. > Can the approach be made simpler ? If not, why ? > > > No it can't be made simpler. It contains exactly the information we > need in the implementation where it is used. > > I could write a whole whitepaper about all detailed reasons, but if > you really think about the use case, it should be clear. > > Consider the case where you know users by attributes defined in a SAML > federation, where for example serialNumber is NOT used. > A CA issues a certificate to a user based an a SAML assertion > authentication based on the attribute profile of that federation. > > A user logs in to your service using a SAML assertion, and sends you a > signed document associated with the issued certificate. > You now need to determine whether that SAML assertion and the > certificate represents the same user. > You also need to determine that the SAML assertion and the certificate > provides compatible levels of assertion for user authentication as > defined in your SAML federation. > > This extension gives you exactly the amount of data that is needed in > order to do this in an unambiguous fully automated process. > > 10.In section 4, I failed to understand the "dynamic" aspect. My > understanding is that a person statically > authenticates to a RA (Registration Authority) and then is given > back a non-repudiation certificate > with SAML attributes in it which may then be used as identity > attributes. > I am unsure what the text in this section wants to say when using > the words "dynamic manner". > > > > Your view is to restrictive. > > The dynamic aspect of this is that a certificate may be issued on the > fly at the instance when it is needed, containing just the information > that is needed for one particular situation. > This extension is (where this is used in the Swedish national > infrastructure) added to certificates that are issued for just one > instance of signing, and hence can be dynamically adapted to the needs > of the intended relying party. > > Next time the user signs, a new key pair is generated with new certs > that may contain another set of the user's attributes. > > The first instance may for example contain the users private identity > based on a national identifier, the second may carry an organisational > identity based on employee number. > What attributes that are needed in every instance is determined in a > service context that is outside the scope of this specification. > > In these certificates, both the national identifier and the employee > number may be placed as a serialNumber attribute in the subject field. > Despite that, this extension makes it possible for the relying party > to know exactly what identity information each certificate carries, as > it maps to the attribute profile of a SAML federation. > > /Stefan > > > Denis > > > > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix --------------040409070101020509060801 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit
On 3/4/2013 12:09 PM, Stefan Santesson wrote:
Denis,

First, thanks for your review. I really appreciate it.

It seems to me, especially with your leading concluding comment, that you have missed out on what this specification attempts to do.
Perhaps you did not read the introduction enough, or perhaps I didn't write it clear enough.

The purpose is not to associate the subject with a identifier composed of a set of attributes.
That is, this is NOT a new name form.

This extension helps a relying party to understand the source of the identity information that is placed in the traditional identity fields of a certificate.
For example. If the serialNumber attributes holds the string "123456", then this extension can tell you where this string came from.

How is this related to "semantics identifier" (ETSI TS 119 412-2) then?

M.D.
The use case addressed is where the CA/RA obtains the authenticated identify from a SAML assertion when issuing the certificate.
This extension provides means to preserve information about the original SAML attributes in the cert.


From: Denis Pinkas <denis.pinkas@bull.net>
Date: Monday, March 4, 2013 9:42 AM
To: Stefan Santesson <stefan@aaa-sec.com>, pkix <pkix@ietf.org>
Subject: Comments on draft-santesson-auth-context-extension-04

Stefan,


The goal of this document is to associate a public key to be used for verifying electronic signatures
with an identifier composed of a set of attributes, typically SAML attributes, contained in an authentication token.

 

No you got this wrong. This is not an Identifier.

 

MAJOR COMMENTS

 

1. The proposed draft is not aligned with the current practices of RFC 5280 and X.509:
the right place to hold such a set of attributes is in the subject alternate name.
The subject DN may or may not be empty.

 

There is no rational in this draft to explain why this straightforward approach has not been chosen.

 

   SubjectAltName ::= GeneralNames

 

   GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

 

   GeneralName ::= CHOICE {

        otherName                       [0]     OtherName,

        rfc822Name                      [1]     IA5String,

        dNSName                         [2]     IA5String,

        x400Address                     [3]     ORAddress,

        directoryName                   [4]     Name,

        ediPartyName                    [5]     EDIPartyName,

        uniformResourceIdentifier       [6]     IA5String,

        iPAddress                       [7]     OCTET STRING,

        registeredID                    [8]     OBJECT IDENTIFIER }

 

   OtherName ::= SEQUENCE {

        type-id    OBJECT IDENTIFIER,

        value      [0] EXPLICIT ANY DEFINED BY type-id }

 

OtherName fits well with the requirements, if you accept to use an OID rather than
a uniformResourceIdentifier.

 

The value component would contain an XML structure conformant with a XML schema.

 

This draft does not contain an identifier, thus this comment is irrelevant.
There is not explanation why we don't store an identifier as a SAN, since we do not create or store an identifier.

 

2. The document should be restructured to define:

(a) the general way to answer to the requirements, and
(b) a specific profile, in an Appendix, so that other RFCs could refer to the main body of the document.

 

That could be one way to do it.

 

DETAILED COMMENTS

 

3. The proposed structure is not appropriate.

 

a) Why is there a need to have a SEQUENCE ? This should be avoided.

b) Why is contextInfo OPTIONAL? This should be avoided.

 

      AuthenticationContexts ::= SEQUENCE SIZE (1..MAX) OF

                                 AuthenticationContext

 

      AuthenticationContext ::= SEQUENCE {

          contextType     UTF8String,

          contextInfo     UTF8String OPTIONAL

      }

For exactly the same reason why SAML AuthContextClassRef in a SAML assertion is mandatory but not the XML structure it defines.
In some cases you don't want to include explicit data, if that data is static and can be implicitly known through an identifier.

The AuthContextClassRef in SAML is the best example as it is an exact functional replica of this.
The URL identified by AuthContextClassRef is also a XML Schema ns for associated XML document.

The XML Schema can define both a static XML document with fixed values as well as a structure where different values can be entered.

Just including the reference to the XML Schema may then provide sufficient information to the relying party. The actual XML document is only included if some variable data need to be communicated within the associated XML document.

Just including contextType but not contextInfo could be compared with the case where we include a certificate policy OID, but not the entire policy text.

This is a really smart way to do this, which is made possible through the versatility of XML Schemas.


 

 

4. The text states:    This extension MAY be marked critical.

 

If the alternate name is present, why should there be a DN ?

This comment must be based on a misunderstanding of the scope of this document.

 

 

5. The XML schema should be given first (Appendix B) followed by the explanations (sections 3.1 and 3.2).
In other words, sections 3.1 and 3.2 should be placed in Appendix B.

That is one way to do it. If I was the implementer, I really wouldn't care as long as the information is there.
I think it is quite common to place programatic contracts in Appendixes, wile explaining data elements in the body of the document.

 

 

6. The vocabulary used in sections 3.1 and 3.2 is confusing and should be changed.

 

An example: “AuthContextInfo Element” does not exist. However, it is better to state that the contextInfo component
contains an XML structure which must conform to an XML schema.

 

Sorry, I don't get this comment. The AuthContextInfo element does exist. It is defined in the schema. XML Schema defines syntax and structure but not the semantics. Semantics are defined the section 3.

 

7. The XML structure proposed to fit inside contextInfo is overly complex.

 

AuthenticationInstant is mandatory, whereas it is not needed.

This information is always available from the SAML assertion and is considered fundamental, thus required.

AssertionRef is not needed.

ServiceID is not needed.

And hence, both are optional.

The XML Schema is actually very simple. Its just the nature of XML Schemas to look more complex than they actually are.
Perhaps it is easier if you examine it through this following web doc (which unfortunately can't be included in the spec):


 

 

8. There are no matching rules defined. This means that the verification of the content of that field is not possible.

First of all, this is not an identifier, thus there is no reason for a matching rule is it would be if this was an identifier that as a whole should be compared with something else.

The SAML attribute value does not have to match the value of the cert attribute, this data in the extension is optional and, if present, is a hint. 
But I could actually add some text to clarify this.

 

 

9. In section 3.2, I failed to understand the explanations for CertRef as well as for rdn and san.

 

Why CertNameType cannot be “factorized” ? (in the example from Page 15, there are all the same).

No, the example in the spec has one e-mail attribute that was placed in the SubjAltName extension of the cert.

 

                      "rdn"   The SAML attribute value is placed in the

                              subject field of the certificate in a

                              present Relative Distinguished Name

                              attribute.

 

                      "san"   The SAML attribute value is placed in the

                              Subject Alternative Name extension of the

                              certificate.

 

I also failed to understand the reason of such “mapping”.


Yes, and I think that is the reason behind most of your comments.


The example in Appendix C illustrates the complexity of the proposal.
Can the approach be made simpler ? If not, why ?

 

No it can't be made simpler. It contains exactly the information we need in the implementation where it is used.

I could write a whole whitepaper about all detailed reasons, but if you really think about the use case, it should be clear.

Consider the case where you know users by attributes defined in a SAML federation, where for example serialNumber is NOT used.
A CA issues a certificate to a user based an a SAML assertion authentication based on the attribute profile of that federation.

A user logs in to your service using a SAML assertion, and sends you a signed document associated with the issued certificate.
You now need to determine whether that SAML assertion and the certificate represents the same user.
You also need to determine that the SAML assertion and the certificate provides compatible levels of assertion for user authentication as defined in your SAML federation.

This extension gives you exactly the amount of data that is needed in order to do this in an unambiguous fully automated process.

 

10. In section 4, I failed to understand the “dynamic” aspect. My understanding is that a person statically
authenticates to a RA (Registration Authority) and then is given back a non-repudiation certificate
with SAML attributes in it which may then be used as identity attributes.
I am unsure what the text in this section wants to say when using the words “dynamic manner”.


Your view is to restrictive.

The dynamic aspect of this is that a certificate may be issued on the fly at the instance when it is needed, containing just the information that is needed for one particular situation.
This extension is (where this is used in the Swedish national infrastructure) added to certificates that are issued for just one instance of signing, and hence can be dynamically adapted to the needs of the intended relying party.

Next time the user signs, a new key pair is generated with new certs that may contain another set of the user's attributes.

The first instance may for example contain the users private identity based on a national identifier, the second may carry an organisational identity based on employee number.
What attributes that are needed in every instance is determined in a service context that is outside the scope of this specification.

In these certificates, both the national identifier and the employee number may be placed as a serialNumber attribute in the subject field.
Despite that, this extension makes it possible for the relying party to know exactly what identity information each certificate carries, as it maps to the attribute profile of a SAML federation.

/Stefan


Denis

 

_______________________________________________
pkix mailing list
pkix@ietf.org
https://www.ietf.org/mailman/listinfo/pkix

--------------040409070101020509060801-- From stefan@aaa-sec.com Mon Mar 4 03:58:04 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD10621F8881 for ; Mon, 4 Mar 2013 03:58:04 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -99.946 X-Spam-Level: X-Spam-Status: No, score=-99.946 tagged_above=-999 required=5 tests=[AWL=0.906, BAYES_00=-2.599, HELO_EQ_SE=0.35, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CKPUK01Ty+MX for ; Mon, 4 Mar 2013 03:58:04 -0800 (PST) Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id E1CCF21F8845 for ; Mon, 4 Mar 2013 03:58:03 -0800 (PST) Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id BB74651E7DA for ; Mon, 4 Mar 2013 12:58:01 +0100 (CET) X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id s9by-qaC8pV6 for ; Mon, 4 Mar 2013 12:58:01 +0100 (CET) Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 2257B4FB162 for ; Mon, 4 Mar 2013 12:58:01 +0100 (CET) Received: (qmail 18268 invoked from network); 4 Mar 2013 11:58:00 -0000 Received: from gw.aaa-sec.ideon.se (HELO [192.168.1.2]) (stefan@fiddler.nu@[85.235.7.89]) (envelope-sender ) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 4 Mar 2013 11:58:00 -0000 User-Agent: Microsoft-MacOutlook/14.3.1.130117 Date: Mon, 04 Mar 2013 12:58:00 +0100 From: Stefan Santesson To: "Moudrick M. Dadashov" Message-ID: Thread-Topic: [pkix] Comments on draft-santesson-auth-context-extension-04 In-Reply-To: <513476E0.5040300@e-net.lt> Mime-version: 1.0 Content-type: multipart/alternative; boundary="B_3445246683_762612" Cc: pkix Subject: Re: [pkix] Comments on draft-santesson-auth-context-extension-04 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Mar 2013 11:58:04 -0000 > This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. --B_3445246683_762612 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Hi, On the question in your mail, these mechanisms are complementary. The semantics identifier of ETSI TS 119 412-2 may be used to give the value of a serial number some structure. If that is all your implementation needs, then you are al done. In our case, it does not give us all we need, because we have: 1. Already gone through the pain of implementing identity semantics in the form of a SAML attribute profile, and we need to leverage that also in certs. 2. We need to map certs to SAML assertions to make sure they represent the same user. ETSI TS 119 412-2 does not give us that. However, these concepts can easily be combined. The SAML attribute value that is being placed in a serialNumber attribute can be formatted according to the semantics identifier defined in ETSI TS 119 412-2. And the source of the identifier value may be expressed using the auth context extension. This way you can serve the relying party that is trained to interpret the semantics identifier structure. At the same time you can serve the relying party that need to know the SAML origin of the attribute value. The whole purpose of the extension is that the cert should work as a normal cert even if the extension is not understood. It just provides additional information to those trained to understand the extension. This is the same with semantics identifier. If you don't understand that identifier, the content of serialNumber is just understood as an arbitrary string of characters. If you do understand it, it gives you more semantics. /Stefan From: "Moudrick M. Dadashov" Date: Monday, March 4, 2013 11:26 AM To: Stefan Santesson Cc: Denis Pinkas , pkix Subject: Re: [pkix] Comments on draft-santesson-auth-context-extension-04 > > > On 3/4/2013 12:09 PM, Stefan Santesson wrote: > > >> >> Denis, >> >> >> >> >> First, thanks for your review. I really appreciate it. >> >> >> >> >> It seems to me, especially with your leading concluding comment, that you >> have missed out on what this specification attempts to do. >> >> Perhaps you did not read the introduction enough, or perhaps I didn't write >> it clear enough. >> >> >> >> >> The purpose is not to associate the subject with a identifier composed of a >> set of attributes. >> >> That is, this is NOT a new name form. >> >> >> >> >> This extension helps a relying party to understand the source of the identity >> information that is placed in the traditional identity fields of a >> certificate. >> >> For example. If the serialNumber attributes holds the string "123456", then >> this extension can tell you where this string came from. >> >> >> >> > How is this related to "semantics identifier" (ETSI TS 119 412-2) then? > > M.D. --B_3445246683_762612 Content-type: text/html; charset="US-ASCII" Content-transfer-encoding: quoted-printable
Hi,

On the question in your mail, these mechanisms are complementary.

The semantics identifier of ETSI TS 119 412-2 may be us= ed to give the value of a serial number some structure.
If that is= all your implementation needs, then you are al done.

In our case, it does not give us all we need, because we have:
    <= li>Already gone through the pain of implementing identity semantics in the f= orm of a SAML attribute profile, and we need to leverage that also in certs.=
  1. We need to map certs to SAML assertions to make sure they represent= the same user.

ETSI TS 119 412-2 does not give= us that.

However, these concepts can easily be com= bined.

The SAML attribute value that is being place= d in a serialNumber attribute can be formatted according to the semantics id= entifier defined in ETSI TS 119 412-2. And the source of the identifier= value may be expressed using the auth context extension.

This way you can serve the relying party that is trained to interpret= the semantics identifier structure.
At the same time you can serv= e the relying party that need to know the SAML origin of the attribute value= .

The whole purpose of the extension is that the ce= rt should work as a normal cert even if the extension is not understood. It = just provides additional information to those trained to understand the exte= nsion.
This is the same with semantics identifier. If you don't un= derstand that identifier, the content of serialNumber is just understood as = an arbitrary string of characters. If you do understand it, it gives you mor= e semantics.

/Stefan


<= /div>

From: "Moudrick M. D= adashov" <md@e-net.lt>
Date: Monday, March 4, 2013 11:26 AM
To: Stefan Santesson <stefan@aaa-sec.com>
Cc: Denis Pinkas <denis.p= inkas@bull.net>, pkix <pkix@ietf.or= g>
Subject: Re: [pkix] Comm= ents on draft-santesson-auth-context-extension-04

On 3/4/2013 12:09 PM, Stefan Santesson wrote:
=
Denis,

First, thanks for your review. I really appreciate it.

It seems to me, especially with your leading concluding comment, that you have missed out on what this specification attempts to do.
Perhaps you did not read the introduction enough, or perhaps I didn't write it clear enough.

The purpose is not to associate the subject with a identifier composed of a set of attributes.
That is, this is NOT a new name form.

This extension helps a relying party to understand the source of the identity information that is placed in the traditional identity fields of a certificate.
For example. If the serialNumber attributes holds the string "123456", then this extension can tell you where this string came from.

How is this related to "semantics identifier" (ETSI TS 119 412-2) then?

M.D.




--B_3445246683_762612-- From stefan@aaa-sec.com Mon Mar 4 05:57:30 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C998B21F8A5F for ; Mon, 4 Mar 2013 05:57:30 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -99.493 X-Spam-Level: X-Spam-Status: No, score=-99.493 tagged_above=-999 required=5 tests=[AWL=-0.453, BAYES_00=-2.599, HELO_EQ_SE=0.35, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, SARE_SPEC_REPLICA_OBFU=1.812, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pFcgr-3VnP1q for ; Mon, 4 Mar 2013 05:57:23 -0800 (PST) Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id E91CA21F8A6B for ; Mon, 4 Mar 2013 05:57:22 -0800 (PST) Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id 7285051EE61 for ; Mon, 4 Mar 2013 14:57:20 +0100 (CET) X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id eo68Yh7JUZ76 for ; Mon, 4 Mar 2013 14:57:13 +0100 (CET) Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 30AA351F12B for ; Mon, 4 Mar 2013 14:57:13 +0100 (CET) Received: (qmail 43338 invoked from network); 4 Mar 2013 13:57:12 -0000 Received: from gw.aaa-sec.ideon.se (HELO [192.168.1.2]) (stefan@fiddler.nu@[85.235.7.89]) (envelope-sender ) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 4 Mar 2013 13:57:12 -0000 User-Agent: Microsoft-MacOutlook/14.3.1.130117 Date: Mon, 04 Mar 2013 14:57:10 +0100 From: Stefan Santesson To: "Moudrick M. Dadashov" Message-ID: Thread-Topic: [pkix] Comments on draft-santesson-auth-context-extension-04 In-Reply-To: <513476E0.5040300@e-net.lt> Mime-version: 1.0 Content-type: multipart/alternative; boundary="B_3445253835_1241822" Cc: pkix Subject: Re: [pkix] Comments on draft-santesson-auth-context-extension-04 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Mar 2013 13:57:30 -0000 > This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. --B_3445253835_1241822 Content-type: text/plain; charset="ISO-8859-1" Content-transfer-encoding: quoted-printable Based on comments received today I have updated this draft, preliminary available at: http://aaa-sec.com/_temp/draft-santesson-auth-context-extension-04.txt I have edited the Introduction section to clarify the scope of the document= . I have also added a new section (now 3.2) that explains the absence of attribute matching rules. The section should also make clear how specific attribute data format conventions, such as the one expressed in ETSI TS 119 412-2, can co-exist with this extension. /Stefan From: "Moudrick M. Dadashov" Date: Monday, March 4, 2013 11:26 AM To: Stefan Santesson Cc: Denis Pinkas , pkix Subject: Re: [pkix] Comments on draft-santesson-auth-context-extension-04 > =20 > =20 > On 3/4/2013 12:09 PM, Stefan Santesson wrote: > =20 > =20 >> =20 >> Denis, >> =20 >>=20 >> =20 >> =20 >> First, thanks for your review. I really appreciate it. >> =20 >>=20 >> =20 >> =20 >> It seems to me, especially with your leading concluding comment, that yo= u >> have missed out on what this specification attempts to do. >> =20 >> Perhaps you did not read the introduction enough, or perhaps I didn't wr= ite >> it clear enough. >> =20 >>=20 >> =20 >> =20 >> The purpose is not to associate the subject with a identifier composed o= f a >> set of attributes. >> =20 >> That is, this is NOT a new name form. >> =20 >>=20 >> =20 >> =20 >> This extension helps a relying party to understand the source of the ide= ntity >> information that is placed in the traditional identity fields of a >> certificate. >> =20 >> For example. If the serialNumber attributes holds the string "123456", t= hen >> this extension can tell you where this string came from. >> =20 >>=20 >> =20 >> =20 > How is this related to "semantics identifier" (ETSI TS 119 412-2) then? > =20 > M.D.=20 > =20 >> =20 >> The use case addressed is where the CA/RA obtains the authenticated iden= tify >> from a SAML assertion when issuing the certificate. >> =20 >> This extension provides means to preserve information about the original= SAML >> attributes in the cert. >> =20 >>=20 >> =20 >> =20 >>=20 >> =20 >> =20 >> From: Denis Pinkas >> Date: Monday, March 4, 2013 9:42 AM >> To: Stefan Santesson , pkix >> Subject: Comments on draft-santesson-auth-context-extension-04 >> =20 >> =20 >>=20 >> =20 >> =20 >>> =20 >>> =20 >>> =20 >>>=20 >>> Stefan, >>> =20 >>> =20 >>>=20 >>> =20 >>> =20 >>> The goal of this document is to associate a public key to be used for >>> verifying electronic signatures >>> with an identifier composed of a set of attributes, typically SAML >>> attributes, contained in an authentication token. >>> =20 >>> =20 >>> =20 >>> =20 >>> =20 >> =20 >>=20 >> =20 >> =20 >> No you got this wrong. This is not an Identifier. >> =20 >>=20 >> =20 >> =20 >>> =20 >>> =20 >>> =20 >>>=20 >>> =20 >>> =20 >>> MAJOR COMMENTS >>> =20 >>> =20 >>> =20 >>> 1. The proposed draft is not aligned with the current practices of RFC = 5280 >>> and X.509:=20 >>> the right place to hold such a set of attributes is in the subject >>> alternate name. >>> The subject DN may or may not be empty. >>> =20 >>> =20 >>> =20 >>> There is no rational in this draft to explain why this straightforward >>> approach has not been chosen. >>> =20 >>> =20 >>> =20 >>> SubjectAltName ::=3D GeneralNames >>> =20 >>> =20 >>> =20 >>> GeneralNames ::=3D SEQUENCE SIZE (1..MAX) OF GeneralName >>> =20 >>> =20 >>> =20 >>> GeneralName ::=3D CHOICE { >>> =20 >>> otherName [0] OtherName, >>> =20 >>> rfc822Name [1] IA5String, >>> =20 >>> dNSName [2] IA5String, >>> =20 >>> x400Address [3] ORAddress, >>> =20 >>> directoryName [4] Name, >>> =20 >>> ediPartyName [5] EDIPartyName, >>> =20 >>> uniformResourceIdentifier [6] IA5String, >>> =20 >>> iPAddress [7] OCTET STRING, >>> =20 >>> registeredID [8] OBJECT IDENTIFIER } >>> =20 >>> =20 >>> =20 >>> OtherName ::=3D SEQUENCE { >>> =20 >>> type-id OBJECT IDENTIFIER, >>> =20 >>> value [0] EXPLICIT ANY DEFINED BY type-id } >>> =20 >>> =20 >>> =20 >>> OtherName fits well with the requirements, if you accept to use an OID >>> rather than=20 >>> a uniformResourceIdentifier. >>> =20 >>> =20 >>> =20 >>> The value component would contain an XML structure conformant with a XM= L >>> schema. >>> =20 >>> =20 >>> =20 >>> =20 >>> =20 >> =20 >>=20 >> =20 >> =20 >> This draft does not contain an identifier, thus this comment is irreleva= nt. >> =20 >> There is not explanation why we don't store an identifier as a SAN, sinc= e we >> do not create or store an identifier. >> =20 >>=20 >> =20 >> =20 >>> =20 >>> =20 >>> =20 >>>=20 >>> =20 >>> =20 >>> 2. The document should be restructured to define: >>> =20 >>> (a) the general way to answer to the requirements, and >>> (b) a specific profile, in an Appendix, so that other RFCs could refer= to >>> the main body of the document. >>> =20 >>> =20 >>> =20 >>> =20 >>> =20 >> =20 >>=20 >> =20 >> =20 >> That could be one way to do it. >> =20 >>=20 >> =20 >> =20 >>> =20 >>> =20 >>> =20 >>>=20 >>> =20 >>> =20 >>> DETAILED COMMENTS >>> =20 >>> =20 >>> =20 >>> 3. The proposed structure is not appropriate. >>> =20 >>> =20 >>> =20 >>> a) Why is there a need to have a SEQUENCE ? This should be avoided. >>> =20 >>> b) Why is contextInfo OPTIONAL? This should be avoided. >>> =20 >>> =20 >>> =20 >>> AuthenticationContexts ::=3D SEQUENCE SIZE (1..MAX) OF >>> =20 >>> AuthenticationContext >>> =20 >>> =20 >>> =20 >>> AuthenticationContext ::=3D SEQUENCE { >>> =20 >>> contextType UTF8String, >>> =20 >>> contextInfo UTF8String OPTIONAL >>> =20 >>> } >>> =20 >>> =20 >>> =20 >> =20 >>=20 >> =20 >> =20 >> For exactly the same reason why SAML AuthContextClassRef in a SAML asser= tion >> is mandatory but not the XML structure it defines. >> =20 >> In some cases you don't want to include explicit data, if that data is s= tatic >> and can be implicitly known through an identifier. >> =20 >>=20 >> =20 >> =20 >> The AuthContextClassRef in SAML is the best example as it is an exact >> functional replica of this. >> =20 >> The URL identified by AuthContextClassRef is also a XML Schema ns for >> associated XML document. >> =20 >>=20 >> =20 >> =20 >> The XML Schema can define both a static XML document with fixed values a= s >> well as a structure where different values can be entered. >> =20 >>=20 >> =20 >> =20 >> Just including the reference to the XML Schema may then provide sufficie= nt >> information to the relying party. The actual XML document is only includ= ed if >> some variable data need to be communicated within the associated XML >> document. >> =20 >>=20 >> =20 >> =20 >> Just including contextType but not contextInfo could be compared with th= e >> case where we include a certificate policy OID, but not the entire polic= y >> text. >> =20 >>=20 >> =20 >> =20 >> This is a really smart way to do this, which is made possible through th= e >> versatility of XML Schemas. >> =20 >>=20 >> =20 >> =20 >>=20 >> =20 >> =20 >>> =20 >>> =20 >>> =20 >>>=20 >>> =20 >>> =20 >>> =20 >>> =20 >>> 4. The text states: This extension MAY be marked critical. >>> =20 >>> =20 >>> =20 >>> If the alternate name is present, why should there be a DN ? >>> =20 >>> =20 >>> =20 >>> =20 >> =20 >>=20 >> =20 >> =20 >> This comment must be based on a misunderstanding of the scope of this >> document. >> =20 >>=20 >> =20 >> =20 >>> =20 >>> =20 >>> =20 >>>=20 >>> =20 >>> =20 >>> =20 >>> =20 >>> 5. The XML schema should be given first (Appendix B) followed by the >>> explanations (sections 3.1 and 3.2). >>> In other words, sections 3.1 and 3.2 should be placed in Appendix B. >>> =20 >>> =20 >>> =20 >> =20 >>=20 >> =20 >> =20 >> That is one way to do it. If I was the implementer, I really wouldn't ca= re as >> long as the information is there. >> =20 >> I think it is quite common to place programatic contracts in Appendixes,= wile >> explaining data elements in the body of the document. >> =20 >>=20 >> =20 >> =20 >>> =20 >>> =20 >>> =20 >>>=20 >>> =20 >>> =20 >>> =20 >>> =20 >>> 6. The vocabulary used in sections 3.1 and 3.2 is confusing and should = be >>> changed. >>> =20 >>> =20 >>> =20 >>> An example: =B3AuthContextInfo Element=B2 does not exist. However, it is be= tter >>> to state that the contextInfo component >>> contains an XML structure which must conform to an XML schema. >>> =20 >>> =20 >>> =20 >>> =20 >>> =20 >> =20 >>=20 >> =20 >> =20 >> Sorry, I don't get this comment. The AuthContextInfo element does exist.= It >> is defined in the schema. XML Schema defines syntax and structure but no= t the >> semantics. Semantics are defined the section 3. >> =20 >>=20 >> =20 >> =20 >>> =20 >>> =20 >>> =20 >>>=20 >>> =20 >>> =20 >>> 7. The XML structure proposed to fit inside contextInfo is overly compl= ex. >>> =20 >>> =20 >>> =20 >>> AuthenticationInstant is mandatory, whereas it is not needed. >>> =20 >>> =20 >>> =20 >> =20 >>=20 >> =20 >> =20 >> This information is always available from the SAML assertion and is >> considered fundamental, thus required. >> =20 >>=20 >> =20 >> =20 >>> =20 >>> =20 >>> =20 >>>=20 >>> =20 >>> AssertionRef is not needed. >>> =20 >>> ServiceID is not needed. >>> =20 >>> =20 >>> =20 >> =20 >>=20 >> =20 >> =20 >> And hence, both are optional. >> =20 >>=20 >> =20 >> =20 >> The XML Schema is actually very simple. Its just the nature of XML Schem= as to >> look more complex than they actually are. >> =20 >> Perhaps it is easier if you examine it through this following web doc (w= hich >> unfortunately can't be included in the spec): >> =20 >> http://aaa-sec.com/eid2/sigsupport/XMLschema/AuthContExtDoc/index.html >> =20 >>=20 >> =20 >> =20 >>=20 >> =20 >> =20 >>> =20 >>> =20 >>> =20 >>>=20 >>> =20 >>> =20 >>> =20 >>> =20 >>> 8. There are no matching rules defined. This means that the verificatio= n of >>> the content of that field is not possible. >>> =20 >>> =20 >>> =20 >> =20 >>=20 >> =20 >> =20 >> First of all, this is not an identifier, thus there is no reason for a >> matching rule is it would be if this was an identifier that as a whole s= hould >> be compared with something else. >> =20 >>=20 >> =20 >> =20 >> The SAML attribute value does not have to match the value of the cert >> attribute, this data in the extension is optional and, if present, is a = hint. >> =20 >> But I could actually add some text to clarify this. >> =20 >>=20 >> =20 >> =20 >>> =20 >>> =20 >>> =20 >>>=20 >>> =20 >>> =20 >>> =20 >>> =20 >>> 9. In section 3.2, I failed to understand the explanations for CertRef = as >>> well as for rdn and san. >>> =20 >>> =20 >>> =20 >>> Why CertNameType cannot be =B3factorized=B2 ? (in the example from Page 15, >>> there are all the same). >>> =20 >>> =20 >>> =20 >> =20 >>=20 >> =20 >> =20 >> No, the example in the spec has one e-mail attribute that was placed in = the >> SubjAltName extension of the cert. >> =20 >>=20 >> =20 >> =20 >>> =20 >>> =20 >>> =20 >>>=20 >>> =20 >>> =20 >>> =20 >>> "rdn" The SAML attribute value is placed in the >>> =20 >>> subject field of the certificate in a >>> =20 >>> present Relative Distinguished Name >>> =20 >>> attribute. >>> =20 >>> =20 >>> =20 >>> "san" The SAML attribute value is placed in the >>> =20 >>> Subject Alternative Name extension of the >>> =20 >>> certificate. >>> =20 >>> =20 >>> =20 >>> I also failed to understand the reason of such =B3mapping=B2. >>> =20 >>> =20 >>> =20 >> =20 >>=20 >> =20 >> =20 >> Yes, and I think that is the reason behind most of your comments. >> =20 >>=20 >> =20 >> =20 >>> =20 >>> =20 >>> =20 >>>=20 >>>=20 >>> The example in Appendix C illustrates the complexity of the proposal. >>> Can the approach be made simpler ? If not, why ? >>> =20 >>> =20 >>> =20 >>> =20 >>> =20 >> =20 >>=20 >> =20 >> =20 >> No it can't be made simpler. It contains exactly the information we need= in >> the implementation where it is used. >> =20 >>=20 >> =20 >> =20 >> I could write a whole whitepaper about all detailed reasons, but if you >> really think about the use case, it should be clear. >> =20 >>=20 >> =20 >> =20 >> Consider the case where you know users by attributes defined in a SAML >> federation, where for example serialNumber is NOT used. >> =20 >> A CA issues a certificate to a user based an a SAML assertion authentica= tion >> based on the attribute profile of that federation. >> =20 >>=20 >> =20 >> =20 >> A user logs in to your service using a SAML assertion, and sends you a s= igned >> document associated with the issued certificate. >> =20 >> You now need to determine whether that SAML assertion and the certificat= e >> represents the same user. >> =20 >> You also need to determine that the SAML assertion and the certificate >> provides compatible levels of assertion for user authentication as defin= ed in >> your SAML federation. >> =20 >>=20 >> =20 >> =20 >> This extension gives you exactly the amount of data that is needed in or= der >> to do this in an unambiguous fully automated process. >> =20 >>=20 >> =20 >> =20 >>> =20 >>> =20 >>> =20 >>>=20 >>> =20 >>> =20 >>> 10. In section 4, I failed to understand the =B3dynamic=B2 aspect. My >>> understanding is that a person statically >>> authenticates to a RA (Registration Authority) and then is given back = a >>> non-repudiation certificate >>> with SAML attributes in it which may then be used as identity attribut= es. >>> I am unsure what the text in this section wants to say when using the = words >>> =B3dynamic manner=B2. >>> =20 >>> =20 >>> =20 >>> =20 >> =20 >>=20 >> =20 >> =20 >>=20 >> =20 >> =20 >> Your view is to restrictive. >> =20 >>=20 >> =20 >> =20 >> The dynamic aspect of this is that a certificate may be issued on the fl= y at >> the instance when it is needed, containing just the information that is >> needed for one particular situation. >> =20 >> This extension is (where this is used in the Swedish national infrastruc= ture) >> added to certificates that are issued for just one instance of signing, = and >> hence can be dynamically adapted to the needs of the intended relying pa= rty. >> =20 >>=20 >> =20 >> =20 >> Next time the user signs, a new key pair is generated with new certs tha= t may >> contain another set of the user's attributes. >> =20 >>=20 >> =20 >> =20 >> The first instance may for example contain the users private identity ba= sed >> on a national identifier, the second may carry an organisational identit= y >> based on employee number. >> =20 >> What attributes that are needed in every instance is determined in a ser= vice >> context that is outside the scope of this specification. >> =20 >>=20 >> =20 >> =20 >> In these certificates, both the national identifier and the employee num= ber >> may be placed as a serialNumber attribute in the subject field. >> =20 >> Despite that, this extension makes it possible for the relying party to = know >> exactly what identity information each certificate carries, as it maps t= o the >> attribute profile of a SAML federation. >> =20 >>=20 >> =20 >> =20 >> /Stefan >> =20 >>=20 >> =20 >> =20 >>> =20 >>> =20 >>> =20 >>>=20 >>>=20 >>> =20 >>> =20 >>> Denis >>> =20 >>> =20 >>> =20 >>> =20 >> =20 >> =20 >> =20 >> _______________________________________________ >> pkix mailing list >> pkix@ietf.orghttps://www.ietf.org/mailman/listinfo/pkix >> =20 > =20 > =20 --B_3445253835_1241822 Content-type: text/html; charset="ISO-8859-1" Content-transfer-encoding: quoted-printable
Based on comments received t= oday I have updated this draft, preliminary available at:
htt= p://aaa-sec.com/_temp/draft-santesson-auth-context-extension-04.txt

I have edited the Introduction section to clarify the s= cope of the document.

I have also added a new secti= on (now 3.2) that explains the absence of attribute matching rules.
The section should also make clear how specific attribute data format conv= entions, such as the one expressed in ETSI TS 119 412-2, can co-exist w= ith this extension.

/Stefan

From: "Moudrick M. Dadashov" <md@e-net.lt>
Dat= e: Monday, March 4, 2013 11:26 AM
= To: Stefan Santesson <stefan@= aaa-sec.com>
Cc: Denis Pink= as <denis.pinkas@bull.net>,= pkix <pkix@ietf.org>
Subject: Re: [pkix] Comments on draft-santesson= -auth-context-extension-04

On 3/4/2013 12:09 PM, Stefan Santesson wrote:
=
Denis,

First, thanks for your review. I really appreciate it.

It seems to me, especially with your leading concluding comment, that you have missed out on what this specification attempts to do.
Perhaps you did not read the introduction enough, or perhaps I didn't write it clear enough.

The purpose is not to associate the subject with a identifier composed of a set of attributes.
That is, this is NOT a new name form.

This extension helps a relying party to understand the source of the identity information that is placed in the traditional identity fields of a certificate.
For example. If the serialNumber attributes holds the string "123456", then this extension can tell you where this string came from.

How is this related to "semantics identifier" (ETSI TS 119 412-2) then?

M.D.
=
The use case addressed is where the CA/RA obtains the authenticated identify from a SAML assertion when issuing the certificate.
This extension provides means to preserve information about the original SAML attributes in the cert.


From: Denis Pinkas <denis.pinkas@bull.net>
Date: Monday, March 4, 2013 9:42 AM
To: Stefan Santesson <st= efan@aaa-sec.com>, pkix <pk= ix@ietf.org>
Subject: Comments on draft-santesson-auth-context-extension-04

Stefan,


The goal of this document is to associate a public key to be used for verifying electronic signatures
with an identifier composed of a set of attributes, typically SAML attributes, contained in an authentication token.

 

No you got this wrong. This is not an Identifier.

 

MAJOR COMMENTS

 

1. The proposed draft is not aligned with the current practices of RFC 5280 and X.509:
the right place to hold such a set of attributes is in the subject alternate name.
The subject DN may or may not be empty.

 

There is no rational in this draft to explain why this straightforward approach has not been chosen.<= /span>

 

   SubjectAltN= ame ::=3D GeneralNames

 

   GeneralName= s ::=3D SEQUENCE SIZE (1..MAX) OF GeneralName

 

   GeneralName= ::=3D CHOICE {

     &= nbsp;  otherName   = ;            &nb= sp;       [0]     OtherName,

     &= nbsp;  rfc822Name  &nbs= p;            &n= bsp;      [1]=      IA5String,

     &= nbsp;  dNSName   &= nbsp;            = ;         [2]     IA5String,<= /p>

     &= nbsp;  x400Address  &nb= sp;            &= nbsp;     [3] = ;    ORAddress,

     &= nbsp;  directoryName  &= nbsp;            = ;    [4]  &nb= sp;  Name,

     &= nbsp;  ediPartyName  &n= bsp;            =      [5] &nbs= p;   EDIPartyName,

     &= nbsp;  uniformResourceIdentifier&= nbsp;      [6]     IA5String,

     &= nbsp;  iPAddress   = ;            &nb= sp;       [7]     OCTET STRING,

     &= nbsp;  registeredID  &n= bsp;            =      [8] &nbs= p;   OBJECT IDENTIFIER }

 

   OtherName := :=3D SEQUENCE {

     &= nbsp;  type-id    = OBJECT IDENTIFIER,

     &= nbsp;  value   &nb= sp;  [0] EXPLICIT ANY DEFINED BY type-id }

 

OtherName fits well with the requirements, if you accept to use an OID rather than
a uniformResourceIdentifier.

 

The value component would contain an XML structure conformant with a XML schema.

 

This draft does not contain an identifier, thus this comment is irrelevant.
There is not explanation why we don't store an identifier as a SAN, since we do not create or store an identifier.

 

2. The document should be restructured to define:

(a) the general way to answer to the requirements, and
(b) a specific profile, in an Appendix, so that other RFCs could refer to the main body of the document.

 

That could be one way to do it.

 

DETAILED COMMENTS

 

3. The proposed structure is not appropriate. =

 

a) Why is there a need to have a SEQUENCE ? This should be avoided.

b) Why is contextInfo OPTIONAL? This should be avoided.<= /span>

 

      = AuthenticationContexts ::=3D SEQUENCE SIZE (1..MAX) OF

     &= nbsp;            = ;            &nb= sp;  AuthenticationContext

 

      = AuthenticationContext ::=3D SEQUENCE {

     &= nbsp;    contextType&nb= sp;    UTF8String,

     &= nbsp;    contextInfo&nb= sp;    UTF8String OPTIONAL

      = }

For exactly the same reason why SAML AuthContextClassRef in a SAML assertion is mandatory but not the XML structure it defines.
In some cases you don't want to include explicit data, if that data is static and can be implicitly known through an identifier.

The AuthContextClassRef in SAML is the best example as it i= s an exact functional replica of this.
The URL identified by AuthContextClassRef is also a XML Schema ns for associated XML document.

The XML Schema can define both a static XML document with fixed values as well as a structure where different values can be entered.

Just including the reference to the XML Schema may then provide sufficient information to the relying party. The actual XML document is only included if some variable data need to be communicated within the associated XML document.

Just including contextType but not contextInfo could be compared with the case where we include a certificate policy OID, but not the entire policy text.

This is a really smart way to do this, which is made possible through the versatility of XML Schemas.


 

 

4. The text states:    = This extension MAY be marked critical.

 

If the alternate name is present, why should there be a DN ?
=


This comment must be based on a misunderstanding of the scope of this document.

 

 

5. The XML schema should be given first (Appendix B) followed by the explanations (sections 3.1 and 3.2).
In other words, sections 3.1 and 3.2 should be placed in Appendix B.

That is one way to do it. If I was the implementer, I really wouldn't care as long as the information is there.
I think it is quite common to place programatic contracts in Appendixes, wile explaining data elements in the body of the document.

 

 

6. The vocabulary used in sections 3.1 and 3.2 is confusing and should be changed.

 

An example: “AuthContextInfo Element” does not e= xist. However, it is better to state that the contextInfo component
contains an XML structure which must conform to an XML schema.

 

Sorry, I don't get this comment. The AuthContextInfo element does exist. It is defined in the schema. XML Schema defines syntax and structure but not the semantics. Semantics are defined the section 3.

 

7. The XML structure proposed to fit inside contextInfo is overly complex.

 

AuthenticationInstant is mandatory, whereas it is not needed.

This information is always available from the SAML assertion and is considered fundamental, thus required.

AssertionRef is not needed.

ServiceID is not needed.

And hence, both are optional.

The XML Schema is actually very simple. Its just the nature of XML Schemas to look more complex than they actually are.
Perhaps it is easier if you examine it through this following web doc (which unfortunately can't be included in the spec):


 

 

8. There are no matching rules defined. This means that the verification of the content of that field is not possible.

First of all, this is not an identifier, thus there is no reason for a matching rule is it would be if this was an identifier that as a whole should be compared with something else.

The SAML attribute value does not have to match the value of the cert attribute, this data in the extension is optional and, if present, is a hint. 
But I could actually add some text to clarify this.

 

 

9. In section 3.2, I failed to understand the explanations for CertRef as well as for rdn and san.=

 

Why CertNameType cannot be “factorized” ? (in the= example from Page 15, there are all the same).

No, the example in the spec has one e-mail attribute that was placed in the SubjAltName extension of the cert.

 

     &= nbsp;            = ;    "rdn"   = The SAML attribute value is placed in the

     &= nbsp;            = ;            subject field of the certificate in a

     &= nbsp;            = ;            present Relative Distinguished Name

     &= nbsp;            = ;            attribute.

 

     &= nbsp;            = ;    "san"   = The SAML attribute value is placed in the

     &= nbsp;            = ;            Subject Alternative Name extension of the

     &= nbsp;            = ;            certificate.

 

I also failed to understand the reason of such “mapping= 221;.


Yes, and I think that is the reason behind most of your comments.


The example in Appendix C illustrates the complexity of the proposal.
Can the approach be made simpler ? If not, why ?

 

No it can't be made simpler. It contains exactly the information we need in the implementation where it is used.

I could write a whole whitepaper about all detailed reasons, but if you really think about the use case, it should be clear.

Consider the case where you know users by attributes defined in a SAML federation, where for example serialNumber is NOT used.
A CA issues a certificate to a user based an a SAML assertion authentication based on the attribute profile of that federation.

A user logs in to your service using a SAML assertion, and sends you a signed document associated with the issued certificate.
You now need to determine whether that SAML assertion and the certificate represents the same user.
You also need to determine that the SAML assertion and the certificate provides compatible levels of assertion for user authentication as defined in your SAML federation.

This extension gives you exactly the amount of data that is needed in order to do this in an unambiguous fully automated process.

 

10. In section 4, I failed to understand the “dynamic̶= 1; aspect. My understanding is that a person statically
= authenticates to a RA (Registration Authority) and then is given back a non-repudiation certificate
with SAML attributes in it which may then be used as identity attributes.
I am unsure what the text in this section wants to say when using the words “dynamic manner”.


Your view is to restrictive.

The dynamic aspect of this is that a certificate may be issued on the fly at the instance when it is needed, containing just the information that is needed for one particular situation.
This extension is (where this is used in the Swedish national infrastructure) added to certificates that are issued for just one instance of signing, and hence can be dynamically adapted to the needs of the intended relying party.

Next time the user signs, a new key pair is generated with new certs that may contain another set of the user's attributes.

The first instance may for example contain the users private identity based on a national identifier, the second may carry an organisational identity based on employee number.
What attributes that are needed in every instance is determined in a service context that is outside the scope of this specification.

In these certificates, both the national identifier and the employee number may be placed as a serialNumber attribute in the subject field.
Despite that, this extension makes it possible for the relying party to know exactly what identity information each certificate carries, as it maps to the attribute profile of a SAML federation.

/Stefan


Denis

 

_______________________________________________
pkix mailing list
pkix@ietf.o=
rghttps://www.ietf.org/mailman/listinfo/pkix

--B_3445253835_1241822-- From denis.pinkas@bull.net Tue Mar 5 09:44:24 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3538921F8491 for ; Tue, 5 Mar 2013 09:44:24 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.342 X-Spam-Level: X-Spam-Status: No, score=-5.342 tagged_above=-999 required=5 tests=[AWL=-0.906, BAYES_00=-2.599, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, SARE_SPEC_REPLICA_OBFU=1.812] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YjxIszt6AaVT for ; Tue, 5 Mar 2013 09:44:18 -0800 (PST) Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by ietfa.amsl.com (Postfix) with ESMTP id 63CD81F0D12 for ; Tue, 5 Mar 2013 09:44:17 -0800 (PST) Received: from MSGC-007.bull.fr (unknown [129.184.87.136]) by odin2.bull.net (Bull S.A.) with ESMTP id 0E41E1D2FB; Tue, 5 Mar 2013 18:44:16 +0100 (CET) Received: from [127.0.0.1] ([129.184.39.15]) by MSGC-007.bull.fr (Lotus Domino Release 8.5.3FP1) with ESMTP id 2013030518441498-4727 ; Tue, 5 Mar 2013 18:44:14 +0100 Message-ID: <51362EEB.6070802@bull.net> Date: Tue, 05 Mar 2013 18:44:11 +0100 From: Denis Pinkas User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130215 Thunderbird/17.0.3 MIME-Version: 1.0 To: Stefan Santesson References: In-Reply-To: X-MIMETrack: Itemize by SMTP Server on MSGC-007/SRV/BULL(Release 8.5.3FP1|March 07, 2012) at 05/03/2013 18:44:15, Serialize by Router on MSGC-007/SRV/BULL(Release 8.5.3FP1|March 07, 2012) at 05/03/2013 18:44:16, Serialize complete at 05/03/2013 18:44:16 Content-Type: multipart/alternative; boundary="------------000803000105000106070705" Cc: pkix Subject: Re: [pkix] Comments on draft-santesson-auth-context-extension-04 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Mar 2013 17:44:24 -0000 This is a multi-part message in MIME format. --------------000803000105000106070705 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=ISO-8859-1; format=flowed Stefan, I read the new specification (dated March 4) and it does not solve my concerns. ** The real goal is stated at the top of page 4: *to verify that the signature was created by the same user that logged on * *to the service*. In your response below, you also say: "You now need to determine whether that SAML assertion and the certificate represents the same user." This is rather different from the goal stated on page 3: The primary purpose of this document is to provide a mechanism that allows an application to understand information that express the identity of a *subject in a certificate that is stored either in a* *subject field attribute, as a subject alternative name or in a* *subject directory attribute.* If we draw an analogy with the way to construct a DN, we do not mention that the DN was created after the presentation of a passport or an ID card, plus a way to justify the place of birth, a a way to justify the place of living, an that the country name was extracted from the presentation of the passport, etc ... So why should we do this in your context ? We need to store information in the certificate directly derived from the SAML token, so that the application which performed a SAML authentication can make sure that the certificate was delivered for the same person, by *making a comparison using some set of rules.** * So *t**here is a need to have matching rules* for the content of the SAML token with the content of the new extension (whatever it is). If we don't have such rules, then the goal at the top of page 4 cannot be met. I do not see the added value to explain some translation process since it would be used for audit purposes only and the CA MUST anyway maintain information about the issuance of the token. So in case of a problem, the CA SHALL be able to answer and it is not needed to overload the content of the certificate with more information. I still believe that OtherName is the right place to contains the parameters extracted from the SAML token, that will be used for comparison. Denis PS. I wonder whether we should continue to have in mind to have this document issued as an RFC. It may well be a national Swedish standard. > Based on comments received today I have updated this draft, > preliminary available at: > http://aaa-sec.com/_temp/draft-santesson-auth-context-extension-04.txt > > I have edited the Introduction section to clarify the scope of the > document. > > I have also added a new section (now 3.2) that explains the absence of > attribute matching rules. > The section should also make clear how specific attribute data format > conventions, such as the one expressed in ETSI TS 119 412-2, can > co-exist with this extension. > > /Stefan > > From: "Moudrick M. Dadashov" > > Date: Monday, March 4, 2013 11:26 AM > To: Stefan Santesson > > Cc: Denis Pinkas >, pkix > > Subject: Re: [pkix] Comments on draft-santesson-auth-context-extension-04 > > On 3/4/2013 12:09 PM, Stefan Santesson wrote: >> Denis, >> >> First, thanks for your review. I really appreciate it. >> >> It seems to me, especially with your leading concluding comment, >> that you have missed out on what this specification attempts to do. >> Perhaps you did not read the introduction enough, or perhaps I >> didn't write it clear enough. >> >> The purpose is not to associate the subject with a identifier >> composed of a set of attributes. >> That is, this is NOT a new name form. >> >> This extension helps a relying party to understand the source of >> the identity information that is placed in the traditional >> identity fields of a certificate. >> For example. If the serialNumber attributes holds the string >> "123456", then this extension can tell you where this string came >> from. >> > How is this related to "semantics identifier" (ETSI TS 119 412-2) > then? > > M.D. >> The use case addressed is where the CA/RA obtains the >> authenticated identify from a SAML assertion when issuing the >> certificate. >> This extension provides means to preserve information about the >> original SAML attributes in the cert. >> >> >> From: Denis Pinkas > > >> Date: Monday, March 4, 2013 9:42 AM >> To: Stefan Santesson > >, pkix > > >> Subject: Comments on draft-santesson-auth-context-extension-04 >> >> Stefan, >> >> >> The goal of this document is to associate a public key to be >> used for verifying electronic signatures >> with an identifier composed of a set of attributes, typically >> SAML attributes, contained in an authentication token. >> >> >> No you got this wrong. This is not an Identifier. >> >> MAJOR COMMENTS >> >> 1.The proposed draft is not aligned with the current >> practices of RFC 5280 and X.509: >> the right place to hold such a set of attributes is in the >> subject alternate name. >> The subject DN may or may not be empty. >> >> There is no rational in this draft to explain why this >> straightforward approach has not been chosen. >> >> SubjectAltName ::= GeneralNames >> >> GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName >> >> GeneralName ::= CHOICE { >> >> otherName[0]OtherName, >> >> rfc822Name[1]IA5String, >> >> dNSName[2]IA5String, >> >> x400Address[3]ORAddress, >> >> directoryName[4]Name, >> >> ediPartyName[5]EDIPartyName, >> >> uniformResourceIdentifier[6]IA5String, >> >> iPAddress[7]OCTET STRING, >> >> registeredID[8]OBJECT IDENTIFIER } >> >> OtherName ::= SEQUENCE { >> >> type-idOBJECT IDENTIFIER, >> >> value[0] EXPLICIT ANY DEFINED BY type-id } >> >> OtherName fits well with the requirements, if you accept to >> use an OID rather than >> a uniformResourceIdentifier. >> >> The value component would contain an XML structure conformant >> with a XML schema. >> >> >> This draft does not contain an identifier, thus this comment is >> irrelevant. >> There is not explanation why we don't store an identifier as a >> SAN, since we do not create or store an identifier. >> >> 2.The document should be restructured to define: >> >> (a) the general way to answer to the requirements, and >> (b) a specific profile, in an Appendix, so that other RFCs >> could refer to the main body of the document. >> >> >> That could be one way to do it. >> >> DETAILED COMMENTS >> >> 3.The proposed structure is not appropriate. >> >> a) Why is there a need to have a SEQUENCE ? This should be >> avoided. >> >> b) Why is contextInfo OPTIONAL? This should be avoided. >> >> AuthenticationContexts ::= SEQUENCE SIZE (1..MAX) OF >> >> AuthenticationContext >> >> AuthenticationContext ::= SEQUENCE { >> >> contextTypeUTF8String, >> >> contextInfoUTF8String OPTIONAL >> >> } >> >> >> For exactly the same reason why SAML AuthContextClassRef in a >> SAML assertion is mandatory but not the XML structure it defines. >> In some cases you don't want to include explicit data, if that >> data is static and can be implicitly known through an identifier. >> >> The AuthContextClassRef in SAML is the best example as it is an >> exact functional replica of this. >> The URL identified by AuthContextClassRef is also a XML Schema ns >> for associated XML document. >> >> The XML Schema can define both a static XML document with fixed >> values as well as a structure where different values can be entered. >> >> Just including the reference to the XML Schema may then provide >> sufficient information to the relying party. The actual XML >> document is only included if some variable data need to be >> communicated within the associated XML document. >> >> Just including contextType but not contextInfo could be compared >> with the case where we include a certificate policy OID, but not >> the entire policy text. >> >> This is a really smart way to do this, which is made possible >> through the versatility of XML Schemas. >> >> >> 4.The text states: This extension MAY be marked critical. >> >> If the alternate name is present, why should there be a DN ? >> >> >> This comment must be based on a misunderstanding of the scope of >> this document. >> >> 5.The XML schema should be given first (Appendix B) followed >> by the explanations (sections 3.1 and 3.2). >> In other words, sections 3.1 and 3.2 should be placed in >> Appendix B. >> >> >> That is one way to do it. If I was the implementer, I really >> wouldn't care as long as the information is there. >> I think it is quite common to place programatic contracts in >> Appendixes, wile explaining data elements in the body of the >> document. >> >> 6.The vocabulary used in sections 3.1 and 3.2 is confusing >> and should be changed. >> >> An example: "AuthContextInfo Element" does not exist. >> However, it is better to state that the contextInfo component >> contains an XML structure which must conform to an XML schema. >> >> >> Sorry, I don't get this comment. The AuthContextInfo element does >> exist. It is defined in the schema. XML Schema defines syntax and >> structure but not the semantics. Semantics are defined the section 3. >> >> 7.The XML structure proposed to fit inside contextInfo is >> overly complex. >> >> AuthenticationInstant is mandatory, whereas it is not needed. >> >> >> This information is always available from the SAML assertion and >> is considered fundamental, thus required. >> >> AssertionRef is not needed. >> >> ServiceID is not needed. >> >> >> And hence, both are optional. >> >> The XML Schema is actually very simple. Its just the nature of >> XML Schemas to look more complex than they actually are. >> Perhaps it is easier if you examine it through this following web >> doc (which unfortunately can't be included in the spec): >> http://aaa-sec.com/eid2/sigsupport/XMLschema/AuthContExtDoc/index.html >> >> >> 8.There are no matching rules defined. This means that the >> verification of the content of that field is not possible. >> >> >> First of all, this is not an identifier, thus there is no reason >> for a matching rule is it would be if this was an identifier that >> as a whole should be compared with something else. >> >> The SAML attribute value does not have to match the value of the >> cert attribute, this data in the extension is optional and, if >> present, is a hint. >> But I could actually add some text to clarify this. >> >> 9.In section 3.2, I failed to understand the explanations for >> CertRef as well as for rdn and san. >> >> Why CertNameType cannot be "factorized" ? (in the example >> from Page 15, there are all the same). >> >> >> No, the example in the spec has one e-mail attribute that was >> placed in the SubjAltName extension of the cert. >> >> "rdn"The SAML attribute value is placed in the >> >> subject field of the certificate in a >> >> present Relative Distinguished Name >> >> attribute. >> >> "san"The SAML attribute value is placed in the >> >> Subject Alternative Name extension of the >> >> certificate. >> >> I also failed to understand the reason of such "mapping". >> >> >> Yes, and I think that is the reason behind most of your comments. >> >> >> The example in Appendix C illustrates the complexity of the >> proposal. >> Can the approach be made simpler ? If not, why ? >> >> >> No it can't be made simpler. It contains exactly the information >> we need in the implementation where it is used. >> >> I could write a whole whitepaper about all detailed reasons, but >> if you really think about the use case, it should be clear. >> >> Consider the case where you know users by attributes defined in a >> SAML federation, where for example serialNumber is NOT used. >> A CA issues a certificate to a user based an a SAML assertion >> authentication based on the attribute profile of that federation. >> >> A user logs in to your service using a SAML assertion, and sends >> you a signed document associated with the issued certificate. >> You now need to determine whether that SAML assertion and the >> certificate represents the same user. >> You also need to determine that the SAML assertion and the >> certificate provides compatible levels of assertion for user >> authentication as defined in your SAML federation. >> >> This extension gives you exactly the amount of data that is >> needed in order to do this in an unambiguous fully automated process. >> >> 10.In section 4, I failed to understand the "dynamic" aspect. >> My understanding is that a person statically >> authenticates to a RA (Registration Authority) and then is >> given back a non-repudiation certificate >> with SAML attributes in it which may then be used as identity >> attributes. >> I am unsure what the text in this section wants to say when >> using the words "dynamic manner". >> >> >> >> Your view is to restrictive. >> >> The dynamic aspect of this is that a certificate may be issued on >> the fly at the instance when it is needed, containing just the >> information that is needed for one particular situation. >> This extension is (where this is used in the Swedish national >> infrastructure) added to certificates that are issued for just >> one instance of signing, and hence can be dynamically adapted to >> the needs of the intended relying party. >> >> Next time the user signs, a new key pair is generated with new >> certs that may contain another set of the user's attributes. >> >> The first instance may for example contain the users private >> identity based on a national identifier, the second may carry an >> organisational identity based on employee number. >> What attributes that are needed in every instance is determined >> in a service context that is outside the scope of this specification. >> >> In these certificates, both the national identifier and the >> employee number may be placed as a serialNumber attribute in the >> subject field. >> Despite that, this extension makes it possible for the relying >> party to know exactly what identity information each certificate >> carries, as it maps to the attribute profile of a SAML federation. >> >> /Stefan >> >> >> Denis >> >> >> >> _______________________________________________ >> pkix mailing list >> pkix@ietf.orghttps://www.ietf.org/mailman/listinfo/pkix > --------------000803000105000106070705 Content-Transfer-Encoding: 7bit Content-Type: text/html; charset=ISO-8859-1
Stefan,

I read the new specification (dated March 4) and it does not solve my concerns.

The real goal is stated at the top of page 4:


 to verify that the signature was created by the same user that logged on

  to the service.

In your response below, you also say:

      "You now need to determine whether that SAML assertion and the certificate represents the same user."

This is rather different from the goal stated on page 3:

   The primary purpose of this document is to provide a mechanism that

   allows an application to understand information that express the

   identity of a subject in a certificate that is stored either in a

   subject field attribute, as a subject alternative name or in a

   subject directory attribute.


If we draw an analogy with the way to construct a DN, we do not mention that the DN was created after
the presentation of a passport or an ID card, plus a way to justify the place of birth, a a way to justify
the place of living, an that the country name was extracted from the presentation of the passport, etc ...

So why should we do this in your context ?

We need to store information in the certificate directly derived from the SAML token, so that the application
which performed a SAML authentication can make sure that the certificate was delivered for the same person,
by making a comparison using some set of rules.

So there is a need to have matching rules for the content of the SAML token with the content of
the new extension (whatever it is). If we don't have such rules, then the goal at the top of page 4 cannot be met.

I do not see the added value to explain some translation process since it would be used for audit purposes only and
the CA MUST anyway maintain information about the issuance of the token. So in case of a problem, the
CA SHALL be able to answer and it is not needed to overload the content of the certificate with more information.

I still believe that OtherName is the right place to contains the parameters extracted from the SAML token,
that will be used for comparison.

Denis


PS. I wonder whether we should continue to have in mind to have this document issued as an RFC.
       It may well be a national Swedish standard.

Based on comments received today I have updated this draft, preliminary available at:

I have edited the Introduction section to clarify the scope of the document.

I have also added a new section (now 3.2) that explains the absence of attribute matching rules.
The section should also make clear how specific attribute data format conventions, such as the one expressed in ETSI TS 119 412-2, can co-exist with this extension.

/Stefan

From: "Moudrick M. Dadashov" <md@e-net.lt>
Date: Monday, March 4, 2013 11:26 AM
To: Stefan Santesson <stefan@aaa-sec.com>
Cc: Denis Pinkas <denis.pinkas@bull.net>, pkix <pkix@ietf.org>
Subject: Re: [pkix] Comments on draft-santesson-auth-context-extension-04

On 3/4/2013 12:09 PM, Stefan Santesson wrote:
Denis,

First, thanks for your review. I really appreciate it.

It seems to me, especially with your leading concluding comment, that you have missed out on what this specification attempts to do.
Perhaps you did not read the introduction enough, or perhaps I didn't write it clear enough.

The purpose is not to associate the subject with a identifier composed of a set of attributes.
That is, this is NOT a new name form.

This extension helps a relying party to understand the source of the identity information that is placed in the traditional identity fields of a certificate.
For example. If the serialNumber attributes holds the string "123456", then this extension can tell you where this string came from.

How is this related to "semantics identifier" (ETSI TS 119 412-2) then?

M.D.
The use case addressed is where the CA/RA obtains the authenticated identify from a SAML assertion when issuing the certificate.
This extension provides means to preserve information about the original SAML attributes in the cert.


From: Denis Pinkas <denis.pinkas@bull.net>
Date: Monday, March 4, 2013 9:42 AM
To: Stefan Santesson <stefan@aaa-sec.com>, pkix <pkix@ietf.org>
Subject: Comments on draft-santesson-auth-context-extension-04

Stefan,


The goal of this document is to associate a public key to be used for verifying electronic signatures
with an identifier composed of a set of attributes, typically SAML attributes, contained in an authentication token.

 

No you got this wrong. This is not an Identifier.

 

MAJOR COMMENTS

 

1. The proposed draft is not aligned with the current practices of RFC 5280 and X.509:
the right place to hold such a set of attributes is in the subject alternate name.
The subject DN may or may not be empty.

 

There is no rational in this draft to explain why this straightforward approach has not been chosen.

 

   SubjectAltName ::= GeneralNames

 

   GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

 

   GeneralName ::= CHOICE {

        otherName                       [0]     OtherName,

        rfc822Name                      [1]     IA5String,

        dNSName                         [2]     IA5String,

        x400Address                     [3]     ORAddress,

        directoryName                   [4]     Name,

        ediPartyName                    [5]     EDIPartyName,

        uniformResourceIdentifier       [6]     IA5String,

        iPAddress                       [7]     OCTET STRING,

        registeredID                    [8]     OBJECT IDENTIFIER }

 

   OtherName ::= SEQUENCE {

        type-id    OBJECT IDENTIFIER,

        value      [0] EXPLICIT ANY DEFINED BY type-id }

 

OtherName fits well with the requirements, if you accept to use an OID rather than
a uniformResourceIdentifier.

 

The value component would contain an XML structure conformant with a XML schema.

 

This draft does not contain an identifier, thus this comment is irrelevant.
There is not explanation why we don't store an identifier as a SAN, since we do not create or store an identifier.

 

2. The document should be restructured to define:

(a) the general way to answer to the requirements, and
(b) a specific profile, in an Appendix, so that other RFCs could refer to the main body of the document.

 

That could be one way to do it.

 

DETAILED COMMENTS

 

3. The proposed structure is not appropriate.

 

a) Why is there a need to have a SEQUENCE ? This should be avoided.

b) Why is contextInfo OPTIONAL? This should be avoided.

 

      AuthenticationContexts ::= SEQUENCE SIZE (1..MAX) OF

                                 AuthenticationContext

 

      AuthenticationContext ::= SEQUENCE {

          contextType     UTF8String,

          contextInfo     UTF8String OPTIONAL

      }

For exactly the same reason why SAML AuthContextClassRef in a SAML assertion is mandatory but not the XML structure it defines.
In some cases you don't want to include explicit data, if that data is static and can be implicitly known through an identifier.

The AuthContextClassRef in SAML is the best example as it is an exact functional replica of this.
The URL identified by AuthContextClassRef is also a XML Schema ns for associated XML document.

The XML Schema can define both a static XML document with fixed values as well as a structure where different values can be entered.

Just including the reference to the XML Schema may then provide sufficient information to the relying party. The actual XML document is only included if some variable data need to be communicated within the associated XML document.

Just including contextType but not contextInfo could be compared with the case where we include a certificate policy OID, but not the entire policy text.

This is a really smart way to do this, which is made possible through the versatility of XML Schemas.


 

 

4. The text states:    This extension MAY be marked critical.

 

If the alternate name is present, why should there be a DN ?

This comment must be based on a misunderstanding of the scope of this document.

 

 

5. The XML schema should be given first (Appendix B) followed by the explanations (sections 3.1 and 3.2).
In other words, sections 3.1 and 3.2 should be placed in Appendix B.

That is one way to do it. If I was the implementer, I really wouldn't care as long as the information is there.
I think it is quite common to place programatic contracts in Appendixes, wile explaining data elements in the body of the document.

 

 

6. The vocabulary used in sections 3.1 and 3.2 is confusing and should be changed.

 

An example: “AuthContextInfo Element” does not exist. However, it is better to state that the contextInfo component
contains an XML structure which must conform to an XML schema.

 

Sorry, I don't get this comment. The AuthContextInfo element does exist. It is defined in the schema. XML Schema defines syntax and structure but not the semantics. Semantics are defined the section 3.

 

7. The XML structure proposed to fit inside contextInfo is overly complex.

 

AuthenticationInstant is mandatory, whereas it is not needed.

This information is always available from the SAML assertion and is considered fundamental, thus required.

AssertionRef is not needed.

ServiceID is not needed.

And hence, both are optional.

The XML Schema is actually very simple. Its just the nature of XML Schemas to look more complex than they actually are.
Perhaps it is easier if you examine it through this following web doc (which unfortunately can't be included in the spec):


 

 

8. There are no matching rules defined. This means that the verification of the content of that field is not possible.

First of all, this is not an identifier, thus there is no reason for a matching rule is it would be if this was an identifier that as a whole should be compared with something else.

The SAML attribute value does not have to match the value of the cert attribute, this data in the extension is optional and, if present, is a hint. 
But I could actually add some text to clarify this.

 

 

9. In section 3.2, I failed to understand the explanations for CertRef as well as for rdn and san.

 

Why CertNameType cannot be “factorized” ? (in the example from Page 15, there are all the same).

No, the example in the spec has one e-mail attribute that was placed in the SubjAltName extension of the cert.

 

                      "rdn"   The SAML attribute value is placed in the

                              subject field of the certificate in a

                              present Relative Distinguished Name

                              attribute.

 

                      "san"   The SAML attribute value is placed in the

                              Subject Alternative Name extension of the

                              certificate.

 

I also failed to understand the reason of such “mapping”.


Yes, and I think that is the reason behind most of your comments.


The example in Appendix C illustrates the complexity of the proposal.
Can the approach be made simpler ? If not, why ?

 

No it can't be made simpler. It contains exactly the information we need in the implementation where it is used.

I could write a whole whitepaper about all detailed reasons, but if you really think about the use case, it should be clear.

Consider the case where you know users by attributes defined in a SAML federation, where for example serialNumber is NOT used.
A CA issues a certificate to a user based an a SAML assertion authentication based on the attribute profile of that federation.

A user logs in to your service using a SAML assertion, and sends you a signed document associated with the issued certificate.
You now need to determine whether that SAML assertion and the certificate represents the same user.
You also need to determine that the SAML assertion and the certificate provides compatible levels of assertion for user authentication as defined in your SAML federation.

This extension gives you exactly the amount of data that is needed in order to do this in an unambiguous fully automated process.

 

10. In section 4, I failed to understand the “dynamic” aspect. My understanding is that a person statically
authenticates to a RA (Registration Authority) and then is given back a non-repudiation certificate
with SAML attributes in it which may then be used as identity attributes.
I am unsure what the text in this section wants to say when using the words “dynamic manner”.


Your view is to restrictive.

The dynamic aspect of this is that a certificate may be issued on the fly at the instance when it is needed, containing just the information that is needed for one particular situation.
This extension is (where this is used in the Swedish national infrastructure) added to certificates that are issued for just one instance of signing, and hence can be dynamically adapted to the needs of the intended relying party.

Next time the user signs, a new key pair is generated with new certs that may contain another set of the user's attributes.

The first instance may for example contain the users private identity based on a national identifier, the second may carry an organisational identity based on employee number.
What attributes that are needed in every instance is determined in a service context that is outside the scope of this specification.

In these certificates, both the national identifier and the employee number may be placed as a serialNumber attribute in the subject field.
Despite that, this extension makes it possible for the relying party to know exactly what identity information each certificate carries, as it maps to the attribute profile of a SAML federation.

/Stefan


Denis

 

_______________________________________________
pkix mailing list
pkix@ietf.orghttps://www.ietf.org/mailman/listinfo/pkix

--------------000803000105000106070705-- From stefan@aaa-sec.com Tue Mar 5 16:27:30 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2253611E80A5 for ; Tue, 5 Mar 2013 16:27:30 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -98.725 X-Spam-Level: X-Spam-Status: No, score=-98.725 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, SARE_MILLIONSOF=0.315, SARE_SPEC_REPLICA_OBFU=1.812, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oyJ3oToDJUK5 for ; Tue, 5 Mar 2013 16:27:20 -0800 (PST) Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id 1276321F8523 for ; Tue, 5 Mar 2013 16:27:12 -0800 (PST) Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id 165544D9AA5 for ; Wed, 6 Mar 2013 01:27:10 +0100 (CET) X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id UcjATUqVIGcK for ; Wed, 6 Mar 2013 01:27:01 +0100 (CET) Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id F013F4DB581 for ; Wed, 6 Mar 2013 01:27:00 +0100 (CET) Received: (qmail 95787 invoked from network); 6 Mar 2013 00:26:59 -0000 Received: from 81-232-51-61-no39.business.telia.com (HELO [192.168.0.105]) (stefan@fiddler.nu@[81.232.51.61]) (envelope-sender ) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 6 Mar 2013 00:26:59 -0000 User-Agent: Microsoft-MacOutlook/14.3.1.130117 Date: Wed, 06 Mar 2013 01:26:59 +0100 From: Stefan Santesson To: Denis Pinkas Message-ID: Thread-Topic: [pkix] Comments on draft-santesson-auth-context-extension-04 In-Reply-To: <51362EEB.6070802@bull.net> Mime-version: 1.0 Content-type: multipart/alternative; boundary="B_3445378021_1641212" Cc: pkix Subject: Re: [pkix] Comments on draft-santesson-auth-context-extension-04 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Mar 2013 00:27:30 -0000 > This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. --B_3445378021_1641212 Content-type: text/plain; charset="ISO-8859-1" Content-transfer-encoding: quoted-printable Hi Denis, Comments in line; From: Denis Pinkas Date: Tuesday, March 5, 2013 6:44 PM To: Stefan Santesson Cc: pkix , Sean Turner Subject: Re: [pkix] Comments on draft-santesson-auth-context-extension-04 > =20 > =20 > Stefan, > =20 > I read the new specification (dated March 4) and it does not solve my > concerns. > =20 > The real goal is stated at the top of page 4: >=20 >=20 > =20 > =20 > to verify that the signature was created by the same user that logged on > to the service. No that is an example of what you might want to do with this. > =20 > In your response below, you also say: > =20 > "You now need to determine whether that SAML assertion and the > certificate represents the same user." > =20 > This is rather different from the goal stated on page 3: > =20 > =20 >=20 > The primary purpose of this document is to provide a mechanism that > =20 > allows an application to understand information that express the > =20 > identity of a subject in a certificate that is stored either in a > =20 > subject field attribute, as a subject alternative name or in a > =20 > subject directory attribute. > =20 This is the primary function. This can be used to achieve the goal of the example use case above. There is no contradiction. >=20 > If we draw an analogy with the way to construct a DN, we do not mention = that > the DN was created after > the presentation of a passport or an ID card, plus a way to justify the = place > of birth, a a way to justify > the place of living, an that the country name was extracted from the > presentation of the passport, etc ... > =20 > So why should we do this in your context ? Only if it solves a problem you have. Else why bother? You seem to be missing a big point, and perhaps that is because you have no= t dealt with the problems of combining a SAML federation with a PKI infrastructure? This extension addresses real practical problems arising from the fact that cert profiles and SAML federations have different attribute profiles. That is, they use different attributes and name forms to express the same thing. Basically, if you have gone through the paint to teach every participating service to understand user identity according to the SAML attribute profile= , you may want to use that also to understand certificate entities. In some cases that is absolutely necessary but currently not possible without using quite ugly heuristics and very local conventions that does no= t scale very well. > =20 > We need to store information in the certificate directly derived from th= e > SAML token, so that the application > which performed a SAML authentication can make sure that the certificate= was > delivered for the same person, > by making a comparison using some set of rules. >=20 > So there is a need to have matching rules for the content of the SAML to= ken > with the content of > the new extension (whatever it is). If we don't have such rules, then th= e > goal at the top of page 4 cannot be met. No, but you put the finger on a problem that caused me to do another update to make this clear. I removed the three parameters specifying the saml Attribute and replaced i= t with a real saml:attribute element. This removes any need to discuss attribute matching, because the SAML attribute stored in this extension, when compared with anything outside of the cert, is compared with a SAML attribute from a SAML assertion. Matching SAML attributes is handled by the SAML standard and is therefore outside th= e scope of this document. > =20 > I do not see the added value to explain some translation process since i= t > would be used for audit purposes only and > the CA MUST anyway maintain information about the issuance of the token.= So > in case of a problem, the > CA SHALL be able to answer and it is not needed to overload the content = of > the certificate with more information. The need does not arise just in case of a problem. This comparison is done every time a user signs a document in a government service. This is million= s of transactions and hence this process must be well defined and automated. The comparison between the SAML assertion the user presented at login, and the signature certificate presented by the user in the same session will originate from multiple Ideneity Providers and signature services, so just relying on local conventions does not scale and is too static to provide a future proof solution. Do I dare to say trust me? :) We have modelled and prototyped this for almost a year, and without adding this information to the certs, our infrastructure would not work. > =20 > I still believe that OtherName is the right place to contains the parame= ters > extracted from the SAML token, > that will be used for comparison. No, for a number of reasons. We want this cert to be processed just as any normal certificate. The primary purpose is to declare the information source of present subject attributes and name forms, not to define a new OTHER name. The biggest reason why this definitely can't be an other name is because there is absolutely no guarantee that the content in this extension will contain any unique name of anything related to the subject. In it's simplest use it will just identify an XML Schema defining a static ruleset. In such case that schema identifier will be the same for all certs issued to various subjects. An updated version of the draft is available using the same link. /Stefan > =20 > Denis=20 > =20 > =20 > PS. I wonder whether we should continue to have in mind to have this doc= ument > issued as an RFC. > It may well be a national Swedish standard. > =20 > =20 > =20 >> =20 >> Based on comments received today I have updated this draft, preliminary >> available at: >> =20 >> http://aaa-sec.com/_temp/draft-santesson-auth-context-extension-04.txt >> =20 >>=20 >> =20 >> =20 >> I have edited the Introduction section to clarify the scope of the docum= ent. >> =20 >>=20 >> =20 >> =20 >> I have also added a new section (now 3.2) that explains the absence of >> attribute matching rules. >> =20 >> The section should also make clear how specific attribute data format >> conventions, such as the one expressed in ETSI TS 119 412-2, can co-exis= t >> with this extension. >> =20 >>=20 >> =20 >> =20 >> /Stefan >> =20 >>=20 >> =20 >> =20 >> From: "Moudrick M. Dadashov" >> Date: Monday, March 4, 2013 11:26 AM >> To: Stefan Santesson >> Cc: Denis Pinkas , pkix >> Subject: Re: [pkix] Comments on draft-santesson-auth-context-extension= -04 >> =20 >> =20 >>=20 >> =20 >> =20 >>> =20 >>> =20 >>> =20 >>> On 3/4/2013 12:09 PM, Stefan Santesson wrote: >>> =20 >>> =20 >>>> =20 >>>> Denis, >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> First, thanks for your review. I really appreciate it. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> It seems to me, especially with your leading concluding comment, that = you >>>> have missed out on what this specification attempts to do. >>>> =20 >>>> Perhaps you did not read the introduction enough, or perhaps I didn't = write >>>> it clear enough. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> The purpose is not to associate the subject with a identifier composed= of a >>>> set of attributes. >>>> =20 >>>> That is, this is NOT a new name form. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> This extension helps a relying party to understand the source of the >>>> identity information that is placed in the traditional identity fields= of a >>>> certificate. >>>> =20 >>>> For example. If the serialNumber attributes holds the string "123456",= then >>>> this extension can tell you where this string came from. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>> How is this related to "semantics identifier" (ETSI TS 119 412-2) then= ? >>> =20 >>> M.D.=20 >>> =20 >>>> =20 >>>> The use case addressed is where the CA/RA obtains the authenticated >>>> identify from a SAML assertion when issuing the certificate. >>>> =20 >>>> This extension provides means to preserve information about the origin= al >>>> SAML attributes in the cert. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> From: Denis Pinkas >>>> Date: Monday, March 4, 2013 9:42 AM >>>> To: Stefan Santesson , pkix >>>> Subject: Comments on draft-santesson-auth-context-extension-04 >>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>> Stefan, >>>>> =20 >>>>> =20 >>>>>=20 >>>>> =20 >>>>> =20 >>>>> The goal of this document is to associate a public key to be used for >>>>> verifying electronic signatures >>>>> with an identifier composed of a set of attributes, typically SAML >>>>> attributes, contained in an authentication token. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> No you got this wrong. This is not an Identifier. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>> =20 >>>>> =20 >>>>> MAJOR COMMENTS >>>>> =20 >>>>> =20 >>>>> =20 >>>>> 1. The proposed draft is not aligned with the current practices of RF= C >>>>> 5280 and X.509: >>>>> the right place to hold such a set of attributes is in the subject >>>>> alternate name. >>>>> The subject DN may or may not be empty. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> There is no rational in this draft to explain why this straightforwar= d >>>>> approach has not been chosen. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> SubjectAltName ::=3D GeneralNames >>>>> =20 >>>>> =20 >>>>> =20 >>>>> GeneralNames ::=3D SEQUENCE SIZE (1..MAX) OF GeneralName >>>>> =20 >>>>> =20 >>>>> =20 >>>>> GeneralName ::=3D CHOICE { >>>>> =20 >>>>> otherName [0] OtherName, >>>>> =20 >>>>> rfc822Name [1] IA5String, >>>>> =20 >>>>> dNSName [2] IA5String, >>>>> =20 >>>>> x400Address [3] ORAddress, >>>>> =20 >>>>> directoryName [4] Name, >>>>> =20 >>>>> ediPartyName [5] EDIPartyName, >>>>> =20 >>>>> uniformResourceIdentifier [6] IA5String, >>>>> =20 >>>>> iPAddress [7] OCTET STRING, >>>>> =20 >>>>> registeredID [8] OBJECT IDENTIFIER } >>>>> =20 >>>>> =20 >>>>> =20 >>>>> OtherName ::=3D SEQUENCE { >>>>> =20 >>>>> type-id OBJECT IDENTIFIER, >>>>> =20 >>>>> value [0] EXPLICIT ANY DEFINED BY type-id } >>>>> =20 >>>>> =20 >>>>> =20 >>>>> OtherName fits well with the requirements, if you accept to use an O= ID >>>>> rather than=20 >>>>> a uniformResourceIdentifier. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> The value component would contain an XML structure conformant with a = XML >>>>> schema. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> This draft does not contain an identifier, thus this comment is irrele= vant. >>>> =20 >>>> There is not explanation why we don't store an identifier as a SAN, si= nce >>>> we do not create or store an identifier. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>> =20 >>>>> =20 >>>>> 2. The document should be restructured to define: >>>>> =20 >>>>> (a) the general way to answer to the requirements, and >>>>> (b) a specific profile, in an Appendix, so that other RFCs could ref= er to >>>>> the main body of the document. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> That could be one way to do it. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>> =20 >>>>> =20 >>>>> DETAILED COMMENTS >>>>> =20 >>>>> =20 >>>>> =20 >>>>> 3. The proposed structure is not appropriate. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> a) Why is there a need to have a SEQUENCE ? This should be avoided. >>>>> =20 >>>>> b) Why is contextInfo OPTIONAL? This should be avoided. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> AuthenticationContexts ::=3D SEQUENCE SIZE (1..MAX) OF >>>>> =20 >>>>> AuthenticationContext >>>>> =20 >>>>> =20 >>>>> =20 >>>>> AuthenticationContext ::=3D SEQUENCE { >>>>> =20 >>>>> contextType UTF8String, >>>>> =20 >>>>> contextInfo UTF8String OPTIONAL >>>>> =20 >>>>> } >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> For exactly the same reason why SAML AuthContextClassRef in a SAML >>>> assertion is mandatory but not the XML structure it defines. >>>> =20 >>>> In some cases you don't want to include explicit data, if that data is >>>> static and can be implicitly known through an identifier. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> The AuthContextClassRef in SAML is the best example as it is an exact >>>> functional replica of this. >>>> =20 >>>> The URL identified by AuthContextClassRef is also a XML Schema ns for >>>> associated XML document. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> The XML Schema can define both a static XML document with fixed values= as >>>> well as a structure where different values can be entered. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> Just including the reference to the XML Schema may then provide suffic= ient >>>> information to the relying party. The actual XML document is only incl= uded >>>> if some variable data need to be communicated within the associated XM= L >>>> document. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> Just including contextType but not contextInfo could be compared with = the >>>> case where we include a certificate policy OID, but not the entire pol= icy >>>> text. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> This is a really smart way to do this, which is made possible through = the >>>> versatility of XML Schemas. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> 4. The text states: This extension MAY be marked critical. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> If the alternate name is present, why should there be a DN ? >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> This comment must be based on a misunderstanding of the scope of this >>>> document. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> 5. The XML schema should be given first (Appendix B) followed by the >>>>> explanations (sections 3.1 and 3.2). >>>>> In other words, sections 3.1 and 3.2 should be placed in Appendix B. >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> That is one way to do it. If I was the implementer, I really wouldn't = care >>>> as long as the information is there. >>>> =20 >>>> I think it is quite common to place programatic contracts in Appendixe= s, >>>> wile explaining data elements in the body of the document. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> 6. The vocabulary used in sections 3.1 and 3.2 is confusing and shoul= d be >>>>> changed. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> An example: =B3AuthContextInfo Element=B2 does not exist. However, it is >>>>> better to state that the contextInfo component >>>>> contains an XML structure which must conform to an XML schema. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> Sorry, I don't get this comment. The AuthContextInfo element does exis= t. It >>>> is defined in the schema. XML Schema defines syntax and structure but = not >>>> the semantics. Semantics are defined the section 3. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>> =20 >>>>> =20 >>>>> 7. The XML structure proposed to fit inside contextInfo is overly com= plex. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> AuthenticationInstant is mandatory, whereas it is not needed. >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> This information is always available from the SAML assertion and is >>>> considered fundamental, thus required. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>> =20 >>>>> AssertionRef is not needed. >>>>> =20 >>>>> ServiceID is not needed. >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> And hence, both are optional. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> The XML Schema is actually very simple. Its just the nature of XML Sch= emas >>>> to look more complex than they actually are. >>>> =20 >>>> Perhaps it is easier if you examine it through this following web doc >>>> (which unfortunately can't be included in the spec): >>>> =20 >>>> http://aaa-sec.com/eid2/sigsupport/XMLschema/AuthContExtDoc/index.html >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> 8. There are no matching rules defined. This means that the verificat= ion >>>>> of the content of that field is not possible. >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> First of all, this is not an identifier, thus there is no reason for a >>>> matching rule is it would be if this was an identifier that as a whole >>>> should be compared with something else. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> The SAML attribute value does not have to match the value of the cert >>>> attribute, this data in the extension is optional and, if present, is = a >>>> hint.=20 >>>> =20 >>>> But I could actually add some text to clarify this. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> 9. In section 3.2, I failed to understand the explanations for CertRe= f as >>>>> well as for rdn and san. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> Why CertNameType cannot be =B3factorized=B2 ? (in the example from Page = 15, >>>>> there are all the same). >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> No, the example in the spec has one e-mail attribute that was placed i= n the >>>> SubjAltName extension of the cert. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> "rdn" The SAML attribute value is placed in t= he >>>>> =20 >>>>> subject field of the certificate in a >>>>> =20 >>>>> present Relative Distinguished Name >>>>> =20 >>>>> attribute. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> "san" The SAML attribute value is placed in t= he >>>>> =20 >>>>> Subject Alternative Name extension of t= he >>>>> =20 >>>>> certificate. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> I also failed to understand the reason of such =B3mapping=B2. >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> Yes, and I think that is the reason behind most of your comments. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>>=20 >>>>> The example in Appendix C illustrates the complexity of the proposal= . >>>>> Can the approach be made simpler ? If not, why ? >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> No it can't be made simpler. It contains exactly the information we ne= ed in >>>> the implementation where it is used. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> I could write a whole whitepaper about all detailed reasons, but if yo= u >>>> really think about the use case, it should be clear. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> Consider the case where you know users by attributes defined in a SAML >>>> federation, where for example serialNumber is NOT used. >>>> =20 >>>> A CA issues a certificate to a user based an a SAML assertion >>>> authentication based on the attribute profile of that federation. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> A user logs in to your service using a SAML assertion, and sends you a >>>> signed document associated with the issued certificate. >>>> =20 >>>> You now need to determine whether that SAML assertion and the certific= ate >>>> represents the same user. >>>> =20 >>>> You also need to determine that the SAML assertion and the certificate >>>> provides compatible levels of assertion for user authentication as def= ined >>>> in your SAML federation. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> This extension gives you exactly the amount of data that is needed in = order >>>> to do this in an unambiguous fully automated process. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>> =20 >>>>> =20 >>>>> 10. In section 4, I failed to understand the =B3dynamic=B2 aspect. My >>>>> understanding is that a person statically >>>>> authenticates to a RA (Registration Authority) and then is given bac= k a >>>>> non-repudiation certificate >>>>> with SAML attributes in it which may then be used as identity attrib= utes. >>>>> I am unsure what the text in this section wants to say when using th= e >>>>> words =B3dynamic manner=B2. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> Your view is to restrictive. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> The dynamic aspect of this is that a certificate may be issued on the = fly >>>> at the instance when it is needed, containing just the information tha= t is >>>> needed for one particular situation. >>>> =20 >>>> This extension is (where this is used in the Swedish national >>>> infrastructure) added to certificates that are issued for just one ins= tance >>>> of signing, and hence can be dynamically adapted to the needs of the >>>> intended relying party. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> Next time the user signs, a new key pair is generated with new certs t= hat >>>> may contain another set of the user's attributes. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> The first instance may for example contain the users private identity = based >>>> on a national identifier, the second may carry an organisational ident= ity >>>> based on employee number. >>>> =20 >>>> What attributes that are needed in every instance is determined in a >>>> service context that is outside the scope of this specification. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> In these certificates, both the national identifier and the employee n= umber >>>> may be placed as a serialNumber attribute in the subject field. >>>> =20 >>>> Despite that, this extension makes it possible for the relying party t= o >>>> know exactly what identity information each certificate carries, as it= maps >>>> to the attribute profile of a SAML federation. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> /Stefan >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>>=20 >>>>> =20 >>>>> =20 >>>>> Denis >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>> =20 >>>> =20 >>>> _______________________________________________ >>>> pkix mailing list >>>> pkix@ietf.orghttps://www.ietf.org/mailman/listinfo/pkix >>>> =20 >>> =20 >>> =20 >>> =20 >>> =20 >> =20 > =20 > =20 --B_3445378021_1641212 Content-type: text/html; charset="ISO-8859-1" Content-transfer-encoding: quoted-printable
Hi Denis,

Comments in line;

Fro= m: Denis Pinkas <denis.pin= kas@bull.net>
Date: Tuesday= , March 5, 2013 6:44 PM
To: Stefan= Santesson <stefan@aaa-sec.com>= ;
Cc: pkix <pkix@ietf.org>, Sean Turner <turners@ieca.com>
Subject:= Re: [pkix] Comments on draft-santesson-auth-context-extension-04

Stefan,

I read the new specification (dated March 4) and it does not solve my concerns.

The real goal is stated at the top of page 4:


 to verify that the signature was created by the same user that logged on

  to the service.

N= o that is an example of what you might want to do with this.

<= /div>

In your response below, you also say:

      "You n= ow need to determine whether that SAML assertion and the certificate represents the same user."

This is rather different from the goal stated on page 3:

   The primary purpose of this document is to provide a mechanism that

   allows an application to understand information that express the

   identity of a subject in a certificate that is stored either in a

=    subject field attribute, as a subject alternative name or in a

=    subject directory attribute.


This is the= primary function. This can be used to achieve the goal of the example use c= ase above. There is no contradiction.


=

= If we draw an analogy with the way to construct a DN, we do not mention that the DN was created after
the presentation of a passport or an ID card, plus a way to justify the place of birth, a a way to justify
the place of living, an that the country name was extracted from the presentation of the passport, etc ...

So why should we do this in your context ?

Only if it solves a problem you have. Els= e why bother?

You seem to be missing a big point, a= nd perhaps that is because you have not dealt with the problems of combining= a SAML federation with a PKI infrastructure?
This extension addre= sses real practical problems arising from the fact that cert profiles and SA= ML federations have different attribute profiles. That is, they use differen= t attributes and name forms to express the same thing.

<= div>Basically, if you have gone through the paint to teach every participati= ng service to understand user identity according to the SAML attribute profi= le, you may want to use that also to understand certificate entities.
<= div>
In some cases that is absolutely necessary but currently = not possible without using quite ugly heuristics and very local conventions = that does not scale very well.


We need to store information in the certificate directly derived from the SAML token, so that the application
which performed a SAML authentication can make sure that the certificate was delivered for the same person,
by making a comparison using some set of rules.

So there is a need to have matching rules for the content of the SAML token with the content of
the new extension (whatever it is). If we don't have such rules, then the goal at the top of page 4 cannot be met.


No, but you pu= t the finger on a problem that caused me to do another update to make this c= lear.

I removed the three parameters specifying the= saml Attribute and replaced it with a real saml:attribute element.

This removes any need to discuss attribute matching, becaus= e the SAML attribute stored in this extension, when compared with anything o= utside of the cert, is compared with a SAML attribute from a SAML assertion.= Matching SAML attributes is handled by the SAML standard and is therefore o= utside the scope of this document.



I do not see the added value to explain some translation process since it would be used for audit purposes only and
the CA MUST anyway maintain information about the issuance of the token. So in case of a problem, the
CA SHALL be able to answer and it is not needed to overload the content of the certificate with more information.

The need does not arise just in ca= se of a problem. This comparison is done every time a user signs a document = in a government service. This is millions of transactions and hence this pro= cess must be well defined and automated.
The comparison between th= e SAML assertion the user presented at login, and the signature certificate = presented by the user in the same session will originate from multiple Idene= ity Providers and signature services, so just relying on local conventions d= oes not scale and is too static to provide a future proof solution.

Do I dare to say trust me? :) We have modelled and prototyp= ed this for almost a year, and without adding this information to the certs,= our infrastructure would not work.


I still believe that OtherName is the right place to contains the parameters extracted from the SAML token,
that will be used for comparison.
<= /span>

No, for a number of reasons.

<= div>We want this cert to be processed just as any normal certificate. <= /div>
The primary purpose is to declare the information source of presen= t subject attributes and name forms, not to define a new OTHER name.

The biggest reason why this definitely can't be an other n= ame is because there is absolutely no guarantee that the content in this ext= ension will contain any unique name of anything related to the subject.
In it's simplest use it will just identify an XML Schema defining a st= atic ruleset. In such case that schema identifier will be the same for all c= erts issued to various subjects.

An updated version= of the draft is available using the same link.

/St= efan


Denis


PS. I wonder whether we should continue to have in mind to have this document issued as an RFC.
       It may well be a national Swedis= h standard.

=
Based on comments received today I have updated this draft, preliminary available at:

I have edited the Introduction section to clarify the scope of the document.

I have also added a new section (now 3.2) that explains the absence of attribute matching rules.
The section should also make clear how specific attribute data format conventions, such as the one expressed in ETSI TS 119 412-2, can co-exist with this extension.

/Stefan

From: "Moudrick M. Dadashov" <md@e-net.lt>
Date: Monday, March 4, 2013 11:26 AM
To: Stefan Santesson <st= efan@aaa-sec.com>
Cc: Denis Pinkas <denis.pinkas@bull.n= et>, pkix <pk= ix@ietf.org>
Subject: Re: [pkix] Comments on draft-santesson-auth-context-extension-04

On 3/4/2013 12:09 PM, Stefan Santesson wrote:
Denis,

First, thanks for your review. I really appreciate it.

It seems to me, especially with your leading concluding comment, that you have missed out on what this specification attempts to do.
Perhaps you did not read the introduction enough, or perhaps I didn't write it clear enough.

The purpose is not to associate the subject with a identifier composed of a set of attributes.
That is, this is NOT a new name form.

This extension helps a relying party to understand the source of the identity information that is placed in the traditional identity fields of a certificate.
For example. If the serialNumber attributes holds the string "123456", then this extension can tell you where this string came from.

How is this related to "semantics identifier" (ETSI TS 119 412-2) then?

M.D.
The use case addressed is where the CA/RA obtains the authenticated identify from a SAML assertion when issuing the certificate.
This extension provides means to preserve information about the original SAML attributes in the cert.


From: Denis Pinkas <denis.pinkas@bull.net>
Date: Monday, March 4, 2013 9:42 AM
To: Stefan Santesson <stefan@aaa-sec.com>, pkix <pkix@ietf.org>
Subject: Comments on draft-santesson-auth-context-extension-04

Stefan,


The goal of this document is to associate a public key to be used for verifying electronic signatures
with an identifier composed of a set of attributes, typically SAML attributes, contained in an authentication token.

 

No you got this wrong. This is not an Identifier.

 

MAJOR COMMENTS

 

1. The proposed draft is not aligned with the current practices of RFC 5280 and X.509:
the right place to hold such a set of attributes is in the subject alternate name.
The subject DN may or may not be empty.

 

There is no rational in this draft to explain why this straightforward approach has not been chosen.

 

   S= ubjectAltName ::=3D GeneralNames

 

   G= eneralNames ::=3D SEQUENCE SIZE (1..MAX) OF GeneralName<= /o:p>

 

   G= eneralName ::=3D CHOICE {

   &nb= sp;    otherName &= nbsp;            = ;         [0] =     OtherName,

   &nb= sp;    rfc822Name =             &nbs= p;        [1] =     IA5String,

   &nb= sp;    dNSName &nb= sp;            &= nbsp;          [2] =     IA5String,

   &nb= sp;    x400Address = ;            &nb= sp;       [3] =     ORAddress,

   &nb= sp;    directoryName&nb= sp;            &= nbsp;     [4] =     Name,

   &nb= sp;    ediPartyName&nbs= p;            &n= bsp;      [5] =     EDIPartyName,

   &nb= sp;    uniformResourceIdentifier       [6]     IA5String,

   &nb= sp;    iPAddress &= nbsp;            = ;         [7] =     OCTET STRING,

   &nb= sp;    registeredID&nbs= p;            &n= bsp;      [8] =     OBJECT IDENTIFIER }

 

   O= therName ::=3D SEQUENCE {

   &nb= sp;    type-id &nb= sp;  OBJECT IDENTIFIER,

   &nb= sp;    value  = ;    [0] EXPLICIT ANY DEFINED BY type-id }

 

OtherName fits well with the requirements, if you accept to use an OID rather than
a uniformResourceIdentifier.<= /p>

 

The value component would contain an XML structure conformant with a XML schema.

 

This draft does not contain an identifier, thus this comment is irrelevant.
There is not explanation why we don't store an identifier as a SAN, since we do not create or store an identifier.

 

2. The document should be restructured to define:

(a) the general way to answer to the requirements, and
(b) a specific profile, in an Appendix, so that other RFCs could refer to the main body of the document.

 

That could be one way to do it.

 

DETAILED COMMENTS

 

3. The proposed structure is not appropriate.

 

a) Why is there a need to have a SEQUENCE ? This should be avoided.

b) Why is contextInfo OPTIONAL? This should be avoided.

 

   &nb= sp;  AuthenticationContexts ::=3D SEQUENCE SIZE (1..MAX) OF=

   &nb= sp;            &= nbsp;            = ;    AuthenticationContext<= /p>

 

   &nb= sp;  AuthenticationContext ::=3D SEQUENCE {

   &nb= sp;      contextType     UTF8String,

   &nb= sp;      contextInfo     UTF8String OPTIONAL

   &nb= sp;  }

For exactly the same reason why SAML AuthContextClassRef in a SAML assertion is mandatory but not the XML structure it defines.
In some cases you don't want to include explicit data, if that data is static and can be implicitly known through an identifier.

The AuthContextClassRef in SAML is the best examp= le as it is an exact functional replica of this.
The URL identified by AuthContextClassRef is also= a XML Schema ns for associated XML document.

The XML Schema can define both a static XML document with fixed values as well as a structure where different values can be entered.

Just including the reference to the XML Schema may then provide sufficient information to the relying party. The actual XML document is only included if some variable data need to be communicated within the associated XML document.

Just including contextType but not contextInfo could be compared with the case where we include a certificate policy OID, but not the entire policy text.

This is a really smart way to do this, which is made possible through the versatility of XML Schemas.


 

 

4. The text states:    This extension MAY be marked critical.

 

If the alternate name is present, why should there be a DN ?

This comment must be based on a misunderstanding of the scope of this document.

 

 

5. The XML schema should be given first (Appendix B) followed by the explanations (sections 3.1 and 3.2).
In other words, sections 3.1 and 3.2 should be placed in Appendix B.

That is one way to do it. If I was the implementer, I really wouldn't care as long as the information is there.
I think it is quite common to place programatic contracts in Appendixes, wile explaining data elements in the body of the document.

 

 

6. The vocabulary used in sections 3.1 and 3.2 is confusing and should be changed.<= /span>

 

An example: “AuthContextInfo Element” = does not exist. However, it is better to state that the contextInfo component
contains an XML structure which must conform to an XML schema.

 

Sorry, I don't get this comment. The AuthContextInfo element does exist. It is defined in the schema. XML Schema defines syntax and structure but not the semantics. Semantics are defined the section 3.

 

7. The XML structure proposed to fit inside contextInfo is overly complex.

 

AuthenticationInstant is mandatory, whereas it is not needed.<= /p>


This information is always available from the SAML assertion and is considered fundamental, thus required.

AssertionRef is not needed.

ServiceID is not needed.

And hence, both are optional.

The XML Schema is actually very simple. Its just the nature of XML Schemas to look more complex than they actually are.
Perhaps it is easier if you examine it through this following web doc (which unfortunately can't be included in the spec):


 

 

8. There are no matching rules defined. This means that the verification of the content of that field is not possible.

First of all, this is not an identifier, thus there is no reason for a matching rule is it would be if this was an identifier that as a whole should be compared with something else.

The SAML attribute value does not have to match the value of the cert attribute, this data in the extension is optional and, if present, is a hint. 
But I could actually add some text to clarify this.

 

 

9. In section 3.2, I failed to understand the explanations for CertRef as well as for rdn and san.

 

Why CertNameType cannot be “factorized”= ? (in the example from Page 15, there are all the same).

No, the example in the spec has one e-mail attribute that was placed in the SubjAltName extension of the cert.

 

   &nb= sp;            &= nbsp;     "rdn"&nbs= p;  The SAML attribute value is placed in the

   &nb= sp;            &= nbsp;            = ; subject field of the certificate in a

   &nb= sp;            &= nbsp;            = ; present Relative Distinguished Name=

   &nb= sp;            &= nbsp;            = ; attribute.

 

   &nb= sp;            &= nbsp;     "san"&nbs= p;  The SAML attribute value is placed in the

   &nb= sp;            &= nbsp;            = ; Subject Alternative Name extension of the

   &nb= sp;            &= nbsp;            = ; certificate.

 

I also failed to understand the reason of such “mapping”.


Yes, and I think that is the reason behind most of your comments.


The example in Appendix C illustrates the complexity of the proposal.
Can the approach be made simpler ? If not, why ?

 

No it can't be made simpler. It contains exactly the information we need in the implementation where it is used.

I could write a whole whitepaper about all detailed reasons, but if you really think about the use case, it should be clear.

Consider the case where you know users by attributes defined in a SAML federation, where for example serialNumber is NOT used.
A CA issues a certificate to a user based an a SAML assertion authentication based on the attribute profile of that federation.

A user logs in to your service using a SAML assertion, and sends you a signed document associated with the issued certificate.
You now need to determine whether that SAML assertion and the certificate represents the same user.
You also need to determine that the SAML assertion and the certificate provides compatible levels of assertion for user authentication as defined in your SAML federation.

This extension gives you exactly the amount of data that is needed in order to do this in an unambiguous fully automated process.

 

10. In section 4, I failed to understand the “dynamic” aspect. My understanding = is that a person statically
authenticates to a RA (Registration Authority) and then is given back a non-repudiation certificate
with SAML attributes in it which may then be used as identity attributes.
I am unsure what the text in this section wants to say when using the words “dynami= c manner”.


Your view is to restrictive.

The dynamic aspect of this is that a certificate may be issued on the fly at the instance when it is needed, containing just the information that is needed for one particular situation.
This extension is (where this is used in the Swedish national infrastructure) added to certificates that are issued for just one instance of signing, and hence can be dynamically adapted to the needs of the intended relying party.

Next time the user signs, a new key pair is generated with new certs that may contain another set of the user's attributes.

The first instance may for example contain the users private identity based on a national identifier, the second may carry an organisational identity based on employee number.
What attributes that are needed in every instance is determined in a service context that is outside the scope of this specification.

In these certificates, both the national identifier and the employee number may be placed as a serialNumber attribute in the subject field.
Despite that, this extension makes it possible for the relying party to know exactly what identity information each certificate carries, as it maps to the attribute profile of a SAML federation.

/Stefan


Denis

 

______________________________________________=
_
pkix mailing list
pkix@ietf.orghttps://www.ietf.=
org/mailman/listinfo/pkix

--B_3445378021_1641212-- From stefan@aaa-sec.com Wed Mar 6 04:27:38 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D78121F88EF for ; Wed, 6 Mar 2013 04:27:38 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -98.883 X-Spam-Level: X-Spam-Status: No, score=-98.883 tagged_above=-999 required=5 tests=[AWL=0.157, BAYES_00=-2.599, HELO_EQ_SE=0.35, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, SARE_SPEC_REPLICA_OBFU=1.812, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vkr+ecG-MOmI for ; Wed, 6 Mar 2013 04:27:29 -0800 (PST) Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id 8AFBC21F86D2 for ; Wed, 6 Mar 2013 04:27:28 -0800 (PST) Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id 20DED52EC13 for ; Wed, 6 Mar 2013 13:27:27 +0100 (CET) X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 5_m5FAzVk3lu for ; Wed, 6 Mar 2013 13:27:16 +0100 (CET) Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id A536952EDB2 for ; Wed, 6 Mar 2013 13:27:16 +0100 (CET) Received: (qmail 91016 invoked from network); 6 Mar 2013 12:27:16 -0000 Received: from 81-232-51-61-no39.business.telia.com (HELO [192.168.0.105]) (stefan@fiddler.nu@[81.232.51.61]) (envelope-sender ) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 6 Mar 2013 12:27:16 -0000 User-Agent: Microsoft-MacOutlook/14.3.1.130117 Date: Wed, 06 Mar 2013 13:27:20 +0100 From: Stefan Santesson To: Denis Pinkas Message-ID: Thread-Topic: [pkix] Comments on draft-santesson-auth-context-extension-04 In-Reply-To: <51362EEB.6070802@bull.net> Mime-version: 1.0 Content-type: multipart/alternative; boundary="B_3445421244_2998215" Cc: pkix Subject: Re: [pkix] Comments on draft-santesson-auth-context-extension-04 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Mar 2013 12:27:38 -0000 > This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. --B_3445421244_2998215 Content-type: text/plain; charset="ISO-8859-1" Content-transfer-encoding: quoted-printable Denis, I took a look at this this morning with fresh eyes, and some of your questions triggered me to do further improvements on the Schema, explanations and examples. The latest draft is still available from here: http://aaa-sec.com/_temp/draft-santesson-auth-context-extension-04.txt Hopefully the new examples will give you a better Idea on how this extensio= n can be used and why this is not suitable as an other name form. I'm really grateful for your review even if I don't do everything exactly a= s you suggested. /Stefan From: Denis Pinkas Date: Tuesday, March 5, 2013 6:44 PM To: Stefan Santesson Cc: pkix Subject: Re: [pkix] Comments on draft-santesson-auth-context-extension-04 > =20 > =20 > Stefan, > =20 > I read the new specification (dated March 4) and it does not solve my > concerns. > =20 > The real goal is stated at the top of page 4: >=20 >=20 > =20 > =20 > to verify that the signature was created by the same user that logged on > to the service. > =20 > In your response below, you also say: > =20 > "You now need to determine whether that SAML assertion and the > certificate represents the same user." > =20 > This is rather different from the goal stated on page 3: > =20 > =20 > The primary purpose of this document is to provide a mechanism that > =20 > allows an application to understand information that express the > =20 > identity of a subject in a certificate that is stored either in a > =20 > subject field attribute, as a subject alternative name or in a > =20 > subject directory attribute. > =20 > If we draw an analogy with the way to construct a DN, we do not mention = that > the DN was created after > the presentation of a passport or an ID card, plus a way to justify the = place > of birth, a a way to justify > the place of living, an that the country name was extracted from the > presentation of the passport, etc ... > =20 > So why should we do this in your context ? > =20 > We need to store information in the certificate directly derived from th= e > SAML token, so that the application > which performed a SAML authentication can make sure that the certificate= was > delivered for the same person, > by making a comparison using some set of rules. > =20 > So there is a need to have matching rules for the content of the SAML to= ken > with the content of > the new extension (whatever it is). If we don't have such rules, then th= e > goal at the top of page 4 cannot be met. > =20 > I do not see the added value to explain some translation process since i= t > would be used for audit purposes only and > the CA MUST anyway maintain information about the issuance of the token.= So > in case of a problem, the > CA SHALL be able to answer and it is not needed to overload the content = of > the certificate with more information. > =20 > I still believe that OtherName is the right place to contains the parame= ters > extracted from the SAML token, > that will be used for comparison. > =20 > Denis=20 > =20 > =20 > PS. I wonder whether we should continue to have in mind to have this doc= ument > issued as an RFC. > It may well be a national Swedish standard. > =20 > =20 > =20 >> =20 >> Based on comments received today I have updated this draft, preliminary >> available at: >> =20 >> http://aaa-sec.com/_temp/draft-santesson-auth-context-extension-04.txt >> =20 >>=20 >> =20 >> =20 >> I have edited the Introduction section to clarify the scope of the docum= ent. >> =20 >>=20 >> =20 >> =20 >> I have also added a new section (now 3.2) that explains the absence of >> attribute matching rules. >> =20 >> The section should also make clear how specific attribute data format >> conventions, such as the one expressed in ETSI TS 119 412-2, can co-exis= t >> with this extension. >> =20 >>=20 >> =20 >> =20 >> /Stefan >> =20 >>=20 >> =20 >> =20 >> From: "Moudrick M. Dadashov" >> Date: Monday, March 4, 2013 11:26 AM >> To: Stefan Santesson >> Cc: Denis Pinkas , pkix >> Subject: Re: [pkix] Comments on draft-santesson-auth-context-extension= -04 >> =20 >> =20 >>=20 >> =20 >> =20 >>> =20 >>> =20 >>> =20 >>> On 3/4/2013 12:09 PM, Stefan Santesson wrote: >>> =20 >>> =20 >>>> =20 >>>> Denis, >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> First, thanks for your review. I really appreciate it. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> It seems to me, especially with your leading concluding comment, that = you >>>> have missed out on what this specification attempts to do. >>>> =20 >>>> Perhaps you did not read the introduction enough, or perhaps I didn't = write >>>> it clear enough. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> The purpose is not to associate the subject with a identifier composed= of a >>>> set of attributes. >>>> =20 >>>> That is, this is NOT a new name form. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> This extension helps a relying party to understand the source of the >>>> identity information that is placed in the traditional identity fields= of a >>>> certificate. >>>> =20 >>>> For example. If the serialNumber attributes holds the string "123456",= then >>>> this extension can tell you where this string came from. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>> How is this related to "semantics identifier" (ETSI TS 119 412-2) then= ? >>> =20 >>> M.D.=20 >>> =20 >>>> =20 >>>> The use case addressed is where the CA/RA obtains the authenticated >>>> identify from a SAML assertion when issuing the certificate. >>>> =20 >>>> This extension provides means to preserve information about the origin= al >>>> SAML attributes in the cert. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> From: Denis Pinkas >>>> Date: Monday, March 4, 2013 9:42 AM >>>> To: Stefan Santesson , pkix >>>> Subject: Comments on draft-santesson-auth-context-extension-04 >>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>> Stefan, >>>>> =20 >>>>> =20 >>>>>=20 >>>>> =20 >>>>> =20 >>>>> The goal of this document is to associate a public key to be used for >>>>> verifying electronic signatures >>>>> with an identifier composed of a set of attributes, typically SAML >>>>> attributes, contained in an authentication token. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> No you got this wrong. This is not an Identifier. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>> =20 >>>>> =20 >>>>> MAJOR COMMENTS >>>>> =20 >>>>> =20 >>>>> =20 >>>>> 1. The proposed draft is not aligned with the current practices of RF= C >>>>> 5280 and X.509: >>>>> the right place to hold such a set of attributes is in the subject >>>>> alternate name. >>>>> The subject DN may or may not be empty. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> There is no rational in this draft to explain why this straightforwar= d >>>>> approach has not been chosen. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> SubjectAltName ::=3D GeneralNames >>>>> =20 >>>>> =20 >>>>> =20 >>>>> GeneralNames ::=3D SEQUENCE SIZE (1..MAX) OF GeneralName >>>>> =20 >>>>> =20 >>>>> =20 >>>>> GeneralName ::=3D CHOICE { >>>>> =20 >>>>> otherName [0] OtherName, >>>>> =20 >>>>> rfc822Name [1] IA5String, >>>>> =20 >>>>> dNSName [2] IA5String, >>>>> =20 >>>>> x400Address [3] ORAddress, >>>>> =20 >>>>> directoryName [4] Name, >>>>> =20 >>>>> ediPartyName [5] EDIPartyName, >>>>> =20 >>>>> uniformResourceIdentifier [6] IA5String, >>>>> =20 >>>>> iPAddress [7] OCTET STRING, >>>>> =20 >>>>> registeredID [8] OBJECT IDENTIFIER } >>>>> =20 >>>>> =20 >>>>> =20 >>>>> OtherName ::=3D SEQUENCE { >>>>> =20 >>>>> type-id OBJECT IDENTIFIER, >>>>> =20 >>>>> value [0] EXPLICIT ANY DEFINED BY type-id } >>>>> =20 >>>>> =20 >>>>> =20 >>>>> OtherName fits well with the requirements, if you accept to use an O= ID >>>>> rather than=20 >>>>> a uniformResourceIdentifier. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> The value component would contain an XML structure conformant with a = XML >>>>> schema. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> This draft does not contain an identifier, thus this comment is irrele= vant. >>>> =20 >>>> There is not explanation why we don't store an identifier as a SAN, si= nce >>>> we do not create or store an identifier. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>> =20 >>>>> =20 >>>>> 2. The document should be restructured to define: >>>>> =20 >>>>> (a) the general way to answer to the requirements, and >>>>> (b) a specific profile, in an Appendix, so that other RFCs could ref= er to >>>>> the main body of the document. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> That could be one way to do it. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>> =20 >>>>> =20 >>>>> DETAILED COMMENTS >>>>> =20 >>>>> =20 >>>>> =20 >>>>> 3. The proposed structure is not appropriate. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> a) Why is there a need to have a SEQUENCE ? This should be avoided. >>>>> =20 >>>>> b) Why is contextInfo OPTIONAL? This should be avoided. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> AuthenticationContexts ::=3D SEQUENCE SIZE (1..MAX) OF >>>>> =20 >>>>> AuthenticationContext >>>>> =20 >>>>> =20 >>>>> =20 >>>>> AuthenticationContext ::=3D SEQUENCE { >>>>> =20 >>>>> contextType UTF8String, >>>>> =20 >>>>> contextInfo UTF8String OPTIONAL >>>>> =20 >>>>> } >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> For exactly the same reason why SAML AuthContextClassRef in a SAML >>>> assertion is mandatory but not the XML structure it defines. >>>> =20 >>>> In some cases you don't want to include explicit data, if that data is >>>> static and can be implicitly known through an identifier. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> The AuthContextClassRef in SAML is the best example as it is an exact >>>> functional replica of this. >>>> =20 >>>> The URL identified by AuthContextClassRef is also a XML Schema ns for >>>> associated XML document. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> The XML Schema can define both a static XML document with fixed values= as >>>> well as a structure where different values can be entered. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> Just including the reference to the XML Schema may then provide suffic= ient >>>> information to the relying party. The actual XML document is only incl= uded >>>> if some variable data need to be communicated within the associated XM= L >>>> document. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> Just including contextType but not contextInfo could be compared with = the >>>> case where we include a certificate policy OID, but not the entire pol= icy >>>> text. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> This is a really smart way to do this, which is made possible through = the >>>> versatility of XML Schemas. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> 4. The text states: This extension MAY be marked critical. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> If the alternate name is present, why should there be a DN ? >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> This comment must be based on a misunderstanding of the scope of this >>>> document. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> 5. The XML schema should be given first (Appendix B) followed by the >>>>> explanations (sections 3.1 and 3.2). >>>>> In other words, sections 3.1 and 3.2 should be placed in Appendix B. >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> That is one way to do it. If I was the implementer, I really wouldn't = care >>>> as long as the information is there. >>>> =20 >>>> I think it is quite common to place programatic contracts in Appendixe= s, >>>> wile explaining data elements in the body of the document. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> 6. The vocabulary used in sections 3.1 and 3.2 is confusing and shoul= d be >>>>> changed. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> An example: =B3AuthContextInfo Element=B2 does not exist. However, it is >>>>> better to state that the contextInfo component >>>>> contains an XML structure which must conform to an XML schema. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> Sorry, I don't get this comment. The AuthContextInfo element does exis= t. It >>>> is defined in the schema. XML Schema defines syntax and structure but = not >>>> the semantics. Semantics are defined the section 3. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>> =20 >>>>> =20 >>>>> 7. The XML structure proposed to fit inside contextInfo is overly com= plex. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> AuthenticationInstant is mandatory, whereas it is not needed. >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> This information is always available from the SAML assertion and is >>>> considered fundamental, thus required. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>> =20 >>>>> AssertionRef is not needed. >>>>> =20 >>>>> ServiceID is not needed. >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> And hence, both are optional. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> The XML Schema is actually very simple. Its just the nature of XML Sch= emas >>>> to look more complex than they actually are. >>>> =20 >>>> Perhaps it is easier if you examine it through this following web doc >>>> (which unfortunately can't be included in the spec): >>>> =20 >>>> http://aaa-sec.com/eid2/sigsupport/XMLschema/AuthContExtDoc/index.html >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> 8. There are no matching rules defined. This means that the verificat= ion >>>>> of the content of that field is not possible. >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> First of all, this is not an identifier, thus there is no reason for a >>>> matching rule is it would be if this was an identifier that as a whole >>>> should be compared with something else. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> The SAML attribute value does not have to match the value of the cert >>>> attribute, this data in the extension is optional and, if present, is = a >>>> hint.=20 >>>> =20 >>>> But I could actually add some text to clarify this. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> 9. In section 3.2, I failed to understand the explanations for CertRe= f as >>>>> well as for rdn and san. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> Why CertNameType cannot be =B3factorized=B2 ? (in the example from Page = 15, >>>>> there are all the same). >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> No, the example in the spec has one e-mail attribute that was placed i= n the >>>> SubjAltName extension of the cert. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> "rdn" The SAML attribute value is placed in t= he >>>>> =20 >>>>> subject field of the certificate in a >>>>> =20 >>>>> present Relative Distinguished Name >>>>> =20 >>>>> attribute. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> "san" The SAML attribute value is placed in t= he >>>>> =20 >>>>> Subject Alternative Name extension of t= he >>>>> =20 >>>>> certificate. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> I also failed to understand the reason of such =B3mapping=B2. >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> Yes, and I think that is the reason behind most of your comments. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>>=20 >>>>> The example in Appendix C illustrates the complexity of the proposal= . >>>>> Can the approach be made simpler ? If not, why ? >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> No it can't be made simpler. It contains exactly the information we ne= ed in >>>> the implementation where it is used. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> I could write a whole whitepaper about all detailed reasons, but if yo= u >>>> really think about the use case, it should be clear. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> Consider the case where you know users by attributes defined in a SAML >>>> federation, where for example serialNumber is NOT used. >>>> =20 >>>> A CA issues a certificate to a user based an a SAML assertion >>>> authentication based on the attribute profile of that federation. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> A user logs in to your service using a SAML assertion, and sends you a >>>> signed document associated with the issued certificate. >>>> =20 >>>> You now need to determine whether that SAML assertion and the certific= ate >>>> represents the same user. >>>> =20 >>>> You also need to determine that the SAML assertion and the certificate >>>> provides compatible levels of assertion for user authentication as def= ined >>>> in your SAML federation. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> This extension gives you exactly the amount of data that is needed in = order >>>> to do this in an unambiguous fully automated process. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>> =20 >>>>> =20 >>>>> 10. In section 4, I failed to understand the =B3dynamic=B2 aspect. My >>>>> understanding is that a person statically >>>>> authenticates to a RA (Registration Authority) and then is given bac= k a >>>>> non-repudiation certificate >>>>> with SAML attributes in it which may then be used as identity attrib= utes. >>>>> I am unsure what the text in this section wants to say when using th= e >>>>> words =B3dynamic manner=B2. >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> Your view is to restrictive. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> The dynamic aspect of this is that a certificate may be issued on the = fly >>>> at the instance when it is needed, containing just the information tha= t is >>>> needed for one particular situation. >>>> =20 >>>> This extension is (where this is used in the Swedish national >>>> infrastructure) added to certificates that are issued for just one ins= tance >>>> of signing, and hence can be dynamically adapted to the needs of the >>>> intended relying party. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> Next time the user signs, a new key pair is generated with new certs t= hat >>>> may contain another set of the user's attributes. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> The first instance may for example contain the users private identity = based >>>> on a national identifier, the second may carry an organisational ident= ity >>>> based on employee number. >>>> =20 >>>> What attributes that are needed in every instance is determined in a >>>> service context that is outside the scope of this specification. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> In these certificates, both the national identifier and the employee n= umber >>>> may be placed as a serialNumber attribute in the subject field. >>>> =20 >>>> Despite that, this extension makes it possible for the relying party t= o >>>> know exactly what identity information each certificate carries, as it= maps >>>> to the attribute profile of a SAML federation. >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>> /Stefan >>>> =20 >>>>=20 >>>> =20 >>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>>>=20 >>>>>=20 >>>>> =20 >>>>> =20 >>>>> Denis >>>>> =20 >>>>> =20 >>>>> =20 >>>>> =20 >>>> =20 >>>> =20 >>>> =20 >>>> _______________________________________________ >>>> pkix mailing list >>>> pkix@ietf.orghttps://www.ietf.org/mailman/listinfo/pkix >>>> =20 >>> =20 >>> =20 >>> =20 >>> =20 >> =20 > =20 > =20 > _______________________________________________ pkix mailing list > pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix --B_3445421244_2998215 Content-type: text/html; charset="ISO-8859-1" Content-transfer-encoding: quoted-printable
Denis,

<= div>I took a look at this this morning with fresh eyes, and some of your que= stions triggered me to do further improvements on the Schema, explanations a= nd examples.

The latest draft is still available fr= om here:
http://aaa-sec.com/_temp/draft-santesson-auth-context-ext= ension-04.txt

Hopefully the new examples will give = you a better Idea on how this extension can be used and why this is not suit= able as an other name form.

I'm really grateful for= your review even if I don't do everything exactly as you suggested.

/Stefan



=

From: Denis Pinkas <denis.pinkas@bull.net>
Date: Tuesday, March 5, 2013 6:44 PM
To: Stefan Santesson <stefan@aaa-sec.com>
Cc: pkix <pkix@ietf.org&= gt;
Subject: Re: [pkix] Comments o= n draft-santesson-auth-context-extension-04

Stefan,

I read the new specification (dated March 4) and it does not solve my concerns.

The real goal is stated at the top of page 4:


 to verify that the signature was created by the same user that logged on

  to the service.

In your response below, you also say:

      "You n= ow need to determine whether that SAML assertion and the certificate represents the same user."

This is rather different from the goal stated on page 3:

   The primary purpose of this document is to provide a mechanism that

   allows an application to understand information that express the

   identity of a subject in a certificate that is stored either in a

=    subject field attribute, as a subject alternative name or in a

=    subject directory attribute.


If we draw an analogy with the way to construct a DN, we do not mention that the DN was created after
the presentation of a passport or an ID card, plus a way to justify the place of birth, a a way to justify
the place of living, an that the country name was extracted from the presentation of the passport, etc ...

So why should we do this in your context ?

We need to store information in the certificate directly derived from the SAML token, so that the application
which performed a SAML authentication can make sure that the certificate was delivered for the same person,
by making a comparison using some set of rules.

So there is a need to have matching rules for the content of the SAML token with the content of
the new extension (whatever it is). If we don't have such rules, then the goal at the top of page 4 cannot be met.

I do not see the added value to explain some translation process since it would be used for audit purposes only and
the CA MUST anyway maintain information about the issuance of the token. So in case of a problem, the
CA SHALL be able to answer and it is not needed to overload the content of the certificate with more information.

I still believe that OtherName is the right place to contains the parameters extracted from the SAML token,
that will be used for comparison.

Denis


PS. I wonder whether we should continue to have in mind to have this document issued as an RFC.
       It may well be a national Swedis= h standard.

=
Based on comments received today I have updated this draft, preliminary available at:

I have edited the Introduction section to clarify the scope of the document.

I have also added a new section (now 3.2) that explains the absence of attribute matching rules.
The section should also make clear how specific attribute data format conventions, such as the one expressed in ETSI TS 119 412-2, can co-exist with this extension.

/Stefan

From: "Moudrick M. Dadashov" <md@e-net.lt>
Date: Monday, March 4, 2013 11:26 AM
To: Stefan Santesson <st= efan@aaa-sec.com>
Cc: Denis Pinkas <denis.pinkas@bull.n= et>, pkix <pk= ix@ietf.org>
Subject: Re: [pkix] Comments on draft-santesson-auth-context-extension-04

On 3/4/2013 12:09 PM, Stefan Santesson wrote:
Denis,

First, thanks for your review. I really appreciate it.

It seems to me, especially with your leading concluding comment, that you have missed out on what this specification attempts to do.
Perhaps you did not read the introduction enough, or perhaps I didn't write it clear enough.

The purpose is not to associate the subject with a identifier composed of a set of attributes.
That is, this is NOT a new name form.

This extension helps a relying party to understand the source of the identity information that is placed in the traditional identity fields of a certificate.
For example. If the serialNumber attributes holds the string "123456", then this extension can tell you where this string came from.

How is this related to "semantics identifier" (ETSI TS 119 412-2) then?

M.D.
The use case addressed is where the CA/RA obtains the authenticated identify from a SAML assertion when issuing the certificate.
This extension provides means to preserve information about the original SAML attributes in the cert.


From: Denis Pinkas <denis.pinkas@bull.net>
Date: Monday, March 4, 2013 9:42 AM
To: Stefan Santesson <stefan@aaa-sec.com>, pkix <pkix@ietf.org>
Subject: Comments on draft-santesson-auth-context-extension-04

Stefan,


The goal of this document is to associate a public key to be used for verifying electronic signatures
with an identifier composed of a set of attributes, typically SAML attributes, contained in an authentication token.

 

No you got this wrong. This is not an Identifier.

 

MAJOR COMMENTS

 

1. The proposed draft is not aligned with the current practices of RFC 5280 and X.509:
the right place to hold such a set of attributes is in the subject alternate name.
The subject DN may or may not be empty.

 

There is no rational in this draft to explain why this straightforward approach has not been chosen.

 

   S= ubjectAltName ::=3D GeneralNames

 

   G= eneralNames ::=3D SEQUENCE SIZE (1..MAX) OF GeneralName<= /o:p>

 

   G= eneralName ::=3D CHOICE {

   &nb= sp;    otherName &= nbsp;            = ;         [0] =     OtherName,

   &nb= sp;    rfc822Name =             &nbs= p;        [1] =     IA5String,

   &nb= sp;    dNSName &nb= sp;            &= nbsp;          [2] =     IA5String,

   &nb= sp;    x400Address = ;            &nb= sp;       [3] =     ORAddress,

   &nb= sp;    directoryName&nb= sp;            &= nbsp;     [4] =     Name,

   &nb= sp;    ediPartyName&nbs= p;            &n= bsp;      [5] =     EDIPartyName,

   &nb= sp;    uniformResourceIdentifier       [6]     IA5String,

   &nb= sp;    iPAddress &= nbsp;            = ;         [7] =     OCTET STRING,

   &nb= sp;    registeredID&nbs= p;            &n= bsp;      [8] =     OBJECT IDENTIFIER }

 

   O= therName ::=3D SEQUENCE {

   &nb= sp;    type-id &nb= sp;  OBJECT IDENTIFIER,

   &nb= sp;    value  = ;    [0] EXPLICIT ANY DEFINED BY type-id }

 

OtherName fits well with the requirements, if you accept to use an OID rather than
a uniformResourceIdentifier.<= /p>

 

The value component would contain an XML structure conformant with a XML schema.

 

This draft does not contain an identifier, thus this comment is irrelevant.
There is not explanation why we don't store an identifier as a SAN, since we do not create or store an identifier.

 

2. The document should be restructured to define:

(a) the general way to answer to the requirements, and
(b) a specific profile, in an Appendix, so that other RFCs could refer to the main body of the document.

 

That could be one way to do it.

 

DETAILED COMMENTS

 

3. The proposed structure is not appropriate.

 

a) Why is there a need to have a SEQUENCE ? This should be avoided.

b) Why is contextInfo OPTIONAL? This should be avoided.

 

   &nb= sp;  AuthenticationContexts ::=3D SEQUENCE SIZE (1..MAX) OF=

   &nb= sp;            &= nbsp;            = ;    AuthenticationContext<= /p>

 

   &nb= sp;  AuthenticationContext ::=3D SEQUENCE {

   &nb= sp;      contextType     UTF8String,

   &nb= sp;      contextInfo     UTF8String OPTIONAL

   &nb= sp;  }

For exactly the same reason why SAML AuthContextClassRef in a SAML assertion is mandatory but not the XML structure it defines.
In some cases you don't want to include explicit data, if that data is static and can be implicitly known through an identifier.

The AuthContextClassRef in SAML is the best examp= le as it is an exact functional replica of this.
The URL identified by AuthContextClassRef is also= a XML Schema ns for associated XML document.

The XML Schema can define both a static XML document with fixed values as well as a structure where different values can be entered.

Just including the reference to the XML Schema may then provide sufficient information to the relying party. The actual XML document is only included if some variable data need to be communicated within the associated XML document.

Just including contextType but not contextInfo could be compared with the case where we include a certificate policy OID, but not the entire policy text.

This is a really smart way to do this, which is made possible through the versatility of XML Schemas.


 

 

4. The text states:    This extension MAY be marked critical.

 

If the alternate name is present, why should there be a DN ?

This comment must be based on a misunderstanding of the scope of this document.

 

 

5. The XML schema should be given first (Appendix B) followed by the explanations (sections 3.1 and 3.2).
In other words, sections 3.1 and 3.2 should be placed in Appendix B.

That is one way to do it. If I was the implementer, I really wouldn't care as long as the information is there.
I think it is quite common to place programatic contracts in Appendixes, wile explaining data elements in the body of the document.

 

 

6. The vocabulary used in sections 3.1 and 3.2 is confusing and should be changed.<= /span>

 

An example: “AuthContextInfo Element” = does not exist. However, it is better to state that the contextInfo component
contains an XML structure which must conform to an XML schema.

 

Sorry, I don't get this comment. The AuthContextInfo element does exist. It is defined in the schema. XML Schema defines syntax and structure but not the semantics. Semantics are defined the section 3.

 

7. The XML structure proposed to fit inside contextInfo is overly complex.

 

AuthenticationInstant is mandatory, whereas it is not needed.<= /p>


This information is always available from the SAML assertion and is considered fundamental, thus required.

AssertionRef is not needed.

ServiceID is not needed.

And hence, both are optional.

The XML Schema is actually very simple. Its just the nature of XML Schemas to look more complex than they actually are.
Perhaps it is easier if you examine it through this following web doc (which unfortunately can't be included in the spec):


 

 

8. There are no matching rules defined. This means that the verification of the content of that field is not possible.

First of all, this is not an identifier, thus there is no reason for a matching rule is it would be if this was an identifier that as a whole should be compared with something else.

The SAML attribute value does not have to match the value of the cert attribute, this data in the extension is optional and, if present, is a hint. 
But I could actually add some text to clarify this.

 

 

9. In section 3.2, I failed to understand the explanations for CertRef as well as for rdn and san.

 

Why CertNameType cannot be “factorized”= ? (in the example from Page 15, there are all the same).

No, the example in the spec has one e-mail attribute that was placed in the SubjAltName extension of the cert.

 

   &nb= sp;            &= nbsp;     "rdn"&nbs= p;  The SAML attribute value is placed in the

   &nb= sp;            &= nbsp;            = ; subject field of the certificate in a

   &nb= sp;            &= nbsp;            = ; present Relative Distinguished Name=

   &nb= sp;            &= nbsp;            = ; attribute.

 

   &nb= sp;            &= nbsp;     "san"&nbs= p;  The SAML attribute value is placed in the

   &nb= sp;            &= nbsp;            = ; Subject Alternative Name extension of the

   &nb= sp;            &= nbsp;            = ; certificate.

 

I also failed to understand the reason of such “mapping”.


Yes, and I think that is the reason behind most of your comments.


The example in Appendix C illustrates the complexity of the proposal.
Can the approach be made simpler ? If not, why ?

 

No it can't be made simpler. It contains exactly the information we need in the implementation where it is used.

I could write a whole whitepaper about all detailed reasons, but if you really think about the use case, it should be clear.

Consider the case where you know users by attributes defined in a SAML federation, where for example serialNumber is NOT used.
A CA issues a certificate to a user based an a SAML assertion authentication based on the attribute profile of that federation.

A user logs in to your service using a SAML assertion, and sends you a signed document associated with the issued certificate.
You now need to determine whether that SAML assertion and the certificate represents the same user.
You also need to determine that the SAML assertion and the certificate provides compatible levels of assertion for user authentication as defined in your SAML federation.

This extension gives you exactly the amount of data that is needed in order to do this in an unambiguous fully automated process.

 

10. In section 4, I failed to understand the “dynamic” aspect. My understanding = is that a person statically
authenticates to a RA (Registration Authority) and then is given back a non-repudiation certificate
with SAML attributes in it which may then be used as identity attributes.
I am unsure what the text in this section wants to say when using the words “dynami= c manner”.


Your view is to restrictive.

The dynamic aspect of this is that a certificate may be issued on the fly at the instance when it is needed, containing just the information that is needed for one particular situation.
This extension is (where this is used in the Swedish national infrastructure) added to certificates that are issued for just one instance of signing, and hence can be dynamically adapted to the needs of the intended relying party.

Next time the user signs, a new key pair is generated with new certs that may contain another set of the user's attributes.

The first instance may for example contain the users private identity based on a national identifier, the second may carry an organisational identity based on employee number.
What attributes that are needed in every instance is determined in a service context that is outside the scope of this specification.

In these certificates, both the national identifier and the employee number may be placed as a serialNumber attribute in the subject field.
Despite that, this extension makes it possible for the relying party to know exactly what identity information each certificate carries, as it maps to the attribute profile of a SAML federation.

/Stefan


Denis

 

______________________________________________=
_
pkix mailing list
pkix@ietf.orghttps://www.ietf.=
org/mailman/listinfo/pkix

_______________________________________________ pkix mailing list pkix@ietf.org https://www.ietf.org/m= ailman/listinfo/pkix --B_3445421244_2998215-- From pritikin@cisco.com Thu Mar 7 17:58:02 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08C3E21F8767 for ; Thu, 7 Mar 2013 17:58:01 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.599 X-Spam-Level: X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0VJcV8cC6LgK for ; Thu, 7 Mar 2013 17:58:01 -0800 (PST) Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) by ietfa.amsl.com (Postfix) with ESMTP id 3278721F8765 for ; Thu, 7 Mar 2013 17:58:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=603; q=dns/txt; s=iport; t=1362707881; x=1363917481; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=Xzh8jCpYIEhiD56wASvH3wG6/wSKqtikNQ7O6BjqcYI=; b=Mv7gBWhngwi5mE2djLBkkeNNWgu7/BPJt3F1WW4e1+jVLFMOml0wFoiQ TZHj+U7u5Ix1HsA+zaWF/DQD6bXlEHeyVZ8Ds8+h0C0QMp3LqdZ8DEYBc gvfauk72ZkCMp2TKnLx7iaOHfODgp+A80JF2wlpKMZHalZMl5Il46Saky 8=; X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AhIFAEFFOVGtJV2Z/2dsb2JhbABEh1+8cYFfFnSCLAEBAQMBAQEBNzQLBQsCAQgiFBAnCyUCBA4FCAGIBAYMu1WOWQIxB4JfYQOnPIMJgic X-IronPort-AV: E=Sophos;i="4.84,806,1355097600"; d="scan'208";a="182122304" Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by rcdn-iport-9.cisco.com with ESMTP; 08 Mar 2013 01:58:00 +0000 Received: from xhc-rcd-x03.cisco.com (xhc-rcd-x03.cisco.com [173.37.183.77]) by rcdn-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id r281w03u021285 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 8 Mar 2013 01:58:00 GMT Received: from xmb-rcd-x03.cisco.com ([169.254.7.17]) by xhc-rcd-x03.cisco.com ([173.37.183.77]) with mapi id 14.02.0318.004; Thu, 7 Mar 2013 19:58:00 -0600 From: "Max Pritikin (pritikin)" To: Stefan Santesson Thread-Topic: [pkix] Agenda posted Thread-Index: AQHOFp2xC4hQ9GUpp0mWuoKXWTwlBJibeBkA Date: Fri, 8 Mar 2013 01:58:00 +0000 Message-ID: <53EA47528D6ACF4486AA152F92C2B698CFFE38@xmb-rcd-x03.cisco.com> References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.21.1.11] Content-Type: text/plain; charset="us-ascii" Content-ID: <8DD7F2E90D2B2448A25EE02BA94CE3D2@cisco.com> Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Cc: pkix Subject: Re: [pkix] Agenda posted X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Mar 2013 01:58:02 -0000 On Mar 1, 2013, at 9:56 AM, Stefan Santesson wrote: > An agenda for the PKIX meeting in Orlando has been posted. >=20 > http://www.ietf.org/proceedings/86/agenda/agenda-86-pkix >=20 > I have not yet got confirmation from the est editors but assume some of t= he authors will provide an update presentation. My apologies - I thought we'd responded.=20 Yes, we will provide an update presentation, - max >=20 > /Stefan >=20 > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix From denis.pinkas@bull.net Fri Mar 8 00:44:35 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7484D21F8609 for ; Fri, 8 Mar 2013 00:44:35 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.889 X-Spam-Level: X-Spam-Status: No, score=-4.889 tagged_above=-999 required=5 tests=[AWL=-0.453, BAYES_00=-2.599, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, SARE_SPEC_REPLICA_OBFU=1.812] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wgCy4doFrRJM for ; Fri, 8 Mar 2013 00:44:28 -0800 (PST) Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by ietfa.amsl.com (Postfix) with ESMTP id 590F521F8545 for ; Fri, 8 Mar 2013 00:44:27 -0800 (PST) Received: from MSGC-007.bull.fr (unknown [129.184.87.136]) by odin2.bull.net (Bull S.A.) with ESMTP id 2FF571D131; Fri, 8 Mar 2013 09:44:26 +0100 (CET) Received: from [127.0.0.1] ([129.184.39.15]) by MSGC-007.bull.fr (Lotus Domino Release 8.5.3FP1) with ESMTP id 2013030809442495-10897 ; Fri, 8 Mar 2013 09:44:24 +0100 Message-ID: <5139A4E4.2010107@bull.net> Date: Fri, 08 Mar 2013 09:44:20 +0100 From: Denis Pinkas User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130215 Thunderbird/17.0.3 MIME-Version: 1.0 To: Stefan Santesson References: In-Reply-To: X-MIMETrack: Itemize by SMTP Server on MSGC-007/SRV/BULL(Release 8.5.3FP1|March 07, 2012) at 08/03/2013 09:44:26, Serialize by Router on MSGC-007/SRV/BULL(Release 8.5.3FP1|March 07, 2012) at 08/03/2013 09:44:26, Serialize complete at 08/03/2013 09:44:26 Content-Type: multipart/alternative; boundary="------------000006000108030300060303" Cc: pkix Subject: Re: [pkix] Comments on draft-santesson-auth-context-extension-04 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Mar 2013 08:44:35 -0000 This is a multi-part message in MIME format. --------------000006000108030300060303 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=ISO-8859-1; format=flowed Stefan, I wonder whether your had "fresh eyes", because you moved one step forwards and then you moved three steps backwards: Section3.2 "Attribute matching" has now disappeared. The major disagreements remain: I disagree with the scope and the new draft does not solve my concerns. Allowing to have SAML attributes in a PKC would be a very good thing. However, the relying party DOES NOT care how these SAML attributes have been translated into a subject DN. It is the responsibility of the CA. Thus, if the scope only remains to know how the correspondence was made between the SAML attributes and the subject DN, I don't believe that this document will be useful for the Internet community and thus I am still unconvinced that this document should progress as an Internet Draft. If the scope is changed to allow to include SAML attributes as another name form in a PKC, then this is an important issue which deserves an Internet Draft. Denis > Denis, > > I took a look at this this morning with fresh eyes, and some of your > questions triggered me to do further improvements on the Schema, > explanations and examples. > > The latest draft is still available from here: > http://aaa-sec.com/_temp/draft-santesson-auth-context-extension-04.txt > > Hopefully the new examples will give you a better Idea on how this > extension can be used and why this is not suitable as an other name form. > > I'm really grateful for your review even if I don't do everything > exactly as you suggested. > > /Stefan > > > > > From: Denis Pinkas > > Date: Tuesday, March 5, 2013 6:44 PM > To: Stefan Santesson > > Cc: pkix > > Subject: Re: [pkix] Comments on draft-santesson-auth-context-extension-04 > > Stefan, > > I read the new specification (dated March 4) and it does not solve > my concerns. > ** > The real goal is stated at the top of page 4: > > > *to verify that the signature was created by the same user that > logged on * > > *to the service*. > > In your response below, you also say: > > "You now need to determine whether that SAML assertion and > the certificate represents the same user." > > This is rather different from the goal stated on page 3: > > The primary purpose of this document is to provide a mechanism that > > allows an application to understand information that express the > > identity of a *subject in a certificate that is stored either in a* > > *subject field attribute, as a subject alternative name or in a* > > *subject directory attribute.* > > > If we draw an analogy with the way to construct a DN, we do not > mention that the DN was created after > the presentation of a passport or an ID card, plus a way to > justify the place of birth, a a way to justify > the place of living, an that the country name was extracted from > the presentation of the passport, etc ... > > So why should we do this in your context ? > > We need to store information in the certificate directly derived > from the SAML token, so that the application > which performed a SAML authentication can make sure that the > certificate was delivered for the same person, > by *making a comparison using some set of rules.** > * > So *t**here is a need to have matching rules* for the content of > the SAML token with the content of > the new extension (whatever it is). If we don't have such rules, > then the goal at the top of page 4 cannot be met. > > I do not see the added value to explain some translation process > since it would be used for audit purposes only and > the CA MUST anyway maintain information about the issuance of the > token. So in case of a problem, the > CA SHALL be able to answer and it is not needed to overload the > content of the certificate with more information. > > I still believe that OtherName is the right place to contains the > parameters extracted from the SAML token, > that will be used for comparison. > > Denis > > > PS. I wonder whether we should continue to have in mind to have > this document issued as an RFC. > It may well be a national Swedish standard. > >> Based on comments received today I have updated this draft, >> preliminary available at: >> http://aaa-sec.com/_temp/draft-santesson-auth-context-extension-04.txt >> >> I have edited the Introduction section to clarify the scope of >> the document. >> >> I have also added a new section (now 3.2) that explains the >> absence of attribute matching rules. >> The section should also make clear how specific attribute data >> format conventions, such as the one expressed in ETSI TS 119 >> 412-2, can co-exist with this extension. >> >> /Stefan >> >> From: "Moudrick M. Dadashov" > >> Date: Monday, March 4, 2013 11:26 AM >> To: Stefan Santesson > >> Cc: Denis Pinkas > >, pkix > > >> Subject: Re: [pkix] Comments on >> draft-santesson-auth-context-extension-04 >> >> On 3/4/2013 12:09 PM, Stefan Santesson wrote: >>> Denis, >>> >>> First, thanks for your review. I really appreciate it. >>> >>> It seems to me, especially with your leading concluding >>> comment, that you have missed out on what this specification >>> attempts to do. >>> Perhaps you did not read the introduction enough, or perhaps >>> I didn't write it clear enough. >>> >>> The purpose is not to associate the subject with a >>> identifier composed of a set of attributes. >>> That is, this is NOT a new name form. >>> >>> This extension helps a relying party to understand the >>> source of the identity information that is placed in the >>> traditional identity fields of a certificate. >>> For example. If the serialNumber attributes holds the string >>> "123456", then this extension can tell you where this string >>> came from. >>> >> How is this related to "semantics identifier" (ETSI TS 119 >> 412-2) then? >> >> M.D. >>> The use case addressed is where the CA/RA obtains the >>> authenticated identify from a SAML assertion when issuing >>> the certificate. >>> This extension provides means to preserve information about >>> the original SAML attributes in the cert. >>> >>> >>> From: Denis Pinkas >> > >>> Date: Monday, March 4, 2013 9:42 AM >>> To: Stefan Santesson >> >, pkix >> > >>> Subject: Comments on draft-santesson-auth-context-extension-04 >>> >>> Stefan, >>> >>> >>> The goal of this document is to associate a public key >>> to be used for verifying electronic signatures >>> with an identifier composed of a set of attributes, >>> typically SAML attributes, contained in an >>> authentication token. >>> >>> >>> No you got this wrong. This is not an Identifier. >>> >>> MAJOR COMMENTS >>> >>> 1.The proposed draft is not aligned with the current >>> practices of RFC 5280 and X.509: >>> the right place to hold such a set of attributes is in >>> the subject alternate name. >>> The subject DN may or may not be empty. >>> >>> There is no rational in this draft to explain why this >>> straightforward approach has not been chosen. >>> >>> SubjectAltName ::= GeneralNames >>> >>> GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName >>> >>> GeneralName ::= CHOICE { >>> >>> otherName[0]OtherName, >>> >>> rfc822Name[1]IA5String, >>> >>> dNSName[2]IA5String, >>> >>> x400Address[3]ORAddress, >>> >>> directoryName[4]Name, >>> >>> ediPartyName[5]EDIPartyName, >>> >>> uniformResourceIdentifier[6]IA5String, >>> >>> iPAddress[7]OCTET STRING, >>> >>> registeredID[8]OBJECT IDENTIFIER } >>> >>> OtherName ::= SEQUENCE { >>> >>> type-idOBJECT IDENTIFIER, >>> >>> value[0] EXPLICIT ANY DEFINED BY type-id } >>> >>> OtherName fits well with the requirements, if you accept >>> to use an OID rather than >>> a uniformResourceIdentifier. >>> >>> The value component would contain an XML structure >>> conformant with a XML schema. >>> >>> >>> This draft does not contain an identifier, thus this comment >>> is irrelevant. >>> There is not explanation why we don't store an identifier as >>> a SAN, since we do not create or store an identifier. >>> >>> 2.The document should be restructured to define: >>> >>> (a) the general way to answer to the requirements, and >>> (b) a specific profile, in an Appendix, so that other >>> RFCs could refer to the main body of the document. >>> >>> >>> That could be one way to do it. >>> >>> DETAILED COMMENTS >>> >>> 3.The proposed structure is not appropriate. >>> >>> a) Why is there a need to have a SEQUENCE ? This should >>> be avoided. >>> >>> b) Why is contextInfo OPTIONAL? This should be avoided. >>> >>> AuthenticationContexts ::= SEQUENCE SIZE (1..MAX) OF >>> >>> AuthenticationContext >>> >>> AuthenticationContext ::= SEQUENCE { >>> >>> contextTypeUTF8String, >>> >>> contextInfoUTF8String OPTIONAL >>> >>> } >>> >>> >>> For exactly the same reason why SAML AuthContextClassRef in >>> a SAML assertion is mandatory but not the XML structure it >>> defines. >>> In some cases you don't want to include explicit data, if >>> that data is static and can be implicitly known through an >>> identifier. >>> >>> The AuthContextClassRef in SAML is the best example as it is >>> an exact functional replica of this. >>> The URL identified by AuthContextClassRef is also a XML >>> Schema ns for associated XML document. >>> >>> The XML Schema can define both a static XML document with >>> fixed values as well as a structure where different values >>> can be entered. >>> >>> Just including the reference to the XML Schema may then >>> provide sufficient information to the relying party. The >>> actual XML document is only included if some variable data >>> need to be communicated within the associated XML document. >>> >>> Just including contextType but not contextInfo could be >>> compared with the case where we include a certificate policy >>> OID, but not the entire policy text. >>> >>> This is a really smart way to do this, which is made >>> possible through the versatility of XML Schemas. >>> >>> >>> 4.The text states: This extension MAY be marked critical. >>> >>> If the alternate name is present, why should there be a DN ? >>> >>> >>> This comment must be based on a misunderstanding of the >>> scope of this document. >>> >>> 5.The XML schema should be given first (Appendix B) >>> followed by the explanations (sections 3.1 and 3.2). >>> In other words, sections 3.1 and 3.2 should be placed in >>> Appendix B. >>> >>> >>> That is one way to do it. If I was the implementer, I really >>> wouldn't care as long as the information is there. >>> I think it is quite common to place programatic contracts in >>> Appendixes, wile explaining data elements in the body of the >>> document. >>> >>> 6.The vocabulary used in sections 3.1 and 3.2 is >>> confusing and should be changed. >>> >>> An example: "AuthContextInfo Element" does not exist. >>> However, it is better to state that the contextInfo >>> component >>> contains an XML structure which must conform to an XML >>> schema. >>> >>> >>> Sorry, I don't get this comment. The AuthContextInfo element >>> does exist. It is defined in the schema. XML Schema defines >>> syntax and structure but not the semantics. Semantics are >>> defined the section 3. >>> >>> 7.The XML structure proposed to fit inside contextInfo >>> is overly complex. >>> >>> AuthenticationInstant is mandatory, whereas it is not >>> needed. >>> >>> >>> This information is always available from the SAML assertion >>> and is considered fundamental, thus required. >>> >>> AssertionRef is not needed. >>> >>> ServiceID is not needed. >>> >>> >>> And hence, both are optional. >>> >>> The XML Schema is actually very simple. Its just the nature >>> of XML Schemas to look more complex than they actually are. >>> Perhaps it is easier if you examine it through this >>> following web doc (which unfortunately can't be included in >>> the spec): >>> http://aaa-sec.com/eid2/sigsupport/XMLschema/AuthContExtDoc/index.html >>> >>> >>> 8.There are no matching rules defined. This means that >>> the verification of the content of that field is not >>> possible. >>> >>> >>> First of all, this is not an identifier, thus there is no >>> reason for a matching rule is it would be if this was an >>> identifier that as a whole should be compared with something >>> else. >>> >>> The SAML attribute value does not have to match the value of >>> the cert attribute, this data in the extension is optional >>> and, if present, is a hint. >>> But I could actually add some text to clarify this. >>> >>> 9.In section 3.2, I failed to understand the >>> explanations for CertRef as well as for rdn and san. >>> >>> Why CertNameType cannot be "factorized" ? (in the >>> example from Page 15, there are all the same). >>> >>> >>> No, the example in the spec has one e-mail attribute that >>> was placed in the SubjAltName extension of the cert. >>> >>> "rdn"The SAML attribute value is placed in the >>> >>> subject field of the certificate in a >>> >>> present Relative Distinguished Name >>> >>> attribute. >>> >>> "san"The SAML attribute value is placed in the >>> >>> Subject Alternative Name extension of the >>> >>> certificate. >>> >>> I also failed to understand the reason of such "mapping". >>> >>> >>> Yes, and I think that is the reason behind most of your >>> comments. >>> >>> >>> The example in Appendix C illustrates the complexity of >>> the proposal. >>> Can the approach be made simpler ? If not, why ? >>> >>> >>> No it can't be made simpler. It contains exactly the >>> information we need in the implementation where it is used. >>> >>> I could write a whole whitepaper about all detailed reasons, >>> but if you really think about the use case, it should be clear. >>> >>> Consider the case where you know users by attributes defined >>> in a SAML federation, where for example serialNumber is NOT >>> used. >>> A CA issues a certificate to a user based an a SAML >>> assertion authentication based on the attribute profile of >>> that federation. >>> >>> A user logs in to your service using a SAML assertion, and >>> sends you a signed document associated with the issued >>> certificate. >>> You now need to determine whether that SAML assertion and >>> the certificate represents the same user. >>> You also need to determine that the SAML assertion and the >>> certificate provides compatible levels of assertion for user >>> authentication as defined in your SAML federation. >>> >>> This extension gives you exactly the amount of data that is >>> needed in order to do this in an unambiguous fully automated >>> process. >>> >>> 10.In section 4, I failed to understand the "dynamic" >>> aspect. My understanding is that a person statically >>> authenticates to a RA (Registration Authority) and then >>> is given back a non-repudiation certificate >>> with SAML attributes in it which may then be used as >>> identity attributes. >>> I am unsure what the text in this section wants to say >>> when using the words "dynamic manner". >>> >>> >>> >>> Your view is to restrictive. >>> >>> The dynamic aspect of this is that a certificate may be >>> issued on the fly at the instance when it is needed, >>> containing just the information that is needed for one >>> particular situation. >>> This extension is (where this is used in the Swedish >>> national infrastructure) added to certificates that are >>> issued for just one instance of signing, and hence can be >>> dynamically adapted to the needs of the intended relying party. >>> >>> Next time the user signs, a new key pair is generated with >>> new certs that may contain another set of the user's attributes. >>> >>> The first instance may for example contain the users private >>> identity based on a national identifier, the second may >>> carry an organisational identity based on employee number. >>> What attributes that are needed in every instance is >>> determined in a service context that is outside the scope of >>> this specification. >>> >>> In these certificates, both the national identifier and the >>> employee number may be placed as a serialNumber attribute in >>> the subject field. >>> Despite that, this extension makes it possible for the >>> relying party to know exactly what identity information each >>> certificate carries, as it maps to the attribute profile of >>> a SAML federation. >>> >>> /Stefan >>> >>> >>> Denis >>> >>> >>> >>> _______________________________________________ >>> pkix mailing list >>> pkix@ietf.orghttps://www.ietf.org/mailman/listinfo/pkix >> > > _______________________________________________ pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix > --------------000006000108030300060303 Content-Transfer-Encoding: 7bit Content-Type: text/html; charset=ISO-8859-1
Stefan,

 I wonder whether your had "fresh eyes", because you moved one step forwards and then you moved three steps backwards:
Section 3.2 "Attribute matching" has now disappeared.

The major disagreements remain: I disagree with the scope and the new draft does not solve my concerns.

Allowing to have SAML attributes in a PKC would be a very good thing. However, the relying party DOES NOT care
how these SAML attributes have been translated into a subject DN. It is the responsibility of the CA.

Thus, if the scope only remains to know how the correspondence was made between  the SAML attributes and
the subject DN, I don't believe that this document will be useful for the Internet community and thus I am still unconvinced
that this document should progress as an Internet Draft.

If the scope is changed to allow to include SAML attributes as another name form in a PKC, then this is
an important issue which deserves an Internet Draft.

Denis

Denis,

I took a look at this this morning with fresh eyes, and some of your questions triggered me to do further improvements on the Schema, explanations and examples.

The latest draft is still available from here:

Hopefully the new examples will give you a better Idea on how this extension can be used and why this is not suitable as an other name form.

I'm really grateful for your review even if I don't do everything exactly as you suggested.

/Stefan




From: Denis Pinkas <denis.pinkas@bull.net>
Date: Tuesday, March 5, 2013 6:44 PM
To: Stefan Santesson <stefan@aaa-sec.com>
Cc: pkix <pkix@ietf.org>
Subject: Re: [pkix] Comments on draft-santesson-auth-context-extension-04

Stefan,

I read the new specification (dated March 4) and it does not solve my concerns.

The real goal is stated at the top of page 4:


 to verify that the signature was created by the same user that logged on

  to the service.

In your response below, you also say:

      "You now need to determine whether that SAML assertion and the certificate represents the same user."

This is rather different from the goal stated on page 3:

   The primary purpose of this document is to provide a mechanism that

   allows an application to understand information that express the

   identity of a subject in a certificate that is stored either in a

   subject field attribute, as a subject alternative name or in a

   subject directory attribute.


If we draw an analogy with the way to construct a DN, we do not mention that the DN was created after
the presentation of a passport or an ID card, plus a way to justify the place of birth, a a way to justify
the place of living, an that the country name was extracted from the presentation of the passport, etc ...

So why should we do this in your context ?

We need to store information in the certificate directly derived from the SAML token, so that the application
which performed a SAML authentication can make sure that the certificate was delivered for the same person,
by making a comparison using some set of rules.

So there is a need to have matching rules for the content of the SAML token with the content of
the new extension (whatever it is). If we don't have such rules, then the goal at the top of page 4 cannot be met.

I do not see the added value to explain some translation process since it would be used for audit purposes only and
the CA MUST anyway maintain information about the issuance of the token. So in case of a problem, the
CA SHALL be able to answer and it is not needed to overload the content of the certificate with more information.

I still believe that OtherName is the right place to contains the parameters extracted from the SAML token,
that will be used for comparison.

Denis


PS. I wonder whether we should continue to have in mind to have this document issued as an RFC.
       It may well be a national Swedish standard.

Based on comments received today I have updated this draft, preliminary available at:

I have edited the Introduction section to clarify the scope of the document.

I have also added a new section (now 3.2) that explains the absence of attribute matching rules.
The section should also make clear how specific attribute data format conventions, such as the one expressed in ETSI TS 119 412-2, can co-exist with this extension.

/Stefan

From: "Moudrick M. Dadashov" <md@e-net.lt>
Date: Monday, March 4, 2013 11:26 AM
To: Stefan Santesson <stefan@aaa-sec.com>
Cc: Denis Pinkas <denis.pinkas@bull.net>, pkix <pkix@ietf.org>
Subject: Re: [pkix] Comments on draft-santesson-auth-context-extension-04

On 3/4/2013 12:09 PM, Stefan Santesson wrote:
Denis,

First, thanks for your review. I really appreciate it.

It seems to me, especially with your leading concluding comment, that you have missed out on what this specification attempts to do.
Perhaps you did not read the introduction enough, or perhaps I didn't write it clear enough.

The purpose is not to associate the subject with a identifier composed of a set of attributes.
That is, this is NOT a new name form.

This extension helps a relying party to understand the source of the identity information that is placed in the traditional identity fields of a certificate.
For example. If the serialNumber attributes holds the string "123456", then this extension can tell you where this string came from.

How is this related to "semantics identifier" (ETSI TS 119 412-2) then?

M.D.
The use case addressed is where the CA/RA obtains the authenticated identify from a SAML assertion when issuing the certificate.
This extension provides means to preserve information about the original SAML attributes in the cert.


From: Denis Pinkas <denis.pinkas@bull.net>
Date: Monday, March 4, 2013 9:42 AM
To: Stefan Santesson <stefan@aaa-sec.com>, pkix <pkix@ietf.org>
Subject: Comments on draft-santesson-auth-context-extension-04

Stefan,


The goal of this document is to associate a public key to be used for verifying electronic signatures
with an identifier composed of a set of attributes, typically SAML attributes, contained in an authentication token.

 

No you got this wrong. This is not an Identifier.

 

MAJOR COMMENTS

 

1. The proposed draft is not aligned with the current practices of RFC 5280 and X.509:
the right place to hold such a set of attributes is in the subject alternate name.
The subject DN may or may not be empty.

 

There is no rational in this draft to explain why this straightforward approach has not been chosen.

 

   SubjectAltName ::= GeneralNames

 

   GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

 

   GeneralName ::= CHOICE {

        otherName                       [0]     OtherName,

        rfc822Name                      [1]     IA5String,

        dNSName                         [2]     IA5String,

        x400Address                     [3]     ORAddress,

        directoryName                   [4]     Name,

        ediPartyName                    [5]     EDIPartyName,

        uniformResourceIdentifier       [6]     IA5String,

        iPAddress                       [7]     OCTET STRING,

        registeredID                    [8]     OBJECT IDENTIFIER }

 

   OtherName ::= SEQUENCE {

        type-id    OBJECT IDENTIFIER,

        value      [0] EXPLICIT ANY DEFINED BY type-id }

 

OtherName fits well with the requirements, if you accept to use an OID rather than
a uniformResourceIdentifier.

 

The value component would contain an XML structure conformant with a XML schema.

 

This draft does not contain an identifier, thus this comment is irrelevant.
There is not explanation why we don't store an identifier as a SAN, since we do not create or store an identifier.

 

2. The document should be restructured to define:

(a) the general way to answer to the requirements, and
(b) a specific profile, in an Appendix, so that other RFCs could refer to the main body of the document.

 

That could be one way to do it.

 

DETAILED COMMENTS

 

3. The proposed structure is not appropriate.

 

a) Why is there a need to have a SEQUENCE ? This should be avoided.

b) Why is contextInfo OPTIONAL? This should be avoided.

 

      AuthenticationContexts ::= SEQUENCE SIZE (1..MAX) OF

                                 AuthenticationContext

 

      AuthenticationContext ::= SEQUENCE {

          contextType     UTF8String,

          contextInfo     UTF8String OPTIONAL

      }

For exactly the same reason why SAML AuthContextClassRef in a SAML assertion is mandatory but not the XML structure it defines.
In some cases you don't want to include explicit data, if that data is static and can be implicitly known through an identifier.

The AuthContextClassRef in SAML is the best example as it is an exact functional replica of this.
The URL identified by AuthContextClassRef is also a XML Schema ns for associated XML document.

The XML Schema can define both a static XML document with fixed values as well as a structure where different values can be entered.

Just including the reference to the XML Schema may then provide sufficient information to the relying party. The actual XML document is only included if some variable data need to be communicated within the associated XML document.

Just including contextType but not contextInfo could be compared with the case where we include a certificate policy OID, but not the entire policy text.

This is a really smart way to do this, which is made possible through the versatility of XML Schemas.


 

 

4. The text states:    This extension MAY be marked critical.

 

If the alternate name is present, why should there be a DN ?

This comment must be based on a misunderstanding of the scope of this document.

 

 

5. The XML schema should be given first (Appendix B) followed by the explanations (sections 3.1 and 3.2).
In other words, sections 3.1 and 3.2 should be placed in Appendix B.

That is one way to do it. If I was the implementer, I really wouldn't care as long as the information is there.
I think it is quite common to place programatic contracts in Appendixes, wile explaining data elements in the body of the document.

 

 

6. The vocabulary used in sections 3.1 and 3.2 is confusing and should be changed.

 

An example: “AuthContextInfo Element” does not exist. However, it is better to state that the contextInfo component
contains an XML structure which must conform to an XML schema.

 

Sorry, I don't get this comment. The AuthContextInfo element does exist. It is defined in the schema. XML Schema defines syntax and structure but not the semantics. Semantics are defined the section 3.

 

7. The XML structure proposed to fit inside contextInfo is overly complex.

 

AuthenticationInstant is mandatory, whereas it is not needed.

This information is always available from the SAML assertion and is considered fundamental, thus required.

AssertionRef is not needed.

ServiceID is not needed.

And hence, both are optional.

The XML Schema is actually very simple. Its just the nature of XML Schemas to look more complex than they actually are.
Perhaps it is easier if you examine it through this following web doc (which unfortunately can't be included in the spec):


 

 

8. There are no matching rules defined. This means that the verification of the content of that field is not possible.

First of all, this is not an identifier, thus there is no reason for a matching rule is it would be if this was an identifier that as a whole should be compared with something else.

The SAML attribute value does not have to match the value of the cert attribute, this data in the extension is optional and, if present, is a hint. 
But I could actually add some text to clarify this.

 

 

9. In section 3.2, I failed to understand the explanations for CertRef as well as for rdn and san.

 

Why CertNameType cannot be “factorized” ? (in the example from Page 15, there are all the same).

No, the example in the spec has one e-mail attribute that was placed in the SubjAltName extension of the cert.

 

                      "rdn"   The SAML attribute value is placed in the

                              subject field of the certificate in a

                              present Relative Distinguished Name

                              attribute.

 

                      "san"   The SAML attribute value is placed in the

                              Subject Alternative Name extension of the

                              certificate.

 

I also failed to understand the reason of such “mapping”.


Yes, and I think that is the reason behind most of your comments.


The example in Appendix C illustrates the complexity of the proposal.
Can the approach be made simpler ? If not, why ?

 

No it can't be made simpler. It contains exactly the information we need in the implementation where it is used.

I could write a whole whitepaper about all detailed reasons, but if you really think about the use case, it should be clear.

Consider the case where you know users by attributes defined in a SAML federation, where for example serialNumber is NOT used.
A CA issues a certificate to a user based an a SAML assertion authentication based on the attribute profile of that federation.

A user logs in to your service using a SAML assertion, and sends you a signed document associated with the issued certificate.
You now need to determine whether that SAML assertion and the certificate represents the same user.
You also need to determine that the SAML assertion and the certificate provides compatible levels of assertion for user authentication as defined in your SAML federation.

This extension gives you exactly the amount of data that is needed in order to do this in an unambiguous fully automated process.

 

10. In section 4, I failed to understand the “dynamic” aspect. My understanding is that a person statically
authenticates to a RA (Registration Authority) and then is given back a non-repudiation certificate
with SAML attributes in it which may then be used as identity attributes.
I am unsure what the text in this section wants to say when using the words “dynamic manner”.


Your view is to restrictive.

The dynamic aspect of this is that a certificate may be issued on the fly at the instance when it is needed, containing just the information that is needed for one particular situation.
This extension is (where this is used in the Swedish national infrastructure) added to certificates that are issued for just one instance of signing, and hence can be dynamically adapted to the needs of the intended relying party.

Next time the user signs, a new key pair is generated with new certs that may contain another set of the user's attributes.

The first instance may for example contain the users private identity based on a national identifier, the second may carry an organisational identity based on employee number.
What attributes that are needed in every instance is determined in a service context that is outside the scope of this specification.

In these certificates, both the national identifier and the employee number may be placed as a serialNumber attribute in the subject field.
Despite that, this extension makes it possible for the relying party to know exactly what identity information each certificate carries, as it maps to the attribute profile of a SAML federation.

/Stefan


Denis

 

_______________________________________________
pkix mailing list
pkix@ietf.orghttps://www.ietf.org/mailman/listinfo/pkix

_______________________________________________ pkix mailing list pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix

--------------000006000108030300060303-- From ben@digicert.com Fri Mar 8 08:54:17 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68FC721F856D for ; Fri, 8 Mar 2013 08:54:17 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.462 X-Spam-Level: X-Spam-Status: No, score=-4.462 tagged_above=-999 required=5 tests=[AWL=-0.277, BAYES_40=-0.185, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zSGaDVFbOKZO for ; Fri, 8 Mar 2013 08:54:07 -0800 (PST) Received: from mail.digicert.com (mail.digicert.com [64.78.193.232]) by ietfa.amsl.com (Postfix) with ESMTP id 85D9321F8563 for ; Fri, 8 Mar 2013 08:54:07 -0800 (PST) Received: from BWILSONL1 (unknown [64.78.193.228]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.digicert.com (Postfix) with ESMTPSA id 2DDC38FAC19 for ; Fri, 8 Mar 2013 09:54:07 -0700 (MST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=digicert.com; s=mail; t=1362761647; bh=B/M7FbqgMGV/xFRTrV39SdVjoMimBvfqQY3WCrC6IiQ=; h=Reply-To:From:To:Subject:Date; b=BJ1p3vbXbxDjAW2X0wpZS7Kz75HKPEWkEtzyEhQrjFyYpKd7pe2AJ6e0lGeNT7mBm st0KWuOFaqqKswXQRPoFG30SeWY8QoDZOjADeC2ayyAvxd8CPsoCMlGRTWcaNxTAyn vGCK7Q9itUtRiqWTkGDdmQedNUr4fcf/CLw3Wokk= From: "Ben Wilson" To: "'pkix'" Date: Fri, 8 Mar 2013 09:54:05 -0700 Organization: DigiCert Message-ID: <00b401ce1c1d$8b117710$a1346530$@digicert.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_00B5_01CE1BE2.DEB2ED30" X-Mailer: Microsoft Outlook 14.0 Thread-Index: Ac4cHWHT3dheD5AsSqSZNK0gSuFQfg== Content-Language: en-us Subject: [pkix] OID Processing betwee Intermediate CA and End Entity Certificates X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: ben@digicert.com List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Mar 2013 16:54:17 -0000 This is a multipart message in MIME format. ------=_NextPart_000_00B5_01CE1BE2.DEB2ED30 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Do any of you know whether software should process a certificate chain properly if I construct a policy OID arc (for SSL/TLS Server Certificates) as follows? Intermediate CA Policy OID : 2.16.840.1.114412.1 End Entity Policy OID : 2.16.840.1.114412.1.1 Thanks, Ben ------=_NextPart_000_00B5_01CE1BE2.DEB2ED30 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Do any of = you know whether software should process a certificate chain properly if = I construct a policy OID arc (for SSL/TLS Server Certificates) as = follows?

End = Entity Policy OID :

Thanks,

Ben

 

------=_NextPart_000_00B5_01CE1BE2.DEB2ED30-- From SChokhani@cygnacom.com Fri Mar 8 09:23:45 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 299D521F8630 for ; Fri, 8 Mar 2013 09:23:45 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.598 X-Spam-Level: X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TqyisUQQtBTL for ; Fri, 8 Mar 2013 09:23:44 -0800 (PST) Received: from ipedge2.cygnacom.com (ipedge2.cygnacom.com [216.191.252.27]) by ietfa.amsl.com (Postfix) with ESMTP id 64D8021F8615 for ; Fri, 8 Mar 2013 09:23:44 -0800 (PST) X-IronPort-AV: E=Sophos;i="4.84,809,1355115600"; d="scan'208,217";a="4092703" Received: from unknown (HELO scygexch7.cygnacom.com) ([10.4.60.22]) by ipedge2.cygnacom.com with ESMTP; 08 Mar 2013 12:23:42 -0500 Received: from scygexch7.cygnacom.com ([::1]) by scygexch7.cygnacom.com ([::1]) with mapi; Fri, 8 Mar 2013 12:23:41 -0500 From: Santosh Chokhani To: "ben@digicert.com" , 'pkix' Date: Fri, 8 Mar 2013 12:23:40 -0500 Thread-Topic: [pkix] OID Processing betwee Intermediate CA and End Entity Certificates Thread-Index: Ac4cHWHT3dheD5AsSqSZNK0gSuFQfgABBZKQ Message-ID: References: <00b401ce1c1d$8b117710$a1346530$@digicert.com> In-Reply-To: <00b401ce1c1d$8b117710$a1346530$@digicert.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: multipart/alternative; boundary="_000_B83745DA469B7847811819C5005244AFF3DC95F4scygexch7cygnac_" MIME-Version: 1.0 Subject: Re: [pkix] OID Processing betwee Intermediate CA and End Entity Certificates X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Mar 2013 17:23:45 -0000 --_000_B83745DA469B7847811819C5005244AFF3DC95F4scygexch7cygnac_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable That depends on the status of the require explicit policy in the path valid= ation state machine and user acceptable policy set. At best, the chain is good for no certificate policies. From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Ben= Wilson Sent: Friday, March 08, 2013 11:54 AM To: 'pkix' Subject: [pkix] OID Processing betwee Intermediate CA and End Entity Certif= icates Do any of you know whether software should process a certificate chain prop= erly if I construct a policy OID arc (for SSL/TLS Server Certificates) as f= ollows? Intermediate CA Policy OID : 2.16.840.1.114412.1 End Entity Policy OID : 2.16.840.1.114412.1.1 Thanks, Ben --_000_B83745DA469B7847811819C5005244AFF3DC95F4scygexch7cygnac_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

That depends on the status of the require explicit policy in = the path validation state machine and user acceptable policy set.

 <= /o:p>

At best,= the chain is good for no certificate policies.

 

From: pkix-bounces@ietf.org [mailto:pkix-bou= nces@ietf.org] On Behalf Of Ben Wilson
Sent: Friday, March= 08, 2013 11:54 AM
To: 'pkix'
Subject: [pkix] OID Proce= ssing betwee Intermediate CA and End Entity Certificates<= /p>

 

Do any of you know whether software should process a certificate chain p= roperly if I construct a policy OID arc (for SSL/TLS Server Certificates) a= s follows?

Intermediate CA Policy OID :  =

2.16.840.1.114412.1

2.16.840.1.114412.1.1

=

I= ntermediate CA Policy OID : 

2.16.840.1.114412.1

2.16.840.1.114412.1.1

Thanks,

Ben

 

= = --_000_B83745DA469B7847811819C5005244AFF3DC95F4scygexch7cygnac_-- From ben@digicert.com Fri Mar 8 09:36:40 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E50A021F8738 for ; Fri, 8 Mar 2013 09:36:40 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.53 X-Spam-Level: X-Spam-Status: No, score=-5.53 tagged_above=-999 required=5 tests=[AWL=1.068, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lyk0QfM17kV8 for ; Fri, 8 Mar 2013 09:36:37 -0800 (PST) Received: from mail.digicert.com (mail.digicert.com [64.78.193.232]) by ietfa.amsl.com (Postfix) with ESMTP id DE21E21F8751 for ; Fri, 8 Mar 2013 09:36:36 -0800 (PST) Received: from BWILSONL1 (unknown [64.78.193.228]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.digicert.com (Postfix) with ESMTPSA id 9A3AA7FA18F for ; Fri, 8 Mar 2013 10:36:36 -0700 (MST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=digicert.com; s=mail; t=1362764196; bh=5IXPwYD1aUaaIe5H0JfcRRMH0zqPau9WwZYBBRkfopo=; h=Reply-To:From:To:Subject:Date; b=L6/A/xWL0hWoPNzI0EHyYrLxjaoM9CwOdtfTk2hXSZIvrn8S6ApqYn0+P5RVGRvAQ +mpaWTy25G0vrgrbP5vRpHu7CHFrYwT02cUu19e87ZKYuqTfAatk+mtX3J5h8bIV3+ 9XzEuv67ERu1VJA2QA9Tgv0WYuJ3Jsgk6eZ3PEnk= From: "Ben Wilson" To: "'pkix'" Date: Fri, 8 Mar 2013 10:36:34 -0700 Organization: DigiCert Message-ID: <010601ce1c23$7aa50030$6fef0090$@digicert.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0107_01CE1BE8.CE469D60" X-Mailer: Microsoft Outlook 14.0 Thread-Index: Ac4cID4yYuSDeTBrQp+uuf3c/H1ROg== Content-Language: en-us Subject: Re: [pkix] OID Processing between Intermediate CA and End Entity Certificates X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: ben@digicert.com List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Mar 2013 17:36:41 -0000 This is a multipart message in MIME format. ------=_NextPart_000_0107_01CE1BE8.CE469D60 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit I've received a couple of clarifications off-list, but just to clarify - policy OIDs at the CA level are constraints on what policies an end entity certificate may include/assert. So if you are creating a subCA, and you are going to use it to issue certificates under multiple end entity policies, it's better to omit the CP OID altogether. Alternatives include specifying all policies (which you may not know beforehand) or the allpolicies OID. "In other words, contrary of what some people believe there are no policies for CAs, there are only policy OIDs for EE certificates." So, the OID arc structure will not work as I thought it might - like a filter reading left to right. Thanks, Ben ------=_NextPart_000_0107_01CE1BE8.CE469D60 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

I’ve received a couple of clarifications = off-list,  but just to clarify – policy OIDs at the CA level = are constraints on what policies an end entity certificate may = include/assert. 

So if you are creating a subCA, and you are = going to use it to issue certificates under multiple end entity = policies, it’s better to omit the CP OID altogether.  = Alternatives include specifying all policies (which you may not know = beforehand) or the allpolicies OID.

“In other words, = contrary of what some people believe there are no policies for CAs, = there are only policy OIDs for EE certificates.”  =

 So, the OID arc structure will not work as = I thought it might -  like a filter reading left to = right.

Thanks,

Ben

------=_NextPart_000_0107_01CE1BE8.CE469D60-- From SChokhani@cygnacom.com Fri Mar 8 09:46:07 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58E9921F87BA for ; Fri, 8 Mar 2013 09:46:07 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.598 X-Spam-Level: X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dud+DKw6tINH for ; Fri, 8 Mar 2013 09:46:06 -0800 (PST) Received: from ipedge1.cygnacom.com (ipedge1.cygnacom.com [216.191.252.12]) by ietfa.amsl.com (Postfix) with ESMTP id D0CF021F87B1 for ; Fri, 8 Mar 2013 09:46:05 -0800 (PST) X-IronPort-AV: E=Sophos;i="4.84,809,1355115600"; d="scan'208,217";a="8132732" Received: from unknown (HELO scygexch7.cygnacom.com) ([10.4.60.22]) by ipedge1.cygnacom.com with ESMTP; 08 Mar 2013 12:46:03 -0500 Received: from scygexch7.cygnacom.com ([::1]) by scygexch7.cygnacom.com ([::1]) with mapi; Fri, 8 Mar 2013 12:46:03 -0500 From: Santosh Chokhani To: "ben@digicert.com" , 'pkix' Date: Fri, 8 Mar 2013 12:46:02 -0500 Thread-Topic: [pkix] OID Processing between Intermediate CA and End Entity Certificates Thread-Index: Ac4cID4yYuSDeTBrQp+uuf3c/H1ROgABG9Dg Message-ID: References: <010601ce1c23$7aa50030$6fef0090$@digicert.com> In-Reply-To: <010601ce1c23$7aa50030$6fef0090$@digicert.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: multipart/alternative; boundary="_000_B83745DA469B7847811819C5005244AFF3DC95FAscygexch7cygnac_" MIME-Version: 1.0 Subject: Re: [pkix] OID Processing between Intermediate CA and End Entity Certificates X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Mar 2013 17:46:07 -0000 --_000_B83745DA469B7847811819C5005244AFF3DC95FAscygexch7cygnac_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Omitting policy OID may not work. The chain may be invalid and is at the b= est not good for any policies. From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Ben= Wilson Sent: Friday, March 08, 2013 12:37 PM To: 'pkix' Subject: Re: [pkix] OID Processing between Intermediate CA and End Entity C= ertificates I've received a couple of clarifications off-list, but just to clarify - p= olicy OIDs at the CA level are constraints on what policies an end entity c= ertificate may include/assert. So if you are creating a subCA, and you are going to use it to issue certif= icates under multiple end entity policies, it's better to omit the CP OID a= ltogether. Alternatives include specifying all policies (which you may not= know beforehand) or the allpolicies OID. "In other words, contrary of what some people believe there are no policies= for CAs, there are only policy OIDs for EE certificates." So, the OID arc structure will not work as I thought it might - like a fi= lter reading left to right. Thanks, Ben --_000_B83745DA469B7847811819C5005244AFF3DC95FAscygexch7cygnac_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Omitting policy OID may not work.  The chain may be inva= lid and is at the best not good for any policies.

 

=

From: pkix-bounces@ietf.org [mailto:pkix-b= ounces@ietf.org] On Behalf Of Ben Wilson
Sent: Friday, Mar= ch 08, 2013 12:37 PM
To: 'pkix'
Subject: Re: [pkix] OID= Processing between Intermediate CA and End Entity Certificates<= /span>

 

I’ve received a couple of cla= rifications off-list,  but just to clarify – policy OIDs at the = CA level are constraints on what policies an end entity certificate may inc= lude/assert. 

So if you are creating a subCA, and you are going to use= it to issue certificates under multiple end entity policies, it’s be= tter to omit the CP OID altogether.  Alternatives include specifying a= ll policies (which you may not know beforehand) or the allpolicies OID.

“= ;In other words, contrary of what some people believe there are no policies= for CAs, there are only policy OIDs for EE certificates.” 

 = So, the OID arc structure will not work as I thought it might -  like = a filter reading left to right.

<= span style=3D'color:#1F497D'>Thanks,

Ben

= --_000_B83745DA469B7847811819C5005244AFF3DC95FAscygexch7cygnac_-- From ben@digicert.com Fri Mar 8 09:50:01 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A06121F8794 for ; Fri, 8 Mar 2013 09:50:01 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.886 X-Spam-Level: X-Spam-Status: No, score=-5.886 tagged_above=-999 required=5 tests=[AWL=0.712, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hAF-268Vljjn for ; Fri, 8 Mar 2013 09:49:56 -0800 (PST) Received: from mail.digicert.com (mail.digicert.com [64.78.193.232]) by ietfa.amsl.com (Postfix) with ESMTP id 72ED521F868E for ; Fri, 8 Mar 2013 09:49:56 -0800 (PST) Received: from BWILSONL1 (unknown [64.78.193.228]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.digicert.com (Postfix) with ESMTPSA id 40E318FAC1A; Fri, 8 Mar 2013 10:49:56 -0700 (MST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=digicert.com; s=mail; t=1362764996; bh=uR+tUS0Og5FJbw0/OYOBXPr4Ygfr1dC/gFQgOuwO0R8=; h=Reply-To:From:To:References:In-Reply-To:Subject:Date; b=lSFxD90GbI3hsMfrQ6hHNkDo5SM4Fmt5l765sRWDWcfiOxuXbFgg2b9yUHNABrL38 z7rQgcmGGm6Pc4jhxEumHf7oIaDcQYF50a3ddFu5EqhwSzUKQW8ATRxktQXhYds3bn BCJCv7e5M0F9L1hDCgjL9QJ/zKkhpq0eCJbOWlfo= From: "Ben Wilson" To: "'Santosh Chokhani'" , "'pkix'" References: <010601ce1c23$7aa50030$6fef0090$@digicert.com> In-Reply-To: Date: Fri, 8 Mar 2013 10:49:54 -0700 Organization: DigiCert Message-ID: <011701ce1c25$5741f0b0$05c5d210$@digicert.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0118_01CE1BEA.AAE3B4F0" X-Mailer: Microsoft Outlook 14.0 Thread-Index: AQC2Ehg+PnyaJggAPdetcbY2awQIAwE+PWqJmsI0LaA= Content-Language: en-us Subject: Re: [pkix] OID Processing between Intermediate CA and End Entity Certificates X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: ben@digicert.com List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Mar 2013 17:50:01 -0000 This is a multipart message in MIME format. ------=_NextPart_000_0118_01CE1BEA.AAE3B4F0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Thanks, Santosh. So, is best practice to put in the 2.5.29.32.0 - "anyPolicy" OID? From: Santosh Chokhani [mailto:SChokhani@cygnacom.com] Sent: Friday, March 08, 2013 10:46 AM To: ben@digicert.com; 'pkix' Subject: RE: [pkix] OID Processing between Intermediate CA and End Entity Certificates Omitting policy OID may not work. The chain may be invalid and is at the best not good for any policies. From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Ben Wilson Sent: Friday, March 08, 2013 12:37 PM To: 'pkix' Subject: Re: [pkix] OID Processing between Intermediate CA and End Entity Certificates I've received a couple of clarifications off-list, but just to clarify - policy OIDs at the CA level are constraints on what policies an end entity certificate may include/assert. So if you are creating a subCA, and you are going to use it to issue certificates under multiple end entity policies, it's better to omit the CP OID altogether. Alternatives include specifying all policies (which you may not know beforehand) or the allpolicies OID. "In other words, contrary of what some people believe there are no policies for CAs, there are only policy OIDs for EE certificates." So, the OID arc structure will not work as I thought it might - like a filter reading left to right. Thanks, Ben ------=_NextPart_000_0118_01CE1BEA.AAE3B4F0 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Thanks, Santosh.  So, is best practice to = put in the 2.5.29.32.0 - "anyPolicy” OID? =

 

From:= = Santosh Chokhani [mailto:SChokhani@cygnacom.com]
Sent: = Friday, March 08, 2013 10:46 AM
To: ben@digicert.com; = 'pkix'
Subject: RE: [pkix] OID Processing between Intermediate = CA and End Entity Certificates

 

Omitting policy OID may not work.  The = chain may be invalid and is at the best not good for any = policies.

 

From:= = pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] = On Behalf Of Ben Wilson
Sent: Friday, March 08, 2013 = 12:37 PM
To: 'pkix'
Subject: Re: [pkix] OID = Processing between Intermediate CA and End Entity = Certificates

 

I’ve received a couple of clarifications = off-list,  but just to clarify – policy OIDs at the CA level = are constraints on what policies an end entity certificate may = include/assert. 

So if you are creating a subCA, and you are = going to use it to issue certificates under multiple end entity = policies, it’s better to omit the CP OID altogether.  = Alternatives include specifying all policies (which you may not know = beforehand) or the allpolicies OID.

“In other words, = contrary of what some people believe there are no policies for CAs, = there are only policy OIDs for EE certificates.”  =

 So, the OID arc structure will not work as = I thought it might -  like a filter reading left to = right.

Thanks,

Ben

------=_NextPart_000_0118_01CE1BEA.AAE3B4F0-- From SChokhani@cygnacom.com Fri Mar 8 09:52:26 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87E0221F868E for ; Fri, 8 Mar 2013 09:52:23 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.598 X-Spam-Level: X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hgx+f6pryn1R for ; Fri, 8 Mar 2013 09:52:19 -0800 (PST) Received: from ipedge2.cygnacom.com (ipedge2.cygnacom.com [216.191.252.27]) by ietfa.amsl.com (Postfix) with ESMTP id 2BBEE21F8644 for ; Fri, 8 Mar 2013 09:52:19 -0800 (PST) X-IronPort-AV: E=Sophos;i="4.84,809,1355115600"; d="scan'208,217";a="4097689" Received: from unknown (HELO scygexch7.cygnacom.com) ([10.4.60.22]) by ipedge2.cygnacom.com with ESMTP; 08 Mar 2013 12:52:18 -0500 Received: from scygexch7.cygnacom.com ([::1]) by scygexch7.cygnacom.com ([::1]) with mapi; Fri, 8 Mar 2013 12:52:18 -0500 From: Santosh Chokhani To: "ben@digicert.com" , 'pkix' Date: Fri, 8 Mar 2013 12:52:17 -0500 Thread-Topic: [pkix] OID Processing between Intermediate CA and End Entity Certificates Thread-Index: AQC2Ehg+PnyaJggAPdetcbY2awQIAwE+PWqJmsI0LaCAAACwgA== Message-ID: References: <010601ce1c23$7aa50030$6fef0090$@digicert.com> <011701ce1c25$5741f0b0$05c5d210$@digicert.com> In-Reply-To: <011701ce1c25$5741f0b0$05c5d210$@digicert.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: multipart/alternative; boundary="_000_B83745DA469B7847811819C5005244AFF3DC95FEscygexch7cygnac_" MIME-Version: 1.0 Subject: Re: [pkix] OID Processing between Intermediate CA and End Entity Certificates X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Mar 2013 17:52:26 -0000 --_000_B83745DA469B7847811819C5005244AFF3DC95FEscygexch7cygnac_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Yes, except some products such as Windows XP and other toolkits may treat = "anyPolicy" as a simple OID and not a wild card. I generally recommend customers to spell out the OIDs. From: Ben Wilson [mailto:ben@digicert.com] Sent: Friday, March 08, 2013 12:50 PM To: Santosh Chokhani; 'pkix' Subject: RE: [pkix] OID Processing between Intermediate CA and End Entity C= ertificates Thanks, Santosh. So, is best practice to put in the 2.5.29.32.0 - "anyPoli= cy" OID? From: Santosh Chokhani [mailto:SChokhani@cygnacom.com] Sent: Friday, March 08, 2013 10:46 AM To: ben@digicert.com; 'pkix' Subject: RE: [pkix] OID Processing between Intermediate CA and End Entity C= ertificates Omitting policy OID may not work. The chain may be invalid and is at the b= est not good for any policies. From: pkix-bounces@ietf.org [mailto:pkix-boun= ces@ietf.org] On Behalf Of Ben Wilson Sent: Friday, March 08, 2013 12:37 PM To: 'pkix' Subject: Re: [pkix] OID Processing between Intermediate CA and End Entity C= ertificates I've received a couple of clarifications off-list, but just to clarify - p= olicy OIDs at the CA level are constraints on what policies an end entity c= ertificate may include/assert. So if you are creating a subCA, and you are going to use it to issue certif= icates under multiple end entity policies, it's better to omit the CP OID a= ltogether. Alternatives include specifying all policies (which you may not= know beforehand) or the allpolicies OID. "In other words, contrary of what some people believe there are no policies= for CAs, there are only policy OIDs for EE certificates." So, the OID arc structure will not work as I thought it might - like a fi= lter reading left to right. Thanks, Ben --_000_B83745DA469B7847811819C5005244AFF3DC95FEscygexch7cygnac_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Yes, except some products such as Windows XP and other toolki= ts may  treat “anyPolicy” as a simple OID and not a wild c= ard.

 

I generally recommend customers to spell out the OIDs.

 =

From: Ben Wilson [mailto:ben@di= gicert.com]
Sent: Friday, March 08, 2013 12:50 PM
To: = Santosh Chokhani; 'pkix'
Subject: RE: [pkix] OID Processing betwe= en Intermediate CA and End Entity Certificates

<= /div>

 

Thanks, Santosh.  So, is best practice to put i= n the 2.5.29.32.0 - "anyPolicy” OID?

 

<= div>

From: Santosh Chokhani [mailto:SChokhani@cygnacom.com]
Sent: = Friday, March 08, 2013 10:46 AM
To: ben@digicert.com; 'pkix'
Subject: RE: [pkix] OID Proce= ssing between Intermediate CA and End Entity Certificates=

 

Omitting policy OID may not work.  T= he chain may be invalid and is at the best not good for any policies.<= /o:p>

&nb= sp;

From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Ben= Wilson
Sent: Friday, March 08, 2013 12:37 PM
To: 'pkix= '
Subject: Re: [pkix] OID Processing between Intermediate CA and = End Entity Certificates

 

= I’ve received a couple of clarifications off-list,  but just to = clarify – policy OIDs at the CA level are constraints on what policie= s an end entity certificate may include/assert. 

So if you are creating = a subCA, and you are going to use it to issue certificates under multiple e= nd entity policies, it’s better to omit the CP OID altogether.  = Alternatives include specifying all policies (which you may not know before= hand) or the allpolicies OID.

“In other words, contrary of what some peo= ple believe there are no policies for CAs, there are only policy OIDs for E= E certificates.” 

 So, the OID arc structure will not work as= I thought it might -  like a filter reading left to right.=

Thanks,<= /o:p>

Ben

= --_000_B83745DA469B7847811819C5005244AFF3DC95FEscygexch7cygnac_-- From carl@redhoundsoftware.com Fri Mar 8 09:53:08 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 336F121F87DF for ; Fri, 8 Mar 2013 09:53:08 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 3.589 X-Spam-Level: *** X-Spam-Status: No, score=3.589 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_VERIZON_P=2.144, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RDNS_DYNAMIC=0.1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 06MGaCvvWi9B for ; Fri, 8 Mar 2013 09:53:06 -0800 (PST) Received: from mail-gg0-x236.google.com (mail-gg0-x236.google.com [IPv6:2607:f8b0:4002:c02::236]) by ietfa.amsl.com (Postfix) with ESMTP id 828F321F87D7 for ; Fri, 8 Mar 2013 09:53:06 -0800 (PST) Received: by mail-gg0-f182.google.com with SMTP id d1so307053ggn.27 for ; Fri, 08 Mar 2013 09:53:06 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:user-agent:date:subject:from:to:message-id:thread-topic :in-reply-to:mime-version:content-type:x-gm-message-state; bh=MvB3hDXUEkEwN+24y4KCLkbhAYd9FFZ/my2ocQtXsjU=; b=gBwBjfk20wPXrzZuClTQ034pvKwXq21M8YzjSv4MdlxiaODvxQFO1NMiU1WRWTLckS 1Y+YkbB78FKao0Vu5v7WBTZ1JW3d61yV/8epvcCw8LYEE4UTHITYz5dgDj7Kq8FehID6 qLQ55FEqTt0hmGveYXvr4pSEkULQXgLOvKvM+FniP2Sgg3JQRRLFT287czYzUdLag4Ej p8S/S1aWBtsmEW3px4/5TGGV4iIdx0Zs4qBhKEp+NNGakWYEgefDdTR4ENjrZk+dlbig VKS+UFAlBdyybBnid1JivcFAWbhhMDNd6jkTvHlj67mc0q40EY8yyixD0H2ksW3o0i1D 30GQ== X-Received: by 10.236.82.65 with SMTP id n41mr2423398yhe.66.1362765185939; Fri, 08 Mar 2013 09:53:05 -0800 (PST) Received: from [192.168.2.7] (pool-173-79-106-247.washdc.fios.verizon.net. [173.79.106.247]) by mx.google.com with ESMTPS id d43sm8991645yhk.23.2013.03.08.09.53.04 (version=TLSv1 cipher=RC4-SHA bits=128/128); Fri, 08 Mar 2013 09:53:05 -0800 (PST) User-Agent: Microsoft-MacOutlook/14.3.1.130117 Date: Fri, 08 Mar 2013 12:52:58 -0500 From: Carl Wallace To: , 'pkix' Message-ID: Thread-Topic: [pkix] OID Processing between Intermediate CA and End Entity Certificates In-Reply-To: <011701ce1c25$5741f0b0$05c5d210$@digicert.com> Mime-version: 1.0 Content-type: multipart/alternative; boundary="B_3445591983_3517841" X-Gm-Message-State: ALoCoQmbhJ51rJ9m3XyeJS2kbrAGGlnUZPlCMUc1LVSoDV3MFLVjINrtq9d/l7kDYNv9SlzNuhd5 Subject: Re: [pkix] OID Processing between Intermediate CA and End Entity Certificates X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Mar 2013 17:53:08 -0000 > This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. --B_3445591983_3517841 Content-type: text/plain; charset="ISO-8859-1" Content-transfer-encoding: quoted-printable Sounds like you may be looking for EKU-type semantics, at least before thos= e were altered to be like the certificate policy semantics that won't work fo= r you. =20 From: Ben Wilson Organization: DigiCert Reply-To: Date: Friday, March 8, 2013 12:49 PM To: Santosh Chokhani , 'pkix' Subject: Re: [pkix] OID Processing between Intermediate CA and End Entity Certificates > Thanks, Santosh. So, is best practice to put in the 2.5.29.32.0 - "anyPo= licy=B2 > OID?=20 > =20 >=20 > From: Santosh Chokhani [mailto:SChokhani@cygnacom.com] > Sent: Friday, March 08, 2013 10:46 AM > To: ben@digicert.com; 'pkix' > Subject: RE: [pkix] OID Processing between Intermediate CA and End Entity > Certificates > =20 > Omitting policy OID may not work. The chain may be invalid and is at the= best > not good for any policies. > =20 >=20 > From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of B= en > Wilson > Sent: Friday, March 08, 2013 12:37 PM > To: 'pkix' > Subject: Re: [pkix] OID Processing between Intermediate CA and End Entity > Certificates > =20 > I=B9ve received a couple of clarifications off-list, but just to clarify =AD > policy OIDs at the CA level are constraints on what policies an end entit= y > certificate may include/assert. > So if you are creating a subCA, and you are going to use it to issue > certificates under multiple end entity policies, it=B9s better to omit the = CP > OID altogether. Alternatives include specifying all policies (which you = may > not know beforehand) or the allpolicies OID. > =B3In other words, contrary of what some people believe there are no polici= es > for CAs, there are only policy OIDs for EE certificates.=B2 > So, the OID arc structure will not work as I thought it might - like a > filter reading left to right. > Thanks, > Ben > _______________________________________________ pkix mailing list > pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix --B_3445591983_3517841 Content-type: text/html; charset="ISO-8859-1" Content-transfer-encoding: quoted-printable
Sounds like you may be looki= ng for EKU-type semantics, at least before those were altered to be like the=  certificate policy semantics that won't work for you.  

From: Ben Wilson <ben@digicert.com>
Organization: DigiCert
Reply-To: <ben@digicert.com<= /a>>
Date: Friday, March 8, 201= 3 12:49 PM
To: Santosh Chokhani &l= t;schokhani@cygnacom.com>, 'p= kix' <pkix@ietf.org>
Subject: Re: [pkix] OID Processing between Inter= mediate CA and End Entity Certificates

Thanks, Santosh.  So, is best practice to put in the 2.5.29.32.0 - "= anyPolicy” OID?

 

From: S= antosh Chokhani [mailto:SChokhani@cy= gnacom.com]
Sent: Friday, March 08, 2013 10:46 AM
To: ben@digicert.com; 'pkix'
Subj= ect: RE: [pkix] OID Processing between Intermediate CA and End Entity Ce= rtificates

 =

Omitting policy O= ID may not work.  The chain may be invalid and is at the best not good = for any policies.

 

<= span style=3D"font-size: 10pt; font-family: Tahoma, sans-serif; ">From:= pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Ben Wilson
Sent: Friday, March 08, 2013 12:37 PM
To: 'p= kix'
Subject: Re: [pkix] OID Processing between Intermediate CA an= d End Entity Certificates

 

I&= #8217;ve received a couple of clarifications off-list,  but just to cla= rify – policy OIDs at the CA level are constraints on what policies an= end entity certificate may include/assert. 

So if you are creating a subCA,= and you are going to use it to issue certificates under multiple end entity= policies, it’s better to omit the CP OID altogether.  Alternativ= es include specifying all policies (which you may not know beforehand) or th= e allpolicies OID.

“In other words, contrary of what some people believe the= re are no policies for CAs, there are only policy OIDs for EE certificates.&= #8221; 

 So, the OID arc structure will not work as I thought it might = -  like a filter reading left to right.

Thanks,

Ben

_______________________________________________ pkix mailing list pkix@ietf.org https://www.ietf.org/m= ailman/listinfo/pkix
--B_3445591983_3517841-- From piyush@ditenity.com Fri Mar 8 10:36:16 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F24521F8862 for ; Fri, 8 Mar 2013 10:36:16 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.598 X-Spam-Level: X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c1uB-WbmY-Kr for ; Fri, 8 Mar 2013 10:36:14 -0800 (PST) Received: from mail-oa0-f48.google.com (mail-oa0-f48.google.com [209.85.219.48]) by ietfa.amsl.com (Postfix) with ESMTP id 442BC21F885E for ; Fri, 8 Mar 2013 10:36:14 -0800 (PST) Received: by mail-oa0-f48.google.com with SMTP id j1so2336718oag.7 for ; Fri, 08 Mar 2013 10:36:13 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:from:to:references:in-reply-to:subject:date:message-id :mime-version:content-type:x-mailer:thread-index:content-language :x-gm-message-state; bh=dQL6+ZQFlPTwv09HIK1V86AND044se5YHQaWThMlx6o=; b=REOhOlQXhlpntms+kPqji9lYWAfaSV9M9tGnP2wSiiBc5COuzXtFkRGBAZVwZb2Gcx wi5428BUENrikG4RhTxfxavrLkp2VvTZGhOJ8siXVJ/ta6DUXSHdAwYJHfHYwjEu2ysk 1tFpV01k5RdL/PRH60BnBHtZTs/1VnDzMTaEKQE64yxkuKo1JaA0k7F2CWN5deytNBaz W+5dw4oirxpLtq/Se/iJ+bi4h5wG54Unx75dTO2H7/k6XmsRs3V99hj5g0HdaaWQXw2/ xcufnyJvlrIEwEqEuU2Lyf35n9tkVm4w/a4Bj/W30jO4W4j6qCVSi7HtFKB0z6PaYUhe V+Hw== X-Received: by 10.182.110.33 with SMTP id hx1mr2611369obb.32.1362767773655; Fri, 08 Mar 2013 10:36:13 -0800 (PST) Received: from hp13 (75-25-128-241.lightspeed.sjcpca.sbcglobal.net. [75.25.128.241]) by mx.google.com with ESMTPS id d10sm6619780obk.1.2013.03.08.10.36.11 (version=TLSv1 cipher=RC4-SHA bits=128/128); Fri, 08 Mar 2013 10:36:12 -0800 (PST) From: "Piyush Jain" To: "'Santosh Chokhani'" , , "'pkix'" References: <010601ce1c23$7aa50030$6fef0090$@digicert.com> <011701ce1c25$5741f0b0$05c5d210$@digicert.com> In-Reply-To: Date: Fri, 8 Mar 2013 10:36:05 -0800 Message-ID: <06ea01ce1c2b$cc0e1710$642a4530$@ditenity.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_06EB_01CE1BE8.BDEC5DB0" X-Mailer: Microsoft Outlook 14.0 Thread-Index: AQC2Ehg+PnyaJggAPdetcbY2awQIAwE+PWqJAYToMOkCethzeJqiQvqQ Content-Language: en-us X-Gm-Message-State: ALoCoQkuqkBFwF1ikoYRXez3lVu1uzu2Twg6qfYadySzsK/skX2XseKYogIMjfZOSVfnz7aNQenV Subject: Re: [pkix] OID Processing between Intermediate CA and End Entity Certificates X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Mar 2013 18:36:16 -0000 This is a multipart message in MIME format. ------=_NextPart_000_06EB_01CE1BE8.BDEC5DB0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit That may be the reason why some CA certificates have explicit policy OIDs as well as "anyPolicy" OID in the CP extension. From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Santosh Chokhani Sent: Friday, March 08, 2013 9:52 AM To: ben@digicert.com; 'pkix' Subject: Re: [pkix] OID Processing between Intermediate CA and End Entity Certificates Yes, except some products such as Windows XP and other toolkits may treat "anyPolicy" as a simple OID and not a wild card. I generally recommend customers to spell out the OIDs. From: Ben Wilson [mailto:ben@digicert.com] Sent: Friday, March 08, 2013 12:50 PM To: Santosh Chokhani; 'pkix' Subject: RE: [pkix] OID Processing between Intermediate CA and End Entity Certificates Thanks, Santosh. So, is best practice to put in the 2.5.29.32.0 - "anyPolicy" OID? From: Santosh Chokhani [mailto:SChokhani@cygnacom.com] Sent: Friday, March 08, 2013 10:46 AM To: ben@digicert.com; 'pkix' Subject: RE: [pkix] OID Processing between Intermediate CA and End Entity Certificates Omitting policy OID may not work. The chain may be invalid and is at the best not good for any policies. From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Ben Wilson Sent: Friday, March 08, 2013 12:37 PM To: 'pkix' Subject: Re: [pkix] OID Processing between Intermediate CA and End Entity Certificates I've received a couple of clarifications off-list, but just to clarify - policy OIDs at the CA level are constraints on what policies an end entity certificate may include/assert. So if you are creating a subCA, and you are going to use it to issue certificates under multiple end entity policies, it's better to omit the CP OID altogether. Alternatives include specifying all policies (which you may not know beforehand) or the allpolicies OID. "In other words, contrary of what some people believe there are no policies for CAs, there are only policy OIDs for EE certificates." So, the OID arc structure will not work as I thought it might - like a filter reading left to right. Thanks, Ben ------=_NextPart_000_06EB_01CE1BE8.BDEC5DB0 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

That may be the reason why some CA certificates = have explicit policy OIDs as well as “anyPolicy” OID in the = CP extension.

 

From:= = pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of = Santosh Chokhani
Sent: Friday, March 08, 2013 9:52 = AM
To: ben@digicert.com; 'pkix'
Subject: Re: [pkix] = OID Processing between Intermediate CA and End Entity = Certificates

 

Yes, except some products such as Windows XP and = other toolkits may  treat “anyPolicy” as a simple OID = and not a wild card.

 

I generally recommend = customers to spell out the OIDs.

 

From:= = Ben Wilson [mailto:ben@digicert.com] =
Sent: Friday, March 08, 2013 12:50 PM
To: Santosh = Chokhani; 'pkix'
Subject: RE: [pkix] OID Processing between = Intermediate CA and End Entity = Certificates

 

Thanks, Santosh.  So, is best practice to = put in the 2.5.29.32.0 - "anyPolicy” OID? =

 

From:= = Santosh Chokhani [mailto:SChokhani@cygnacom.com]=
Sent: Friday, March 08, 2013 10:46 AM
To: ben@digicert.com; = 'pkix'
Subject: RE: [pkix] OID Processing between Intermediate = CA and End Entity Certificates

 

Omitting policy OID may not work.  The = chain may be invalid and is at the best not good for any = policies.

 

From:= = pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] = On Behalf Of Ben Wilson
Sent: Friday, March 08, 2013 = 12:37 PM
To: 'pkix'
Subject: Re: [pkix] OID = Processing between Intermediate CA and End Entity = Certificates

 

I’ve received a couple of clarifications = off-list,  but just to clarify – policy OIDs at the CA level = are constraints on what policies an end entity certificate may = include/assert. 

So if you are creating a subCA, and you are = going to use it to issue certificates under multiple end entity = policies, it’s better to omit the CP OID altogether.  = Alternatives include specifying all policies (which you may not know = beforehand) or the allpolicies OID.

“In other words, = contrary of what some people believe there are no policies for CAs, = there are only policy OIDs for EE certificates.”  =

 So, the OID arc structure will not work as = I thought it might -  like a filter reading left to = right.

Thanks,

Ben

------=_NextPart_000_06EB_01CE1BE8.BDEC5DB0-- From mrex@sap.com Fri Mar 8 15:18:34 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BD2A21F8605 for ; Fri, 8 Mar 2013 15:18:34 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.005 X-Spam-Level: X-Spam-Status: No, score=-10.005 tagged_above=-999 required=5 tests=[AWL=0.244, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6RDSmuK42FML for ; Fri, 8 Mar 2013 15:18:33 -0800 (PST) Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 1E9B321F85FE for ; Fri, 8 Mar 2013 15:18:32 -0800 (PST) Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id r28NIOVt005820 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 9 Mar 2013 00:18:24 +0100 (MET) In-Reply-To: <5139A4E4.2010107@bull.net> To: Denis Pinkas Date: Sat, 9 Mar 2013 00:18:24 +0100 (CET) X-Mailer: ELM [version 2.4ME+ PL125 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="US-ASCII" Message-Id: <20130308231824.595391A617@ld9781.wdf.sap.corp> From: mrex@sap.com (Martin Rex) X-SAP: out Cc: Stefan Santesson , pkix Subject: Re: [pkix] Comments on draft-santesson-auth-context-extension-04 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: mrex@sap.com List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Mar 2013 23:18:34 -0000 Denis, While I have no personal interest or use in this proposal myself, I'm somewhat confused by your message. Denis Pinkas wrote: > > Allowing to have SAML attributes in a PKC would be a very good thing. > However, the relying party DOES NOT care > how these SAML attributes have been translated into a subject DN. It is > the responsibility of the CA. Stefan said that he _has_ RPs who care. Where is your problem with this? > > Thus, if the scope only remains to know how the correspondence was made > between the SAML attributes and > the subject DN, I don't believe that this document will be useful for > the Internet community and thus I am still unconvinced > that this document should progress as an Internet Draft. "progress as Internet Draft"? (I have not the slightest idea what that is.) >From the document header, Stefan seems to be looking for an Individual Submission with the intended document status "Informational". Were you thinking of a Standards track document? Or were you thinking about a WG work item (Last thing I heard was that PKIX is scheduled to shut down (as IETF WG) and not accepting any further work items). Only the latter two would need any kind of "approval". Stefan's primary interest seems to be sharing information about what he does (or intends to do) with the IETF community. And Stefan seems to solicit and accept feedback and suggestions from the PKIX community to make this work more useful to others. > > If the scope is changed to allow to include SAML attributes as another > name form in a PKC, then this is > an important issue which deserves an Internet Draft. Stefan indicated that he needs this extension to convey information that does not qualify as SAN/otherName, so this feedback seems to be missing the point. If you have a need for this, you might have to create your own proposal/I-D to fit this purpose. -Martin From wwwrun@rfc-editor.org Sun Mar 10 07:30:44 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 848B321F8613 for ; Sun, 10 Mar 2013 07:30:44 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.541 X-Spam-Level: X-Spam-Status: No, score=-102.541 tagged_above=-999 required=5 tests=[AWL=0.059, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mSmhOWeSPn64 for ; Sun, 10 Mar 2013 07:30:44 -0700 (PDT) Received: from rfc-editor.org (unknown [IPv6:2001:1890:123a::1:2f]) by ietfa.amsl.com (Postfix) with ESMTP id 2C13021F85DA for ; Sun, 10 Mar 2013 07:30:44 -0700 (PDT) Received: by rfc-editor.org (Postfix, from userid 30) id 2128EB1E003; Sun, 10 Mar 2013 07:30:37 -0700 (PDT) To: philliph@comodo.com, rob.stradling@comodo.com, stephen.farrell@cs.tcd.ie, turners@ieca.com, kent@bbn.com, stefan@aaa-sec.com From: RFC Errata System Message-Id: <20130310143037.2128EB1E003@rfc-editor.org> Date: Sun, 10 Mar 2013 07:30:37 -0700 (PDT) Cc: pkix@ietf.org, rfc-editor@rfc-editor.org Subject: [pkix] [Editorial Errata Reported] RFC6844 (3528) X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 10 Mar 2013 14:30:44 -0000 The following errata report has been submitted for RFC6844, "DNS Certification Authority Authorization (CAA) Resource Record". -------------------------------------- You may review the report below and at: http://www.rfc-editor.org/errata_search.php?rfc=6844&eid=3528 -------------------------------------- Type: Editorial Reported by: Sean Turner Section: s7.3 Original Text ------------- Reserved> Corrected Text -------------- Reserved Notes ----- The additional ">" is unnecessary. Instructions: ------------- This errata is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party (IESG) can log in to change the status and edit the report, if necessary. -------------------------------------- RFC6844 (draft-ietf-pkix-caa-15) -------------------------------------- Title : DNS Certification Authority Authorization (CAA) Resource Record Publication Date : January 2013 Author(s) : P. Hallam-Baker, R. Stradling Category : PROPOSED STANDARD Source : Public-Key Infrastructure (X.509) Area : Security Stream : IETF Verifying Party : IESG From wwwrun@rfc-editor.org Sun Mar 10 07:37:57 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DFF921F8804 for ; Sun, 10 Mar 2013 07:37:57 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.543 X-Spam-Level: X-Spam-Status: No, score=-102.543 tagged_above=-999 required=5 tests=[AWL=0.057, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nm5HScDZACb0 for ; Sun, 10 Mar 2013 07:37:56 -0700 (PDT) Received: from rfc-editor.org (unknown [IPv6:2001:1890:123a::1:2f]) by ietfa.amsl.com (Postfix) with ESMTP id C770C21F863A for ; Sun, 10 Mar 2013 07:37:56 -0700 (PDT) Received: by rfc-editor.org (Postfix, from userid 30) id B1884B1E003; Sun, 10 Mar 2013 07:37:49 -0700 (PDT) To: philliph@comodo.com, rob.stradling@comodo.com, stephen.farrell@cs.tcd.ie, turners@ieca.com, kent@bbn.com, stefan@aaa-sec.com From: RFC Errata System Message-Id: <20130310143749.B1884B1E003@rfc-editor.org> Date: Sun, 10 Mar 2013 07:37:49 -0700 (PDT) Cc: pkix@ietf.org, rfc-editor@rfc-editor.org Subject: [pkix] [Editorial Errata Reported] RFC6844 (3532) X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 10 Mar 2013 14:37:57 -0000 The following errata report has been submitted for RFC6844, "DNS Certification Authority Authorization (CAA) Resource Record". -------------------------------------- You may review the report below and at: http://www.rfc-editor.org/errata_search.php?rfc=6844&eid=3532 -------------------------------------- Type: Editorial Reported by: Sean Turner Section: s7.3 Original Text ------------- 1-7 Reserved [RFC6844] Corrected Text -------------- 1-7 Unassigned [RFC6844] Notes ----- "Unassigned" is better than Reserved. Instructions: ------------- This errata is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party (IESG) can log in to change the status and edit the report, if necessary. -------------------------------------- RFC6844 (draft-ietf-pkix-caa-15) -------------------------------------- Title : DNS Certification Authority Authorization (CAA) Resource Record Publication Date : January 2013 Author(s) : P. Hallam-Baker, R. Stradling Category : PROPOSED STANDARD Source : Public-Key Infrastructure (X.509) Area : Security Stream : IETF Verifying Party : IESG From denis.pinkas@bull.net Mon Mar 11 02:15:07 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A14D21F84F5 for ; Mon, 11 Mar 2013 02:15:07 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0 X-Spam-Level: X-Spam-Status: No, score=x tagged_above=-999 required=5 tests=[] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PsJkL0Dm-2jn for ; Mon, 11 Mar 2013 02:15:06 -0700 (PDT) Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by ietfa.amsl.com (Postfix) with ESMTP id 7509221F84EF for ; Mon, 11 Mar 2013 02:15:01 -0700 (PDT) Received: from MSGC-007.bull.fr (unknown [129.184.87.136]) by odin2.bull.net (Bull S.A.) with ESMTP id 01ABB1D28E; Mon, 11 Mar 2013 10:14:59 +0100 (CET) Received: from [127.0.0.1] ([129.184.39.15]) by MSGC-007.bull.fr (Lotus Domino Release 8.5.3FP1) with ESMTP id 2013031110144887-17856 ; Mon, 11 Mar 2013 10:14:48 +0100 Message-ID: <513DA081.7050404@bull.net> Date: Mon, 11 Mar 2013 10:14:41 +0100 From: Denis Pinkas User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130215 Thunderbird/17.0.3 MIME-Version: 1.0 To: Stefan Santesson References: In-Reply-To: X-MIMETrack: Itemize by SMTP Server on MSGC-007/SRV/BULL(Release 8.5.3FP1|March 07, 2012) at 11/03/2013 10:14:58, Serialize by Router on MSGC-007/SRV/BULL(Release 8.5.3FP1|March 07, 2012) at 11/03/2013 10:14:59, Serialize complete at 11/03/2013 10:14:59 Content-Type: multipart/alternative; boundary="------------010606060500020302040001" Cc: pkix Subject: Re: [pkix] Review of 2560-bis draft 8. Answer to WGLC X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 Mar 2013 09:15:07 -0000 This is a multi-part message in MIME format. --------------010606060500020302040001 Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: quoted-printable *Stefan,* ** *The review of your individual draft, took me the time I had during the=20 week for the IETF stuff; hence, why this reply has been delayed.* *The situation is rather simple, if we forget about the editorial comment= s, you have accepted one minor text change and that=92s all.* ** *So the major problems are not solved to my satisfaction.* ** *I have maintained below the portion of the text which needs to be=20 further discussed. ** **My comments are in blue.* ** *There is a new and very important issue that I discovered while reading=20 your comments. ** **See the discussion about singleExtensions and of responseExtensions.* *Comment 8*: You have changed the meaning of the revoked state in a way=20 that is not what I requested. The original text was: *The "revoked" state indicates that the certificate has been revoked* *(either permanantly or temporarily (on hold)).* The new text is: * The "revoked" state indicates that the certificate has been revoked* * either permanently or temporarily on hold (i.e. the revocation reaso= n* * is certificateHold).* By doing this, you do not allow any other case in the future to have a=20 temporary revocation: =93*temporarily on hold=94***is not the same=20 as*=93**temporarily revoked=94**.* I propose the following rewording: *The "revoked" state indicates that the certificate has been revoked * * either permanently or temporarily (e.g. placed on hold).* I substituted "temporarily on hold" with "temporarily. The rest=20 unchanged since the only existing reason code for temporary revocation=20 is certificateHold. *As you say, the only CURRENT existing reason code for temporary=20 revocation is certificateHold. ** **We must not PREVENT other reasons in the future to mean =93temporary=20 revocation=94, hence why the change is needed.* The way the text from draft 13 is now written seems to allow using=20 either *=93unknown=94*or *=93revoked=94*for non-issued certificates. If this is the intent, then the good news is that this does not come=20 anymore into conflict with the French rules which apply for the Administration since OCSP responders from CAs used by the French=20 Ministries having a direct access to the database of issued certificates will be able to use *=93unknown*=94, rather than *=93revoked=94*and the r= eason=20 code *=93onhold=94.* However, the current text is still mandating the use of *Extended=20 Revoked Definition*, but the rational for its need it is very poor. As I have said on the PKIX list, the fact that the revocation date is=20 January 1rst, 1970 is fully sufficient to know that we are in that very=20 special case, and you have not provided a rational to say the contrary. I have. And I have pointed you to the minutes of the last PKIC meeting. The consensus of the WG is to have the extension for just those reasons. As implementer, I don't like heuristics. A date of Jan 1st 1970 may=20 indicate this behaviour, but may just be a misconfiguration. It is not an explicit statement. So we could get rid of it, =85 but the text from section 4.4.8 states: * This extension MAY be present in other responses to signal that the* * responder implements the extended revoked definition in section 2.2.= * I have difficulties to understand what is really meant there (=93other=20 responses=94 ?), since the text states: * This extension indicates that the responder supports the extended* * definition of the "revoked" status to also include non-issued* * certificates according to section 2.2.* Since both =93unknown=94 and revoked=94 can be used, it would be desirabl= e to=20 be able to include the same extension in both cases, but in that case that extension should be renamed. This extension can be included in all responses to signal that a=20 responder implements the expanded definition of revoked. Doing so makes this fact auditable without having to ask for a=20 non-issued cert. I would propose to rename it: "*non-issued certificate*=94 which means=20 that the associated CA has no record of ever having issued a certificate with the certificate serial number in the request (I still consider it=20 as unnecessary in the case of =93revoked=94, but it would be very useful = in=20 the case of =93unknown=94). Of course, the text from section 4.4.8 would need to be revised. I propose the following: * * *4.4.8 Non-issued certificate extension* * This extension MUST be included in the OCSP response when the OCSP* * responder knows that the CA identified in the request has no record* * of ever having issued a certificate with the certificate serial* * number indicated in the request.* * Clients do not have to parse this extension in order to determine* * the status of certificates in responses.* * This extension is identified by the object identifier id-pkix-ocsp-* * non-issued-cert.* * id-pkix-ocsp-non-issued-cert OBJECT IDENTIFIER ::=3D {id-pkix-ocsp= 9}* * The value of the extension SHALL be NULL. This extension MUST NOT be= * * marked critical.* Then the text on page 8 would need to be rearranged. Your extension variant is a significant change to what has been agreed. Your extension would need to be a single response extension, and can't=20 be used to audit the behaviour of the OCSP responder unless you send a request for a non-issued cert. *Hummm !!! We have a very important point there. Thanks to your comment,=20 I now realize that the proposed extension applies to the whole response. However, this is not possible and I will=20 now explain why. An OCSP responder may receive a delegation from several CAs. With some of them, it can use a direct=20 access to the database of certificates, while for some others, it will use CRLs. So the meaning of =93revoked=94=20 will depend of the CA. * ** *This means that the indication cannot be global to the OCSP response.=20 If we use an extension, it can only apply ** **to an individual response and thus MUST in singleExtensions instead of=20 responseExtensions.* ** *Since it is singleExtension, it can used to =93audit the behaviour of th= e=20 OCSP responder=94 and I do not grasp your rational ** **when you say =93unless you send a request for a non-issued cert=94. The= re=20 is no need for sending anything.* We want to avoid sending such fake requests for audit purposes as it may=20 interfere with systems at the responder trying to detect existence of=20 rouge certificates. *There is no need to sending fake requests.* This is a type of change that I can't make unless you get support from a=20 majority of the WG for the change of direction you propose. *The important point is that the text states:* ** *=93The "revoked" state (=85) _MAY also be returned_ if the associated CA= =20 has no record of ever having issued a certificate with the certificate serial number in the request, using any current or=20 previous issuing key (referred to as a "non-issued" certificate in this document).=94* ** *The test does **_not_**state =93**_MUST_**also be returned=94. This mean= s=20 that it is also possible to reply =93unknown=94 if the associated CA ** **has no record of ever having issued a certificate with the certificate=20 serial number in the request. However, this is not ** **straightforward when reading the text and thus the text should be made=20 more explicit.* ** *Now, we get to the main point. The reason for adding an extension is=20 NOT to say that an extended meaning of revoked ** **is being used, but that the INDIVIDUAL response is given using a=20 direct access to the records of the certificates issued by the CA.* The current text is: * This state MAY also be returned if the* * associated CA has no record of ever having issued a certificate with= * * the certificate serial number in the request, using any current or* * previous issuing key (referred to as a "non-issued" certificate in* * this document).* * The "unknown" state indicates that the responder doesn't know about* * the certificate being requested.* * NOTE: The "revoked" state for known non-issued certificate serial* * numbers is allowed in order to reduce the risk of relying* * parties using CRLs as a fall back mechanism, which would be* * considerably higher if an "unknown" response was returned.* * When a responder responds revoked to a status request for a non-* * issued certificate, the responder MUST include the extended revoked* * definition response extension (section 4.4.8) in the response,* * indicating that the OCSP responder supports the extended definition* * of revoked state to also cover non-issued certificates. In addition,= * * the SingleResponse related to this non-issued certificate;* * - MUST provide the revocation reason certificateHold (6),* * - MUST specify the revocationTime January 1, 1970, and;* * - MUST NOT include a CRL References extension (section 4.4.2) or an= y* * CRL Entry Extensions (section 4.4.5).* Proposed text for a replacement: * The "unknown" state indicates that the responder doesn't know about* * the certificate being requested.* =20 * If the OCSP responder knows that CA identified in the request has* * no record of ever having issued a certificate with the certificate* * serial number in the request, using any current or previous issuing* * key (referred to as a "non-issued" certificate in this document),* * the OCSP responder SHALL respond either =93revoked =93 or =93unknown= =94.* This is unfortunately very common in your rewording efforts. When trying=20 to fix one thing, you create new even bigger problems. An infrastructure that provides reproduced responses will respond=20 "unauthorized". This text may be interpreted to interfere with such=20 operations. *I fear I don=92t understand your argument about =93unauthorized=94, but=20 before replying see below my next comment.* Further, and worse. This is not backwards compatible. Current OCSP=20 responders may respond "good" even if they have access to CA records. *You say: =93Current OCSP responders may respond "good" even if they have= =20 access to CA records=94. Originally RFC 2560 allowed returning =93good=94 for OCSP responder using CRLs. Since RFC 2560 provid= ed=20 no way to indicate that a direct access to the database was being used or not, it was not possible to do better. * ** *Now, if an OCSP responder has a direct access and indicates in the=20 response that it has such an access, do you really believe that it will return good ? I don=92t. * ** *If an OCSP responder wants to return =93good=94, it can still do it, but= in=20 that case it will not signal that it is using a direct access ** **and this is perfectly backwards compatible. So I do not =93buy=94 your=20 argumentation.* ** *Now, may be you understand better why I propose to rename the extension=20 =934.4.8 Non-issued certificate extension=94 and ** **also to change its semantics.* * Note: The "revoked" state for known non-issued certificate serial* * numbers is allowed in order to reduce the risk of relying parties* * using CRLs as a fall back mechanism, which would be possible when* * the "unknown" response is returned.* * When a responder responds revoked or unknown to a status request* * for a non-issued certificate, the responder MUST include the* * non-issued certificate extension (see section 4.4.8) in the* * response.* * When a responder responds revoked to a status request for a non-* * issued certificate, in addition, the responder:* * - MUST provide the revocation reason certificateHold (6),* * - MUST specify the revocationTime January 1, 1970, and;* * - MUST NOT include a CRL References extension (section 4.4.2) or an= y* * CRL Entry Extensions (section 4.4.5).* Finally, the last bullet on page 4 should be reworded: Current text: * o Section 4.4.8 specifies a new extension that indicates that the= * * responder supports the extended use of the "revoked" response* * for non-issued certificates defined in section 2.2.* Proposed replacement text: * o Section 4.4.8 specifies a new extension that indicates that* * the OCSP responder knows that CA identified in the request* * has no record of ever having issued a certificate with the* * certificate serial number present in the request, as defined* * in section 2.2.* No. Again, this changes the scope of the extension and its audit properti= es. Such change requires WG consensus. *See earlier comments.* *Comment 9:*Solved, if the comment above may be solved. *Comment 20*:This comment is preliminary classified by you as =93not=20 broken=94. However, since you asked: =93If you don=92t replace 4.2.2.3, then what really are you missing ?=94, I will provide you with an answer. This is the wrong way to state the question. Providing an ASN.1 syntax=20 as in 4.2.1 is not enough: the use of every parameter MUST be explained using English words. So if you explain the use of every parameter after=20 the description of the ASN.1 syntax in section 4.2.1. then section 4.2.2.= 3 is no more needed and thus can be deleted. The answer to your question =93what is really missing=94 is a description= of=20 the use of every parameter listed in the ASN.1 in section 4.2.1 There are sufficient descriptions in the subsections following the ASN.1=20 description. Your change proposals are not compatible with the minimalist= ic approach adopted by the WG. *The key point is whether we want a =93good=94 document or maintain the l= ow=20 quality of the original document.*** *Comment 26*: You asked for explanations. Let me provide you with an=20 example when CRLs are being used by the OCSP responder in the background. The OCSP responder needs to make sure that the CRL it uses is valid. If=20 it is simply using published CRLs (i.e. no trusted link with the CA), it=20 needs to make sure that the CA which has issued the CRL has no been revoked. No, this is a misstatement. You don't revoke CAs. You revoke CA=20 certificates. *Right.* There might be a CA certificate that has been revoked for a reason that=20 does not affect the OCSP responder. * ..but the contrary may also apply.* These are operational policies that are outside the scope of the protocol= . *The proposed text does not affect the protocol.* The proposed text in comment 26 is plain wrong, or at least misleading.=20 The OCSP responder does not have to validate the CRL up to any=20 particular root. It may for example have been configured to directly trust the public key=20 used to validate the CRL. *T**his depends how it makes sure that it is reading the right CRL. It=20 may or may not use a root CA.* In France, there is a root CA for the Administration. However, the use=20 of that root CA is optional. Thus a Ministry may have its own root, but may also have its key certified by the root CA of the=20 Administration. The OCSP responder may use the root CA of the Ministry, while a relying party may use the root CA of the Administration (or the=20 reverse) to validate the CRL for the target certificate. Thus the revocation status will be different if the certificate of the=20 CA of the Ministry is revoked by the root CA of the Administration. Which reinforces my point. How the OCSP responder is configured to trust=20 its information source is outside the scope of the protocol. The OCSP protocol never claims to provide the same conclusion about=20 revocation than another source the relying party may use. *We both agree; however would you point me where this is said in the=20 current draft? Since I could not find it, I believe it is useful to highlight the point in the security=20 considerations section. * * * *Finally, I believe that the major point indicated earlier comes from=20 the original "bad writing" of RFC 2560.* *There is no clear distinction between what applies to=20 ***BasicOCSPResponse* and ***what applies *to Single Response.* *On page 15 from draft-14, the text still states in section 4.2.2.2 =20 Authorized Responder: "It is necessary however to ensure that the entity signing this=20 information is authorized to do so". This is vague. What is "this information " ? This text is within section=20 "4.2.2 Notes on OCSP Responses". This does not help much. Is it BasicOCSPResponse ? If it is , this is wrong. It is SingleResponse, since a single response may be signed by the right=20 key and/or the right certificate, but not another single response. How can a reader guess that it is SingleResponse ? Once again the quality of the text is really bad, and that text and some=20 other portions (3.2 Signed Response Acceptance Requirements) would need to be changed. * ** *Denis* > Denis, > > My replies in line; > > From: Denis Pinkas > > Date: Monday, February 11, 2013 3:18 PM > To: Stefan Santesson > > Cc: Stephen Kent >, pkix=20 > > > Subject: Re: [pkix] Review of 2560-bis draft 8. Answer to WGLC > > Stefan, > > I have finally reviewed your disposition of comments. I have used > draft 13. > > I will not address the comments in sequence, but I will consider > four categories: > > *Category 1)*Some comments which seem to be solved. Yes indeed, > they may be a few of them ! > > *Category 2)*Some comments which might possibly be solved at the > WG level. > > *Category 3)*Some comments that I will address at the IETF last > call level, rather than the WG last call level, since I disagree > that it is =93new ways to say the same thing=94 and it is likely to= be > a waste of time for both of us to argue again at the WG level > (these comments are commented as =93not broken=94). > > *Category 4)*Some typos and editorials found while reading draft 13= . > > *CATEGORY 1* > > *Comment 4*(was editorial). > > *Comment 5.* > > ** > > *Comment 6. * > > *Comment 19*. Solved, since *=93unknown=94*seems now to be also > allowed for non-issued certificates > (even if the OCSP responder is using a direct access to the > certificate database). See comment 8. > > *Comment 13*: Acceptable, since the text uses *=93MAY=94.* > > *Comment 18. * > > *Comment 22.* > > *Comment 23.* > > *Comment 28.* > > *CATEGORY 1* > > *Comment 8*: You have changed the meaning of the revoked state in > a way that is not what I requested. > > The original text was: > > *The "revoked" state indicates that the certificate has been revoke= d* > > *(either permanantly or temporarily (on hold)).* > > The new text is: > > ** > > * The "revoked" state indicates that the certificate has been re= voked* > > * either permanently or temporarily on hold (i.e. the revocation= reason* > > * is certificateHold).* > > By doing this, you do not allow any other case in the future to > have a temporary revocation: =93*temporarily on hold=94** > *is not the same as*=93**temporarily revoked=94**.* > > I propose the following rewording: > > *The "revoked" state indicates that the certificate has been revoke= d * > > * either permanently or temporarily (e.g. placed on hold).* > > > I substituted "temporarily on hold" with "temporarily. The rest=20 > unchanged since the only existing reason code for temporary revocation=20 > is certificateHold. > > > > The way the text from draft 13 is now written seems to allow using > either *=93unknown=94*or *=93revoked=94*for non-issued certificates= . > If this is the intent, then the good news is that this does not > come anymore into conflict with the French rules which apply for > the Administration since OCSP responders from CAs used by the > French Ministries having a direct access to the database > of issued certificates will be able to use *=93unknown*=94, rather > than *=93revoked=94*and the reason code *=93onhold=94.* > > However, the current text is still mandating the use of *Extended > Revoked Definition*, but the rational for its need it is very poor. > As I have said on the PKIX list, the fact that the revocation date > is January 1rst, 1970 is fully sufficient to know that we are in th= at > very special case, and you have not provided a rational to say the > contrary. > > > I have. And I have pointed you to the minutes of the last PKIC meeting. > The consensus of the WG is to have the extension for just those reasons= . > > As implementer, I don't like heuristics. A date of Jan 1st 1970 may=20 > indicate this behaviour, but may just be a misconfiguration. It is not=20 > an explicit statement. > > So we could get rid of it, =85 but the text from section 4.4.8 stat= es: > > * This extension MAY be present in other responses to signal tha= t the* > > * responder implements the extended revoked definition in sectio= n 2.2.* > > I have difficulties to understand what is really meant there > (=93other responses=94 ?), since the text states: > > * This extension indicates that the responder supports the exten= ded* > > * definition of the "revoked" status to also include non-issued* > > * certificates according to section 2.2.* > > Since both =93unknown=94 and revoked=94 can be used, it would be > desirable to be able to include the same extension in both cases, > but in that case that extension should be renamed. > > > This extension can be included in all responses to signal that a=20 > responder implements the expanded definition of revoked. > Doing so makes this fact auditable without having to ask for a=20 > non-issued cert. > > > I would propose to rename it: "*non-issued certificate*=94 which > means that the associated CA has no record of ever having issued > a certificate with the certificate serial number in the request (I > still consider it as unnecessary in the case of =93revoked=94, but = it > would be > very useful in the case of =93unknown=94). Of course, the text from > section 4.4.8 would need to be revised. > > I propose the following: > > *4.4.8 Non-issued certificate extension* > > * * > > * This extension MUST be included in the OCSP response when the = OCSP* > > * responder knows that the CA identified in the request has no r= ecord* > > * of ever having issued a certificate with the certificate seria= l* > > * number indicated in the request.* > > * * > > * Clients do not have to parse this extension in order to determ= ine* > > * the status of certificates in responses.* > > * * > > * This extension is identified by the object identifier id-pkix-= ocsp-* > > * non-issued-cert.* > > * * > > * id-pkix-ocsp-non-issued-cert OBJECT IDENTIFIER ::=3D {id-pki= x-ocsp 9}* > > * * > > * The value of the extension SHALL be NULL. This extension MUST = NOT be* > > * marked critical.* > > Then the text on page 8 would need to be rearranged. > > > Your extension variant is a significant change to what has been agreed= . > Your extension would need to be a single response extension, and can't=20 > be used to audit the behaviour of the OCSP responder unless you send a=20 > request for a non-issued cert. > We want to avoid sending such fake requests for audit purposes as it=20 > may interfere with systems at the responder trying to detect existence=20 > of rouge certificates. > > This is a type of change that I can't make unless you get support from=20 > a majority of the WG for the change of direction you propose. > > The current text is: > > * This state MAY also be returned if the* > > * associated CA has no record of ever having issued a certificat= e with* > > * the certificate serial number in the request, using any curren= t or* > > * previous issuing key (referred to as a "non-issued" certificat= e in* > > * this document).* > > * * > > * The "unknown" state indicates that the responder doesn't know = about* > > * the certificate being requested.* > > * * > > * NOTE: The "revoked" state for known non-issued certificate ser= ial* > > * numbers is allowed in order to reduce the risk of relyin= g* > > * parties using CRLs as a fall back mechanism, which would= be* > > * considerably higher if an "unknown" response was returne= d.* > > * * > > * When a responder responds revoked to a status request for a no= n-* > > * issued certificate, the responder MUST include the extended re= voked* > > * definition response extension (section 4.4.8) in the response,= * > > * indicating that the OCSP responder supports the extended defin= ition* > > * of revoked state to also cover non-issued certificates. In add= ition,* > > * the SingleResponse related to this non-issued certificate;* > > * * > > * - MUST provide the revocation reason certificateHold (6),* > > * * > > * - MUST specify the revocationTime January 1, 1970, and;* > > * * > > * - MUST NOT include a CRL References extension (section 4.4.2= ) or any* > > * CRL Entry Extensions (section 4.4.5).* > > Proposed text for a replacement: > > * The "unknown" state indicates that the responder doesn't know = about* > > * the certificate being requested.* > > * * > > * If the OCSP responder knows that CA identified in the request = has* > > * no record of ever having issued a certificate with the certifi= cate* > > * serial number in the request, using any current or previous is= suing* > > * key (referred to as a "non-issued" certificate in this documen= t),* > > * the OCSP responder SHALL respond either =93revoked =93 or =93u= nknown=94.* > > > This is unfortunately very common in your rewording efforts. When=20 > trying to fix one thing, you create new even bigger problems. > > An infrastructure that provides reproduced responses will respond=20 > "unauthorized". This text may be interpreted to interfere with such=20 > operations. > Further, and worse. This is not backwards compatible. Current OCSP=20 > responders may respond "good" even if they have access to CA records. > > * * > > * Note: The "revoked" state for known non-issued certificate ser= ial* > > * numbers is allowed in order to reduce the risk of relying part= ies* > > * using CRLs as a fall back mechanism, which would be possible w= hen* > > * the "unknown" response is returned.* > > * * > > * When a responder responds revoked or unknown to a status reque= st* > > * for a non-issued certificate, the responder MUST include the* > > * non-issued certificate extension (see section 4.4.8) in the* > > * response.* > > * * > > * When a responder responds revoked to a status request for a no= n-* > > * issued certificate, in addition, the responder:* > > * * > > * - MUST provide the revocation reason certificateHold (6),* > > * * > > * - MUST specify the revocationTime January 1, 1970, and;* > > * * > > * - MUST NOT include a CRL References extension (section 4.4.2)= or any* > > * CRL Entry Extensions (section 4.4.5).* > > Finally, the last bullet on page 4 should be reworded: > > Current text: > > * o Section 4.4.8 specifies a new extension that indicates th= at the* > > * responder supports the extended use of the "revoked" res= ponse* > > * for non-issued certificates defined in section 2.2.* > > ** > > Proposed replacement text: > > * o Section 4.4.8 specifies a new extension that indicates t= hat* > > * the OCSP responder knows that CA identified in the reque= st* > > * has no record of ever having issued a certificate with t= he* > > * certificate serial number present in the request, as def= ined* > > * in section 2.2.* > > > No. Again, this changes the scope of the extension and its audit=20 > properties. > Such change requires WG consensus. > > > *Comment 9:*Solved, if the comment above may be solved. > > *Comment 20*:This comment is preliminary classified by you as =93no= t > broken=94. However, since you asked: =93If you don=92t replace 4.2.= 2.3, > then what really are you missing ?=94, I will provide you with an > answer. > > This is the wrong way to state the question. Providing an ASN.1 > syntax as in 4.2.1 is not enough: the use of every parameter > MUST be explained using English words. So if you explain the use > of every parameter after the description of the ASN.1 syntax > in section 4.2.1. then section 4.2.2.3 is no more needed and thus > can be deleted. > > The answer to your question =93what is really missing=94 is a > description of the use of every parameter listed in the ASN.1 in > section 4.2.1 > > > There are sufficient descriptions in the subsections following the=20 > ASN.1 description. Your change proposals are not compatible with the=20 > minimalistic approach adopted by the WG. > > > *Comment 21.* > > While I can agree in general with the intent of the text, I do not > understand the first sentence of the Note which speaks of =93CA key > rollover=94 > and is copied below: > > * Note: CA key rollover is not prohibited when issuing a certifi= cate* > > * for an authorized responder for backwards compatibility = with* > > * RFC 2560 [RFC2560]. That is, it is not prohibited to iss= ue a* > > * certificate for an authorized responder using a differen= t* > > * issuing key than the key used to issued the certificate = being* > > * checked for revocation. However, such practice is strong= ly* > > * discouraged since clients are not required to recognize = a* > > * responder with such certificate as an authorized respond= er.* > > I would propose to delete it, since it does not add anything and > thus to have: > > * Note: For backwards compatibility with RFC 2560 [RFC2560], it = is* > > * not prohibited to issue a certificate for an authorized* > > * responder using a different issuing key than the key use= d to* > > * issued the certificate being checked for revocation.* > > * However, such practice is strongly discouraged since cli= ents* > > * are not required to recognize a responder with such* > > * certificate as an authorized responder.* > > > I agree, your text is better. Updated. > > *Comment 24*: The ASN.1 module in annex B.1 is still wrong, since > it does not define NoCheck. > > > No you are wrong. We have confirmed with several ASN.1 experts that=20 > definition of NoCheck is not necessary to define null content. > The current definition is perfectly valid ASN.1 > > *Comment 26*: You asked for explanations. Let me provide you with > an example when CRLs are being used by the OCSP responder > in the background. The OCSP responder needs to make sure that the > CRL it uses is valid. If it is simply using published CRLs > (i.e. no trusted link with the CA), it needs to make sure that the > CA which has issued the CRL has no been revoked. > > > No, this is a misstatement. You don't revoke CAs. You revoke CA=20 > certificates. There might be a CA certificate that has been revoked=20 > for a reason that does not affect the OCSP responder. > These are operational policies that are outside the scope of the protoc= ol. > > The proposed text in comment 26 is plain wrong, or at least=20 > misleading. The OCSP responder does not have to validate the CRL up to=20 > any particular root. It may for example have been configured to=20 > directly trust the public key used to validate the CRL. > > > In France, there is a root CA for the Administration. However, the > use of that root CA is optional. Thus a Ministry may have its own > root, > but may also have its key certified by the root CA of the > Administration. The OCSP responder may use the root CA of the > Ministry, > while a relying party may use the root CA of the Administration > (or the reverse) to validate the CRL for the target certificate. > Thus the revocation status will be different if the certificate of > the CA of the Ministry is revoked by the root CA of the > Administration. > > > Which reinforces my point. How the OCSP responder is configured to=20 > trust its information source is outside the scope of the protocol. > > The OCSP protocol never claims to provide the same conclusion about=20 > revocation than another source the relying party may use. > > I skip category 3 as this will be dealt with in IESG last call. > > > *CATEGORY 3* > > *Comments*2, 3, 7, 10, 12, 14, 15, 16, 17, 25 and 27. > > *CATEGORY 4* > > Page 4. The indentation of the bullets in section 1 is not uniform. > Bullets 1, 4, 5 and 9 have problems. > > Page 4. The fact that there is now an Annex B.2 dealing with the > 2008 ASN.1 syntax is missing. This should be added. > > Page 10. Change =93*Se further section 4.2.2.2=94*into =93*See furt= her > section 4.2.2.2=94 > * > > > > Thanks. I have fixed them all. > > /Stefan > > > Denis > ** > > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > > > >> Denis, >> >> Responding to your comments below. >> >> However, one general remark to make recurring comments easier to >> understand. >> >> The WG decided to adopt a minimalistic approach to updating RFC >> 2560. That means that >> >> 1. We don't change anything from RFC 2560 unless it is broken, >> or the industry clearly need clarifications in order to avoid >> interoperability issues. >> 2. We retain the document structure of RFC 2560 as much as >> possible to allow easy comparison of what the changes are in >> comparison with RFC 2560. >> >> >> One can always think up more clever ways to write things out in >> words. But that also comes with a risk. >> The current words has been around for a long time and we know >> from experience which words worked to produce working >> implementations, and which did not. >> Introducing new ways to say the same thing may introduce new >> problems and people might disagree on what the new perfect >> wording should be. And this could go on forever. >> >> So when my reply is "Not broken", then that is because the >> current wording does not have such problems that is merits a chang= e. >> >> >> >> From: Denis Pinkas > > >> Date: Sunday, January 20, 2013 5:12 PM >> To: Stefan Santesson > >, Stephen Kent > > >> Cc: pkix > >> Subject: Re: [pkix] Review of 2560-bis draft 8. Answer to WGLC >> >> Please find 32 comments on draft-ietf-pkix-rfc2560bis >> >> 1.The document states: >> >> **> responded to separately> >> >> >> Responded to separately. >> >> 2.The current text from section 2 states: >> >> 2. Protocol Overview >> >> =20 >> >> In lieu of or as a supplement to checking against a period= ic CRL, it >> >> may be necessary to obtain*timely information* regarding = the >> >> revocation status of a certificate (cf. RFC5280], Section = 3.3). >> >> Examples include high-value funds transfer or large stock = trades. >> >> =20 >> >> The Online Certificate Status Protocol (OCSP) enables appl= ications to >> >> determine the (revocation) state of an identified certific= ate. OCSP >> >> may be used to satisfy some of the operational requirement= s of >> >> providing*more timely revocation information* than is pos= sible with >> >> CRLs and may also be used to obtain additional status info= rmation. >> >> =20 >> >> This text is misleading because readers may think that OCPS ne= cessarily provides =93timely information=94. >> >> =20 >> >> >> "may" does not mean "necessarily". >> >> Proposed text replacement: >> >> =20 >> >> *The Online Certificate Status Protocol (OCSP) is a >> client-server * >> >> *protocol which enables applications to obtain the revocation >> status * >> >> *of one or more certificates either "good", "revoked", or >> "unknown".* >> >> ** >> >> *The revocation status may be provided by the server either >> using a * >> >> *real time access to a database of issued certificates, or >> using a * >> >> *batch access to a database of issued certificates, or using a= * >> >> *real time access to a database of revocation statuses of >> issued * >> >> *certificates, or using a batch access to a database of >> revocation * >> >> *statuses of issued certificates, or using CRLs, or using a * >> >> *combination of base CRLs and delta CRLs.* >> >> ** >> >> *In the first case, it is possible to obtain timely >> revocation status * >> >> *information, whereas in the other cases, the freshness of the= * >> >> *revocation status is not better than the mechanisms it is >> based on.* >> >> =20 >> >> =20 >> >> >> Not broken >> >> 3.The current text from section 2 states: >> >> =20 >> >> An OCSP client issues a status request to an OCSP responde= r and >> >> Suspends acceptance of*the certificate in question* until= the >> >> responder provides a response. >> >> =20 >> >> This protocol specifies the data that needs to be exchange= d between >> >> an application checking the status of a certificate and th= e server >> >> providing that status. >> >> =20 >> >> Thus is insufficient for an overview. More details are needed = to know what the document provides, >> in particular that the request may contain several requests fo= r several certificates issued by different CAs. >> The possibility of using extensions should also be advertised. >> >> =20 >> >> Proposed text replacement: >> >> =20 >> >> When using OCSP, an OCSP client issues a certificate revocatio= n >> >> status request to an OCSP responder *for one or more >> certificates * >> >> *issued by the same CA or for one or more certificates issued >> by * >> >> *different CAs *and then suspends acceptance of the >> certificate(s) >> >> in question until the responder provides a response. >> >> This document specifies the data that needs to be exchanged >> between >> >> an application checking the status of a certificate and the >> server >> >> providing that status. >> >> *OCSP may also provide additional status information using * >> >> *extensions. * >> >> >> Not broken >> >> 4.Page 6. Editorial. Punctuation and a CR/LF are missing. >> >> The text states: >> >> * 3. the request contains the information needed by the res= ponder If* >> >> * any one of the prior conditions are not met, the OCSP = responder* >> >> * produces an error message; otherwise, it returns a def= initive* >> >> * response.* >> >> It should state: >> >> * 4. the request contains the information needed by the res= ponder.* >> >> * * >> >> * If any one of the prior conditions are not met, the OC= SP responder* >> >> * produces an error message; otherwise, it returns a def= initive* >> >> * response.* >> >> >> Fixed in draft 10. >> >> 5.On page 7, the text states: >> >> ** >> >> *All definitive response messages SHALL be digitally signed. >> The key* >> >> *used to sign the response MUST belong to one of the following= :* >> >> * * >> >> * - the CA who issued the certificate in question* >> >> * - a Trusted Responder whose public key is trusted by th= e requester* >> >> * - a CA Designated Responder (Authorized Responder) who = holds a* >> >> * specially marked certificate issued directly by the CA= , indicating* >> >> * that the responder may issue OCSP responses for that C= A.* >> >> ** >> >> The paragraph is ambiguous on several aspects. >> >> Delegation is addressed in at least three different places, >> but with different terms and conditions. >> If some one picks a sentence in one paragraph rather than >> another, it will lead to a different conclusion. >> RFCs are supposed to be clear. >> >> On page 10, the current text states in section*2.6 OCSP >> Signature Authority Delegation *states: >> >> =20 >> >> *The key that signs a certificate's status information need >> not be the* >> >> *same key that signed the certificate.**A certificate's issuer= * >> >> *explicitly delegates OCSP signing authority by issuing a >> certificate* >> >> *containing a unique value for extendedKeyUsage in the OCSP >> signer's* >> >> *certificate. This certificate MUST be issued directly to the* >> >> *responder by the cognizant CA.* >> >> =20 >> >> On page 16, there is a section >> *4.2.2.2***called*=93**Authorized Responders=94*dealing with t= he >> same topic. >> >> Section 4.2.2.2 states: >> >> *The key that signs a certificate's status information need >> not be the* >> >> *same key that signed the certificate**. It is necessary >> however to* >> >> *ensure that the entity signing this information is >> authorized to do* >> >> *so.Therefore, a certificate's issuer MAY either sign the OCSP= * >> >> *responses itself or it MAY explicitly designate this >> authority to* >> >> *another entity.OCSP signing delegation SHALL be designated >> by the* >> >> *inclusion of id-kp-OCSPSigning in an extendedKeyUsage >> certificate* >> >> *extension included in the OCSP response signer's >> certificate.This* >> >> *certificate MUST be issued directly by the CA that issued the= * >> >> *certificate in question.* >> >> ** >> >> *The CA SHOULD use the same issuing key to issue a delegation* >> >> *certificate as was used to sign the certificate being >> checked for* >> >> *revocation. Systems relying on OCSP responses MUST recognize = a* >> >> *delegation certificate as being issued by the CA that issued >> the* >> >> *certificate in question only if the delegation certificate >> and the* >> >> *certificate being checked for revocation was signed by the >> same key.*** >> >> The last sentence above in yellow is the key sentence that is >> missing in the two other sections. >> >> =20 >> >> Most implementations only support the case where the OCSP Resp= onder receives an OCSP certificate that is signed by the same key >> that was used to sign the target certificate. They do not supp= ort the case where the OCSP Responder receives an OCSP certificate >> that is signed by a key that is different from the one that wa= s used to sign the target certificate. >> >> It is inappropriate to have three sections dealing with the >> same topic with a slightly different meaning. >> >> It is proposed the following. >> >> On page 7, after: >> >> * - a CA Designated Responder (Authorized Responder) who = holds a* >> >> * specially marked certificate issued directly by the CA= , indicating* >> >> * that the responder may issue OCSP responses for that C= A.* >> >> it is proposed to add =93(*see section 4.2.2.2 for further >> details**)=94*, so that the reader knows that more details are >> provided later on. >> >> Then we do not need two sections to address delegation which >> start with the same sentence: >> >> >> =93*The key that signs a certificate's status information need >> not be the same key that signed the certificate=94.* >> >> ** >> >> It is thus proposed to delete section 2.6. >> >> Section 4.2.2.2 will thus remain the single section providing >> full details. >> >> =20 >> >> >> I have added references to section 4.2.2.2 in the quoted sections >> in 2.2 and 2.6. >> (will be included in draft 11) >> >> >> 6. Page 7, the text states: >> >> * A definitive response message is composed of:* >> >> * * >> >> * - version of the response syntax* >> >> * - name of the responder* >> >> * - responses for each of the certificates in a request* >> >> * - optional extensions* >> >> * - signature algorithm OID* >> >> * - signature computed across hash of the response* >> >> This description does not fit with the ASN.1 syntax which is >> detailed later on, and in particular: >> >> * ResponseData ::=3D SEQUENCE {* >> >> * version [0] EXPLICIT Version DEFAULT v1,= * >> >> * **responderID ResponderID,* >> >> * producedAt GeneralizedTime,* >> >> * responses SEQUENCE OF SingleResponse,* >> >> * responseExtensions [1] EXPLICIT Extensions OPTIONAL= }* >> >> Proposed text replacement: >> >> *A definitive response message is composed of:* >> >> ** >> >> *- a response status and if there is no error, the following:* >> >> *- the version of the response syntax,* >> >> *- an identifier of the OCSP server,* >> >> *- the time at which the response was produced,* >> >> *- single responses for each of the target certificates,* >> >> *- optional extensions,* >> >> *- the signature algorithm OID,* >> >> *- the signature computed across hash of the response, and* >> >> *- optional certificates.* >> >> >> This is an overview section. We ought not try to duplicate the >> level of detail provided in the detailed protocol section. >> A "definitive response" according to tho 2.1 is a response to an >> error-free request, so your first remark is redundant. >> >> I have added a note about time to the current list, and changed >> "name" to identifier in bullet 2. >> (will be included in draft 11) >> >> 7.The text states on page 7: >> >> *The response for each of the certificates in a request >> consists of* >> >> ** >> >> *-target certificate identifier* >> >> *-certificate status value* >> >> *-response validity interval* >> >> *-optional extensions* >> >> However, there are no explanations for the purpose of these >> parameters and how they should be processed. >> >> There are also no explanations on how to process a single >> response and how to verify that it is its presence within the >> signed structure >> is valid or not valid. This is a major deficiency of the >> current description of RC 2560 where there is no explanation >> on how to validate >> a single response. >> >> Text proposal to be added after: >> >> *The purpose of the identifier of the OCSP server is to allow >> OCSP * >> >> *clients to find whether the definitive response was signed >> by a CA * >> >> *or by an OCSP Responder.* >> >> ** >> >> *The identifier of the OCSP server SHOULD either be the name >> or the * >> >> *key from a CA, or the name or the key from a OCSP Responder.* >> >> ** >> >> *Unless there exist local rules (which are outside the scope >> of this * >> >> *document) for verifying that a single response is correctly >> signed, * >> >> *the following applies:* >> >> *When the identifier matches with the name of the CA which >> has issued * >> >> *the target certificate or corresponds to the key used to >> issue the * >> >> *target certificate, then a single response is correctly signe= d * >> >> *only if the digital signature of the OCSP response is valid >> using the * >> >> *key used to sign the target certificate.* >> >> ** >> >> *When the identifier does not match with the name of the CA >> which has * >> >> *issued the target certificate or does not correspond to the >> key used * >> >> *to issue the target certificate, then an single response is >> correctly * >> >> *signed only if :* >> >> ** >> >> *(a) there exists in the response an OCSP certificate issued b= y * >> >> *the CA which has issued the target certificate which is * >> >> *signed by the same key as the one used to issue the * >> >> *target certificate, and* >> >> ** >> >> *(b) the digital signature of the OCSP response is valid using= * >> >> *the subjectPublicKey contained in this OCSP certificate.* >> >> >> Not broken. >> All of this is already covered by the document. >> >> 8.The text states on page 7: >> >> The "revoked" state indicates that the certificate has been >> revoked >> >> *(either permanently or temporarily (on hold)). *This state >> MAY also be >> >> returned if the responder knows that the requested >> certificate has >> >> *never been issued during the history of the associated CA >> *using any >> >> current or previous issuing key. ** >> >> The text is ambiguous because there are two embedded >> parenthesis and it is unclear whether the inner parenthesis >> means =93i.e=94 or =93e.g=94. >> This single sentence may let think that on hold is the single >> case for temporarily revocation. Since neither X.509 nor RFC >> 5280 address >> the case of a temporary revocation in the context of an OCSP >> response (but only in the context of CRLs), we are able to >> add another case >> of temporary revocation which will only apply in the context >> of OCSP. >> >> The above sentence using the terms=93*never been issued during >> the history of the associated CA*=93does not capture the fact >> that it could be issued in the future, hence why using=93*not >> yet been used=94*would be more appropriate. >> >> Finally, it would have been more logical to use =93unknown=94.= So >> it is important to add a note to explain why we have chosen >> that case for =93legacy clients=94, >> otherwise the people who have not participate to the >> exchanges will not understand. >> >> Proposed text replacement: >> >> *The "revoked" state indicates that the certificate has be= en revoked,* >> >> * either permanently or temporarily.* >> >> =20 >> >> A certificate may be temporarily revoked either because it= is >> >> placed on hold (*i.e. the revocation reason is certificate= Hold*) or >> >> because the responder is able to know, using a positive li= st of >> >> issued certificates, that the serial number from the reque= sted >> >> certificate has*not yet been used* by the CA to issue a c= ertificate >> >> (*i.e. the revocation reason is notIssuedOrIrregularlyIssu= ed*). >> >> =20 >> >> *NOTE: The "revoked" state is used rather than the =93unknown=94= state, to* >> >> * make sure that relying parties that were conformant to= RFC 2560* >> >> * will not use CRLs as a fall back mechanism.* >> >> =20 >> >> >> I removed the double parenthesis and adopted your clarification >> with regard to "on hold". >> >> The text in draft 10 has changed from what you have commented on. >> I believe that text is better. >> >> You "Note" has problems. >> >> 1. We do not prevent responders to respond "unknown" if their >> assessment is that this is an appropriate response, >> considering what they know about the requested serial number. >> Thus the term "is used" is misleading. >> 2. This mechanisms does not "make sure" that the clients do >> anything. It's up to the discretion of the relying party to >> decide what source of revocation checking they rely on. This >> does however reduce the risk of clients falling back to CRL:s >> 3. This mechanism is not just relevant to old clients, but also >> to new one for the same reason. >> >> >> I have adopted a modified version of your Note: >> >> NOTE: The "revoked" state for known non-issued certificate seri= al >> numbers is allowed in order to reduce the risk of relying >> parties using CRLs as a fall back mechanism, which would = be >> considerably higher if an "unknown" response was returned= . >> >> >> >> 9.The text states on page 8: >> >> *When a responder responds revoked to a status request for a >> non-* >> >> *issued certificate, the responder MUST also;* >> >> ** >> >> *- include the extended revoked definition response extension* >> >> *(section 4.8), indicating that the OCSP responder supports th= e* >> >> *extended definition of revoked state to also cover non-issued= * >> >> *certificates,* >> >> ** >> >> *- provide the revocation reason certificateHold (6), and;* >> >> ** >> >> *- specify the revocation date January 1, 1970. * >> >> As already explained on the PKIX list, using the revocation >> reason**certificateHold is not appropriate >> because it changes the meaning of certificateHold. >> >> The extended revoked definition response extension is a means >> to signal that it not a true certificate hold but a =93not >> issued certificate=94. >> Legacy applications cannot take advantage of it. >> >> Some applications which handle non repudiation enter a >> waiting state when the revocation reason certificateHold is >> used thus >> it is not appropriate to overload the meaning. >> >> ** >> >> It is possible to use another enumeration for signalling that >> specific case: >> >> notIssuedOrIrregularlyIssued (7). >> >> ** >> >> Thus for new applications it would be much better to use >> notIssuedOrIrregularlyIssued (7) as already proposed on the >> PKIX list. >> >> The above sentence uses the text: =20 >> >> =20 >> >> =93a status request for a*non-issued certificate*=94 >> >> =20 >> >> whereas it would be more appropriate to state: =20 >> >> =20 >> >> =93a status request for a* serial number which has not been u= sed by the CA or used irregularly to issue a certificate=94.* >> >> * * >> >> Placing the ASN.1 description at such a place in the document = is inappropriate since the ASN.1 structures have not yet been described. >> Thus only the functional aspects should be mentioned, but not = the ASN.1 implications. >> >> * * >> >> BTW, the description should follow the same order as the ASN.1= . This is not the case. >> >> =20 >> >> This text should be deleted from this section and the appropri= ate text should be added when the parameters of the response are describe= d. >> >> =20 >> >> The text proposed in the previous comment should be sufficient= at this time of reading. >> >> =20 >> >> In addition, section*4.4.8Extended Revoked Definition *should >> be deleted.** >> >> =20 >> >> =20 >> >> >> The referred text has been updates in draft 09. >> >> This has been discussed on the list and you have yet to convince >> the list of your new reason code. >> I disagree as the risk of running into problems with the deployed >> base of application is hugely larger with introduction of a new >> reason code, rather than using certificateHold. >> No application should be broken, since no application have >> business asking for non-issued cert serial numbers in the first >> place. Secondly, no application can assume that a certificateHold >> reason will be cleared any time soon. >> >> >> 10.The text states on page 8: >> >> *2.4Semantics of thisUpdate, nextUpdate and producedAt* >> >> This section is misplaced. At this time of reading, the >> reader does not know that thisUpdate, nextUpdate and >> producedAt are values >> used by the ASN.1 structures. It is appropriate to describe >> what theses parameters mean when the ASN.1 syntax is described= . >> The current ASN.1 syntax is very badly described. One would >> expect that after every ASN.1 structure description every >> parameter is described. >> Unfortunately this is not the case. >> >> The text from this section is not aligned with the text that >> is present in section 4.2.2.1. >> >> In particular, in section 2.4: >> >> ** >> >> *If nextUpdate is not set, the responder is indicating that >> newer* >> >> *revocation information is available all the time.* >> >> While in section 4.2.2.1: >> >> *Responses where the nextUpdate value is not set are equivalen= t * >> >> *to a CRL with no time for nextUpdate (see Section 2.4).* >> >> It is not appropriate to have two different descriptions in >> two different places. >> >> Delete section 2.4. See comment number 19 for the description >> of these parameters. >> >> >> Not broken. >> The current text segments fits well into a protocol overview secti= on. >> >> 11.Section 2.5 is also misplaced. They use values from the >> ASN.1 syntax which has not yet been described. >> They should be moved or incorporated in the document once the >> ASN.1 description has been done. >> >> >> Not broken. >> >> 12.Remainder: Section 2.6 should be deleted (see comment >> number 5). >> >> >> Not broken. >> >> 13.Section 2.7 states: >> >> *2.7CA Key Compromise* >> >> ** >> >> *If an OCSP responder knows that a particular CA's private >> key has* >> >> *been compromised, it MAY return the revoked state for all* >> >> *certificates issued by that CA.* >> >> This section is misleading and should be removed. The reason >> is the following: >> >> The relying party must verify that the singleResponse is >> signed by a responder which is entitled to do so. >> >> a) If the CA key has been compromised and if the response is >> signed by that CA key then the singleResponse will be discarde= d >> when performing the certification path validation _whatever >> the content of the response may be_. >> >> b) If the CA key which has issued the OCSP certificate has >> been compromised and if the response is signed by the key >> present >> in the OCSP certificate then the singleResponse will be >> discarded when performing the certification path validation >> _whatever the content of the response may be_. >> >> Security must be provided using the validation of the >> certification path. Thus it does not matter what the OCSP >> responder states. >> >> >> >> Not broken. >> An OCSP responder does not have to be chained to the broken CA. >> The relying party may have other trust configuration at choice. >> >> >> >> 14.The text states on page 11: >> >> *3.2Signed Response Acceptance Requirements* >> >> ** >> >> *Prior to accepting a signed response as valid, OCSP clients >> SHALL* >> >> *confirm that:* >> >> ** >> >> *1. The certificate identified in a received response >> corresponds to* >> >> *that which was identified in the corresponding request;* >> >> ** >> >> *2. The signature on the response is valid;* >> >> ** >> >> *3. The identity of the signer matches the intended recipient >> of the* >> >> *request.* >> >> ** >> >> *4. The signer is currently authorized to sign the response.* >> >> ** >> >> *5. The time at which the status being indicated is known to b= e* >> >> *correct (thisUpdate) is sufficiently recent.* >> >> ** >> >> *6. When available, the time at or before which newer >> information will* >> >> *be available about the status of the certificate >> (nextUpdate) is* >> >> *greater than the current time.* >> >> This section is misplaced since it uses terms from the ASN.1 >> syntax and the protocol description has not yet been made, >> since it is the next section 4. Its text is not correct either= . >> >> This description does not take into account the fact that >> a*BasicOCSPResponse *may contain one or several >> *SingleResponses. * >> In particular, the sentence=93*The signer is currently >> authorized to sign the response*=94 is misleading because a si= gner >> may be authorized to include some***SingleResponses *but not >> necessarily all of them. >> >> The appropriate explanations should be done after the >> description of the response, when describing the processing >> of the response. >> >> Delete that section. >> >> >> Not broken. >> >> 15.On page 12, after the ASN.1 description, the only >> parameters which are described are: >> >> *hashAlgorithm,**issuerNameHash, issuerKeyHash and serialNumbe= r.* >> >> ** >> >> This is insufficient.In order to cover the full list of >> parameters, the following text is proposed: >> >> *requestorName is optional and MAY be used by the server for >> access * >> >> *control and audit purposes.* >> >> ** >> >> *requestList contains one or more single requests.* >> >> ** >> >> *requestExtensions is OPTIONAL.Any specific extension is >> OPTIONAL.* >> >> *The critical flag SHOULD NOT be set for any of them. Section >> 4.4 * >> >> *suggests several useful extensions.Additional extensions MAY >> be * >> >> *defined in additional RFCs.* >> >> ** >> >> *reqCert contains the identifier of a target certificate.* >> >> ** >> >> *issuerNameHash is the hash of the Issuer's distinguished >> name.The * >> >> *hash shall be calculated over the DER encoding of the >> issuer's name * >> >> *field in the certificate being checked. * >> >> ** >> >> *issuerKeyHash is the hash of the Issuer's public key.The hash= * >> >> *shall be calculated over the value (excluding tag and >> length) of the * >> >> *subject public key field in the issuer's certificate.The hash= * >> >> *algorithm used for both these hashes, is identified in * >> >> *hashAlgorithm. * >> >> ** >> >> *The primary reason to use the hash of the CA's public key in = * >> >> *addition to the hash of the CA's name, to identify the issuer= , * >> >> *is that it is possible that two CAs may choose to use the sam= e * >> >> *name (uniqueness in the Name is a recommendation that cannot >> be * >> >> *enforced). Two CAs will never, however, have the same public >> key * >> >> *unless the CAs either explicitly decided to share their >> private * >> >> *key, or the key of one of the CAs was compromised.* >> >> ** >> >> *serialNumber is the serial number of the certificate for whic= h * >> >> *status is being requested.* >> >> ** >> >> *singleRequestExtensions is OPTIONAL.Any specific extension is= * >> >> *OPTIONAL.The critical flag SHOULD NOT be set for any of them.= * >> >> ** >> >> *The requestor MAY choose to sign the OCSP request.In that >> case, the* >> >> *signature is computed over the tbsRequest structure.If the >> request* >> >> *is signed, the requestor SHALL specify its name in the >> requestorName* >> >> *field.Also, for signed requests, the requestor MAY include* >> >> *certificates that help the OCSP responder verify the >> requestor's* >> >> *signature in the certs field of Signature.* >> >> >> Not broken. >> The current text is short, but it is actually sufficient from the >> context of the ASN.1 definitions of the section. This is a >> detailed protocol section and the reader need to understand ASN.1 >> in any case to understand and implement the section. >> The information about criticality is already covered in the >> extension section. >> >> >> 16.Section 4.1.2 is called:=93*Notes on the Request Syntax=94* >> >> The first paragraph has been moved after the description >> of*issuerKeyHash *and thus is no more needed. >> >> The second paragraph has been moved after the description >> of*requestExtensions. * >> However, the sentence >> =93 *Unrecognized extensions MUST be ignored (unless they have >> the critical flag set and are not understood)*=94 >> has been deleted since it applies to the OCSP responder and >> not to the OCSP client. Thus it is no more needed. >> >> The third paragraph applies to signed requests. However, it >> should belong to a section dedicated on how clients should >> build OCPS requests, >> which is currently missing. See the next comment. >> >> This section should be deleted. >> >> >> Not broken. >> >> 17.There should be a new section called: =93*Requirements for >> OCSP clients=94. * >> >> It is important first to re-advertise that the request may be >> about several certificates. >> Thus it is important to describe the process for building a >> request, which is currently missing. >> >> *An OCSP request allows getting in the same response the >> revocation * >> >> *status of one or more certificates.In order to request the * >> >> *status of one or more certificates in a single request, OCSP = * >> >> *clients SHALL follow the following rules :* >> >> ** >> >> *For each candidate certificate, OCSP clients SHALL verify * >> >> *whether there exists a locally defined rule for the >> certificate in * >> >> *question which indicates the URI where the OCSP responder is = * >> >> *located.If this rule exists, it SHALL be followed. * >> >> ** >> >> *Otherwise, OCSP clients SHALL determine whether the candidate= * >> >> *certificate contains an AIA extension with an accessMethod >> which * >> >> *contains the id-ad-ocsp OID.If it is the case, the >> accessLocation * >> >> *contains a uniformResourceIdentifier (URI) which indicates th= e * >> >> *location of the OCSP server for that certificate. * >> >> ** >> >> *Certificates that contain the same URI MAY be grouped in a >> single * >> >> *request.* >> >> ** >> >> *Note:For each candidate certificate, when performing the path= * >> >> *validation algorithm, the OCSP client SHOULD verify that the = * >> >> *current time is within the validity period of the target * >> >> *certificate.Certificates which are outside their validity * >> >> *period SHOULD NOT be included in the request.* >> >> *The requestor MAY choose to sign the OCSP request. In that >> case, the* >> >> *signature is computed over the tbsRequest structure. If the >> request* >> >> *is signed, the requestor SHALL specify its name in the >> requestorName* >> >> *field. Also, for signed requests, the requestor MAY include* >> >> *certificates that help the OCSP responder verify the >> requestor's* >> >> *signature in the certs field of Signature.* >> >> >> Not broken. >> >> Your text may provide guidance that could be useful to some >> implementers, but is completely beyond this document and further, >> not generally applicable or true. >> As an example, an organisation may setup an in house locally >> configured OCSP responder that responds to all certificates "out >> there" that is relevant to that organisation. >> Such clients would just blindly send OCSP requests to their local >> responder, disregarding any information in the cert. >> It's totally beyond this spec to have an opinion about this. >> >> >> 18.The text states on page 14: >> >> *The responder MAY include certificates in the* >> >> *certs field of BasicOCSPResponse that help the OCSP client >> verify the* >> >> *responder's signature. If no certificates are included then >> certs* >> >> *SHOULD be absent.* >> >> While this sentence is true, it is not sufficient. In order >> to allow verifying every *SingleResponse*, >> it is important to include the relevant certificates which >> are pertinent to every *SingleResponse.* >> >> Proposed full text replacement: >> >> The responder MAY include certificates in the certs field of >> >> BasicOCSPResponse that help the OCSP client verify the >> responder's >> >> signature. >> >> *For every SingleResponse where the responder is not a CA, the= * >> >> *responder SHALL include the relevant OCSP certificate in the >> certs * >> >> *field of BasicOCSPResponse in order to allow the OCSP client = * >> >> *verifying the responder was entitled to include that >> SingleResponse * >> >> *in the signed BasicOCSPResponse.* >> >> ** >> >> **If no certificates are included then certs SHOULD be absent. >> >> >> Not broken. >> >> This requirement would break backwards compatibility with RFC 2560= . >> Further this would not be needed for a locally configured responde= r. >> >> 19.Page 15. The ASN.1 syntax should be changed in order to be >> able to use the enumeration case 7 that is not used for CRLs. >> This leads to the following change: >> >> Current text: >> >> ** >> >> *revocationReason[0]EXPLICIT CRLReason OPTIONAL }* >> >> Proposed text change: >> >> Current text: >> >> ** >> >> *revocationReason [0]EXPLICIT RevocationReason OPTIONAL }* >> >> *RevocationReason ::=3D ENUMERATED {* >> >> *unspecified(0),* >> >> *keyCompromise(1),* >> >> *cACompromise(2),* >> >> *affiliationChanged(3),* >> >> *superseded(4),* >> >> *cessationOfOperation(5),* >> >> *certificateHold(6),* >> >> *notIssuedOrIrregularlyIssued (7),* >> >> *removeFromCRL(8),* >> >> *privilegeWithdrawn(9),* >> >> *aACompromise(10) }* >> >> >> Not broken. >> >> You have to convince the list about your new reason code. >> >> 20.Page 15. After the ASN.1 syntax, there is no description >> of every parameter, neither on its use >> (except a few words in section*4.2.2.1 Time >> *about*thisUpdate, nextUpdate and producedAt).* >> >> ** >> >> Every parameter needs to be described and explained. >> >> ** >> >> *responderID indicates either the name or the key from a CA, >> or the * >> >> *name or the key from a OCSP Responder.* >> >> ** >> >> *producedAt indicates the time at which this response was >> signed.* >> >> ** >> >> *responses contains one or more single responses.* >> >> ** >> >> *responseExtensions is OPTIONAL.Any specific extension is >> OPTIONAL.* >> >> *The critical flag may or may not be set.* >> >> ** >> >> *certID is usually a copy of the same field which was placed >> in the * >> >> *request, but for OCSP responders which pre-produce signed >> responses * >> >> *certID may be the identifier of a target certificate that >> was not * >> >> *present in the request (see the end of section 4.2).* >> >> ** >> >> *certStatus indicates the status of the certificate: either >> good, * >> >> *revoked or unknown.* >> >> ** >> >> *thisUpdate indicates the time at which the status being >> indicated * >> >> *is known to be correct.* >> >> ** >> >> *nextUpdate indicates the time at or before which newer >> information * >> >> *will be available about the status of the certificate.If * >> >> *nextUpdate is not set, the server is indicating that newer * >> >> *revocation information is available all the time. * >> >> ** >> >> *If nextUpdate is set, it often corresponds to the {thisUpdate= , * >> >> *nextUpdate} interval in CRLs.Responses whose nextUpdate >> value is * >> >> *earlier than the local UTC time value SHOULD be considered * >> >> *unreliable.Responses whose thisUpdate time is later than the >> local * >> >> *UTC time SHOULD be considered unreliable.* >> >> ** >> >> *singleExtensions is OPTIONAL.Any specific extension is >> OPTIONAL.* >> >> *The critical flag SHOULD NOT be set for any of them.* >> >> ** >> >> *revocationTime indicates the time at which the certificate wa= s * >> >> *revoked.* >> >> ** >> >> *revocationReason is OPTIONAL. It includes all the cases that >> are * >> >> *present in CRLReason used for CRLs and an additional case 7 >> which is* >> >> *not used for CRLs.Case 7 is called >> notIssuedOrIrregularlyIssued. * >> >> ** >> >> *- "notIssued" corresponds to the case where the certificate * >> >> *serial number that was sent was erroneous and has not yet * >> >> *been used by the CA at the time of the query,* >> >> ** >> >> *- "irregularlyIssued" corresponds to the case where the * >> >> *certificate serial number that was sent really exists in a * >> >> *certificate that is correctly signed, but to its knowledge * >> >> *the CA has not issued a certificate with such a serial * >> >> *number. As an example, it may have been issued by the CA * >> >> *because the RA was compromised. * >> >> ** >> >> * When a responder responds revoked to a status request for= which it* >> >> * knows that the serial number has not been used by the CA = or has* >> >> * been irregularly used irregularly to issue a certificate,= then* >> >> * in RevokedInfo the responder MUST:* >> >> * * >> >> * - specify the revocationTime : January 1, 1970,* >> >> * - provide the revocationReason: notIssuedOrIrregul= arlyIssued (7).* >> >> * * >> >> * and in SingleResponse the responder MUST NOT include the = nextUpdate.* >> >> ** >> >> *The response MUST include a SingleResponse for each >> certificate in* >> >> *the request and SHOULD NOT include any additional >> SingleResponse* >> >> *elements.However, there is one exception: * >> >> ** >> >> *OCSP responders MAY pre-produce signed responses specifying >> the * >> >> *status of certificates at a specified time.The time at which = * >> >> *the status was known to be correct SHALL be reflected in the = * >> >> *thisUpdate field of the response. * >> >> ** >> >> *OCSP responders that pre-generate status responses MAY return= * >> >> *responses that include additional SingleResponse elements if* >> >> *necessary to improve response pre-generation performance or >> cache* >> >> *efficiency (as permitted in [RFC5019]).* >> >> Since the text above provides all the explanations at the >> level of the ASN.1 parameters, the general text >> from section*4.2.2.3 Basic Response *is no more need and >> should be deleted.** >> >> ** >> >> >> Preliminary I would say "not broken". >> If you don't replace 4.2.2.3, then what really are you missing? >> >> 21.0n page 16, there is a section >> *4.2.2.2***called*=93**Authorized Responders=94*** >> >> Section 4.2.2.2 states: >> >> *(=85)* >> >> *This certificate MUST be issued directly by the CA that >> issued the* >> >> *certificate in question.* >> >> ** >> >> *The CA SHOULD use the same issuing key to issue a delegation* >> >> *certificate as was used to sign the certificate being >> checked for* >> >> *revocation. Systems relying on OCSP responses MUST recognize = a* >> >> *delegation certificate as being issued by the CA that issued >> the* >> >> *certificate in question only if the delegation certificate >> and the* >> >> *certificate being checked for revocation was signed by the >> same key.* >> >> This section would need to reformatted to address CA >> requirements first and then OCSP responder requirements: >> >> *(=85)* >> >> *This certificate MUST be issued directly by the CA that >> issued the* >> >> *certificate in question.The CA SHOULD use the same issuing >> key to * >> >> *issue a delegation certificate as was used to sign the >> certificate * >> >> *being checked for revocation. * >> >> ** >> >> *Systems relying on OCSP responses MUST _be able to_ >> recognize a * >> >> *delegation certificate as being issued by the CA that issued >> the * >> >> *certificate in question if the delegation certificate and * >> >> *the certificate being checked _were_ signed by the same key.* >> >> >> I disagree. The CA is actually free to do anything, but cannot >> expect the client to recognise the responder as authorised unless >> the same private key is used. >> The current text places the requirement where they belong. >> >> 22.On page 17, the text states: >> >> *They MUST reject the* >> >> *response if the certificate required to validate the >> signature on the* >> >> *response fails to meet at least one of the following criteria= :* >> >> This is ambiguous. It is inappropriate to have a negative >> statement like=93*They MUST reject=94. * >> The sentence should be turned in the positive form=93*They >> SHALL accept=94* >> >> Since the ASN.1 syntax has now be described, it is possible >> to be more specific. >> >> The first occurrence of the word =93response=94 should be chan= ged >> into =93singleResponse=94, while the second occurrence >> of the word =93response=94 should be changed into =93ResponseD= ata=94 >> >> Proposed text replacement: >> >> *They SHALL accept a singleResponse if the certificate >> required to * >> >> *validate the signature placed on the ResponseData meets one >> of the * >> >> *following criteria:* >> >> >> >> No, this change is not backwards compatible. >> So state the requirements for rejection is not equivalent to >> stating requirements for acceptance. >> There may be other locally configured reasons to reject in >> addition to those listed in the standard. >> >> >> 23.On page 17, the text states: >> >> *3. Includes a value of id-kp-OCSPSigning in an ExtendedKeyUsa= ge* >> >> *extension and is issued by the CA that issued the >> certificate in* >> >> *question as stated above."* >> >> In order to be crystal clear, it is proposed to change the >> wording in the following way: >> >> *3. Includes a value of id-kp-OCSPSigning in an ExtendedKeyUsa= ge* >> >> *extension and was signed by the CA using the same key that >> used * >> >> *to issue the certificate in question.* >> >> >> No, issuing with another key is not prohibited, and may be >> accepted by some clients as an authorised responder. >> >> 24.On page 17, the text states: >> >> *This SHOULD be a non-critical extension. The value of the >> extension * >> >> *SHALL be NULL.* >> >> ** >> >> The ASN.1 syntax is missing. Add: >> >> ** >> >> *NoCheck ::=3D NULL* >> >> ** >> >> >> Moving this to a separate discussion. >> I'm not sure what the preferred way to describe this is. >> >> >> 25.Remainder: On page 18, the general text from >> section***4.2.2.3 Basic Response***is no more needed and >> should be deleted. See comment 20. >> >> ** >> >> >> Not broken. >> >> 26.On page 24, text should be added to the Security >> consideration section: >> >> *Different results when using OCSP and CRLs* >> >> ** >> >> *OCSP clients or verifiers must build and verify a >> certification path * >> >> *for each target certificate up to a trusted root.When an OCSP= * >> >> *Responder is using published CRLs, it must also build and >> verify a * >> >> *certification path for the CRLs it uses up to a trusted root.= * >> >> ** >> >> *However, it should be realized that the root used by an OCSP = * >> >> *Responder to verified these CRLs is not necessarily the same >> as the * >> >> *one that would be used by the OCSP client, if it were going >> to verify * >> >> *the CRLs itself.Hence the revocation status may not be >> identical * >> >> *in both cases.* >> >> ** >> >> ** >> >> >> I don't understand this one. >> >> 27.On page 24, text should be added to the Security >> consideration section: >> >> ** >> >> *Denial of service attack using a flood of queries* >> >> ** >> >> *A denial of service vulnerability is evident with respect to >> a flood * >> >> *of queries.The production of a cryptographic signature * >> >> *significantly affects response generation cycle time, thereby= * >> >> *exacerbating the situation. * >> >> ** >> >> *The flood of queries may either come from a flood attack or >> from the * >> >> *fact that there are too many certificates supported by the >> same OCSP * >> >> *responder.In the later case, the number of queries can be * >> >> *reduced by using a technique similar to the splitting of CRLs= : * >> >> ** >> >> *When a block of certificates have been issued with the same * >> >> *accessLocation in the AIA extension field of these >> certificates, * >> >> *then the accessLocation should be changed.In this way, a give= n * >> >> *OCSP server will only be responsible for a block of >> certificates.* >> >> ** >> >> >> If the security considerations section is talking about splitting >> OCSP responders in this way, then the document itself need to >> introduce the subject. >> I would suggest that it is beyond this update to do so. >> >> ** >> >> 28.On page 31, the text states. >> >> *An alternative to this module that conforms to the 2002 >> version of * >> >> *ASN.1 may be found in Section 4 of [RFC5912]. * >> >> ** >> >> RFC 5912 omits to define the nocheck extension. Thus it is >> inappropriate to refer to RFC 5912. >> >> The corrected module should be defined in this new draft. >> A corrected module is providedin *draft-pinkas-rfc2560bis-03.* >> >> >> Will move this (as stated above) to a separate discussion. >> >> 29.Different topics are not covered by the document. These >> topics are important. >> The following comments propose text to be placed in annexes. >> Three annexes are being proposed. >> >> Note: The texts are extracted from*draft-pinkas-rfc2560bis-03.= * >> >> >> Not broken. >> Each such amendment need to be thoroughly reviewed and motivated. >> >> >> 30.First annex being proposed. This annex is important, >> because key rollover is not addressed in the draft. >> >> *KEY ROLLOVER* >> >> ** >> >> *1. CA that directly supports an OCSP service* >> >> ** >> >> *When a CA that directly supports an OCSP service performs a >> key * >> >> *rollover:* >> >> ** >> >> *- for certificates issued under the old key, the CA SHALL >> continue * >> >> *to sign the revocation status of OCSP responses with that >> old key * >> >> *at least until all these certificates are expired, and* >> >> ** >> >> *- for certificates issued under the new key, the CA SHALL >> change the * >> >> *accessLocation in the AIA extension field of these >> certificates * >> >> *and sign the revocation status of OCSP responses with that >> new key * >> >> *at least until all these certificates are expired.* >> >> ** >> >> *Note: The change in accessLocation is necessary when the CA >> rekeys * >> >> *to meet the following constraints imposed by this standard: * >> >> ** >> >> *1) a BasicOCSPResponse can only be signed using a single * >> >> *private key; * >> >> ** >> >> *2) the response must be signed using the same CA key that * >> >> *was used to sign the certificate in question; and* >> >> ** >> >> *3) the OCSP response needs to cover all the certificates * >> >> *queried in the OCSP request.* >> >> *2. CA that uses OCSP responders* >> >> *When a CA that uses OCSP Responders performs a key rollover, >> then * >> >> *it MUST either designate a new OCSP Responder or keep the >> current * >> >> *OCSP Responder(s).* >> >> ** >> >> *If the CA designates a new OCSP Responder, then it SHALL >> change the * >> >> *accessLocation in the AIA extension field for the newly issue= d * >> >> *certificates and issue an OCSP certificate to the new OCSP >> Responder * >> >> *using its new key.* >> >> ** >> >> *If the CA keeps the same OCSP Responder(s), then it SHALL >> continue * >> >> *to use the same accessLocation(s) in the AIA extension field >> for the * >> >> *newly issued certificates and issue an OCSP certificate to th= e * >> >> *appropriate OCSP Responder(s) using its new key.* >> >> ** >> >> *Note: The CA may need to continue issuing certificates to >> the OCSP * >> >> *Responder(s) using the old CA key until all the certificates >> issued * >> >> *under the CA' old key for which the OCSP Responder(s) are * >> >> *authoritative have expired.* >> >> ** >> >> *3. OCSP Responder key rollover* >> >> ** >> >> *When an OCSP Responder performs a key rollover >> (asynchronously from * >> >> *a CA key rollover), then each CA which has designated an OCSP= * >> >> *Responder SHALL issue a new certificate for that OCSP >> Responder and * >> >> *for each of its issuing keys which meets the following >> property: * >> >> ** >> >> *- the issuing key has been used to sign at least one >> certificate * >> >> *which contains an AIA extension designating that OCSP >> Responder * >> >> *and that certificate is not yet expired.* >> >> ** >> >> *An OCSP Responder key rollover does not affect the values of >> the * >> >> *URIs that are placed in the accessLocation field from the >> target * >> >> *certificates.One or more OCSP Responder MAY respond to an OCS= P * >> >> *request addressed at a given URI picked from the >> accessLocation * >> >> *field from a target certificate.Each OCSP Responder MAY use a= * >> >> *different signing key, as long as it got an OCSP certificate = * >> >> *appropriate for that signing key and for the target >> certificate. * >> >> 31.Second annex being proposed. This annex is important >> because it describes the validation of an OCSP response in >> the past >> which is of a particular importance when validating >> electronic signatures. >> >> *Response processing by an OCSP client* >> >> ** >> >> *OCSP responses can be verified at the current time by an >> OCSP client * >> >> *when receiving a response, whereas old responses can be >> verified at * >> >> *a time in the past by a verifier.The algorithm below addresse= s * >> >> *both cases.* >> >> ** >> >> *Prior to processing a basic response, OCSP clients MUST >> determine * >> >> *the checking time, which may be either the current time or a >> time * >> >> *in the past.* >> >> ** >> >> *OCSP clients or verifiers SHALL check if the response contain= s * >> >> *responseExtensions. If such an extension is found and is >> recognized, * >> >> *it MUST be processed.If such a critical extension is found an= d * >> >> *is not recognized, the whole OCSP response MUST be >> considered as * >> >> *invalid.* >> >> ** >> >> *If the checking time is the current time, and if a nonce >> extension * >> >> *has been used in the request and is recognized (see section >> 4.5.1), * >> >> *OCSP clients MUST check whether the same nonce is present in >> the * >> >> *response.If the nonce is not present or is different, then th= e * >> >> *OCSP response MUST be discarded.* >> >> ** >> >> *Only the single response(s) which are/is of interest SHALL be= * >> >> *checked.* >> >> ** >> >> *STEP 1* >> >> ** >> >> *OCSP clients or verifiers SHALL verify that the certificate * >> >> *identified in a single response is of interest.Otherwise, >> proceed * >> >> *to step 3.* >> >> ** >> >> *If the certificate status included in a single certificate >> response * >> >> *is "unknown", then the revocation status of that certificate >> is * >> >> *"unknown", and proceed to step 3.* >> >> ** >> >> *If the certificate status from the single certificate >> response is * >> >> *either "good" or "revoked", OCSP clients or verifiers SHALL >> check * >> >> *that the checking time is within the validity period of the >> target * >> >> *certificate.If it is not the case, then the revocation >> status of * >> >> *that certificate is "unknown" and proceed to step 3.* >> >> ** >> >> *If the checking time is the current time, and if a nonce has >> been * >> >> *used in the request, then proceed to step 2.* >> >> ** >> >> *If the checking time is the current time, and if no nonce >> has been * >> >> *used in the request, OCSP clients MUST check that the >> producedAt* >> >> *field is within a time window that is "close enough" to the >> current * >> >> *time. * >> >> ** >> >> *Note: the notion of "close enough" is a local matter.It can >> be set * >> >> *to a few minutes to allow for small UTC time differences * >> >> *between the client and the server or to a few hours in case * >> >> *the server is producing pre-computed responses.* >> >> ** >> >> *If the checking time is a time in the past, verifiers MUST >> check * >> >> *that the producedAt field is in accordance with the >> verification * >> >> *rules (e.g. close and/or after the date of a time-stamp token= ).* >> >> ** >> >> *In addition, if the nextUpdate field is present, OCSP >> clients MUST * >> >> *check that the time which is indicated is greater than the >> checking * >> >> *time, otherwise the single response MUST be discarded.* >> >> ** >> >> *If checks are successful, then OCSP clients MUST process the = * >> >> *singleExtensions field, if it is present. * >> >> ** >> >> *If the criticality flag is set and the extension is not >> understood, * >> >> *then the status of the certificate shall be "unknown" and >> proceed to * >> >> *step 3.Otherwise, proceed to step 2. * >> >> ** >> >> *If the extension is understood, then the extension MUST be * >> >> *processed.According to its content proceed either to step 2 >> or to * >> >> *step 3. * >> >> ** >> >> *STEP 2* >> >> ** >> >> *OCSP clients or verifiers MUST build and verify a >> certification path * >> >> *for that certificate up to a trusted root, so that they have >> the * >> >> *knowledge of the CA public key value that was used to sign th= e * >> >> *target certificate.The revocation status of each certificate >> of * >> >> *that certification path (except the target certificate) >> SHALL be * >> >> *checked.* >> >> ** >> >> *If no path can be built or if one of the certificates of the >> path is * >> >> *revoked, then the revocation status of that certificate is >> "unknown", * >> >> *and proceed to step 3. * >> >> ** >> >> *If the certification path (except the target certificate) is >> valid, * >> >> *then two cases need to be considered:* >> >> ** >> >> *a) If the responderID matches with the name or the key from >> the CA * >> >> *which has issued the target certificate, then check whether >> the * >> >> *OCSP response is signed by the same key that was used to sign= * >> >> *the target certificate.* >> >> ** >> >> *If it is the case, then the revocation status of that * >> >> *certificate as indicated in the certStatus field is * >> >> *accepted and proceed to step 3.* >> >> ** >> >> *If it is not the case, then the revocation status of that * >> >> *certificate is "unknown" and proceed to step 3.* >> >> ** >> >> *b) If the responderID does not match with the name or the >> key from * >> >> *the CA which has issued the target certificate, then it >> indicates * >> >> *the name or the key from an OCSP Responder.Check whether ther= e * >> >> *exists a local rule which applies to this target certificate >> to * >> >> *verify that the signature of the BasicOCSPResponse is valid >> for * >> >> *that single response.If this rule exists, it SHALL be >> followed. * >> >> ** >> >> *Otherwise check whether there is an OCSP certificate (i.e. >> which * >> >> *has both the ocspSigning OID in the extended key usage >> extension * >> >> *and the digitalSignature bit in the key usage extension) >> signed * >> >> *by the same key that was used to sign the target certificate.= * >> >> *This certificate MUST be present in the certs field from the = * >> >> *BasicOCSPResponse. * >> >> ** >> >> *If such certificate is not found or is invalid, then the * >> >> *revocation status of that certificate is "unknown" and * >> >> *proceed to step 3.* >> >> ** >> >> *If such certificate exists and if the checking time is * >> >> *within the validity period of this certificate, then it MUST = * >> >> *be verified whether the OCSP response can be verified using * >> >> *the public key that is present in the OCSP Certificate. * >> >> ** >> >> *If it is not the case, then the revocation status of that * >> >> *certificate is "unknown" and proceed to step 3.* >> >> ** >> >> *If it is the case, then it MUST be verified that the OCSP * >> >> *Certificate has not been revoked.* >> >> ** >> >> *If one of these conditions is met, then the status for the >> target * >> >> *certificate as indicated in the certStatus field is accepted,= * >> >> *otherwise the revocation status is "unknown".* >> >> ** >> >> *STEP 3* >> >> ** >> >> *If there exists another single certificate status response >> for a * >> >> *target certificate that is of interest, then proceed to step >> 1. * >> >> *Otherwise the basic response is now processed.* >> >> 32.Third annex being proposed. This annex is important >> because it provides guidance on how to build an OCSP >> responder in the three cases. >> Many text portions are similar, but three full texts are >> provided in order to provide a better clarity for each of the >> three cases. >> >> *1. Request processing by OCSP servers* >> >> ** >> >> *The behavior of an OCSP server will be different whether the >> OCSP * >> >> *server is a CA acting as an OCSP responder, is an OCSP >> Responder * >> >> *which received a delegation from one or more CAs, or is a >> locally * >> >> *trusted Responder.* >> >> ** >> >> *1.1. Processing by a CA acting as an OCSP responder* >> >> ** >> >> *The OCSP responder SHALL maintain a list of entries. Each >> entry * >> >> *SHALL contain:* >> >> ** >> >> *- the URI associated to the OCSP responder, from which the >> OCSP * >> >> *requests are received, * >> >> ** >> >> *- the DN from a CA,* >> >> ** >> >> *- an issuing public key from a CA,* >> >> ** >> >> *- the method(s) used to know for which subset of certificates= * >> >> *issued by the CA it is responsible for, * >> >> ** >> >> *- the method(s) used to obtain the revocation status of that = * >> >> *subset of certificates issued under that CA issuing public >> key, * >> >> *and* >> >> ** >> >> *- the method used to gain access and sign with the private ke= y * >> >> *corresponding to the issuing public key.* >> >> ** >> >> *For a given URI value, the OCSP responder SHALL only use one >> CA * >> >> *key pair value. * >> >> ** >> >> *When it receives an OCSP request on that URI, the OCSP >> responder * >> >> *SHALL handle exceptions according to section 2.3. * >> >> ** >> >> *If the OCSP request contains the name of a requestor, the OCS= P * >> >> *responder SHALL verify whether there exists a locally >> defined rule * >> >> *which regulates access control.If this rule exists, it SHALL >> be * >> >> *followed.* >> >> ** >> >> *Then, for each target certificate, the OCSP responder SHALL >> verify * >> >> *whether both the hash of the issuer's DN and the hash of the >> issuer * >> >> *public key which are present in the request are eligible to a= * >> >> *locally defined rule which indicates that the OCSP responder >> is * >> >> *responsible to provide the revocation status of that target * >> >> *certificate.If this rule exists, it SHALL be followed.* >> >> ** >> >> *Otherwise, the OCSP responder SHALL determine whether it is * >> >> *responsible to provide the revocation status of that target * >> >> *certificate according to the following rule.* >> >> ** >> >> *For each target certificate, the OCSP responder SHALL verify >> whether * >> >> *both the hash of the issuer's DN and the hash of the issuer >> public * >> >> *key which are present in the request match respectively with >> the DN * >> >> *and the hash of the public key of contained in an entry from >> the * >> >> *list of entries maintained by this OCSP responder. * >> >> ** >> >> *When there is no match, then the OCSP responder SHALL >> indicate the * >> >> *"unknown" status and proceed with the next target >> certificate from * >> >> *the OCSP request.* >> >> ** >> >> *When there is a match, then the OCSP responder SHALL use the >> serial * >> >> *number of the target certificate that is present in the >> request and * >> >> *determine the revocation status of that certificate >> according to * >> >> *the method(s) defined in the entry. * >> >> ** >> >> *When the revocation status is provided by the server using a >> real * >> >> *time access to a database of revocation statuses of issued * >> >> *certificates, then the thisUpdate field SHALL be present in t= he* >> >> *SingleResponse response whereas the nextUpdate field SHALL be= * >> >> *missing. * >> >> ** >> >> *Otherwise, both the thisUpdate and the nextUpdate fields >> SHALL be * >> >> *present in the SingleResponse. * >> >> ** >> >> *The time at which this response will be signed MUST be >> indicated in * >> >> *the producedAt field from the SingleResponse.* >> >> ** >> >> *If a singleRequestExtensions is present in the request it >> MUST be * >> >> *processed.* >> >> ** >> >> *If there is another target certificate present in the >> request, it * >> >> *SHALL be processed in the same way.* >> >> ** >> >> *If a requestExtensions is present in the request it MUST be * >> >> *processed.* >> >> ** >> >> *The OCSP response MUST be signed using the CA issuing >> private key.* >> >> ** >> >> ** >> >> *1.2. Processing by an OCSP Responder* >> >> ** >> >> *For each CA from which the OCSP Responder has received a >> delegation, * >> >> *the OCSP Responder SHALL maintain a list of entries. * >> >> ** >> >> *Each entry SHALL contain:* >> >> ** >> >> *- the URI associated to this OCSP Responder, from which the >> OCSP * >> >> *requests are received, * >> >> ** >> >> *- the DN from a CA,* >> >> ** >> >> *- an issuing public key from a CA,* >> >> ** >> >> *- the method(s) used to know for which subset of certificates= * >> >> *issued by the CA it is responsible for, * >> >> ** >> >> *- the method(s) used to obtain the revocation status of that = * >> >> *subset of certificates issued under that CA issuing public ke= y,* >> >> ** >> >> *- an OCSP certificate, * >> >> ** >> >> *- the OCSP public key contained in that OCSP certificate, and= * >> >> ** >> >> *- the method used to gain access and sign with the OCSP >> private * >> >> *key corresponding to that OCSP certificate.* >> >> ** >> >> *For a given URI value, the OCSP Responder SHALL only use one >> OCSP * >> >> *key pair value.Therefore there cannot be two entries with the= * >> >> *same URI value and a different OCSP public key value.* >> >> ** >> >> *NOTE: a BasicOCSPResponse can only be signed using a single >> private * >> >> *key. * >> >> ** >> >> *The OCSP certificate SHALL be signed by the CA issuing >> private key * >> >> *which corresponds to the issuing CA public key that is in thi= s * >> >> *entry.* >> >> ** >> >> *When it receives an OCSP request, the OCSP responder SHALL >> handle * >> >> *exceptions according to section 2.3. * >> >> ** >> >> *If the OCSP request contains the name of a requestor, the OCS= P * >> >> *responder SHALL verify whether there exists a locally >> defined rule * >> >> *which regulates access control.If this rule exists, it SHALL >> be * >> >> *followed.* >> >> ** >> >> *For each target certificate, the OCSP Responder SHALL verify = * >> >> *whether both the hash of the issuer's DN and the hash of the >> issuer * >> >> *public key which are present in the OCSP request match with >> those * >> >> *from an entry.* >> >> ** >> >> *When there is no match, then the OCSP Responder SHALL >> indicate the * >> >> *"unknown" status and proceed with the next target >> certificate from * >> >> *the OCSP request.* >> >> ** >> >> *When there is a match, the OCSP Responder SHALL use the seria= l * >> >> *number of the target certificate this is present in the OCSP = * >> >> *request to determine the revocation status of that certificat= e * >> >> *according to the method(s) indicated in the entry. * >> >> ** >> >> *When the revocation status is provided by the server using a >> real * >> >> *time access to a database of revocation statuses of issued * >> >> *certificates, then the thisUpdate field SHALL be present in t= he* >> >> *SingleResponse response whereas the nextUpdate field SHALL be= * >> >> *missing. * >> >> ** >> >> *Otherwise, both the thisUpdate and the nextUpdate fields >> SHALL be * >> >> *present in the SingleResponse. * >> >> ** >> >> *The time at which this response will be signed MUST be >> indicated in * >> >> *the producedAt field from the SingleResponse.* >> >> ** >> >> *If a singleRequestExtensions is present in the request it >> MUST be * >> >> *processed.* >> >> ** >> >> *If there is another target certificate present in the >> request, it * >> >> *SHALL be processed in the same way.* >> >> ** >> >> *If a requestExtensions is present in the request it SHALL be = * >> >> *processed.* >> >> ** >> >> *The OCSP response MUST be signed using the OCSP private key.* >> >> ** >> >> *Unless there is a local rule which states differently, for >> every * >> >> *target certificate which matches both with the hash of a CA >> DN and an * >> >> *issuing public key from an entry, the OCSP certificate of >> that entry * >> >> *SHALL be placed in the certs field.* >> >> ** >> >> *It may happen, that none of the target certificates from the >> OCSP* >> >> *request matches both with the hash of a CA DN and an issuing >> public * >> >> *key from an entry.In that case and unless a local rule states= * >> >> *differently, the certs field from the BasicOCSPResponse >> SHOULD be * >> >> *kept empty (to limit the disclose of the names of the CAs >> from which * >> >> *the OCSP Responder received a delegation from).* >> >> ** >> >> *1.3. Processing by a locally trusted Responder* >> >> ** >> >> *For each CA for which the locally trusted Responder is * >> >> *authoritative, the OCSP Responder SHALL maintain a list of >> entries. * >> >> ** >> >> *Each entry SHALL contain:* >> >> ** >> >> *- the URI associated to this OCSP Responder, from which the >> OCSP * >> >> *requests are received, * >> >> ** >> >> *- the DN from a CA,* >> >> ** >> >> *- an issuing public key from a CA,* >> >> ** >> >> *- the method(s) used to know for which subset of certificates= * >> >> *issued by the CA it is responsible for, * >> >> ** >> >> *- the method(s) used to obtain the revocation status of that = * >> >> *subset of certificates issued under that CA issuing public ke= y,* >> >> ** >> >> *- the method used to gain access to the private key in order >> to * >> >> *sign the OCSP response. * >> >> ** >> >> *For a given URI value, the OCSP Responder SHALL only use one >> private * >> >> *key.Therefore there cannot be two entries with the same URI >> value * >> >> *and a different method to gain access to the appropriate >> private key.* >> >> ** >> >> *NOTE: a BasicOCSPResponse can only be signed using a single >> private * >> >> *key. * >> >> ** >> >> *When it receives an OCSP request, the OCSP responder SHALL >> handle * >> >> *exceptions according to section 2.3. * >> >> ** >> >> *If the OCSP request contains the name of a requestor, the OCS= P * >> >> *responder SHALL verify whether there exists a locally >> defined rule * >> >> *which regulates access control.If this rule exists, it SHALL >> be * >> >> *followed.* >> >> ** >> >> *For each target certificate, the OCSP Responder SHALL verify = * >> >> *whether both the hash of the issuer's DN and the hash of the >> issuer * >> >> *public key which are present in the OCSP request match with >> those * >> >> *from an entry.* >> >> ** >> >> *When there is no match, then the OCSP Responder SHALL >> indicate the * >> >> *"unknown" status and proceed with the next target >> certificate from * >> >> *the OCSP request.* >> >> ** >> >> *When there is a match, the OCSP Responder SHALL use the seria= l * >> >> *number of the target certificate this is present in the OCSP = * >> >> *request to determine the revocation status of that certificat= e * >> >> *according to the method(s) indicated in the entry. * >> >> ** >> >> *When the revocation status is provided by the server using a >> real * >> >> *time access to a database of revocation statuses of issued * >> >> *certificates, then the thisUpdate field SHALL be present in t= he* >> >> *SingleResponse response whereas the nextUpdate field SHALL be= * >> >> *missing. * >> >> ** >> >> *Otherwise, both the thisUpdate and the nextUpdate fields >> SHALL be * >> >> *present in the SingleResponse. * >> >> ** >> >> *The time at which this response will be signed MUST be >> indicated in * >> >> *the producedAt field from the SingleResponse.* >> >> ** >> >> *If a singleRequestExtensions is present in the request it >> MUST be * >> >> *processed.* >> >> ** >> >> *If there is another target certificate present in the >> request, it * >> >> *SHALL be processed in the same way.* >> >> ** >> >> *If a requestExtensions is present in the request it SHALL be = * >> >> *processed.* >> >> ** >> >> *The OCSP response MUST be signed using the OCSP private key.* >> >> ** >> >> *The certs field may contain no, one or several OCSP >> certificates * >> >> *according to local rules followed by the locally trusted >> Responder.* >> >> >> Not broken. >> >> /Stefan >> >> End of comments >> >> >> Denis >> >> _______________________________________________ pkix mailing >> list pkix@ietf.org >> https://www.ietf.org/mailman/listinfo/pkix=20 >> > --------------010606060500020302040001 Content-Type: text/html; charset=windows-1252 Content-Transfer-Encoding: quoted-printable

Stefan,

The review of your individual draft, took me the time I had during the week for the IETF stuff;
hence, why this reply has been delayed.

The situation is rather simple, if we forget about the editorial comments,
you have accepted one minor text change and that=92s all.

So the major problems are not solved to my satisfaction.

I have maintained below the portion of the text which needs to be further discussed.
My comments are in blue.

There is a new and very important issue tha= t I discovered while reading your comments.
See the discussion about singleExtensions and of responseExtensions.

Comment 8<= /span>: You have changed the meaning of the revoked state in a way that is not what I requested.

The origina= l text was:

=A0=A0 The "revoked" st= ate indicates that the certificate has been revoked<= span style=3D"mso-ansi-language:EN-GB" lang=3D"EN-GB"><= /span>

=A0=A0 (either permanan= tly or temporarily (on hold)).<= /span>

The new tex= t is:

=A0=A0 The =
"revoked" state indicates that the certificate has been revoked
=A0=A0 eith=
er permanently or temporarily on hold (i.e. the revocation reason<=
/b>
=A0=A0 is c=
ertificateHold).

By doing th= is, you do not allow any other case in the future to have a temporary revocation: =93temporarily on hold=94 is not the same as =93temporarily revoked=94.<= /span>

I propose t= he following rewording:

=A0=A0 The "revoked" st= ate indicates that the certificate has been revoked = <= /span>

=A0=A0 either permanently or temporarily (e=
.g. placed on hold).

I substitut= ed "temporarily on hold" with "temporarily. The rest unchanged since the only existing reason code for temporary revocation is certificateHold.

As you say, the only CURRENT existing reaso= n code for temporary revocation is certificateHold. We must not PREVENT other reasons in the future to mean =93temporary revocation=94, hence why the change is needed.

The way the text from draft 13 is now written seems to allow using either =93unknown=94 or <= b style=3D"mso-bidi-font-weight: normal">=93revoked=94 for non-iss= ued certificates.
If this is the intent, then the good news is that this does not come anymore into conflict with the French rules which apply
for the Administration since OCSP responders from CAs used by the French Ministries having a direct access to the database of issued certificates
will be able to use =93unknown=94, rather = than =93revoked=94 and the reason code <= span style=3D"font-size:10.0pt;mso-ansi-language:EN-GB" lang=3D"EN-GB">=93onhold=94.<= /span>

However, th= e current text is still mandating the use of Extended Revoked Definition, but the rational for its need it is very poor.
As I have said on the PKIX list, the fact that the revocation date is January 1rst, 1970 is fully sufficient to know that we are in that very special case,
and you have not provided a rational to say the contrary.

I have. And I have pointed you to the minutes of the last PKIC meeting.

The consensus of the WG is to have the extension for just those reasons.

As implementer, I don't like heuristics. A dat= e of Jan 1st 1970 may indicate this behaviour,
but may just be a misconfiguration. It is not an explicit statement.

So we could get rid of it, =85 but the text from section 4.4.8 states:

=A0=A0 This=
 extension MAY be present in other responses to signal that the
=A0=A0 resp=
onder implements the extended revoked definition in section 2.2.

I have difficulties to understand what is really meant there (=93other responses=94 ?), since the text states:<= /span>

=A0=A0 This=
 extension indicates that the responder supports the extended<=
span style=3D"mso-ansi-language:EN-GB" lang=3D"EN-GB"><=
/pre>
        
=A0=A0 defi=
nition of the "revoked" status to also include non-issued
        
=A0=A0 cert=
ificates according to section 2.2.

        
Since both
            =93unknown=94 and revoked=94 can be used, it would be desirab=
le to
            be able to include the same extension in both cases, 

            but in that case that extension should be renamed.=


        
This extension can be included in all response=
s
            to signal that a responder implements the expanded
            definition of revoked.<=
/span>

        
Doing so ma=
kes
            this fact auditable without having to ask for a non-issued
            cert.

        
I would
            propose to rename it: "non-issued certificate=94 which me=
ans
            that the associated CA has no record of ever having issued a
            certificate 

            with the certificate serial number in the request (I still
            consider it as unnecessary in the case of =93revoked=94, but =
it
            would be very useful in the case of =93unknown=94). 

            Of course, the text from section 4.4.8 would need to be
            revised.

        
I propose t=
he
            following:

        
=A0

        
4.4.8=A0 Non-issued certificate extension

        
=A0=A0 This=
 extension MUST be included in the OCSP response when the OCSP 

        
=A0=A0=A0re=
sponder knows that the CA identified in the request has no record =


        
=A0=A0=A0of=
 ever having issued a certificate with the certificate serial =
=


        
=A0=A0=A0nu=
mber indicated in the request.

        
=A0=A0 Clie=
nts do not have to parse this extension in order to determine =
=


        
=A0=A0=A0th=
e status of certificates in responses.

        
=A0=A0 This=
 extension is identified by the object identifier id-pkix-ocsp-

        
=A0=A0 non-=
issued-cert.

        
=A0=A0=A0=A0 id-pkix-ocsp-non-issued-cert OBJECT IDENTIFIER ::=3D {id-pkix-ocsp 9}

        
=A0=A0 The =
value of the extension SHALL be NULL. This extension MUST NOT be

        
=A0=A0 mark=
ed critical.

        
Then the te=
xt
            on page 8 would need to be rearranged.

        
Your extens=
ion
            =A0variant is a significant change to what has been agreed.

        
Your extens=
ion
            would need to be a single response extension, and can't be
            used to audit the behaviour of the OCSP responder 

            unless you send a request for a non-issued cert.

        
Hummm !!! We have a very important point
              there. Thanks to your comment, I now realize that the
              proposed extension 

              applies to the whole response. However, this is not
              possible and I will now explain why. An OCSP responder may
              receive 

              a delegation from several CAs. With some of them, it can
              use a direct access to the database of certificates, 

              while for some others, it will use CRLs. So the meaning of
              =93revoked=94 will depend of the CA. =


         
        
This means that the indication cannot be
              global to the OCSP response. If we use an extension, it
              can only apply 

            to an individual response and thus MUST in
              singleExtensions instead of responseExtensions.

         
        
Since it is singleExtension, it can used to
              =93audit the behaviour of the OCSP responder=94 and I do no=
t
              grasp your rational 

            when you say =93unless you send a request for a
              non-issued cert=94. There is no need for sending anything.<=
/b>

        
We want to avoid sending such fake requests fo=
r
            audit purposes as it may interfere with systems at the
            responder trying to detect existence of rouge certificates.<=
/span>

        
There is no need to sending fake requests.<=
/b>

        
This is a type of change that I can't make
            unless you get support from a majority of the WG for the
            change of direction you propose.=


        
The important point is that the text states:=


         
        
=93The "revoked" state (=85) MAY also be
                returned if the associated CA has no record of ever
              having issued a certificate 

              with the certificate serial number in the request, using
              any current or previous issuing key (referred to as a

              "non-issued" certificate in this document).=94

         
        
The test does not
              state =93MUST also be returned=94. Thi=
s
              means that it is also possible to reply =93unknown=94 if th=
e
              associated CA 

            has no record of ever having issued a certificate
              with the certificate serial number in the request.
              However, this is not 

            straightforward when reading the text and thus the
              text should be made more explicit.
         
        
Now, we get to the main point. The reason
              for adding an extension is NOT to say that an extended
              meaning of revoked 

            is being used, but that the INDIVIDUAL response is
              given using a direct access to the records of the
              certificates issued by the CA.

        
The current
            text is: 

            

        
=A0=A0 This=
 state MAY also be returned if the

        
=A0=A0 asso=
ciated CA has no record of ever having issued a certificate with

        
=A0=A0 the =
certificate serial number in the request, using any current or=
=


        
=A0=A0 prev=
ious issuing key (referred to as a "non-issued" certificate in=
=


        
=A0=A0 this=
 document).

        
=A0=A0 The =
"unknown" state indicates that the responder doesn't know about

        
=A0=A0 the =
certificate being requested.

        
=A0=A0 NOTE=
: The "revoked" state for known non-issued certificate serial<=
span style=3D"mso-ansi-language:EN-GB" lang=3D"EN-GB"><=
/pre>
        
=A0=A0=A0=A0=A0=A0=
=A0=A0 numbers is allowed in order to reduce the risk of relying

        
=A0=A0=A0=A0=A0=A0=
=A0=A0 parties using CRLs as a fall back mechanism, which would be=


        
=A0=A0=A0=A0=A0=A0=
=A0=A0 considerably higher if an "unknown" response was returned.<=
/span>

        
=A0=A0 When=
 a responder responds revoked to a status request for a non-
        
=A0=A0 issu=
ed certificate, the responder MUST include the extended revoked

        
=A0=A0 defi=
nition response extension (section 4.4.8) in the response,
        
=A0=A0 indi=
cating that the OCSP responder supports the extended definition

        
=A0=A0 of r=
evoked state to also cover non-issued certificates. In addition,

        
=A0=A0 the =
SingleResponse related to this non-issued certificate;

        
=A0=A0=A0 -=
 MUST provide the revocation reason certificateHold (6),

        
=A0=A0=A0 -=
 MUST specify the revocationTime January 1, 1970, and;

        
=A0=A0=A0 -=
 MUST NOT include a CRL References extension (section 4.4.2) or any

        
=A0=A0=A0=A0=A0 CRL Entry Extensions (section 4.4.5). 

        
Proposed te=
xt
            for a replacement: 

            

        
=A0=A0 The =
"unknown" state indicates that the responder doesn't know about

        
=A0=A0 the =
certificate being requested.

        
=
=A0

        
=A0=A0 If t=
he OCSP responder knows that CA identified in the request has =
=


        
=A0=A0=A0no=
 record of ever having issued a certificate with the certificate <=
/b>

        
=A0=A0=A0se=
rial number in the request, using any current or previous issuing =


        
=A0=A0=A0ke=
y (referred to as a "non-issued" certificate in this document), 

        
=A0=A0=A0th=
e OCSP responder SHALL respond either =93revoked =93 or =93unknown=94.

        
This is
            unfortunately very common in your rewording efforts. When
            trying to fix one thing, you create new even bigger
            problems.

        
An
            infrastructure that provides reproduced responses will
            respond "unauthorized". This text may be interpreted to
            interfere with such operations.

        
I fear I don=92t understand your argument ab=
out
              =93unauthorized=94, but before replying see below my next
              comment.

        
Further, an=
d
            worse. This is not backwards compatible. Current OCSP
            responders may respond "good" even if they have access to CA
            records.=A0

        
You say: =93Current OCSP responders may resp=
ond
              "good" even if they have access to CA records=94. Originall=
y
              RFC 2560 allowed 

              returning =93good=94 for OCSP responder using CRLs. Since R=
FC
              2560 provided no way to indicate that a direct access to
              the database 

              was being used or not, it was not possible to do better. 

         
        
Now, if an OCSP responder has a direct acces=
s
              and indicates in the response that it has such an access,
              do you really believe 

              that it will return good ? I don=92t. 

         
        
If an OCSP responder wants to return =93goo=
d=94,
              it can still do it, but in that case it will not signal
              that it is using a direct access 

            and this is perfectly backwards compatible. So I do
              not =93buy=94 your argumentation.

         
        
Now, may be you understand better why I
              propose to rename the extension =934.4.8 Non-issued
              certificate extension=94 and 

            also to change its semantics.
        
=A0

        
=A0=A0 Note=
: The "revoked" state for known non-issued certificate serial =
=


        
=A0=A0=A0nu=
mbers is allowed in order to reduce the risk of relying parties 

        
=A0=A0=A0using CRLs as a fall back mechanism=
, which would be possible when 

        
=A0=A0=A0th=
e "unknown" response is returned.

        
=A0=A0 When=
 a responder responds revoked or unknown to a status request <=
span style=3D"mso-ansi-language:EN-GB" lang=3D"EN-GB"><=
/pre>
        
=A0=A0=A0fo=
r a non-issued certificate, the responder MUST include the 
        
=A0=A0=A0no=
n-issued certificate extension (see section 4.4.8) in the 
        
=A0=A0=A0re=
sponse. 

        
=A0=A0=A0Wh=
en a responder responds revoked to a status request for a non-=
=


        
=A0=A0 issu=
ed certificate, in addition, the responder:

        
=A0=A0=A0 -=
 MUST provide the revocation reason certificateHold (6),

        
=A0=A0=A0 -=
 MUST specify the revocationTime January 1, 1970, and;

        
=A0=A0=A0 -=
 MUST NOT include a CRL References extension (section 4.4.2) or any

        
=A0=A0=A0=A0=A0 CRL Entry Extensions (section 4.4.5).

        
Finally, th=
e
            last bullet on page 4 should be reworded:
        
Current tex=
t:

        
=A0=A0=A0=A0=A0 o Section 4.4.8 specifies a new extension that indicates that the

        
=A0=A0=A0=A0=A0=A0=
=A0=A0 responder supports the extended use of the "revoked" respon=
se=


        
=A0=A0=A0=A0=A0=A0=
=A0=A0 for non-issued certificates defined in section 2.2.<=
/b>

        
Proposed
            replacement text:

        
=A0=A0=A0=A0=A0 o=A0 Section 4.4.8 specifies=
 a new extension that indicates that 

        
=A0=A0=A0=A0=A0=A0=
=A0=A0=A0the OCSP responder knows that CA identified in the reques=
t =


        
=A0=A0=A0=A0=A0=A0=
=A0=A0=A0has no record of ever having issued a certificate with th=
e =


        
=A0=A0=A0=A0=A0=A0=
=A0=A0=A0certificate serial number present in the request, as defi=
ned 

        
=A0=A0=A0=A0=A0=A0=
=A0=A0=A0in section 2.2.

        
No. Again,
            this changes the scope of the extension and its audit
            properties.

        
Such change
            requires WG consensus.

        
See earlier comments.=


        
Comment 9:=
 Solved, if =
the
            comment above may be solved.

        
Comment 20=
:=A0 This comment is
            preliminary classified by you as =93not broken=94. However,
            since you asked: =93If you don=92t replace 4.2.2.3,

            then what really are you missing ?=94, I will provide you wit=
h
            an answer.

        
This is the
            wrong way to state the question. Providing an ASN.1 syntax
            as in 4.2.1 is not enough: the use of every parameter MUST
            be explained 

            using English words. So if you explain the use of every
            parameter after the description of the ASN.1 syntax in
            section 4.2.1. then section 4.2.2.3 

            is no more needed and thus can be deleted.<=
/p>
        
The answer =
to
            your question =93what is really missing=94 is a description o=
f
            the use of every parameter listed in the ASN.1 in section
            4.2.1

        
There are sufficient descriptions in the
            subsections following the ASN.1 description. Your change
            proposals are not compatible with the minimalistic 

            approach adopted by the WG.<=
/span>

        
The key point is whether we want a =93good=94
              document or maintain the low quality of the original
              document.

        
Comment 26=
: You asked =
for
            explanations. Let me provide you with an example when CRLs
            are being used by the OCSP responder in the background. 

            The OCSP responder needs to make sure that the CRL it uses
            is valid. If it is simply using published CRLs (i.e. no
            trusted link with the CA), it needs 

            to make sure that the CA which has issued the CRL has no
            been revoked.

        
No, this is a misstatement. You don't revoke
            CAs. You revoke CA certificates. 

        
Right.

        
There might be a CA certificate that has been
            revoked for a reason that does not affect the OCSP
            responder.

        
=A0..but the contrary may also apply.

        
These are operational policies that are outsid=
e
            the scope of the protocol.

        
The proposed text does not affect the
              protocol.

        
The proposed text in comment 26 is plain wrong=
,
            or at least misleading. The OCSP responder does not have to
            validate the CRL up to any particular root. 

            It may for example have been configured to directly trust
            the public key used to validate the CRL.<=
/span>

        
This depends how it makes sure that
              it is reading the right CRL. It may or may not use a root
              CA.

        
In France,
            there is a root CA for the Administration. However, the use
            of that root CA is optional. Thus a Ministry may have its
            own root, 

            but may also have its key certified by the root CA of the
            Administration. The OCSP responder may use the root CA of
            the Ministry, 

            while a relying party may use the root CA of the
            Administration (or the reverse) to validate the CRL for the
            target certificate. 

            Thus the revocation status will be different if the
            certificate of the CA of the Ministry is revoked by the root
            CA of the Administration.

        
Which reinforces my point. How the OCSP
            responder is configured to trust its information source is
            outside the scope of the protocol.=


        
The OCSP protocol never claims to provide the
            same conclusion about revocation than another source the
            relying party may use.<=
/span>

        
We both agree; however would you point me
              where this is said in the current draft? Since I could not
              find it, 

              I believe it is useful to highlight the point in the
              security considerations section.

            

        


            

        
Finally, I believe that the major point
              indicated earlier comes from the original "bad writing"
              of=A0 RFC 2560.

        
There is no clear distinction between what
              applies to BasicOCSPResponse and =
what applies to Single
              Response.

        
On page 15 from draft-14, the text still
              states in section=A0 4.2.2.2=A0 Authorized Responder:

              

              =A0=A0 "It is necessary however to ensure that the entity
              signing this information is authorized to do so".

              

              This is vague. What is "this information " ? This text is
              within section "4.2.2=A0 Notes on OCSP Responses".

              This does not help much.

              

              Is it BasicOCSPResponse ? If it is , this is wrong.

              

              It is SingleResponse, since a single response may be
              signed by the right key and/or the right certificate, 

              but not another single response.

              

              How can a reader guess that it is SingleResponse ?

              

              Once again the quality of the text is really bad, and that
              text and some other portions=A0 (3.2=A0 Signed Response
              Acceptance Requirements)

              would need to be changed.

            

         
        
Denis
Denis,

My replies in line;

From: Denis Pinkas <denis.pinkas@bull.net>
Date: Monday, February 11, 2013 3:18 PM
To: Stefan Santesson <stefan@aaa-sec.com>
Cc: Stephen Kent <<= a moz-do-not-send=3D"true" href=3D"mailto:kent@bbn.com">kent@bb= n.com>, pkix <pkix@ietf.org>
Subject: Re: [pkix] Review of 2560-bis draft 8. Answer to WGLC

Stef= an,

=A0

I ha= ve finally reviewed your disposition of comments. I have used draft 13.

=A0

I wi= ll not address the comments in sequence, but I will consider four categories:

=A0

Ca= tegory 1) Some = comments which seem to be solved. Yes indeed, they may be a few of them !

=A0

Ca= tegory 2) Some = comments which might possibly be solved at the WG level.

=A0

Ca= tegory 3) Some = comments that I will address at the IETF last call level, rather than the WG last call level, since I disagree
that it is =93new ways to say the same thing=94 and i= t is likely to be a waste of time for both of us to argue again at the WG level
(these comments are commented as =93not broken=94).

=A0

Ca= tegory 4) Some typos and editorials found while reading draft 13.

=A0

=A0

CA= TEGORY 1

=A0

Co= mment 4 (was editorial).

=A0

Co= mment 5.

=A0

Co= mment 6.

=A0

Co= mment 19. Solved, since = =93unknown=94 se= ems now to be also allowed for non-issued certificates (even if the OCSP responder is using a direct access to the certificate database). See comment 8.

=A0

Co= mment 13: Acceptable, since the text uses =93= MAY=94.

=A0

Co= mment 18.

=A0

Co= mment 22.

=A0

Co= mment 23.

=A0

Co= mment 28.

=A0

CA= TEGORY 1

=A0

Co= mment 8: You have changed the meaning of the revoked state in a way that is not what I requested.

=A0

The original text was:

=A0

=A0=A0 The "revoked" state indicates that the certificate has been revoked

=A0=A0 (either permanantly or temporarily (on hold)).

=A0

The = new text is:

=A0

=A0=A0 The =
"revoked" state indicates that the certificate has been revoked
=A0=A0 eith=
er permanently or temporarily on hold (i.e. the revocation reason
=A0=A0 is c=
ertificateHold).

=A0

By doing this, you do not allow any other case in the future to have a temporary revocation: =93t= emporarily on hold=94 <= br> is not the same as =93t= emporarily revoked=94.=

=A0

I propose the following rewording:

=A0

=A0=A0 The "revoked" state indicates that the certificate has been revoked 

=A0=A0 eith=
er permanently or temporarily (e.g. placed on hold).

I substituted "temporarily on hold" with "temporarily. The rest unchanged since the only existing reason code for temporary revocation is certificateHold.



The = way the text from draft 13 is now written seems to allow using either =93= unknown=94 or = = =93revoked=94 fo= r non-issued certificates.
If this is the intent, then the good news is that this does not come anymore into conflict with the French rules which apply for
the Administration since OCSP responders from CAs used by the French Ministries having a direct access to the database
of issued certificates will be able to use =93= unknown=94, rather than =93= revoked=94 and the reason code =93= onhold=94.

=A0

Howe= ver, the current text is still mandating the use of = Extended Revoked Definition, bu= t the rational for its need it is very poor.
As I have said on the PKIX list, the fact that the revocation date is January 1rst, 1970 is fully sufficient to know that we are in that
very special case, and you have not provided a rational to say the contrary.

I have. And I have pointed you to the minutes of the last PKIC meeting.
The consensus of the WG is to have the extension for just those reasons.

As implementer, I don't like heuristics. A date of Jan 1st 1970 may indicate this behaviour, but may just be a misconfiguration. It is not an explicit statement.

=A0

So w= e could get rid of it, =85 but the text from section 4.4.8 states:

=A0

=A0=A0 This=
 extension MAY be present in other responses to signal that the
=A0=A0 resp=
onder implements the extended revoked definition in section 2.2.

=A0

I ha= ve difficulties to understand what is really meant there (=93other responses=94 ?), since the text state= s:

=A0

=A0=A0 This=
 extension indicates that the responder supports the extended<=
/span>
=A0=A0 defi=
nition of the "revoked" status to also include non-issued
=A0=A0 cert=
ificates according to section 2.2.

=A0

Sinc= e both =93unknown=94 and revoked=94 can be used, it wou= ld be desirable to be able to include the same extension in both cases,
but in that case that extension should be renamed.

This extension can be included in all responses to signal that a responder implements the expanded definition of revoked.
Doing so makes this fact auditable without having to ask for a non-issued cert.


I wo= uld propose to rename it: "= non-issued certificate=94 which means that the associated CA has no record of ever having issued
a certificate with the certificate serial number in the request (I still consider it as unnecessary in the case of =93revoked=94, but it would be
very useful in the case of =93unknown=94). Of course, the text from section 4.4.8 would need to be revised.

=A0

I propose the following:

=A0

4.4.8=A0 No=
n-issued certificate extension
=A0
=A0=A0 This extension MUST be included in t=
he OCSP response when the OCSP 
=A0=A0=A0re=
sponder knows that the CA identified in the request has no record 
=A0=A0=A0of=
 ever having issued a certificate with the certificate serial =

=A0=A0=A0nu=
mber indicated in the request.
=A0
=A0=A0 Clients do not have to parse this ex=
tension in order to determine 
=A0=A0=A0th=
e status of certificates in responses.
=A0
=A0=A0 This extension is identified by the =
object identifier id-pkix-ocsp-
=A0=A0 non-=
issued-cert.
=A0
=A0=A0=A0=A0 id-pkix-ocsp-non-issued-cert O=
BJECT IDENTIFIER ::=3D {id-pkix-ocsp 9}
=A0
=A0=A0 The value of the extension SHALL be =
NULL. This extension MUST NOT be
=A0=A0 mark=
ed critical.

=A0

Then the text on page 8 would need to be rearranged.<= /o:p>

=A0

Your extension =A0variant is a significant change to what has been agreed.
Your extension would need to be a single response extension, and can't be used to audit the behaviour of the OCSP responder unless you send a request for a non-issued cert.
We want to avoid sending such fake requests for audit purposes as it may interfere with systems at the responder trying to detect existence of rouge certificates.

This is a type of change that I can't make unless you get support from a majority of the WG for the change of direction you propose.

The current text is:

=A0

=A0=A0 This=
 state MAY also be returned if the
=A0=A0 asso=
ciated CA has no record of ever having issued a certificate with
=A0=A0 the =
certificate serial number in the request, using any current or=

=A0=A0 prev=
ious issuing key (referred to as a "non-issued" certificate in=

=A0=A0 this=
 document).
=A0
=A0=A0 The "unknown" state indicates that t=
he responder doesn't know about
=A0=A0 the =
certificate being requested.
=A0
=A0=A0 NOTE: The "revoked" state for known =
non-issued certificate serial
=A0=A0=A0=A0=A0=A0=
=A0=A0 numbers is allowed in order to reduce the risk of relying
=A0=A0=A0=A0=A0=A0=
=A0=A0 parties using CRLs as a fall back mechanism, which would be=

=A0=A0=A0=A0=A0=A0=
=A0=A0 considerably higher if an "unknown" response was returned.<=
o:p>
=A0
=A0=A0 When a responder responds revoked to=
 a status request for a non-
=A0=A0 issu=
ed certificate, the responder MUST include the extended revoked
=A0=A0 defi=
nition response extension (section 4.4.8) in the response,
=A0=A0 indi=
cating that the OCSP responder supports the extended definition
=A0=A0 of r=
evoked state to also cover non-issued certificates. In addition,
=A0=A0 the =
SingleResponse related to this non-issued certificate;<=
/b>
=A0
=A0=A0=A0 - MUST provide the revocation rea=
son certificateHold (6),
=A0
=A0=A0=A0 - MUST specify the revocationTime=
 January 1, 1970, and;
=A0
=A0=A0 =A0=
- MUST NOT include a CRL References extension (section 4.4.2) or a=
ny
=A0=A0=A0=A0=A0 CRL Entry Extensions (section 4.4.5).

=A0

Prop= osed text for a replacement:

=A0

=A0=A0 The =
"unknown" state indicates that the responder doesn't know about
=A0=A0 the =
certificate being requested.
=A0
=A0=A0 If the OCSP responder knows that CA =
identified in the request has 
=A0=A0=A0no=
 record of ever having issued a certificate with the certificate 
=A0=A0=A0se=
rial number in the request, using any current or previous issuing 
=A0=A0=A0ke=
y (referred to as a "non-issued" certificate in this document), 
=A0=A0=A0th=
e OCSP responder SHALL respond either =93revoked =93 or =93unknown=94.

This is unfortunately very common in your rewording efforts. When trying to fix one thing, you create new even bigger problems.

An infrastructure that provides reproduced responses will respond "unauthorized". This text may be interpreted to interfere with such operations.
Further, and worse. This is not backwards compatible. Current OCSP responders may respond "good" even if they have access to CA records.=A0

=A0
=A0=A0 Note: The "revoked" state for known =
non-issued certificate serial 
=A0=A0=A0nu=
mbers is allowed in order to reduce the risk of relying parties 
=A0=A0=A0us=
ing CRLs as a fall back mechanism, which would be possible when 
=A0=A0=A0th=
e "unknown" response is returned.
=A0
=A0=A0 When a responder responds revoked or=
 unknown to a status request 
=A0=A0=A0fo=
r a non-issued certificate, the responder MUST include the 
=A0=A0=A0no=
n-issued certificate extension (see section 4.4.8) in the 
=A0=A0=A0re=
sponse. 
=A0
=A0=A0 When a responder responds revoked to=
 a status request for a non-
=A0=A0 issu=
ed certificate, in addition, the responder:
=A0
=A0=A0=A0 - MUST provide the revocation rea=
son certificateHold (6),
=A0
=A0=A0=A0 - MUST specify the revocationTime=
 January 1, 1970, and;
=A0
=A0=A0=A0 - MUST NOT include a CRL Referenc=
es extension (section 4.4.2) or any
=A0=A0=A0=A0=A0 CRL Entry Extensions (section 4.4.5).

=A0

Fina= lly, the last bullet on page 4 should be reworded:

=A0

Curr= ent text:

=A0

=A0=A0=A0=A0=A0 o Section 4.4.8 specifies a new extension that indicates that the
=A0=A0=A0=A0=A0=A0=
=A0=A0 responder supports the extended use of the "revoked" respon=
se
=A0=A0=A0=A0=A0=A0=
=A0=A0 for non-issued certificates defined in section 2.2.

=A0

Prop= osed replacement text:

=A0

=A0=A0=A0=A0=A0 o =A0Section 4.4.8 specifies=
 a new extension that indicates that 
=A0=A0=A0=A0=A0=A0=
=A0=A0=A0the OCSP responder knows that CA identified in the reques=
t 
=A0=A0=A0=A0=A0=A0=
=A0=A0=A0has no record of ever having issued a certificate with th=
e 
=A0=A0=A0=A0=A0=A0=
=A0=A0=A0certificate serial number present in the request, as defi=
ned 
=A0=A0=A0=A0=A0=A0=
=A0=A0=A0in section 2.2.

=A0

No. Again, this changes the scope of the extension and its audit properties.
Such change requires WG consensus.


Co= mment 9: Solved, if the comment above may be solved.

=A0

Co= mment 20:=A0 = This comment is preliminary classified by you as =93not broken=94. However, since you asked: =93If you don=92= t replace 4.2.2.3,
then what really are you missing ?=94, I will provide you with an answer.

=A0

This= is the wrong way to state the question. Providing an ASN.1 syntax as in 4.2.1 is not enough: the use of every parameter
MUST be explained using English words. So if you explain the use of every parameter after the description of the ASN.1 syntax
in section 4.2.1. then section 4.2.2.3 is no more needed and thus can be deleted.

=A0

The answer to your question =93what is really missing=94 = is a description of the use of every parameter listed in the ASN.1 in section 4.2.1

=A0

There are sufficient descriptions in the subsections following the ASN.1 description. Your change proposals are not compatible with the minimalistic approach adopted by the WG.


Co= mment 21.

=A0

Whil= e I can agree in general with the intent of the text, I do not understand the first sentence of the Note which speaks of =93CA key rollover=94
and is copied below:

=A0

=A0=A0 Note=
: CA key rollover is not prohibited when issuing a certificate=

=A0=A0=A0=A0=A0=A0=
=A0=A0 for an authorized responder for backwards compatibility wit=
h
=A0=A0=A0=A0=A0=A0=
=A0=A0 RFC 2560 [RFC2560]. That is, it is not prohibited to issue =
a
=A0=A0=A0=A0=A0=A0=
=A0=A0 certificate for an authorized responder using a different
=A0=A0=A0=A0=A0=A0=
=A0=A0 issuing key than the key used to issued the certificate bei=
ng
=A0=A0=A0=A0=A0=A0=
=A0=A0 checked for revocation. However, such practice is strongly<=
o:p>
=A0=A0=A0=A0=A0=A0=
=A0=A0 discouraged since clients are not required to recognize a
=A0=A0=A0=A0=A0=A0=
=A0=A0 responder with such certificate as an authorized responder.=

=A0

I wo= uld propose to delete it, since it does not add anything and thus to have:

=A0

=A0=A0 Note=
: For backwards compatibility with RFC 2560 [RFC2560], it is <=
/span>
=A0=A0=A0=A0=A0=A0=
=A0=A0=A0not prohibited to issue a certificate for an authorized <=
o:p>
=A0=A0=A0=A0=A0=A0=
=A0=A0=A0responder using a different issuing key than the key used=
 to 
=A0=A0=A0=A0=A0=A0=
=A0=A0=A0issued the certificate being checked for revocation. 
=A0=A0=A0=A0=A0=A0=
=A0=A0=A0However, such practice is strongly discouraged since clie=
nts 
=A0=A0=A0=A0=A0=A0=
=A0=A0=A0are not required to recognize a responder with such =

=A0=A0=A0=A0=A0=A0=
=A0=A0=A0certificate as an authorized responder.=

I agree, your text is better. Updated.

=A0

Co= mment 24: The ASN.1 module in annex B.1 is still wrong, since it does not define NoCheck. <= /o:p>

=A0

No you are wrong. We have confirmed with several ASN.1 experts that definition of NoCheck is not necessary to define null content.
The current definition is perfectly valid ASN.1

Co= mment 26: You asked for explanations. Let me provide you with an example when CRLs are being used by the OCSP responder
in the background. The OCSP responder needs to make sure that the CRL it uses is valid. If it is simply using published CRLs
(i.e. no trusted link with the CA), it needs to make sure that the CA which has issued the CRL has no been revoked.

=A0

No, this is a misstatement. You don't revoke CAs. You revoke CA certificates. There might be a CA certificate that has been revoked for a reason that does not affect the OCSP responder.
These are operational policies that are outside the scope of the protocol.

The proposed text in comment 26 is plain wrong, or at least misleading. The OCSP responder does not have to validate the CRL up to any particular root. It may for example have been configured to directly trust the public key used to validate the CRL.


In <= st1:place w:st=3D"on">France<= /st1:country-region>, there is a root CA for the Administration. However, the use of that root CA is optional. Thus a Ministry may have its own root,
but may also have its key certified by the root CA of the Administration. The OCSP responder may use the root CA of the Ministry,
while a relying party may use the root CA of the Administration (or the reverse) to validate the CRL for the target certificate.
Thus the revocation status will be different if the certificate of the CA of the Ministry is revoked by the root CA of the Administration.<= /p>

=A0

Which reinforces my point. How the OCSP responder is configured to trust its information source is outside the scope of the protocol.

The OCSP protocol never claims to provide the same conclusion about revocation than another source the relying party may use.

I skip category 3 as this will be dealt with in IESG last call.


CA= TEGORY 3

=A0

Co= mments 2, = 3, 7, 10, 12, 14, 15, 16, 17, 25 and 27.

=A0

=A0

CA= TEGORY 4

=A0

Page= 4. The indentation of the bullets in section 1 is not uniform.
Bullets 1, 4, 5 and 9 have problems.

=A0

Page= 4. The fact that there is now an Annex B.2 dealing with the 2008 ASN.1 syntax is missing. This should be added.

=A0

Page 10. Change =93S= e further section 4.2.2.2=94 in= to =93S= ee further section 4.2.2.2=94


Thanks. I have fixed them all.

/Stefan


Denis
<= o:p>

=A0

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D


Denis,<= /div>

Respond= ing to your comments below.

However= , one general remark to make recurring comments easier to understand.

The WG decided to adopt a minimalistic approach to updating RFC 2560. That means that=A0
  1. We don't change anything from RFC 2560 unless it is broken, or the industry clearly need clarifications in order to avoid interoperability issues.
  2. We retain the document structure of RFC 2560 as much as possible to allow easy comparison of what the changes are in comparison with RFC 2560.

One can always think up more clever ways to write things out in words. But that also comes with a risk.
The current words has been around for a long time and we know from experience which words worked to produce working implementations, and which did not.
Introdu= cing new ways to say the same thing may introduce new problems and people might disagree on what the new perfect wording should be. And this could go on forever.

So when my reply is "Not broken", then that is because the current wording does not have such problems that is merits a change.



Fr= om: Denis Pinkas <denis.pinkas@= bull.net>
Date: Sunday, January 20, 2013 5:12 PM
To: Stefan Santesson <stefan@aaa-sec.c= om>, Stephen Kent <kent@bbn.com> Cc: pkix <pkix@ietf.org>=
Subject: Re: [pkix] Review of 2560-bis draft 8. Answer to WGLC

Please find 32 comments on draft-ietf-pkix-rfc2560bis

=A0

1.= The document states:

=A0= <Cut away issue 1 regarding authorship etc, as it has been responded to separately>

Respond= ed to separately.

=A0=

=A0=

2.= The current text from section 2 states:

=A0= 

2.=A0 Protocol Overv=
iew
=A0
=A0=A0 In lieu of or=
 as a supplement to checking against a periodic CRL, it=

=A0=A0 may be necess=
ary to obtain timely information=
 regarding the
=A0=A0 revocation st=
atus of a certificate (cf. RFC5280], Section 3.3).
                          
=A0=A0 Examples incl=
ude high-value funds transfer or large stock trades.
                          
=A0

                          
=A0=A0 The Online Ce=
rtificate Status Protocol (OCSP) enables applications to

                          
=A0=A0 determine the=
 (revocation) state of an identified certificate. OCSP<=
/pre>
                          
=A0=A0 may be used t=
o satisfy some of the operational requirements of

                          
=A0=A0 providing more timely revocation information<=
/b> than is possible with

                          
=A0=A0 CRLs and may =
also be used to obtain additional status information. <=
/pre>
                          
=A0

                          
This text is misleading because re=
aders may think that OCPS necessarily provides =93timely information=94.<=
o:p>

                          
=A0

"may" does not mean "necessarily".

Proposed text replacement:
=A0

=A0=A0 The Online Certificate Status Protocol (OCSP) is a client-server

=A0=A0 protocol which enables applications to obtain the revocation status <= /p>

=A0=A0 of one or more certificates either "good", "revoked", or "unknown".

=A0<= /p>

=A0=A0 The revocation status may be provided by the server either using a <= /b>

=A0=A0 real time access to a database of issued certificates, or using a

=A0=A0 batch access to a database of issued certificates, or using a

=A0=A0 real time access to a database of revocation statuses of issued =

=A0=A0 certificates, or using a batch access to a database of revocation

=A0=A0 statuses of issued certificates, or using CRLs, or using a

=A0=A0 combination of base CRLs and delta CRLs.

=A0<= /p>

=A0=A0 In the first case, it is possible to obtain timely revocation status

=A0=A0 information, whereas in the other cases, the freshness of the

=A0=A0 revocation status is not better than the mechanisms it is based on.

=A0
=A0

Not broken

3.= The current text from section 2 states:

=A0
=A0=A0 An OCSP clien=
t issues a status request to an OCSP responder and 
                          
=A0=A0=A0Suspends ac=
ceptance of the certificate in q=
uestion until the 

                          
=A0=A0=A0responder p=
rovides a response.

                          
=A0

                          
=A0=A0 This protocol=
 specifies the data that needs to be exchanged between<=
/pre>
                          
=A0=A0 an applicatio=
n checking the status of a certificate and the server
                          
=A0=A0 providing tha=
t status.

                          
=A0

                          
Thus is insufficient for an overvi=
ew. More details are needed to know what the document provides,=20
in particular that the request may contain several requests for several c=
ertificates issued by different CAs.=20
The possibility of using extensions should also be advertised.=


                          
=A0

                          
Proposed text replacement:

                          
=A0

                          
=A0=A0 =
When
                              using OCSP, an OCSP client issues a
                              certificate revocation 
                          
=A0=A0 =
status

                              request to an OCSP responder for
                                one or more certificates <=
/span>

                          
=A0=A0 issued

                                by the same CA or for one or more
                                certificates issued by =


                          
=A0=A0 different


                                CAs and then suspends acceptance
                              of the certificate(s) 
                          
=A0=A0 =
in
                              question until the responder provides a
                              response.

                          
=A0

                          
=A0=A0 =
This
                              document specifies the data that needs to
                              be exchanged between

                          
=A0=A0 =
an
                              application checking the status of a
                              certificate and the server

                          
=A0=A0 =
providing

                              that status.=A0
                              

                          
=A0

                          
=A0=A0 OCSP

                                may also provide additional status
                                information using <=
/p>
                          
=A0=A0 extensions.


                                

                          
=A0=


                          
=A0=

Not broken

4.= Page 6. Editorial. Punctuation and a CR/LF are missing.

=A0=

The text states:<= /span>

=A0

<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0 3. t=
he request contains the information needed by the responder If=

<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0=A0=A0=A0 any one of the prior conditions are not met, the OCSP responder=

<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0=A0=A0=A0 produces an error message; otherwise, it returns a definitive
<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0=A0=A0=A0 response.

=A0

It should state:<= /span>

=A0

<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0 4. t=
he request contains the information needed by the responder.
<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0
=A0=A0=A0=A0=A0 If any one of the prior con=
ditions are not met, the OCSP responder
<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0=A0=A0=A0 produces an error message; otherwise, it returns a definitive
<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0=A0=A0=A0 response.

=A0=

=A0=


Fixed i= n draft 10.

5.= On page 7, the text states:=

=A0=

=A0=A0 All definitive response messages SHALL be digitally signed. The key

=A0=A0 used to sign the response MUST belong to one of the following: 

<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0
=A0=A0 -=A0=
 the CA who issued the certificate in question
<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0 -=A0 a Trusted Responder whose public=
 key is trusted by the requester
<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0 -=A0 a CA Designated Responder (Autho=
rized Responder) who holds a
<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0=A0=A0=A0 specially marked certificate issued directly by the CA, indicating
<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0=A0=A0=A0 that the responder may issue OCSP responses for that CA.<=
/span>

=A0=

The paragraph is ambiguous o= n several aspects.

=A0

Delegation is addressed in a= t least three different places, but with different terms and conditions.
If some one picks a sentence in one paragraph rather than another, it will lead to a different conclusion.
RFCs are supposed to be clear.

=A0=

On page 10, the current text states in section 2.6 OCSP Signature Authority Delegation <= /span>states:

=A0

=A0=A0 The key that signs a certificate's status information need not be the=

=A0=A0 same key that signed the certificate. A certificate's issuer

=A0=A0 explicitly delegates OCSP signing authority by issuing a certificate

=A0=A0 containing a unique value for extendedKeyUsage in the OCSP signer's

=A0=A0 certificate. This certificate MUST be issued directly to the

=A0=A0 responder by the cognizant CA.

=A0

On page 16, there is a section 4.2.2.2 called =93= Authorized Responders=94 dealing with the same topic= .

=A0

Section 4.2.2.2 states:=

=A0=

=A0=A0 The key that signs a certificate's status information need not be the=

=A0=A0 same key that signed the certificate. It is necessary however to

=A0=A0 ensure that the entity signing this information is authorized to do=

=A0=A0 so.=A0 T= herefore, a certificate's issuer MAY either sign the OCSP

=A0=A0 responses itself or it MAY explicitly designate this authority to

=A0=A0 another entity.=A0 OCSP signing delegation SHALL be designated by the

=A0=A0 inclusion of id-kp-OCSPSigning in an extendedKeyUsage certificate

=A0=A0 extension included in the OCSP response signer's certificate.=A0 T= his

=A0=A0 certificate MUST be issued directly by the CA that issued the

=A0=A0 certificate in question.

=A0<= /p>

=A0=A0 The CA SHOULD use the same issuing key to issue a delegation<= /p>

=A0=A0 certificate as was used to sign the certificate being checked for

=A0=A0 revocation. Systems relying on OCSP responses MUST recognize a

=A0=A0 delegation certificate as being issued by the CA that issued the

=A0=A0 certificate in question only if the delegation certificate and the=

=A0=A0 certificate being checked for revocation was signed by the same key.

=A0=

The last sentence above in yellow is the key sentence that is missing in the two other sections.

=A0
Most implementations only support =
the case where the OCSP Responder receives an OCSP certificate that is si=
gned by the same key=20
that was used to sign the target certificate. They do not support the cas=
e where the OCSP Responder receives an OCSP certificate=20
that is signed by a key that is different from the one that was used to s=
ign the target certificate.

=A0

It is inappropriate to have three sections dealing with the same topic with a slightly different meaning.

=A0

It is proposed the following= .

=A0

On page 7, after:=

=A0= 

<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0 -=A0 a CA Designated Responder (Autho=
rized Responder) who holds a
<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0=A0=A0=A0 specially marked certificate issued directly by the CA, indicating
<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0=A0=A0=A0 that the responder may issue OCSP responses for that CA.<=
/span>

=A0=

it is proposed to add =93(see section 4.2.2.2 for further details)=94, so that the reader knows that more details are provided later on.

=A0=

Then we do not need two sections to address delegation which start with the same sentence:


=93The key that signs a certificate's status information need not be the same key that signed the certificate=94.

=A0<= /p>

It is thus proposed to delet= e section 2.6.

=A0

Section 4.2.2.2 will thus remain the single section providing full details.

=A0= 

=A0

I have added references to section 4.2.2.2 in the quoted sections in 2.2 and 2.6.
(will b= e included in draft 11)


6. Page 7, the text states:

=A0= 

<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0 A de=
finitive response message is composed of:
<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0
=A0=A0 -=A0=
 version of the response syntax
<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0 -=A0 name of the responder=

<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0 -=A0 responses for each of the certif=
icates in a request
<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0 -=A0 optional extensions
<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0 -=A0 signature algorithm OID
<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0 - =A0signature computed across hash o=
f the response

=A0=

This description does not fi= t with the ASN.1 syntax which is detailed later on, and in particular:

=A0= 

<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0 ResponseData ::=3D SEQUENCE {
<=
span style=3D"mso-spacerun:yes">=A0=A0=A0=A0=A0 version=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 [0] =
EXPLICIT Version DEFAULT v1,
<=
span style=3D"mso-spacerun:yes">=A0=A0=A0=A0=A0 responderID=A0=A0=A0=
=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 ResponderID,<=
/pre>
                          
<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0=A0=A0=A0 producedAt=A0=A0=A0=A0=A0=A0=A0=A0=A0=
=A0=A0=A0=A0=A0 GeneralizedTime,

                          
<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0=A0=A0=A0 responses=A0=A0=A0=A0=A0=A0=A0=A0=A0=
=A0=A0=A0=A0=A0=A0 SEQUENCE OF SingleResponse,

                          
<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0=A0=A0=A0 responseExtensions=A0=A0 [1]=
 EXPLICIT Extensions OPTIONAL }

                          
=A0=


                          
Proposed text replacement:

                          
=A0=


                          
=A0=A0 A
                                definitive response message is composed
                                of:

                          
=A0<=
/p>
                          
=A0=A0 -
                                a response status and if there is no
                                error, the following:

                          
=A0=A0 -
                                the version of the response syntax,<=
/o:p>

                          
=A0=A0 -
                                an identifier of the OCSP server,

                          
=A0=A0 -
                                the time at which the response was
                                produced,

                          
=A0=A0 -
                                single responses for each of the target
                                certificates,

                          
=A0=A0 -
                                optional extensions,

                          
=A0=A0 -
                                the signature algorithm OID,

                          
=A0=A0 -
                                the signature computed across hash of
                                the response, and
                          
=A0=A0 -
                                optional certificates.<=
/b>

                          
=A0=


                          
=A0=

This is an overview section. We ought not try to duplicate the level of detail provided in the detailed protocol section.
A "definitive response" according to tho 2.1 is a response to an error-free request, so your first remark is redundant.

I have added a note about time to the current list, and changed "name" to identifier in bullet 2.=A0
(will b= e included in draft 11)

7.= The text states on page 7:<= o:p>

=A0=

=A0=A0 The response for each of the certificates in a request consists of

=A0<= /p>

=A0=A0 -=A0 t= arget certificate identifier<= /b>

=A0=A0 -=A0 c= ertificate status value

=A0=A0 -=A0 r= esponse validity interval

=A0=A0 -=A0 o= ptional extensions

=A0=

However, there are no explanations for the purpose of these parameters and how they should be processed.

There are also no explanations on how to process a single response and how to verify that it is its presence within the signed structure
is valid or not valid. This is a major deficiency of the current description of RC 2560 where there is no explanation on how to validate
a single response.

=A0

Text proposal to be added after:

=A0=

=A0=A0 The purpose of the identifier of the OCSP server is to allow OCSP

=A0=A0 clients to find whether the definitive response was signed by a CA =

=A0=A0 or by an OCSP Responder.

=A0<= /p>

=A0=A0 The identifier of the OCSP server SHOULD either be the name or the

=A0=A0 key from a CA, or the name or the key from a OCSP Responder.

=A0<= /p>

=A0=A0 Unless there exist local rules (which are outside the scope of this

=A0=A0 document) for verifying that a single response is correctly signed, <= /p>

=A0=A0 the following applies:<= /p>

=A0

=A0=A0 When the identifier matches with the name of the CA which has issued

=A0=A0 the target certificate or corresponds to the key used to issue the <= /b>

=A0=A0 target certificate, then a single response is correctly signed

=A0=A0 only if the digital signature of the OCSP response is valid using the

=A0=A0 key used to sign the target certificate.=

=A0<= /p>

=A0=A0 When the identifier does not match with the name of the CA which has

=A0=A0 issued the target certificate or does not correspond to the key used

=A0=A0 to issue the target certificate, then an single response is correctly <= /span>

=A0=A0 signed only if :

=A0<= /p>

=A0=A0=A0=A0= =A0=A0=A0=A0 (a) there exists in the response an OCSP certificate issued by <= /b>

=A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0=A0=A0 the CA which has issued the target certificate which is

=A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0=A0=A0 signed by the same key as the one used to issue the <= /p>

=A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0=A0=A0 target certificate, and=

=A0<= /p>

=A0=A0=A0=A0= =A0=A0=A0=A0 (b) the digital signature of the OCSP response is valid using

=A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0=A0=A0 the subjectPublicKey contained in this OCSP certificate.<= /b>

=A0=

=A0=


Not broken.
All of this is already covered by the document.

8.= The text states on page 7:<= o:p>

=A0=

=A0=A0 = The "revoked" state indicates that the certificate has been revoked

=A0=A0 (either permanently or temporarily (on hold)). This state MAY also be<= /o:p>

=A0=A0 = returned if the responder knows that the requested certificate has

=A0=A0 = nev= er been issued during the history of the associated CA using any

=A0=A0 = current or previous issuing key.

=A0=

The text is ambiguous becaus= e there are two embedded parenthesis and it is unclear whether the inner parenthesis means =93i.e=94 or =93e.g=94.
This single sentence may let think that on hold is the single case for temporarily revocation. Since neither X.509 nor RFC 5280 address
the case of a temporary revocation in the context of an OCSP response (but only in the context of CRLs), we are able to add another case
of temporary revocation which will only apply in the context of OCSP.

=A0=

The above sentence using the terms =93= never been issued during the history of the associated CA =93does not capture the fact that it could be issued in the future, hence why using =93not yet been used=94 would be more appropriate.<= /o:p>

=A0=

Finally, it would have been more logical to use =93unknown=94. So it is important to add a note to explain why we have chosen that case for =93legacy clients=94,
otherwise the people who have not participate to the exchanges will not understand.

=A0

Proposed text replacement:

=A0= 

=A0=A0 The "revoked" state indicates that the certif=
icate has been revoked,
<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0 eith=
er permanently or temporarily.
=A0
=A0=A0 A certificate=
 may be temporarily revoked either because it is 
=A0=A0=A0placed on h=
old (i.e. the revocation reason =
is certificateHold) or 
=A0=A0=A0because the=
 responder is able to know, using a positive list of 
                          
=A0=A0=A0issued cert=
ificates, that the serial number from the requested 
                          
=A0=A0=A0certificate=
 has not yet been used by th=
e CA to issue a certificate 

                          
=A0=A0=A0(i.e. the revocation reason is notIssuedOrIr=
regularlyIssued).

                          
=A0

                          
<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">NOTE: The "revoked" state is used rather than the =93=
unknown=94 state, to

                          
<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0=A0=A0=A0 make sure that relying parties that were conformant to RFC 2560=


                          
<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0=A0=A0=A0 will not use CRLs as a fall back mechanism. 
                          
=A0

I removed the double parenthesis and adopted your clarification with regard to "on hold".=A0

The tex= t in draft 10 has changed from what you have commented on. I believe that text is better.

You "Note" has problems.
  1. We do not prevent responders to respond "unknown" if their assessment is that this is an appropriate response, considering what they know about the requested serial number. Thus the term "is used" is misleading.
  2. This mechanisms does not "make sure" that the clients do anything. It's up to the discretion of the relying party to decide what source of revocation checking they rely on. This does however reduce the risk of clients falling back to CRL:s
  3. This mechanism is not just relevant to old clients, but also to new one for the same reason.

I have adopted a modified version of your Note:

=A0 =A0NOTE: The "revok= ed" state for known non-issued certificate serial
=A0 =A0 =A0 =A0 =A0numb= ers is allowed in order to reduce the risk of relying
=A0 =A0 =A0 =A0 =A0part= ies using CRLs as a fall back mechanism, which would be
=A0 =A0 =A0 =A0 =A0cons= iderably higher if an "unknown" response was returned.



=A0=

9.= The text states on page 8:<= o:p>

=A0=

=A0=A0 When a responder responds revoked to a status request for a non-<= /p>

=A0=A0 issued certificate, the responder MUST also;

=A0<= /p>

=A0=A0=A0 - include the extended revoked definition response extension<= /p>

=A0=A0=A0=A0= =A0 (section 4.8), indicating that the OCSP responder supports the

=A0=A0=A0=A0= =A0 extended definition of revoked state to also cover non-issued

=A0=A0=A0=A0= =A0 certificates,

=A0<= /p>

=A0=A0=A0 - provide the revocation reason certificateHold (6), and;

=A0<= /p>

=A0=A0=A0 - specify the revocation date January 1, 1970.

=A0=

As already explained on the PKIX list, using the revocation reason <= /b>certificateHold is not appropriate
because it changes the meaning of certificateHold.

=A0

The extended revoked definition response extension is a means to signal that it not a true certificate hold but a =93not issued certificate=94. Legacy applications cannot take advantage of it.

=A0

Some applications which handle non repudiation enter a waiting state when the revocation reason certificateHold is used thus
it is not appropriate to overload the meaning.

=A0<= /p>

It is possible to use anothe= r enumeration for signalling that specific case:

notIssuedOrIrregularlyIssued (7).

=A0<= /p>

Thus for new applications it would be much better to use notIssuedOrIrregularlyIssued (7) as already proposed on the PKIX list.

=A0= 

The above sentence uses the text:<=
/span> 
=A0
=93a status request for a non-issued certificate=94 
=A0
whereas it would be more appropria=
te to state: 
=A0
=93a status request for a serial number which has not been used by the CA or used irregularl=
y to issue a certificate=94.
<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0
Placing the ASN.1 description at s=
uch a place in the document is inappropriate since the ASN.1 structures h=
ave not yet been described.=20
Thus only the functional aspects should be mentioned, but not the ASN.1 i=
mplications.
<=
span style=3D"font-size:12.0pt;
mso-ansi-language:EN-GB" lang=3D"EN-GB">=A0
BTW, the description should follow=
 the same order as the ASN.1. This is not the case. 
                          
=A0

                          
This text should be deleted from t=
his section and the appropriate text should be added when the parameters =
of the response are described. 

                          
=A0

                          
The text proposed in the previous =
comment should be sufficient at this time of reading.
                          
=A0

                          
In
                              addition, section 4.4.8=A0 E=
xtended



                                Revoked Definition should
                              be deleted.<=
o:p>

                          
=A0

                          
=A0

The referred text has been updates in draft 09.

This has been discussed on the list and you have yet to convince the list of your new reason code.
I disagree as the risk of running into problems with the deployed base of application is hugely larger with introduction of a new reason code, rather than using certificateHold.
No application should be broken, since no application have business asking for non-issued cert serial numbers in the first place. Secondly, no application can assume that a certificateHold reason will be cleared any time soon.


10= . The text states on page 8:<= o:p>

=A0=

2.4=A0 S= emantics of thisUpdate, nextUpdate and producedAt<= o:p>

=A0=

This section is misplaced. A= t this time of reading, the reader does not know that thisUpdate, nextUpdate and producedAt are values
used by the ASN.1 structures. It is appropriate to describe what theses parameters mean when the ASN.1 syntax is described.
The current ASN.1 syntax is very badly described. One would expect that after every ASN.1 structure description every parameter is described.
Unfortunately this is not the case.

The text from this section i= s not aligned with the text that is present in section 4.2.2.1.

=A0=

In particular, in section 2.4:

=A0<= /p>

=A0=A0 If nextUpdate is not set, the responder is indicating that newer

=A0=A0 revocation information is available all the time.

=A0=

While in section 4.2.2.1:

=A0=

=A0=A0 Responses where the nextUpdate value is not set are equivalent

=A0=A0 to a CRL with no time for nextUpdate (see Section 2.4).

=A0=

It is not appropriate to hav= e two different descriptions in two different places.

=A0

Delete section 2.4. See comment number 19 for the description of these parameters.

Not broken.
The current text segments fits well into a protocol overview section.

=A0=

=A0=

11= . Section 2.5 is also misplaced. They use values from the ASN.1 syntax which has not yet been described. They should be moved or incorporated in the document once the ASN.1 description has been done.

=A0

Not broken.

=A0

12= . Remainder: Section 2.6 should be deleted (see comment number 5).

=A0=


Not broken.

=A0=

13= . Section 2.7 states:

=A0=

2.7=A0 C= A Key Compromise

=A0<= /p>

=A0=A0 If an OCSP responder knows that a particular CA's private key has

=A0=A0 been compromised, it MAY return the revoked state for all

=A0=A0 certificates issued by that CA.<= /p>

=A0=

This section is misleading and should be removed. The reason is the following:

=A0

The relying party must verif= y that the singleResponse is signed by a responder which is entitled to do so.<= /o:p>

=A0

a) If the CA key has been compromised and if the response is signed by that CA key then the singleResponse will be discarded
when performing the certification path validation whatever the content of the response may be.

=A0

b) If the CA key which has issued the OCSP certificate has been compromised and if the response is signed by the key present
in the OCSP certificate then the singleResponse will be discarded when performing the certification path validation
whatever the content of the response may be.

=A0=

=A0=

Security must be provided using the validation of the certification path. Thus it does not matter what the OCSP responder states.



Not broken.
An OCSP responder does not have to be chained to the broken CA. The relying party may have other trust configuration at choice.



=A0

14= . The text states on page 11:=

=A0=

3.2=A0 S= igned Response Acceptance Requirements

=A0<= /p>

=A0=A0 Prior to accepting a signed response as valid, OCSP clients SHALL<= /p>

=A0=A0 confirm that:

=A0<= /p>

=A0=A0 1. The certificate identified in a received response corresponds to=

=A0=A0=A0=A0= =A0 that which was identified in the corresponding request;<= /b>

=A0<= /p>

=A0=A0 2. The signature on the response is valid;

=A0<= /p>

=A0=A0 3. The identity of the signer matches the intended recipient of the

=A0=A0=A0=A0= =A0 request.

=A0<= /p>

=A0=A0 4. The signer is currently authorized to sign the response.<= /p>

=A0<= /p>

=A0=A0 5. The time at which the status being indicated is known to be

=A0=A0=A0=A0= =A0 correct (thisUpdate) is sufficiently recent.=

=A0<= /p>

=A0=A0 6. When available, the time at or before which newer information will

=A0=A0=A0=A0= =A0 be available about the status of the certificate (nextUpdate) is

=A0=A0=A0=A0= =A0 greater than the current time.<= /b>

=A0=

This section is misplaced since it uses terms from the ASN.1 syntax and the protocol description has not yet been made,
since it is the next section 4. Its text is not correct either.

=A0

This description does not take into account the fact that a BasicOCSP= Response may contain one or several <= /span>SingleRes= ponses.
In particular, the sentence =93The signe= r is currently authorized to sign the response=94 is misleading because a signer
may be authorized to include some SingleRes= ponses but not necessarily all of them.

=A0=

The appropriate explanations should be done after the description of the response, when describing the processing of the response.

=A0

Delete that section.

=A0=


Not broken.

=A0

15= . On page 12, after the ASN.1 description, the only parameters which are described are:

hashAlgorithm,<= span style=3D"mso-ansi-language:EN-GB" lang=3D"EN-GB"> iss= uerNameHash, issuerKeyHash and serialNumber.

=A0<= /p>

This is insufficient.=A0 In order to cover the full list of parameters, the following text is proposed:

=A0=

=A0=A0 requestorName is optional and MAY be used by the server for access <= /p>

=A0=A0 control and audit purposes.=

=A0<= /p>

=A0=A0 requestList contains one or more single requests.

=A0<= /p>

=A0=A0 requestExtensions is OPTIONAL.=A0 A= ny specific extension is OPTIONAL.

=A0=A0 The critical flag SHOULD NOT be set for any of them. Section 4.4

=A0=A0 = sug= gests several useful extensions.=A0 A= dditional extensions MAY be <= /p>

=A0=A0 defined in additional RFCs.=

=A0<= /p>

=A0=A0 reqCert contains the identifier of a target certificate.

=A0<= /p>

=A0=A0 issuerNameHash is the hash of the Issuer's distinguished name.=A0 T= he

=A0=A0 hash shall be calculated over the DER encoding of the issuer's name =

=A0=A0 field in the certificate being checked.

=A0<= /p>

=A0=A0 issuerKeyHash is the hash of the Issuer's public key.=A0 T= he hash

=A0=A0 shall be calculated over the value (excluding tag and length) of the =

=A0=A0 subject public key field in the issuer's certificate.=A0 T= he hash

=A0=A0 algorithm used for both these hashes, is identified in

=A0=A0 hashAlgorithm.

=A0<= /p>

=A0=A0 =A0=A0=A0The primary reason to use the hash of the CA's public key in =

=A0=A0=A0=A0= =A0 addition to the hash of the CA's name, to identify the issuer,

=A0=A0=A0=A0= =A0 is that it is possible that two CAs may choose to use the same =

=A0=A0=A0=A0= =A0 name (uniqueness in the Name is a recommendation that cannot be =

=A0=A0=A0=A0= =A0 enforced). Two CAs will never, however, have the same public key

=A0=A0=A0=A0= =A0 unless the CAs either explicitly decided to share their private

=A0=A0=A0=A0= =A0 key, or the key of one of the CAs was compromised.

=A0<= /p>

=A0=A0 serialNumber is the serial number of the certificate for which

=A0=A0 status is being requested.=

=A0<= /p>

=A0=A0 singleRequestExtensions is OPTIONAL.=A0 A= ny specific extension is <= /b>

=A0=A0 OPTIONAL.=A0 T= he critical flag SHOULD NOT be set for any of them.

=A0<= /p>

=A0=A0 The requestor MAY choose to sign the OCSP request.= =A0 In that case, the

=A0=A0 signature is computed over the tbsRequest structure.=A0 If the request

=A0=A0 is signed, the requestor SHALL specify its name in the requestorName

=A0=A0 field.=A0 A= lso, for signed requests, the requestor MAY include

=A0=A0 certificates that help the OCSP responder verify the requestor's

=A0=A0 signature in the certs field of Signature.

=A0=


Not broken.
The current text is short, but it is actually sufficient from the context of the ASN.1 definitions of the section. This is a detailed protocol section and the reader need to understand ASN.1 in any case to understand and implement the section.
The information about criticality is already covered in the extension section.


=A0=

16. Section 4.1.2 is called: =93Not= es on the Request Syntax=94

=A0=

The first paragraph has been moved after the description of issuerKey= Hash and thus is no more needed.<= o:p>

=A0=

The second paragraph has bee= n moved after the description of requestEx= tensions.
However, the sentence
=93 Unrecognized extensions MUST be ignored (unless they have the critical flag set and are not understood)=94
has been deleted since it applies to the OCSP responder and not to the OCSP client. Thus it is no more needed.

=A0=

The third paragraph applies to signed requests. However, it should belong to a section dedicated on how clients should build OCPS requests,
which is currently missing. See the next comment.

=A0

This section should be deleted.

=A0

Not broken.

=A0

17= . There should be a new section called: =93Requirements for OCSP clients=94.

=A0=

It is important first to re-advertise that the request may be about several certificates.
Thus it is important to describe the process for building a request, which is currently missing.

=A0=

=A0=A0 An OCSP request allows getting in the same response the revocation

=A0=A0 status of one or more certificates.=A0 I= n order to request the

=A0=A0 status of one or more certificates in a single request, OCSP

=A0=A0 clients SHALL follow the following rules :

=A0<= /p>

=A0=A0 For each candidate certificate, OCSP clients SHALL verify

=A0=A0 whether there exists a locally defined rule for the certificate in =

=A0=A0 question which indicates the URI where the OCSP responder is

=A0=A0 located.=A0 I= f this rule exists, it SHALL be followed.

=A0<= /p>

=A0=A0 Otherwise, OCSP clients SHALL determine whether the candidate

=A0=A0 certificate contains an AIA extension with an accessMethod which =

=A0=A0 contains the id-ad-ocsp OID.=A0 I= f it is the case, the accessLocation <= /o:p>

=A0=A0 contains a uniformResourceIdentifier (URI) which indicates the

=A0=A0 location of the OCSP server for that certificate.

=A0<= /p>

=A0=A0 Certificates that contain the same URI MAY be grouped in a single

=A0=A0 request.

=A0<= /p>

Note:=A0 F= or each candidate certificate, when performing the path

=A0=A0=A0=A0= =A0=A0 validation algorithm, the OCSP client SHOULD verify that the

=A0=A0=A0=A0= =A0=A0 current time is within the validity period of the target

=A0=A0=A0=A0= =A0=A0 certificate.=A0 C= ertificates which are outside their validity

=A0=A0=A0=A0= =A0=A0 period SHOULD NOT be included in the request.

=A0=

=A0=A0 The requestor MAY choose to sign the OCSP request. In that case, the

=A0=A0 signature is computed over the tbsRequest structure. If the request

=A0=A0 is signed, the requestor SHALL specify its name in the requestorName

=A0=A0 field. Also, for signed requests, the requestor MAY include

=A0=A0 certificates that help the OCSP responder verify the requestor's

=A0=A0 signature in the certs field of Signature.

=A0=


Not broken.

Your text may provide guidance that could be useful to some implementers, but is completely beyond this document and further, not generally applicable or true.
As an example, an organisation may setup an in house locally configured OCSP responder that responds to all certificates "out there" that is relevant to that organisation.
Such clients would just blindly send OCSP requests to their local responder, disregarding any information in the cert.
It's totally beyond this spec to have an opinion about this.


=A0=

18= . The text states on page 14:=

=A0=

=A0=A0 The responder MAY include certificates in the

=A0=A0 certs field of BasicOCSPResponse that help the OCSP client verify the<= /b>

=A0=A0 responder's signature. If no certificates are included then certs=

=A0=A0 SHOULD be absent.

=A0=

While this sentence is true, it is not sufficient. In order to allow verifying every SingleResponse<= span style=3D"mso-ansi-language:EN-GB" lang=3D"EN-GB">,
it is important to include the relevant certificates which are pertinent to every SingleResponse.=

=A0

Proposed full text replacement:

=A0=

=A0=A0 = The responder MAY include certificates in the certs field of

=A0=A0 = BasicOCSPResponse that help the OCSP client verify the responder's

=A0=A0 = signature.

=A0=

=A0=A0 For every SingleResponse where the responder is not a CA, the

=A0=A0 responder SHALL include the relevant OCSP certificate in the certs

=A0=A0 field of BasicOCSPResponse in order to allow the OCSP client

=A0=A0 verifying the responder was entitled to include that SingleResponse

=A0=A0 in the signed BasicOCSPResponse.<= /span>

=A0<= /p>

=A0=A0 If no certificates are included then certs SHOULD be absent.

=A0

Not broken.

This requirement would break backwards compatibility with RFC 2560.
Further this would not be needed for a locally configured responder.

=A0

19= . Page 15. The ASN.1 syntax should be changed in order to be able to use the enumeration case 7 that is not used for CRLs.
This leads to the following change:

=A0

Current text:

=A0<= /p>

=A0=A0=A0=A0= =A0=A0 revocationReason=A0=A0=A0 [0]=A0=A0=A0=A0= EXPLICIT CRLReason OPTIONAL }

=A0

Proposed text change:

=A0

Current text:

=A0<= /p>

=A0=A0=A0=A0= =A0=A0 revocationReason =A0=A0=A0= [0]=A0=A0=A0=A0= EXPLICIT RevocationReason OPTIONAL }

=A0

RevocationReason ::=3D ENUMERATED {=

=A0=A0=A0=A0= =A0=A0=A0 unspecified=A0=A0=A0=A0= =A0=A0=A0=A0=A0 =A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0(0),

=A0=A0=A0=A0= =A0=A0=A0 keyCompromise=A0=A0=A0=A0= =A0=A0=A0 =A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0(1),

=A0=A0=A0=A0= =A0=A0=A0 cACompromise=A0=A0=A0=A0= =A0=A0=A0 =A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0=A0= (2),

=A0=A0=A0=A0= =A0=A0=A0 affiliationChanged=A0=A0=A0 =A0=A0=A0=A0= =A0=A0=A0=A0=A0(3),

=A0=A0=A0=A0= =A0=A0=A0 superseded=A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0=A0=A0 =A0= =A0=A0=A0=A0=A0=A0=A0(4= ),

=A0=A0=A0=A0= =A0=A0=A0 cessationOfOperation=A0 <= span style=3D"mso-spacerun:yes">=A0=A0=A0=A0= =A0=A0=A0=A0=A0(5),

=A0=A0=A0=A0= =A0=A0=A0 certificateHold=A0=A0=A0=A0= =A0=A0 =A0=A0=A0=A0= =A0=A0=A0=A0=A0(6),

=A0=A0=A0=A0= =A0=A0=A0 notIssuedOrIrregularlyIssued =A0=A0(7),

=A0=A0=A0=A0= =A0=A0=A0 removeFromCRL=A0=A0=A0=A0= =A0=A0=A0 =A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0(8),

=A0=A0=A0=A0= =A0=A0=A0 privilegeWithdrawn=A0=A0 =A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0(9),

=A0=A0=A0=A0= =A0=A0=A0 aACompromise=A0=A0=A0=A0= =A0=A0=A0 =A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0(1= 0) }

=A0

Not broken.

You have to convince the list about your new reason code.

=A0

20. Page 15. After the ASN.1 syntax, there is no description of every parameter, neither on its use
(except a few words in section 4.= 2.2.1 Time about th= isUpdate, nextUpdate and producedAt).

=A0<= /p>

Every parameter needs to be described and explained.

=A0<= /p>

=A0=A0 responderID indicates either the name or the key from a CA, or the <= /p>

=A0=A0 name or the key from a OCSP Responder.

=A0<= /p>

=A0=A0 producedAt indicates the time at which this response was signed.

=A0<= /p>

=A0=A0 responses contains one or more single responses.

=A0<= /p>

=A0=A0 responseExtensions is OPTIONAL.=A0 A= ny specific extension is OPTIONAL.

=A0=A0 The critical flag may or may not be set.=

=A0<= /p>

=A0=A0 certID is usually a copy of the same field which was placed in the

=A0=A0 request, but for OCSP responders which pre-produce signed responses <= /span>

=A0=A0 certID may be the identifier of a target certificate that was not

=A0=A0 present in the request (see the end of section 4.2).

=A0<= /p>

=A0=A0 certStatus indicates the status of the certificate: either good,

=A0=A0 revoked or unknown.

=A0<= /p>

=A0=A0 thisUpdate indicates the time at which the status being indicated

=A0=A0 is known to be correct.

=A0<= /p>

=A0=A0 nextUpdate indicates the time at or before which newer information <= /p>

=A0=A0 will be available about the status of the certificate.=A0 I= f

=A0=A0 nextUpdate is not set, the server is indicating that newer

=A0=A0 revocation information is available all the time.

=A0<= /p>

=A0=A0 If nextUpdate is set, it often corresponds to the {thisUpdate,

=A0=A0 nextUpdate} interval in CRLs.=A0 R= esponses whose nextUpdate value is

=A0=A0 earlier than the local UTC time value SHOULD be considered

=A0=A0 unreliable.=A0 R= esponses whose thisUpdate time is later than the local

=A0=A0 UTC time SHOULD be considered unreliable.

=A0<= /p>

=A0=A0 singleExtensions is OPTIONAL.=A0 A= ny specific extension is OPTIONAL.

=A0=A0 The critical flag SHOULD NOT be set for any of them.

=A0<= /p>

=A0=A0 revocationTime indicates the time at which the certificate was

=A0=A0 revoked.

=A0<= /p>

=A0=A0 revocationReason is OPTIONAL. =A0It includes all the cases that are

=A0=A0 present in CRLReason used for CRLs and an additional case 7 which is

=A0=A0 not used for CRLs.=A0 C= ase 7 is called notIssuedOrIrregularlyIssued. =

=A0<= /p>

=A0=A0=A0=A0= =A0 - "notIssued" corresponds to the case where the certificate <= /b>

=A0=A0=A0=A0= =A0=A0=A0=A0 serial number that was sent was erroneous and has not yet

=A0=A0=A0=A0= =A0=A0=A0=A0 been used by the CA at the time of the query,<= o:p>

=A0<= /p>

=A0=A0=A0=A0= =A0 - "irregularlyIssued" corresponds to the case where the

=A0=A0=A0=A0= =A0=A0=A0=A0 certificate serial number that was sent really exists in a

=A0=A0=A0=A0= =A0=A0=A0=A0 certificate that is correctly signed, but to its knowledge

=A0=A0=A0=A0= =A0=A0=A0=A0 the CA has not issued a certificate with such a serial

=A0=A0=A0=A0= =A0=A0=A0=A0 number. =A0As an example, it may have been issued by the CA

=A0=A0=A0=A0= =A0=A0=A0=A0 because the RA was compromised.

=A0<= /p> 

<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0 When=
 a responder responds revoked to a status request for which it 
<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0=A0kn=
ows that the serial number has not been used by the CA or has =

<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0=A0be=
en irregularly used irregularly to issue a certificate, then <=
/span>
<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0=A0=A0in=
 RevokedInfo the responder MUST:
<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0
=A0=A0 =A0=
=A0=A0- specify the revocationTime :=A0 January 1, 1970,
<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB"> =A0=A0=A0=A0=
=A0- provide the revocatio=
nReason: notIssuedOrIrregularlyIssued (7).
<=
span style=3D"mso-ansi-language:
EN-GB" lang=3D"EN-GB">=A0
=A0=A0 and in SingleResponse the responder =
MUST NOT include the nextUpdate.

=A0<= /p>

=A0=A0 The response MUST include a SingleResponse for each certificate in=

=A0=A0 the request and SHOULD NOT include any additional SingleResponse

=A0=A0 elements.=A0 H= owever, there is one exception:

=A0<= /p>

=A0=A0=A0=A0= =A0 OCSP responders MAY pre-produce signed responses specifying the

=A0=A0=A0=A0= =A0 status of certificates at a specified time.=A0 T= he time at which

=A0=A0=A0=A0= =A0 the status was known to be correct SHALL be reflected in the

=A0=A0=A0=A0= =A0 thisUpdate field of the response. =

=A0<= /p>

=A0=A0=A0=A0= =A0 OCSP responders that pre-generate status responses MAY return

=A0=A0=A0=A0= =A0 responses that include additional SingleResponse elements if

=A0=A0=A0=A0= =A0 necessary to improve response pre-generation performance or cache

=A0=A0=A0=A0= =A0 efficiency (as permitted in [RFC5019]).

=A0

Since the text above provides all the explanations at the level of the ASN.1 parameters, the general text
from section 4.2.2.3 Basic Response is no more need and should b= e deleted.

=A0<= /p>


Preliminary I would say "not broken".
If you don't replace 4.2.2.3, then what really are you missing?

=A0=

21= . 0n page 16, there is a section 4.2.2.2 called =93Authorize= d Responders=94<= o:p>

=A0

Section 4.2.2.2 states:=

=A0=

=A0=A0 (=85)

=A0=A0 This certificate MUST be issued directly by the CA that issued the<= /b>

=A0=A0 certificate in question.

=A0<= /p>

=A0=A0 The CA SHOULD use the same issuing key to issue a delegation<= /p>

=A0=A0 certificate as was used to sign the certificate being checked for

=A0=A0 revocation. Systems relying on OCSP responses MUST recognize a

=A0=A0 delegation certificate as being issued by the CA that issued the

=A0=A0 certificate in question only if the delegation certificate and the=

=A0=A0 certificate being checked for revocation was signed by the same key.

=A0=

This section would need to reformatted to address CA requirements first and then OCSP responder requirements:

=A0=

=A0=A0 (=85)

=A0=A0 This certificate MUST be issued directly by the CA that issued the<= /b>

=A0=A0 certificate in question.=A0 T= he CA SHOULD use the same issuing key to

=A0=A0 issue a delegation certificate as was used to sign the certificate

=A0=A0 being checked for revocation.

=A0<= /p>

=A0=A0 Systems relying on OCSP responses MUST be able to recognize a

=A0=A0 delegation certificate as being issued by the CA that issued the

=A0=A0 certificate in question if the delegation certificate and

=A0=A0 the certificate being checked were signed by the same key.=

=A0=


I disagree. The CA is actually free to do anything, but cannot expect the client to recognise the responder as authorised unless the same private key is used.
The current text places the requirement where they belong.

=A0=

22= . On page 17, the text states= :

=A0=

=A0=A0 They MUST reject the

=A0=A0 response if the certificate required to validate the signature on the

=A0=A0 response fails to meet at least one of the following criteria:=

=A0=

This is ambiguous. It is inappropriate to have a negative statement like =93The= y MUST reject=94.
The sentence should be turned in the positive form =93They SHALL accept=94

=A0=

Since the ASN.1 syntax has now be described, it is possible to be more specific.

=A0

The first occurrence of the word =93response=94 should be changed into =93singleResponse=94, while the second occurrence
of the word =93response=94 should be change= d into =93ResponseData=94

=A0=

Proposed text replacement:

=A0=

=A0=A0 They SHALL accept a singleResponse if the certificate required to

=A0=A0 validate the signature placed on the ResponseData meets one of the

=A0=A0 following criteria:


No, this change is not backwards compatible.
So state the requirements for rejection is not equivalent to stating requirements for acceptance.
There may be other locally configured reasons to reject in addition to those listed in the standard.


=A0=

=A0=

23= . On page 17, the text states= :

=A0=

=A0=A0 3. Includes a value of id-kp-OCSPSigning in an ExtendedKeyUsage=

=A0=A0 extension and is issued by the CA that issued the certificate in

=A0=A0 question as stated above."

=A0=

In order to be crystal clear= , it is proposed to change the wording in the following way:

=A0=

=A0=A0 3. Includes a value of id-kp-OCSPSigning in an ExtendedKeyUsage=

=A0=A0 extension and was signed by the CA using the same key that used

=A0=A0 to issue the certificate in question.

=A0=


No, issuing with another key is not prohibited, and may be accepted by some clients as an authorised responder.

=A0=

24= . On page 17, the text states= :

=A0=

=A0=A0 This SHOULD be a non-critical extension. The value of the extension =

=A0=A0 SHALL be NULL.

=A0<= /p>

The ASN.1 syntax is missing. Add:

=A0<= /p>

=A0=A0 NoCheck ::=3D NULL

=A0<= /p>

=A0=


Moving this to a separate discussion.
I'm not sure what the preferred way to describe this is.


25= . Remainder: On page 18, the general text from section 4.2.2.3 Basic Response = is no more needed and
should be deleted. See comment 20.

=A0=

=A0=


Not broken.

26= . On page 24, text should be added to the Security consideration section:

=A0=

Different results when using OCSP and CRLs=

=A0<= /p>

=A0=A0 OCSP clients or verifiers must build and verify a certification path

=A0=A0 for each target certificate up to a trusted root.=A0= When an OCSP

=A0=A0 Responder is using published CRLs, it must also build and verify a =

=A0=A0 certification path for the CRLs it uses up to a trusted root.

=A0<= /p>

=A0=A0 However, it should be realized that the root used by an OCSP

=A0=A0 Responder to verified these CRLs is not necessarily the same as the

=A0=A0 one that would be used by the OCSP client, if it were going to verify

=A0=A0 the CRLs itself.=A0 H= ence the revocation status may not be identical

=A0=A0 in both cases.

=A0<= /p>

=A0<= /p>


I don't understand this one.

27= . On page 24, text should be added to the Security consideration section:

=A0<= /p>

Denial of service attack using a flood of queries

=A0<= /p>

=A0=A0 A denial of service vulnerability is evident with respect to a flood

=A0=A0 of queries.= =A0 The production of a cryptographic signature

=A0=A0 significantly affects response generation cycle time, thereby

=A0=A0 exacerbating the situation.

=A0<= /p>

=A0=A0 The flood of queries may either come from a flood attack or from the

=A0=A0 fact that there are too many certificates supported by the same OCSP

=A0=A0 responder.=A0 I= n the later case, the number of queries can be

=A0=A0 reduced by using a technique similar to the splitting of CRLs: =

=A0<= /p>

=A0=A0=A0=A0= =A0 When a block of certificates have been issued with the same

=A0=A0=A0=A0= =A0 accessLocation in the AIA extension field of these certificates,

=A0=A0=A0=A0= =A0 then the accessLocation should be changed.=A0 I= n this way, a given <= /p>

=A0=A0=A0=A0= =A0 OCSP server will only be responsible for a block of certificates.<= /b>

=A0<= /p>


If the security considerations section is talking about splitting OCSP responders in this way, then the document itself need to introduce the subject.
I would suggest that it is beyond this update to do so.

=A0<= /p>

28= . On page 31, the text states= .

=A0=

=A0=A0 An alternative to this module that conforms to the 2002 version of =

=A0=A0 ASN.1 may be found in Section 4 of [RFC5912].

=A0<= /p>

RFC 5912 omits to define the nocheck extension. Thus it is inappropriate to refer to RFC 5912.

=A0

The corrected module should be defined in this new draft.
A corrected module is provided in draft-pinkas-rfc2560bis-03= .

=A0=


Will move this (as stated above) to a separate discussion.

=A0=

29= . Different topics are not covered by the document. These topics are important.
The following comments propose text to be placed in annexes. Three annexes are being proposed.

=A0

Note: The texts are extracte= d from draft-pinkas-rfc2560bis-03= .

=A0=

=A0=


Not broken.
Each such amendment need to be thoroughly reviewed and motivated.


30= . First annex being proposed. This annex is important, because key rollover is not addressed in the draft.

=A0=

KEY ROLLOVER

=A0<= /p>

1. CA that directly supports an OCSP service

=A0<= /p>

=A0=A0 When a CA that directly supports an OCSP service performs a key =

=A0=A0 rollover:

=A0<= /p>

=A0=A0 - for certificates issued under the old key, the CA SHALL continue

=A0=A0=A0=A0= to sign the revocation status of OCSP responses with that old key

=A0=A0=A0=A0= at least until all these certificates are expired, and

=A0<= /p>

=A0=A0 - for certificates issued under the new key, the CA SHALL change the <= /span>

=A0=A0=A0=A0= accessLocation in the AIA extension field of these certificates

=A0=A0=A0=A0= and sign the revocation status of OCSP responses with that new key

=A0=A0=A0=A0= at least until all these certificates are expired.

=A0<= /p>

=A0=A0 Note: The change in accessLocation is necessary when the CA rekeys <= /span>

=A0=A0=A0=A0= =A0=A0=A0=A0 to meet the following constraints imposed by this standard: <= /p>

=A0<= /p>

=A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0=A0 1) a BasicOCSPResponse can only be signed using a single

=A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 private key;

=A0<= /p>

=A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0=A0 2) the response must be signed using the same CA key that

=A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0 =A0=A0=A0=A0= was used to sign the certificate in question; and

=A0<= /p>

=A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0=A0 3) the OCSP response needs to cover all the certificates

=A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 queried in the OCSP request.<= /o:p>

=A0=

2. CA that uses OCSP responders

=A0=

=A0=A0 When a CA that uses OCSP Responders performs a key rollover, then

=A0=A0 it MUST either designate a new OCSP Responder or keep the current =

=A0=A0 OCSP Responder(s).

=A0<= /p>

=A0=A0 If the CA designates a new OCSP Responder, then it SHALL change the

=A0=A0 accessLocation in the AIA extension field for the newly issued

=A0=A0 certificates and issue an OCSP certificate to the new OCSP Responder

=A0=A0 using its new key.

=A0<= /p>

=A0=A0 If the CA keeps the same OCSP Responder(s), then it SHALL continue =

=A0=A0 to use the same accessLocation(s) in the AIA extension field for the

=A0=A0 newly issued certificates and issue an OCSP certificate to the =

=A0=A0 appropriate OCSP Responder(s) using its new key.=

=A0<= /p>

=A0=A0 Note: The CA may need to continue issuing certificates to the OCSP

=A0=A0 Responder(s) using the old CA key until all the certificates issued

=A0=A0 under the CA' old key for which the OCSP Responder(s) are

=A0=A0 authoritative have expired.

=A0<= /p>

3. OCSP Responder key rollover

=A0<= /p>

=A0=A0 When an OCSP Responder performs a key rollover (asynchronously from =

=A0=A0 a CA key rollover), then each CA which has designated an OCSP =

=A0=A0 Responder SHALL issue a new certificate for that OCSP Responder and =

=A0=A0 for each of its issuing keys which meets the following property:

=A0<= /p>

=A0=A0=A0=A0= =A0 - the issuing key has been used to sign at least one certificate <= /b>

=A0=A0=A0=A0= =A0=A0=A0 which contains an AIA extension designating that OCSP Responder

=A0=A0=A0=A0= =A0=A0=A0 and that certificate is not yet expired.=

=A0<= /p>

=A0=A0 An OCSP Responder key rollover does not affect the values of the

=A0=A0 URIs that are placed in the accessLocation field from the target <= /b>

=A0=A0 certificates.=A0 O= ne or more OCSP Responder MAY respond to an OCSP

=A0=A0 request addressed at a given URI picked from the accessLocation

=A0=A0 field from a target certificate.=A0 E= ach OCSP Responder MAY use a

=A0=A0 different signing key, as long as it got an OCSP certificate

=A0=A0 appropriate for that signing key and for the target certificate.

=A0=

=A0=

31= . Second annex being proposed= . This annex is important because it describes the validation of an OCSP response in the past
which is of a particular importance when validating electronic signatures.

=A0=

Response processing by an OCSP client

=A0<= /p>

=A0=A0 OCSP responses can be verified at the current time by an OCSP client =

=A0=A0 when receiving a response, whereas old responses can be verified at <= /span>

=A0=A0 a time in the past by a verifier.=A0 T= he algorithm below addresses

=A0=A0 both cases.

=A0<= /p>

=A0=A0 Prior to processing a basic response, OCSP clients MUST determine =

=A0=A0 the checking time, which may be either the current time or a time =

=A0=A0 in the past.

=A0<= /p>

=A0=A0 OCSP clients or verifiers SHALL check if the response contains <= /p>

=A0=A0 responseExtensions. If such an extension is found and is recognized,

=A0=A0 it MUST be processed.=A0 I= f such a critical extension is found and

=A0=A0 is not recognized, the whole OCSP response MUST be considered as <= /b>

=A0=A0 invalid.

=A0<= /p>

=A0=A0 If the checking time is the current time, and if a nonce extension

=A0=A0 has been used in the request and is recognized (see section 4.5.1),

=A0=A0 OCSP clients MUST check whether the same nonce is present in the

=A0=A0 response.=A0 I= f the nonce is not present or is different, then the

=A0=A0 OCSP response MUST be discarded.

=A0<= /p>

=A0=A0 Only the single response(s) which are/is of interest SHALL be <= /p>

=A0=A0 checked.

=A0<= /p>

STEP 1

=A0<= /p>

=A0=A0 OCSP clients or verifiers SHALL verify that the certificate

=A0=A0 identified in a single response is of interest.=A0 O= therwise, proceed

=A0=A0 to step 3.

=A0<= /p>

=A0=A0 If the certificate status included in a single certificate response

=A0=A0 is "unknown", then the revocation status of that certificate is

=A0=A0 "unknown", and proceed to step 3.<= /b>

=A0<= /p>

=A0=A0 If the certificate status from the single certificate response is

=A0=A0 either "good" or "revoked", OCSP clients or verifiers SHALL check <= /b>

=A0=A0 that the checking time is within the validity period of the target

=A0=A0 certificate.=A0 I= f it is not the case, then the revocation status of

=A0=A0 that certificate is "unknown" and proceed to step 3.

=A0<= /p>

=A0=A0 If the checking time is the current time, and if a nonce has been

=A0=A0 used in the request, then proceed to step 2.

=A0<= /p>

=A0=A0 If the checking time is the current time, and if no nonce has been

=A0=A0 used in the request, OCSP clients MUST check that the producedAt=

=A0=A0 field is within a time window that is "close enough" to the current =

=A0=A0 time.

=A0<= /p>

=A0=A0 Note: the notion of "close enough" is a local matter.=A0 It can be set

=A0=A0=A0=A0= =A0=A0=A0=A0 to a few minutes to allow for small UTC time differences

=A0=A0=A0=A0= =A0=A0=A0=A0 between the client and the server or to a few hours in case

=A0=A0=A0=A0= =A0=A0=A0=A0 the server is producing pre-computed responses.

=A0<= /p>

=A0=A0 If the checking time is a time in the past, verifiers MUST check

=A0=A0 that the producedAt field is in accordance with the verification <= /b>

=A0=A0 rules (e.g. close and/or after the date of a time-stamp token).<= /p>

=A0<= /p>

=A0=A0 In addition, if the nextUpdate field is present, OCSP clients MUST

=A0=A0 check that the time which is indicated is greater than the checking

=A0=A0 time, otherwise the single response MUST be discarded.

=A0<= /p>

=A0=A0 If checks are successful, then OCSP clients MUST process the

=A0=A0 singleExtensions field, if it is present.

=A0<= /p>

=A0=A0 If the criticality flag is set and the extension is not understood, <= /span>

=A0=A0 then the status of the certificate shall be "unknown" and proceed to

=A0=A0 step 3.=A0 Otherwise, proceed to step 2. =

=A0<= /p>

=A0=A0 If the extension is understood, then the extension MUST be <= /p>

=A0=A0 processed.=A0 A= ccording to its content proceed either to step 2 or to

=A0=A0 step 3.

=A0<= /p>

STEP 2

=A0<= /p>

=A0=A0 OCSP clients or verifiers MUST build and verify a certification path

=A0=A0 for that certificate up to a trusted root, so that they have the <= /b>

=A0=A0 knowledge of the CA public key value that was used to sign the

=A0=A0 target certificate.=A0 T= he revocation status of each certificate of

=A0=A0 that certification path (except the target certificate) SHALL be <= /b>

=A0=A0 checked.

=A0<= /p>

=A0=A0 If no path can be built or if one of the certificates of the path is

=A0=A0 revoked, then the revocation status of that certificate is "unknown",

=A0=A0 and proceed to step 3. =

=A0<= /p>

=A0=A0 If the certification path (except the target certificate) is valid, =

=A0=A0 then two cases need to be considered:

=A0<= /p>

=A0=A0 a) If the responderID matches with the name or the key from the CA =

=A0=A0=A0=A0= =A0 which has issued the target certificate, then check whether the <= /p>

=A0=A0=A0=A0= =A0 OCSP response is signed by the same key that was used to sign

=A0=A0=A0=A0= =A0 the target certificate.=

=A0<= /p>

=A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0=A0=A0 If it is the case, then the revocation status of that

=A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0=A0=A0 certificate as indicated in the certStatus field is

=A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0=A0=A0 accepted and proceed to step 3.

=A0<= /p>

=A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0=A0=A0 If it is not the case, then the revocation status of that

=A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0=A0=A0 certificate is "unknown" and proceed to step 3.<= /p>

=A0<= /p>

=A0=A0 b) If the responderID does not match with the name or the key from

=A0=A0=A0=A0= =A0 the CA which has issued the target certificate, then it indicates

=A0=A0=A0=A0= =A0 the name or the key from an OCSP Responder.=A0 C= heck whether there

=A0=A0=A0=A0= =A0 exists a local rule which applies to this target certificate to <= /b>

=A0=A0=A0=A0= =A0 verify that the signature of the BasicOCSPResponse is valid for

=A0=A0=A0=A0= =A0 that single response.=A0 I= f this rule exists, it SHALL be followed.

=A0<= /p>

=A0=A0=A0=A0= =A0 Otherwise check whether there is an OCSP certificate (i.e. which

=A0=A0=A0=A0= =A0 has both the ocspSigning OID in the extended key usage extension

=A0=A0=A0=A0= =A0 and the digitalSignature bit in the key usage extension) signed

=A0=A0=A0=A0= =A0 by the same key that was used to sign the target certificate.

=A0=A0=A0=A0= =A0 This certificate MUST be present in the certs field from the

=A0=A0=A0=A0= =A0 BasicOCSPResponse.

=A0<= /p>

=A0=A0=A0=A0= =A0=A0=A0=A0=A0 If such certificate is not found or is invalid, then the <= /p>

=A0=A0=A0=A0= =A0=A0=A0=A0=A0 revocation status of that certificate is "unknown" and

=A0=A0=A0=A0= =A0=A0=A0=A0=A0 proceed to step 3.

=A0<= /p>

=A0=A0=A0=A0= =A0=A0=A0=A0=A0 If such certificate exists and if the checking time is

=A0=A0=A0=A0= =A0=A0=A0=A0=A0 within the validity period of this certificate, then it MUST

=A0=A0=A0=A0= =A0=A0=A0=A0=A0 be verified whether the OCSP response can be verified using <= /p>

=A0=A0=A0=A0= =A0=A0=A0=A0=A0 the public key that is present in the OCSP Certificate.

=A0<= /p>

=A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0=A0=A0 If it is not the case, then the revocation status of that

=A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0=A0=A0 certificate is "unknown" and proceed to step 3.<= /p>

=A0<= /p>

=A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0=A0=A0 If it is the case, then it MUST be verified that the OCSP

=A0=A0=A0=A0= =A0=A0=A0=A0=A0=A0=A0=A0 Certificate has not been revoked.<= o:p>

=A0<= /p>

=A0=A0=A0=A0= If one of these conditions is met, then the status for the target <= /b>

=A0=A0=A0=A0= certificate as indicated in the certStatus field is accepted,

=A0=A0=A0=A0= otherwise the revocation status is "unknown".<= /o:p>

=A0<= /p>

STEP 3

=A0<= /p>

=A0=A0 If there exists another single certificate status response for a <= /b>

=A0=A0 target certificate that is of interest, then proceed to step 1. =

=A0=A0 Otherwise the basic response is now processed.=

=A0=

=A0=

32= . Third annex being proposed. This annex is important because it provides guidance on how to build an OCSP responder in the three cases.
Many text portions are similar, but three full texts are provided in order to provide a better clarity for each of the three cases.

=A0=

1. Request processing by OCSP servers

=A0<= /p>

=A0=A0 The behavior of an OCSP server will be different whether the OCSP

=A0=A0 server is a CA acting as an OCSP responder, is an OCSP Responder <= /p>

=A0=A0 which received a delegation from one or more CAs, or is a locally

=A0=A0 trusted Responder.

=A0<= /p>

1.1. Processing by a CA acting as an OCSP responder

=A0<= /p>

=A0=A0 The OCSP responder SHALL maintain a list of entries. Each entry

=A0=A0 SHALL contain:

=A0<= /p>

=A0=A0=A0=A0= - the URI associated to the OCSP responder, from which the OCSP

=A0=A0=A0=A0= =A0=A0 requests are received,

=A0<= /p>

=A0=A0=A0=A0= - the DN from a CA,

=A0<= /p>

=A0=A0=A0=A0= - an issuing public key from a CA,

=A0<= /p>

=A0=A0=A0=A0= - the method(s) used to know for which subset of certificates =

=A0=A0=A0=A0= =A0=A0 issued by the CA it is responsible for,

=A0<= /p>

=A0=A0=A0=A0= - the method(s) used to obtain the revocation status of that

=A0=A0=A0=A0= =A0=A0 subset of certificates issued under that CA issuing public key,

=A0=A0=A0=A0= =A0=A0 and

=A0<= /p>

=A0=A0=A0=A0= - the method used to gain access and sign with the private key

=A0=A0=A0=A0= =A0=A0 corresponding to the issuing public key.

=A0<= /p>

=A0=A0 For a given URI value, the OCSP responder SHALL only use one CA <= /b>

=A0=A0 key pair value.

=A0<= /p>

=A0=A0 When it receives an OCSP request on that URI, the OCSP responder =

=A0=A0 SHALL handle exceptions according to section 2.3.

=A0<= /p>

=A0=A0 If the OCSP request contains the name of a requestor, the OCSP

=A0=A0 responder SHALL verify whether there exists a locally defined rule

=A0=A0 which regulates access control.=A0 I= f this rule exists, it SHALL be =

=A0=A0 followed.

=A0<= /p>

=A0=A0 Then, for each target certificate, the OCSP responder SHALL verify =

=A0=A0 whether both the hash of the issuer's DN and the hash of the issuer =

=A0=A0 public key which are present in the request are eligible to a

=A0=A0 locally defined rule which indicates that the OCSP responder is <= /p>

=A0=A0 responsible to provide the revocation status of that target

=A0=A0 certificate.=A0 I= f this rule exists, it SHALL be followed.

=A0<= /p>

=A0=A0 Otherwise, the OCSP responder SHALL determine whether it is

=A0=A0 responsible to provide the revocation status of that target

=A0=A0 certificate according to the following rule.

=A0<= /p>

=A0=A0 For each target certificate, the OCSP responder SHALL verify whether

=A0=A0 both the hash of the issuer's DN and the hash of the issuer public

=A0=A0 key which are present in the request match respectively with the DN

=A0=A0 and the hash of the public key of contained in an entry from the

=A0=A0 list of entries maintained by this OCSP responder.

=A0<= /p>

=A0=A0 When there is no match, then the OCSP responder SHALL indicate the <= /span>

=A0=A0 "unknown" status and proceed with the next target certificate from

=A0=A0 the OCSP request.

=A0<= /p>

=A0=A0 When there is a match, then the OCSP responder SHALL use the serial

=A0=A0 number of the target certificate that is present in the request and

=A0=A0 determine the revocation status of that certificate according to

=A0=A0 the method(s) defined in the entry.

=A0<= /p>

=A0=A0 When the revocation status is provided by the server using a real

=A0=A0 time access to a database of revocation statuses of issued =

=A0=A0 certificates, then the thisUpdate field SHALL be present in the

=A0=A0 SingleResponse response whereas the nextUpdate field SHALL be

=A0=A0 missing.

=A0<= /p>

=A0=A0 Otherwise, both the thisUpdate and the nextUpdate fields SHALL be

=A0=A0 present in the SingleResponse. =

=A0<= /p>

=A0=A0 The time at which this response will be signed MUST be indicated in

=A0=A0 the producedAt field from the SingleResponse.

=A0<= /p>

=A0=A0 If a singleRequestExtensions is present in the request it MUST be =

=A0=A0 processed.

=A0<= /p>

=A0=A0 If there is another target certificate present in the request, it

=A0=A0 SHALL be processed in the same way.<= /span>

=A0<= /p>

=A0=A0 If a requestExtensions is present in the request it MUST be =

=A0=A0 processed.

=A0<= /p>

=A0=A0 The OCSP response MUST be signed using the CA issuing private key.=

=A0<= /p>

=A0<= /p>

1.2. Processing by an OCSP Responder

=A0<= /p>

=A0=A0 For each CA from which the OCSP Responder has received a delegation,

=A0=A0 the OCSP Responder SHALL maintain a list of entries.

=A0<= /p>

=A0=A0 Each entry SHALL contain:

=A0<= /p>

=A0=A0=A0=A0= - the URI associated to this OCSP Responder, from which the OCSP

=A0=A0=A0=A0= =A0=A0 requests are received,

=A0<= /p>

=A0=A0=A0=A0= - the DN from a CA,

=A0<= /p>

=A0=A0=A0=A0= - an issuing public key from a CA,

=A0<= /p>

=A0=A0=A0=A0= - the method(s) used to know for which subset of certificates =

=A0=A0=A0=A0= =A0=A0 issued by the CA it is responsible for,

=A0<= /p>

=A0=A0=A0=A0= - the method(s) used to obtain the revocation status of that

=A0=A0=A0=A0= =A0=A0 subset of certificates issued under that CA issuing public key,=

=A0<= /p>

=A0=A0=A0=A0= - an OCSP certificate,

=A0<= /p>

=A0=A0=A0=A0= - the OCSP public key contained in that OCSP certificate, and

=A0<= /p>

=A0=A0=A0=A0= - the method used to gain access and sign with the OCSP private <= /b>

=A0=A0=A0=A0= =A0=A0 key corresponding to that OCSP certificate.

=A0<= /p>

=A0=A0 For a given URI value, the OCSP Responder SHALL only use one OCSP

=A0=A0 key pair value.=A0 T= herefore there cannot be two entries with the

=A0=A0 same URI value and a different OCSP public key value.

=A0<= /p>

=A0=A0 NOTE: a BasicOCSPResponse can only be signed using a single private =

=A0=A0=A0=A0= =A0=A0=A0=A0 key.

=A0<= /p>

=A0=A0 The OCSP certificate SHALL be signed by the CA issuing private key =

=A0=A0 which corresponds to the issuing CA public key that is in this

=A0=A0 entry.

=A0<= /p>

=A0=A0 When it receives an OCSP request, the OCSP responder SHALL handle =

=A0=A0 exceptions according to section 2.3.

=A0<= /p>

=A0=A0 If the OCSP request contains the name of a requestor, the OCSP

=A0=A0 responder SHALL verify whether there exists a locally defined rule

=A0=A0 which regulates access control.=A0 I= f this rule exists, it SHALL be =

=A0=A0 followed.

=A0<= /p>

=A0=A0 For each target certificate, the OCSP Responder SHALL verify =

=A0=A0 whether both the hash of the issuer's DN and the hash of the issuer =

=A0=A0 public key which are present in the OCSP request match with those

=A0=A0 from an entry.

=A0<= /p>

=A0=A0 When there is no match, then the OCSP Responder SHALL indicate the <= /span>

=A0=A0 "unknown" status and proceed with the next target certificate from

=A0=A0 the OCSP request.

=A0<= /p>

=A0=A0 When there is a match, the OCSP Responder SHALL use the serial

=A0=A0 number of the target certificate this is present in the OCSP

=A0=A0 request to determine the revocation status of that certificate

=A0=A0 according to the method(s) indicated in the entry.

=A0<= /p>

=A0=A0 When the revocation status is provided by the server using a real

=A0=A0 time access to a database of revocation statuses of issued =

=A0=A0 certificates, then the thisUpdate field SHALL be present in the

=A0=A0 SingleResponse response whereas the nextUpdate field SHALL be

=A0=A0 missing.

=A0<= /p>

=A0=A0 Otherwise, both the thisUpdate and the nextUpdate fields SHALL be

=A0=A0 present in the SingleResponse. =

=A0<= /p>

=A0=A0 The time at which this response will be signed MUST be indicated in

=A0=A0 the producedAt field from the SingleResponse.

=A0<= /p>

=A0=A0 If a singleRequestExtensions is present in the request it MUST be =

=A0=A0 processed.

=A0<= /p>

=A0=A0 If there is another target certificate present in the request, it

=A0=A0 SHALL be processed in the same way.<= /span>

=A0<= /p>

=A0=A0 If a requestExtensions is present in the request it SHALL be

=A0=A0 processed.

=A0<= /p>

=A0=A0 The OCSP response MUST be signed using the OCSP private key.

=A0<= /p>

=A0=A0 Unless there is a local rule which states differently, for every =

=A0=A0 target certificate which matches both with the hash of a CA DN and an =

=A0=A0 issuing public key from an entry, the OCSP certificate of that entry

=A0=A0 SHALL be placed in the certs field.<= /span>

=A0<= /p>

=A0=A0 It may happen, that none of the target certificates from the OCSP

=A0=A0 request matches both with the hash of a CA DN and an issuing public <= /b>

=A0=A0 key from an entry.=A0 I= n that case and unless a local rule states

=A0=A0 differently, the certs field from the BasicOCSPResponse SHOULD be

=A0=A0 kept empty (to limit the disclose of the names of the CAs from which

=A0=A0 the OCSP Responder received a delegation from).

=A0<= /p>

1.3. Processing by a locally trusted Responder

=A0<= /p>

=A0=A0 For each CA for which the locally trusted Responder is

=A0=A0 authoritative, the OCSP Responder SHALL maintain a list of entries.

=A0<= /p>

=A0=A0 Each entry SHALL contain:

=A0<= /p>

=A0=A0=A0=A0= - the URI associated to this OCSP Responder, from which the OCSP

=A0=A0=A0=A0= =A0=A0 requests are received,

=A0<= /p>

=A0=A0=A0=A0= - the DN from a CA,

=A0<= /p>

=A0=A0=A0=A0= - an issuing public key from a CA,

=A0<= /p>

=A0=A0=A0=A0= - the method(s) used to know for which subset of certificates =

=A0=A0=A0=A0= =A0=A0 issued by the CA it is responsible for,

=A0<= /p>

=A0=A0=A0=A0= - the method(s) used to obtain the revocation status of that

=A0=A0=A0=A0= =A0=A0 subset of certificates issued under that CA issuing public key,=

=A0<= /p>

=A0=A0=A0=A0= - the method used to gain access to the private key in order to

=A0=A0=A0=A0= =A0=A0 sign the OCSP response. =

=A0<= /p>

=A0=A0 For a given URI value, the OCSP Responder SHALL only use one private

=A0=A0 key.=A0 T= herefore there cannot be two entries with the same URI value

=A0=A0 and a different method to gain access to the appropriate private key.

=A0<= /p>

=A0=A0 NOTE: a BasicOCSPResponse can only be signed using a single private =

=A0=A0=A0=A0= =A0=A0=A0=A0 key.

=A0<= /p>

=A0=A0 When it receives an OCSP request, the OCSP responder SHALL handle =

=A0=A0 exceptions according to section 2.3.

=A0<= /p>

=A0=A0 If the OCSP request contains the name of a requestor, the OCSP

=A0=A0 responder SHALL verify whether there exists a locally defined rule

=A0=A0 which regulates access control.=A0 I= f this rule exists, it SHALL be =

=A0=A0 followed.

=A0<= /p>

=A0=A0 For each target certificate, the OCSP Responder SHALL verify =

=A0=A0 whether both the hash of the issuer's DN and the hash of the issuer =

=A0=A0 public key which are present in the OCSP request match with those

=A0=A0 from an entry.

=A0<= /p>

=A0=A0 When there is no match, then the OCSP Responder SHALL indicate the <= /span>

=A0=A0 "unknown" status and proceed with the next target certificate from

=A0=A0 the OCSP request.

=A0<= /p>

=A0=A0 When there is a match, the OCSP Responder SHALL use the serial

=A0=A0 number of the target certificate this is present in the OCSP

=A0=A0 request to determine the revocation status of that certificate

=A0=A0 according to the method(s) indicated in the entry.

=A0<= /p>

=A0=A0 When the revocation status is provided by the server using a real

=A0=A0 time access to a database of revocation statuses of issued =

=A0=A0 certificates, then the thisUpdate field SHALL be present in the

=A0=A0 SingleResponse response whereas the nextUpdate field SHALL be

=A0=A0 missing.

=A0<= /p>

=A0=A0 Otherwise, both the thisUpdate and the nextUpdate fields SHALL be

=A0=A0 present in the SingleResponse. =

=A0<= /p>

=A0=A0 The time at which this response will be signed MUST be indicated in

=A0=A0 the producedAt field from the SingleResponse.

=A0<= /p>

=A0=A0 If a singleRequestExtensions is present in the request it MUST be =

=A0=A0 processed.

=A0<= /p>

=A0=A0 If there is another target certificate present in the request, it

=A0=A0 SHALL be processed in the same way.<= /span>

=A0<= /p>

=A0=A0 If a requestExtensions is present in the request it SHALL be

=A0=A0 processed.

=A0<= /p>

=A0=A0 The OCSP response MUST be signed using the OCSP private key.

=A0<= /p>

=A0=A0 The certs field may contain no, one or several OCSP certificates

=A0=A0 according to local rules followed by the locally trusted Responder.<= /p>


Not broken.

/Stefan

=A0=

=A0=

End of comments


Denis

=A0=

_______________________________________________ pkix mailing list pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix


--------------010606060500020302040001-- From denis.pinkas@bull.net Mon Mar 11 02:41:46 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1433021F86A1 for ; Mon, 11 Mar 2013 02:41:46 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.645 X-Spam-Level: X-Spam-Status: No, score=-5.645 tagged_above=-999 required=5 tests=[AWL=0.604, BAYES_00=-2.599, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1rfUcQWyZlZQ for ; Mon, 11 Mar 2013 02:41:45 -0700 (PDT) Received: from odin2.bull.net (odin2.bull.net [129.184.85.11]) by ietfa.amsl.com (Postfix) with ESMTP id 382D021F8606 for ; Mon, 11 Mar 2013 02:41:45 -0700 (PDT) Received: from MSGC-007.bull.fr (unknown [129.184.87.136]) by odin2.bull.net (Bull S.A.) with ESMTP id 9F6411D2E7; Mon, 11 Mar 2013 10:41:44 +0100 (CET) Received: from [127.0.0.1] ([129.184.39.15]) by MSGC-007.bull.fr (Lotus Domino Release 8.5.3FP1) with ESMTP id 2013031110414430-17934 ; Mon, 11 Mar 2013 10:41:44 +0100 Message-ID: <513DA6D4.2010208@bull.net> Date: Mon, 11 Mar 2013 10:41:40 +0100 From: Denis Pinkas User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130215 Thunderbird/17.0.3 MIME-Version: 1.0 To: mrex@sap.com References: <20130308231824.595391A617@ld9781.wdf.sap.corp> In-Reply-To: <20130308231824.595391A617@ld9781.wdf.sap.corp> X-MIMETrack: Itemize by SMTP Server on MSGC-007/SRV/BULL(Release 8.5.3FP1|March 07, 2012) at 11/03/2013 10:41:44, Serialize by Router on MSGC-007/SRV/BULL(Release 8.5.3FP1|March 07, 2012) at 11/03/2013 10:41:44, Serialize complete at 11/03/2013 10:41:44 X-TNEFEvaluated: 1 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=ISO-8859-1; format=flowed Cc: Stefan Santesson , pkix Subject: Re: [pkix] Comments on draft-santesson-auth-context-extension-04 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 Mar 2013 09:41:46 -0000 Martin, The problem is that we currently only have a static description for a mapping but no indication on how a RP shall use the content of the extension, in particular when it is critical. I have also difficulties to understand why this mapping information needs to be in the certificate since it will be in the audit trail of the CA anyway. What is important is how the RP shall use that information and my understanding is still the following: making sure the the certificate belongs to a person that has used a SAML token. So it is much straightforward to include in the certificate information about the SAML token itself rather than information on a mapping with the content of the DN which anyway is of no value for a RP because it cannot be verified. If a document is targeted to informational, it is because it may be useful outside the community which has an original interest in it. Denis > Denis, > > While I have no personal interest or use in this proposal myself, > I'm somewhat confused by your message. > > Denis Pinkas wrote: >> Allowing to have SAML attributes in a PKC would be a very good thing. >> However, the relying party DOES NOT care >> how these SAML attributes have been translated into a subject DN. It is >> the responsibility of the CA. > Stefan said that he _has_ RPs who care. Where is your problem with this? > > >> Thus, if the scope only remains to know how the correspondence was made >> between the SAML attributes and >> the subject DN, I don't believe that this document will be useful for >> the Internet community and thus I am still unconvinced >> that this document should progress as an Internet Draft. > "progress as Internet Draft"? > (I have not the slightest idea what that is.) > > From the document header, Stefan seems to be looking for an Individual > Submission with the intended document status "Informational". > > Were you thinking of a Standards track document? > Or were you thinking about a WG work item (Last thing I heard was that > PKIX is scheduled to shut down (as IETF WG) and not accepting any further > work items). Only the latter two would need any kind of "approval". > > > Stefan's primary interest seems to be sharing information about what he > does (or intends to do) with the IETF community. And Stefan seems to > solicit and accept feedback and suggestions from the PKIX community > to make this work more useful to others. > > >> If the scope is changed to allow to include SAML attributes as another >> name form in a PKC, then this is >> an important issue which deserves an Internet Draft. > Stefan indicated that he needs this extension to convey information > that does not qualify as SAN/otherName, so this feedback seems to be > missing the point. > > If you have a need for this, you might have to create your own proposal/I-D > to fit this purpose. > > > -Martin From stefan@aaa-sec.com Mon Mar 11 05:12:48 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EB2321F86FA for ; Mon, 11 Mar 2013 05:12:48 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.205 X-Spam-Level: X-Spam-Status: No, score=-102.205 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, DATE_IN_PAST_03_06=0.044, HELO_EQ_SE=0.35, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D7lKdfN1GaGr for ; Mon, 11 Mar 2013 05:12:47 -0700 (PDT) Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id E8E6721F86CB for ; Mon, 11 Mar 2013 05:12:46 -0700 (PDT) Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id 9FB8B57413A for ; Mon, 11 Mar 2013 13:12:45 +0100 (CET) X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id Wo2eqpZLLzTQ for ; Mon, 11 Mar 2013 13:12:44 +0100 (CET) Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 126EB574164 for ; Mon, 11 Mar 2013 13:12:44 +0100 (CET) Received: (qmail 81421 invoked from network); 11 Mar 2013 12:12:43 -0000 Received: from unknown (HELO [130.129.130.12]) (stefan@fiddler.nu@[130.129.130.12]) (envelope-sender ) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 11 Mar 2013 12:12:43 -0000 User-Agent: Microsoft-MacOutlook/14.3.1.130117 Date: Mon, 11 Mar 2013 08:12:39 +0100 From: Stefan Santesson To: Denis Pinkas , Message-ID: Thread-Topic: [pkix] Comments on draft-santesson-auth-context-extension-04 In-Reply-To: <513DA6D4.2010208@bull.net> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Cc: pkix Subject: Re: [pkix] Comments on draft-santesson-auth-context-extension-04 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 Mar 2013 12:12:48 -0000 Denis, If you don't understand how this information can be useful, that probably is because you don't have a problem that needs this information. If you don't have a problem that needs this information, why does any of this bother you? The matching rules are not necessary because matching of SAML attributes is defined by SAML. Anyway. Answering below; On 3/11/13 10:41 AM, "Denis Pinkas" wrote: >Martin, > >The problem is that we currently only have a static description for a >mapping but no indication on how >a RP shall use the content of the extension, in particular when it is >critical. The information is there. You may use it any way you like. There are many use-cases describing situations where this information is useful. Criticality only means that you need to recognise the extension in order to accept the cert, not that you have to use it in any particular way. > >I have also difficulties to understand why this mapping information >needs to be in the certificate since it will be in the audit trail of >the CA anyway. That is probably because you don't have a problem that requires this information in the cert. The CA audit trail is not available to the RP at time of cert validation. > >What is important is how the RP shall use that information and my >understanding is still the following: >making sure the the certificate belongs to a person that has used a SAML >token. The RP can use several strategies depending on the amount and type of information present in the extension. It either gives you the information you need as RP (filling an information gap) or it doesn't. If it does it makes it possible for you to accept the cert. > >So it is much straightforward to include in the certificate information >about the SAML token itself rather than >information on a mapping with the content of the DN which anyway is of >no value for a RP because it cannot be verified. If that is what you need, then feel free to define such extension. I need a certificate that carries a normal cert name. I just need extra information to understand what that name is. > >If a document is targeted to informational, it is because it may be >useful outside the community which has an original interest in it. Not necessarily. But if someone has a problem that is addressed here (which you obviously have not), then I would not mind make it useful outside of our project. /Stefan > >Denis > >> Denis, >> >> While I have no personal interest or use in this proposal myself, >> I'm somewhat confused by your message. >> >> Denis Pinkas wrote: >>> Allowing to have SAML attributes in a PKC would be a very good thing. >>> However, the relying party DOES NOT care >>> how these SAML attributes have been translated into a subject DN. It is >>> the responsibility of the CA. >> Stefan said that he _has_ RPs who care. Where is your problem with >>this? >> >> >>> Thus, if the scope only remains to know how the correspondence was made >>> between the SAML attributes and >>> the subject DN, I don't believe that this document will be useful for >>> the Internet community and thus I am still unconvinced >>> that this document should progress as an Internet Draft. >> "progress as Internet Draft"? >> (I have not the slightest idea what that is.) >> >> From the document header, Stefan seems to be looking for an Individual >> Submission with the intended document status "Informational". >> >> Were you thinking of a Standards track document? >> Or were you thinking about a WG work item (Last thing I heard was that >> PKIX is scheduled to shut down (as IETF WG) and not accepting any >>further >> work items). Only the latter two would need any kind of "approval". >> >> >> Stefan's primary interest seems to be sharing information about what he >> does (or intends to do) with the IETF community. And Stefan seems to >> solicit and accept feedback and suggestions from the PKIX community >> to make this work more useful to others. >> >> >>> If the scope is changed to allow to include SAML attributes as another >>> name form in a PKC, then this is >>> an important issue which deserves an Internet Draft. >> Stefan indicated that he needs this extension to convey information >> that does not qualify as SAN/otherName, so this feedback seems to be >> missing the point. >> >> If you have a need for this, you might have to create your own >>proposal/I-D >> to fit this purpose. >> >> >> -Martin > > >_______________________________________________ >pkix mailing list >pkix@ietf.org >https://www.ietf.org/mailman/listinfo/pkix From peter.sylvester@edelweb.fr Tue Mar 12 03:10:17 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B58EC21F86F7 for ; Tue, 12 Mar 2013 03:10:17 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.11 X-Spam-Level: X-Spam-Status: No, score=-1.11 tagged_above=-999 required=5 tests=[BAYES_05=-1.11] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k+-3sG9jg1v4 for ; Tue, 12 Mar 2013 03:10:17 -0700 (PDT) Received: from mx1.on-x.com (mx1.on-x.com [92.103.215.51]) by ietfa.amsl.com (Postfix) with ESMTP id 25A4D21F842A for ; Tue, 12 Mar 2013 03:10:17 -0700 (PDT) Received: from mx1.on-x.com (localhost [127.0.0.1]) by mx1.on-x.com (Postfix) with ESMTP id 90E1F5E118 for ; Tue, 12 Mar 2013 11:09:31 +0100 (CET) Received: from mail1.on-x.com (mail1.on-x.com [192.168.10.66]) by mx1.on-x.com (Postfix) with ESMTP id 82E335E0E0 for ; Tue, 12 Mar 2013 11:09:31 +0100 (CET) Received: from mail1.on-x.com (localhost [127.0.0.1]) by mail1.on-x.com (Postfix) with ESMTP id BA36B6209D for ; Tue, 12 Mar 2013 11:10:03 +0100 (CET) Received: from smtps.on-x.com (rp-mail1.on-x.com [192.168.14.66]) by mail1.on-x.com (Postfix) with ESMTP id A948F6209B for ; Tue, 12 Mar 2013 11:10:03 +0100 (CET) Received: from [192.168.7.169] (unknown [192.168.7.169]) by smtps.on-x.com (Postfix) with ESMTPSA id 5FFE55E2B4 for ; Tue, 12 Mar 2013 11:01:51 +0100 (CET) Message-ID: <513EFF05.20707@edelweb.fr> Date: Tue, 12 Mar 2013 11:10:13 +0100 From: Peter Sylvester User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130221 Thunderbird/17.0.3 MIME-Version: 1.0 To: "'pkix@ietf.org'" Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-AV-Checked: ClamAV using ClamSMTP Subject: [pkix] timestamp signature validation X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Mar 2013 10:10:17 -0000 Hi, is a 3161 conformant timestamping client supposed to verify attribute certficates that are included in the ESSCertid? Or, in other words, does someone knows about any profile that prohibits a TSA to include an ESScertid pointing to an X.509 attribute certificate. Peter From mrex@sap.com Tue Mar 12 10:46:47 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D26A11E80D2 for ; Tue, 12 Mar 2013 10:46:47 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.032 X-Spam-Level: X-Spam-Status: No, score=-10.032 tagged_above=-999 required=5 tests=[AWL=0.217, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s+ivtguZqnRy for ; Tue, 12 Mar 2013 10:46:42 -0700 (PDT) Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 6E8ED11E80F0 for ; Tue, 12 Mar 2013 10:46:41 -0700 (PDT) Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id r2CHka1t023247 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 12 Mar 2013 18:46:36 +0100 (MET) In-Reply-To: <513EFF05.20707@edelweb.fr> To: Peter Sylvester Date: Tue, 12 Mar 2013 18:46:36 +0100 (CET) X-Mailer: ELM [version 2.4ME+ PL125 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="US-ASCII" Message-Id: <20130312174636.6921B1A622@ld9781.wdf.sap.corp> From: mrex@sap.com (Martin Rex) X-SAP: out Cc: "'pkix@ietf.org'" Subject: Re: [pkix] timestamp signature validation X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: mrex@sap.com List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Mar 2013 17:46:47 -0000 Peter Sylvester wrote: > > is a 3161 conformant timestamping client > supposed to verify attribute certficates > that are included in the ESSCertid? > > Or, in other words, does someone knows > about any profile that prohibits a > TSA to include an ESScertid pointing to > an X.509 attribute certificate. Admittedly, I don't have the slightest clue what the term "attribute certificate" refers to. The ESSCertID in rfc3161 refers to the TSA signer certificate, which was used to sign the rfc3161 timestamp. http://tools.ietf.org/html/rfc3161#page-8 The time-stamp token MUST NOT contain any signatures other than the signature of the TSA. The certificate identifier (ESSCertID) of the TSA certificate MUST be included as a signerInfo attribute inside a SigningCertificate attribute. Which part of "SigningCertificate" is unclear to you? -Martin From piyush@ditenity.com Tue Mar 12 11:16:29 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D592811E8140 for ; Tue, 12 Mar 2013 11:16:28 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.599 X-Spam-Level: X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fd3ki5jIaoJw for ; Tue, 12 Mar 2013 11:16:28 -0700 (PDT) Received: from mail-oa0-f50.google.com (mail-oa0-f50.google.com [209.85.219.50]) by ietfa.amsl.com (Postfix) with ESMTP id 1CF2F11E8142 for ; Tue, 12 Mar 2013 11:16:27 -0700 (PDT) Received: by mail-oa0-f50.google.com with SMTP id l20so169258oag.9 for ; Tue, 12 Mar 2013 11:16:24 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-type:content-transfer-encoding :x-mailer:thread-index:content-language:x-gm-message-state; bh=ND1M8/Tm/NrggtM5Fzibt+mU1drzNUByArCn7bYmtbo=; b=NHsDxMBICy8e2/juJGeG/TsNonUYop6Wq5vtjDyXpb/9bFcqemhGJ0J+WEATf+E6CD 0dRbIIdEvqZlVrVhkhbufjgFarNR3mrxRIjY2F63OX37HdeqLaGuV6b8GhWBSlrHIyVj EXnIVQgPb7K3xxp5TfgdG2ixj4e79POojwQ44GjEHJeWFDFq8ihzFIEJj9De6wi9lBis g9qDIgAka6CjPPsgi/iwNYqbh5ioQmt8YuFMG74TJ3ylN8VifwASozryKgg1+nNhJwAD 2loWInCwGiacjXE2aN1jERhaPOCP47SN3lyFjmBfmfS0C2ieLtA36BI2P+f3qKOKcSP/ BG+Q== X-Received: by 10.60.32.11 with SMTP id e11mr13274583oei.50.1363112184342; Tue, 12 Mar 2013 11:16:24 -0700 (PDT) Received: from hp13 (75-25-128-241.lightspeed.sjcpca.sbcglobal.net. [75.25.128.241]) by mx.google.com with ESMTPS id v3sm23085926oev.5.2013.03.12.11.16.22 (version=TLSv1 cipher=RC4-SHA bits=128/128); Tue, 12 Mar 2013 11:16:23 -0700 (PDT) From: "Piyush Jain" To: , "'Peter Sylvester'" References: <513EFF05.20707@edelweb.fr> <20130312174636.6921B1A622@ld9781.wdf.sap.corp> In-Reply-To: <20130312174636.6921B1A622@ld9781.wdf.sap.corp> Date: Tue, 12 Mar 2013 11:16:21 -0700 Message-ID: <015c01ce1f4d$b3f47b90$1bdd72b0$@ditenity.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Outlook 14.0 Thread-Index: AQFHakPIjOlZE/MiK6WNNoBABsFaTpmvwr9A Content-Language: en-us X-Gm-Message-State: ALoCoQmgYzoHpzKo6rlv7dkcXmSTzjIfitDiVYEifH15ysLddcTHAyQ36wNN/uaY+wjhr1Q6gu7y Cc: pkix@ietf.org Subject: Re: [pkix] timestamp signature validation X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Mar 2013 18:16:29 -0000 For Martin: Attribute Certificates profile http://www.ietf.org/rfc/rfc3281.txt ESSCertID can also refer to an attribute certificate which is used to convey authorization information. For Peter: I have not come across a profile that mandates or prohibits use of attribute certificates for time-stamping. If you think about it, the RP needs to figure out if the TSA is trusted and is authorized to sign the time-stamp responses. If RP can establish this with some out of band mechanism, there is no need to even look at the attribute certificate. However, if the environment dictates that authorization info is conveyed using attribute certificates, then the RP must process and verify attribute certificates. But who uses attribute certificates anyway? -Piyush > -----Original Message----- > From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of > Martin Rex > Sent: Tuesday, March 12, 2013 10:47 AM > To: Peter Sylvester > Cc: 'pkix@ietf.org' > Subject: Re: [pkix] timestamp signature validation > > Peter Sylvester wrote: > > > > is a 3161 conformant timestamping client supposed to verify attribute > > certficates that are included in the ESSCertid? > > > > Or, in other words, does someone knows about any profile that > > prohibits a TSA to include an ESScertid pointing to an X.509 attribute > > certificate. > > Admittedly, I don't have the slightest clue what the term "attribute > certificate" refers to. > > The ESSCertID in rfc3161 refers to the TSA signer certificate, which was used > to sign the rfc3161 timestamp. > > http://tools.ietf.org/html/rfc3161#page-8 > > The time-stamp token MUST NOT contain any signatures other than the > signature of the TSA. The certificate identifier (ESSCertID) of the > TSA certificate MUST be included as a signerInfo attribute inside a > SigningCertificate attribute. > > Which part of "SigningCertificate" is unclear to you? > > -Martin > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix From eabalea@gmail.com Tue Mar 12 11:19:32 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4874421F86E3 for ; Tue, 12 Mar 2013 11:19:32 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.598 X-Spam-Level: X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C7KWRF6vCfrk for ; Tue, 12 Mar 2013 11:19:31 -0700 (PDT) Received: from mail-ve0-f178.google.com (mail-ve0-f178.google.com [209.85.128.178]) by ietfa.amsl.com (Postfix) with ESMTP id 6941721F8667 for ; Tue, 12 Mar 2013 11:19:31 -0700 (PDT) Received: by mail-ve0-f178.google.com with SMTP id db10so117767veb.37 for ; Tue, 12 Mar 2013 11:19:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=Ebf9eU/Pjgcv4YHhc25gpADRZWkRRWQHWmkYDjU5kk0=; b=y5WmlMNBmHe63HVoLuh+03zAfqF74no7EUnmG/xzB0P2pXnPmHZHKXKuVDE2vhQ5a8 vCcoTJekpW2C/2BNWIoqgsQfuAnVWJlh3FyUPDr3bp9Q05eGuO16R+cEd53xy+bxCxS5 h4LuME4k48WlSqsBrQhB3BuYZBXz8yRud6emzSUge9TU2ruzom5ukodB9eu1YLFsGAt/ BUke1g0KJCwyYA7URvcnZoJoBi+k4hYEReSj+7IznMqgxgqPGe7ryJ/OJe8J4tXlZJ80 HCJ1Z3qgYA4w+idgTzch7iK62YwzkCuXaITeBk+O8Knufl2etaQMcSGeoy+2p1c7wBy7 Cskg== MIME-Version: 1.0 X-Received: by 10.52.23.38 with SMTP id j6mr5999475vdf.121.1363112370805; Tue, 12 Mar 2013 11:19:30 -0700 (PDT) Received: by 10.52.156.49 with HTTP; Tue, 12 Mar 2013 11:19:30 -0700 (PDT) In-Reply-To: <20130312174636.6921B1A622@ld9781.wdf.sap.corp> References: <513EFF05.20707@edelweb.fr> <20130312174636.6921B1A622@ld9781.wdf.sap.corp> Date: Tue, 12 Mar 2013 19:19:30 +0100 Message-ID: From: Erwann Abalea To: mrex@sap.com Content-Type: multipart/alternative; boundary=20cf3079bfe2a794c604d7be5469 Cc: "pkix@ietf.org" Subject: Re: [pkix] timestamp signature validation X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Mar 2013 18:19:32 -0000 --20cf3079bfe2a794c604d7be5469 Content-Type: text/plain; charset=UTF-8 2013/3/12 Martin Rex > Peter Sylvester wrote: > > > > is a 3161 conformant timestamping client > > supposed to verify attribute certficates > > that are included in the ESSCertid? > > > > Or, in other words, does someone knows > > about any profile that prohibits a > > TSA to include an ESScertid pointing to > > an X.509 attribute certificate. > The only thing that makes me think that only public-key certificates can *sign* TSA is a small phrase taken from the section 2.4.1 (request format): If the certReq field is present and set to true, the TSA's public key certificate that is referenced by the ESSCertID identifier inside a SigningCertificate attribute in the response MUST be provided by the TSA in the certificates field from the SignedData structure in that response. That field may also contain other certificates. But otherwise, nothing seems to prevent adding attribute certificates in the CMS as additional certificates. > Admittedly, I don't have the slightest clue what the term > "attribute certificate" refers to. > That's the second type of X.509 certificates. The first one is about "public key certificates". -- Erwann. --20cf3079bfe2a794c604d7be5469 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
2013/3/12 Martin Rex <<= a href=3D"mailto:mrex@sap.com" target=3D"_blank">mrex@sap.com>
Peter Sylvester wrote:
>
> is a 3161 conformant timestamping client
> supposed to verify attribute certficates
> that are included in the ESSCertid?
>
> Or, in other words, does someone knows
> about any profile that prohibits a
> TSA to include an ESScertid pointing to
> an X.509 attribute certificate.

<= div>The only thing that makes me think that only public-key certificates ca= n *sign* TSA is a small phrase taken from the section 2.4.1 (request format= ):

=C2=A0 =C2=A0If the certReq field is present and s= et to true, the TSA's public key
=C2=A0 =C2=A0certificate tha= t is referenced by the ESSCertID identifier inside a
=C2=A0 =C2= =A0SigningCertificate attribute in the response MUST be provided by the
=C2=A0 =C2=A0TSA in the certificates field from the SignedData structu= re in that
=C2=A0 =C2=A0response. =C2=A0That field may also conta= in other certificates.

But otherwise, nothin= g seems to prevent adding attribute certificates in the CMS as additional c= ertificates.
=C2=A0
Admittedly, I don't have the slightest clue what the term
"attribute certificate" refers to.

That's the second type of X.509 certificates. The first one is ab= out "public key certificates".

--
Erwann. --20cf3079bfe2a794c604d7be5469-- From eabalea@gmail.com Tue Mar 12 11:23:57 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6811811E8115 for ; Tue, 12 Mar 2013 11:23:57 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.598 X-Spam-Level: X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7+4F7bGua64m for ; Tue, 12 Mar 2013 11:23:56 -0700 (PDT) Received: from mail-ve0-f182.google.com (mail-ve0-f182.google.com [209.85.128.182]) by ietfa.amsl.com (Postfix) with ESMTP id 81AD011E8109 for ; Tue, 12 Mar 2013 11:23:55 -0700 (PDT) Received: by mail-ve0-f182.google.com with SMTP id ox1so126951veb.13 for ; Tue, 12 Mar 2013 11:23:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=4jLd0ZreZONfvbqKJwDmSoQUVMuj9WbxivHWJvtuItI=; b=ymz2NziAamvoslH9zG7g/UT0ukauCcDb8HwGZl5tM8RHO+qVqtyux8gySZ4hn0nEoK 68Tt8qTb8xCKdsAL5KcouRHNmR5/fT1CmkPVBRUl4YwZSwlpAUWncHNSMOJxSI2VYE/v PoDs1yV97yh3wPUMOvG5meytkZFBSDE93ih+kRQbOk6ZHlPHFuJKoQ3HfA8u+rhQTgNA 7ewaU6N8PXJOk2tx4sAZqJamyD1tWrxMSTYencVchW9XkSHN9Q5HkcLSslRm4ioDjJeJ V965/j2Kz2Lao0NOUHpKvQvO3RmHUN4K5tzsCVN5Q7re4T3Rt+vDsuPOO5jtNPDeCHfy iQzQ== MIME-Version: 1.0 X-Received: by 10.220.221.143 with SMTP id ic15mr6715433vcb.32.1363112635056; Tue, 12 Mar 2013 11:23:55 -0700 (PDT) Received: by 10.52.156.49 with HTTP; Tue, 12 Mar 2013 11:23:54 -0700 (PDT) In-Reply-To: <015c01ce1f4d$b3f47b90$1bdd72b0$@ditenity.com> References: <513EFF05.20707@edelweb.fr> <20130312174636.6921B1A622@ld9781.wdf.sap.corp> <015c01ce1f4d$b3f47b90$1bdd72b0$@ditenity.com> Date: Tue, 12 Mar 2013 19:23:54 +0100 Message-ID: From: Erwann Abalea To: Piyush Jain Content-Type: multipart/alternative; boundary=14dae9cdc33b66ca2804d7be649b Cc: pkix@ietf.org Subject: Re: [pkix] timestamp signature validation X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Mar 2013 18:23:57 -0000 --14dae9cdc33b66ca2804d7be649b Content-Type: text/plain; charset=UTF-8 2013/3/12 Piyush Jain > > But who uses attribute certificates anyway? > At least one TSP in Czechoslovakia. With Qualified Certificates. The attribute certificates is additional to the signer. Other than that, I have never encountered attribute certificates in the wild. -- Erwann. --14dae9cdc33b66ca2804d7be649b Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
2013/3/12 Piyush Jain <= piyush@ditenity.co= m>

But who uses attribute certificates anyway?

=
At least one TSP in Czechoslovakia. With Qualified Certificates.= The attribute certificates is additional to the signer.

Other than that, I have never encountered attribute certificates= in the wild.

--
Erwann. --14dae9cdc33b66ca2804d7be649b-- From d.w.chadwick@kent.ac.uk Tue Mar 12 12:01:57 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B3FE11E8183 for ; Tue, 12 Mar 2013 12:01:57 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.599 X-Spam-Level: X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NGFELYhHLPLV for ; Tue, 12 Mar 2013 12:01:54 -0700 (PDT) Received: from mx2.kent.ac.uk (mx2.kent.ac.uk [129.12.21.33]) by ietfa.amsl.com (Postfix) with ESMTP id 8910111E828F for ; Tue, 12 Mar 2013 12:01:38 -0700 (PDT) Received: from vpnfa4e.kent.ac.uk ([129.12.250.78]) by mx2.kent.ac.uk with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.72) (envelope-from ) id 1UFUS9-0004m2-3c; Tue, 12 Mar 2013 19:01:37 +0000 Message-ID: <513F7B92.4020806@kent.ac.uk> Date: Tue, 12 Mar 2013 19:01:38 +0000 From: David Chadwick User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130215 Thunderbird/17.0.3 MIME-Version: 1.0 To: Erwann Abalea References: <513EFF05.20707@edelweb.fr> <20130312174636.6921B1A622@ld9781.wdf.sap.corp> <015c01ce1f4d$b3f47b90$1bdd72b0$@ditenity.com> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: pkix@ietf.org Subject: Re: [pkix] timestamp signature validation X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Mar 2013 19:01:58 -0000 Here's a few I know about Adobe did. It might still do. Entrust PKI did. It might still do Taiwan did. It might still do. and our PERMIS software still gets thousands of downloads a year David On 12/03/2013 18:23, Erwann Abalea wrote: > > 2013/3/12 Piyush Jain > > > > But who uses attribute certificates anyway? > > > At least one TSP in Czechoslovakia. With Qualified Certificates. The > attribute certificates is additional to the signer. > > Other than that, I have never encountered attribute certificates in the > wild. > > -- > Erwann. > > > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix > From mrex@sap.com Tue Mar 12 12:04:54 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22B9321F8C09 for ; Tue, 12 Mar 2013 12:04:54 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.054 X-Spam-Level: X-Spam-Status: No, score=-10.054 tagged_above=-999 required=5 tests=[AWL=0.195, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ozlnQm7aER2c for ; Tue, 12 Mar 2013 12:04:49 -0700 (PDT) Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 703D421F8BF2 for ; Tue, 12 Mar 2013 12:04:49 -0700 (PDT) Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id r2CJ4ka3007106 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 12 Mar 2013 20:04:46 +0100 (MET) In-Reply-To: <015c01ce1f4d$b3f47b90$1bdd72b0$@ditenity.com> To: Piyush Jain Date: Tue, 12 Mar 2013 20:04:46 +0100 (CET) X-Mailer: ELM [version 2.4ME+ PL125 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="US-ASCII" Message-Id: <20130312190446.659E71A622@ld9781.wdf.sap.corp> From: mrex@sap.com (Martin Rex) X-SAP: out Cc: pkix@ietf.org Subject: Re: [pkix] timestamp signature validation X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: mrex@sap.com List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Mar 2013 19:04:54 -0000 Piyush Jain wrote: > For Martin: > Attribute Certificates profile http://www.ietf.org/rfc/rfc3281.txt > ESSCertID can also refer to an attribute certificate which is used to convey > authorization information. Thanks. > > For Peter: > I have not come across a profile that mandates or prohibits use of attribute > certificates for time-stamping. > > If you think about it, the RP needs to figure out if the TSA is trusted and > is authorized to sign the time-stamp responses. > If RP can establish this with some out of band mechanism, there is no need > to even look at the attribute certificate. I also believe that rfc-3161 section-2.3 is clear _and_ complete: http://tools.ietf.org/html/rfc3161#section-2.3 The mere technical possibility to additionally name attribute certs through ESSCertID (see http://tools.ietf.org/html/rfc2634#section-5.4.1), besides the signer cert seems like a 6th wheel on the cart. Frankly, even the use of ESSCertID looks like a 5th wheel on the cart to me. My implementation of a TSA client and TimeStamped-CMS verifiers completely ignore ESSCertID and use only the regular CMS signerInfo. -Martin From pgut001@cs.auckland.ac.nz Tue Mar 12 18:21:13 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED1A111E80F9 for ; Tue, 12 Mar 2013 18:21:13 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mf6Pdbjr5xRV for ; Tue, 12 Mar 2013 18:21:11 -0700 (PDT) Received: from mx2.auckland.ac.nz (mx2.auckland.ac.nz [130.216.125.244]) by ietfa.amsl.com (Postfix) with ESMTP id 66E1611E80D1 for ; Tue, 12 Mar 2013 18:21:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1363137672; x=1394673672; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=RenP1H4WISMsAtCi1DGLBdx6t/CfLFul7nKaYIHxsr0=; b=PC+pL8XB59Fjcqke4VSYyInG8b5EHolIZHXglCswZv5tcZ4DoldSed/a O8heTgJMHZA38Hb2GanxEzi1lrfA/sJ/UFtmTHu2+ubJlpsi1euMQWAvQ NnGqEZEQu/DkFDj6McuKgAtuWqAx/DGAu4YWY1cEW9aFZgD9NgqkmHs4R g=; X-IronPort-AV: E=Sophos;i="4.84,833,1355050800"; d="scan'208";a="175102493" X-Ironport-HAT: MAIL-SERVERS - $RELAYED X-Ironport-Source: 130.216.4.112 - Outgoing - Outgoing Received: from uxchange10-fe1.uoa.auckland.ac.nz ([130.216.4.112]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES128-SHA; 13 Mar 2013 14:21:07 +1300 Received: from UXCN10-2.UoA.auckland.ac.nz ([169.254.2.110]) by uxchange10-fe1.UoA.auckland.ac.nz ([130.216.4.112]) with mapi id 14.02.0318.004; Wed, 13 Mar 2013 14:21:06 +1300 From: Peter Gutmann To: "pkix@ietf.org" Thread-Topic: [pkix] timestamp signature validation Thread-Index: Ac4fiQjBY+lHT2LbRt+WF0prgs/Fog== Date: Wed, 13 Mar 2013 01:21:05 +0000 Message-ID: <9A043F3CF02CD34C8E74AC1594475C73375DCFA9@uxcn10-2.UoA.auckland.ac.nz> Accept-Language: en-GB, en-NZ, en-US Content-Language: en-GB X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [130.216.158.4] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Subject: Re: [pkix] timestamp signature validation X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Mar 2013 01:21:14 -0000 Erwann Abalea writes:=0A= =0A= >At least one TSP in Czechoslovakia. With Qualified Certificates. The=0A= >attribute certificates is additional to the signer. Other than that, I hav= e=0A= >never encountered attribute certificates in the wild.=0A= =0A= Has anyone considered contacting the TSP (do you mean TSA?) to let them kno= w=0A= that they're doing this? Given some of the totally broken behaviour of bot= h=0A= TSAs and TSP clients, they may not even be aware that they're doing this. = It=0A= seems we're having a complex debate over something that may just be yet=0A= another TSA implementation bug.=0A= =0A= Peter.=0A= From mrex@sap.com Tue Mar 12 18:52:40 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E2CD11E80F3 for ; Tue, 12 Mar 2013 18:52:40 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.072 X-Spam-Level: X-Spam-Status: No, score=-10.072 tagged_above=-999 required=5 tests=[AWL=0.177, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QgRVkDqNrOvh for ; Tue, 12 Mar 2013 18:52:39 -0700 (PDT) Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 6320611E80D1 for ; Tue, 12 Mar 2013 18:52:39 -0700 (PDT) Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id r2D1qWAS005830 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 13 Mar 2013 02:52:32 +0100 (MET) In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73375DCFA9@uxcn10-2.UoA.auckland.ac.nz> To: Peter Gutmann Date: Wed, 13 Mar 2013 02:52:32 +0100 (CET) X-Mailer: ELM [version 2.4ME+ PL125 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="US-ASCII" Message-Id: <20130313015232.054EC1A625@ld9781.wdf.sap.corp> From: mrex@sap.com (Martin Rex) X-SAP: out Cc: "pkix@ietf.org" Subject: Re: [pkix] timestamp signature validation X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: mrex@sap.com List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Mar 2013 01:52:40 -0000 Peter Gutmann wrote: > Erwann Abalea writes: > > > >At least one TSP in Czechoslovakia. With Qualified Certificates. The > >attribute certificates is additional to the signer. Other than that, I have > >never encountered attribute certificates in the wild. > > Has anyone considered contacting the TSP (do you mean TSA?) to let them know > that they're doing this? Given some of the totally broken behaviour of both > TSAs and TSP clients, they may not even be aware that they're doing this. It > seems we're having a complex debate over something that may just be yet > another TSA implementation bug. I still don't understand how the presence of attribute certificates could interfere (rather then enabling an otherwise failing) timestamp verification. A TSA client that is not explicitly instructed to look for attribute certificates and to require specific authorization data ought to be completely ignorant of any certs besides the TSA signature cert. Or is there anything in rfc3161 that suggests looking at other certs? -Martin From kapetr@mizera.cz Wed Mar 13 01:52:39 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4A6321F8D56 for ; Wed, 13 Mar 2013 01:52:39 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KLgovCGuovH7 for ; Wed, 13 Mar 2013 01:52:39 -0700 (PDT) Received: from smtp.volny.cz (smtp.volny.cz [IPv6:2001:4de8:71c:62::33]) by ietfa.amsl.com (Postfix) with ESMTP id 4E2BB21F8D55 for ; Wed, 13 Mar 2013 01:52:37 -0700 (PDT) Received: from [10.6.6.6] (251-43-13-46.tmcz.cz [46.13.43.251]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: kapetr) by smtp.volny.cz (Postfix) with ESMTPSA id 59172260A7B for ; Wed, 13 Mar 2013 09:52:36 +0100 (CET) Message-ID: <51403E54.70800@mizera.cz> Date: Wed, 13 Mar 2013 09:52:36 +0100 From: kapetr@mizera.cz User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130221 Thunderbird/17.0.3 MIME-Version: 1.0 To: pkix@ietf.org Content-Type: text/plain; charset=ISO-8859-2; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [pkix] timestamp signature validation X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Mar 2013 08:54:19 -0000 Hello, thanks Peter Sylvester you know now about the problem with attr. certs in timestamps I have with TSA. It may be useful for you to see original thread with details and example in OpenSSL user forum. Thread subject: "possible Bug in OpenSSL - rfc 3161 - TSA service" See: http://marc.info/?l=openssl-users&w=2&r=1&s=possible+Bug+in+OpenSSL+-+rfc+3161+-+TSA&q=b --kapetr From eabalea@gmail.com Wed Mar 13 03:04:31 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11F4921F8654 for ; Wed, 13 Mar 2013 03:04:31 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.598 X-Spam-Level: X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tmAFQbUXXgGR for ; Wed, 13 Mar 2013 03:04:30 -0700 (PDT) Received: from mail-ve0-f176.google.com (mail-ve0-f176.google.com [209.85.128.176]) by ietfa.amsl.com (Postfix) with ESMTP id 324A321F8640 for ; Wed, 13 Mar 2013 03:04:30 -0700 (PDT) Received: by mail-ve0-f176.google.com with SMTP id cz10so570442veb.21 for ; Wed, 13 Mar 2013 03:04:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=5jrb5X9k+rHV1RvccKPrQJD+pHy9bYsa5pIJgfp6tQo=; b=AnggcH+iH5/jphjqb21ED86W6OQxj0iIheK2JdSqYGsed8U4+rSrn0CohVAs4/YOWG 1xlXHcOmFryqiGR6JXseArt6CkA/7+criSK7gU1nqKUrB0UxbB1UQw3f+n21GVlcBwzA mJxJ0a8+3w0z/9X/l11YKPCexLYUy+Sbmls7PGoR4CW06CVD3vrYHTuMEJRN2yrHPSg5 RpaUJf0bnq5sjTs70U/A1ZgXZtJ1wRyrq4CmBOf93XDoQuN8z6KbCBooEgRBfGQKqMw0 /TTfEggtPpINzpk402sFZpsol5+iSubF+h+Qf93bJ9kc9Rf0Bp5gXneMgiGqi6M4DHOz RHcQ== MIME-Version: 1.0 X-Received: by 10.52.90.243 with SMTP id bz19mr6806180vdb.112.1363169069694; Wed, 13 Mar 2013 03:04:29 -0700 (PDT) Received: by 10.52.156.49 with HTTP; Wed, 13 Mar 2013 03:04:29 -0700 (PDT) In-Reply-To: <20130313015232.054EC1A625@ld9781.wdf.sap.corp> References: <9A043F3CF02CD34C8E74AC1594475C73375DCFA9@uxcn10-2.UoA.auckland.ac.nz> <20130313015232.054EC1A625@ld9781.wdf.sap.corp> Date: Wed, 13 Mar 2013 11:04:29 +0100 Message-ID: From: Erwann Abalea To: mrex@sap.com Content-Type: multipart/alternative; boundary=20cf307c9aa42b087704d7cb88df Cc: "pkix@ietf.org" Subject: Re: [pkix] timestamp signature validation X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Mar 2013 10:04:31 -0000 --20cf307c9aa42b087704d7cb88df Content-Type: text/plain; charset=UTF-8 2013/3/13 Martin Rex > Peter Gutmann wrote: > > Erwann Abalea writes: > > > > > >At least one TSP in Czechoslovakia. With Qualified Certificates. The > [read "Czech Republic" instead, as it was notified in private] > > >attribute certificates is additional to the signer. Other than that, I > have > > >never encountered attribute certificates in the wild. > > > > Has anyone considered contacting the TSP (do you mean TSA?) to let them > know > > that they're doing this? Given some of the totally broken behaviour of > both > > TSAs and TSP clients, they may not even be aware that they're doing > this. It > > seems we're having a complex debate over something that may just be yet > > another TSA implementation bug. > They're aware they're doing this. It's on purpose. > I still don't understand how the presence of attribute certificates > could interfere (rather then enabling an otherwise failing) timestamp > verification. > A dark corner from RFC2634. SigningCertificate attribute contains a sequence of ESSCertID, and usually this sequence is composed of only one certificate. [...] If more than one certificate is present in the sequence of ESSCertIDs, the certificates after the first one limit the set of authorization certificates that are used during signature validation. Authorization certificates can be either attribute certificates or normal certificates. [...] Everywhere "certificate" is mentioned, it can either be a public-key certificate (here named "normal certificate") or an attribute certificate. (Deciding what to do facing several public-key certificates in such a situation isn't clear, even after reading that paragraph). A TSA client that is not explicitly instructed to look for > attribute certificates and to require specific authorization data > ought to be completely ignorant of any certs besides the TSA > signature cert. > > Or is there anything in rfc3161 that suggests looking at other certs? Other than following RFC2634, performing a correct chain validation, and verify authorizations? No. -- Erwann. --20cf307c9aa42b087704d7cb88df Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
2013/3/13 Martin Rex <<= a href=3D"mailto:mrex@sap.com" target=3D"_blank">mrex@sap.com>
Peter Gutmann wrote:
> Erwann Abalea <eabalea@gmail.c= om> writes:
> >
> >At least one TSP in Czechoslovakia. With Qualified Certificates. T= he
[read "Czech Republic" instead, as = it was notified in private]=C2=A0
> >attribute certificates is additional to the signer. Other than tha= t, I have
> >never encountered attribute certificates in the wild.
>
> Has anyone considered contacting the TSP (do you mean TSA?) to let the= m know
> that they're doing this? =C2=A0Given some of the totally broken be= haviour of both
> TSAs and TSP clients, they may not even be aware that they're doin= g this. =C2=A0It
> seems we're having a complex debate over something that may just b= e yet
> another TSA implementation bug.

<= div>They're aware they're doing this. It's on purpose.
=C2=A0
I still don't understand how the presence of attribut= e certificates
could interfere (rather then enabling an otherwise failing) timestamp
verification.

A dark corner from RFC263= 4. SigningCertificate attribute contains a sequence of ESSCertID, and usual= ly this sequence is composed of only one certificate.

[...]
=C2=A0 =C2=A0If more than one certificate is pres= ent in the sequence of
=C2=A0 =C2=A0ESSCertIDs, the certificates = after the first one limit the set of
=C2=A0 =C2=A0authorization c= ertificates that are used during signature validation.
=C2=A0 =C2=A0Authorization certificates can be either attribute certif= icates or
=C2=A0 =C2=A0normal certificates.
[...]=

Everywhere "certificate" is mentioned, = it can either be a public-key certificate (here named "normal certific= ate") or an attribute certificate.
(Deciding what to do facing several public-key certificates in such a = situation isn't clear, even after reading that paragraph).
A TSA client that is not explicitly instructed to look for
attribute certificates and to require specific authorization data
ought to be completely ignorant of any certs besides the TSA
signature cert.

Or is there anything in rfc3161 that suggests looking at other certs?

Other than following RFC2634, performing a= correct chain validation, and verify authorizations? No.

--
Erwann. --20cf307c9aa42b087704d7cb88df-- From peter.sylvester@edelweb.fr Wed Mar 13 03:30:37 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 053B621F8D28 for ; Wed, 13 Mar 2013 03:30:37 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.854 X-Spam-Level: X-Spam-Status: No, score=-1.854 tagged_above=-999 required=5 tests=[AWL=0.744, BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l-tScsq8vRms for ; Wed, 13 Mar 2013 03:30:36 -0700 (PDT) Received: from mx1.on-x.com (mx1.on-x.com [92.103.215.51]) by ietfa.amsl.com (Postfix) with ESMTP id E538E21F8D27 for ; Wed, 13 Mar 2013 03:30:35 -0700 (PDT) Received: from mx1.on-x.com (localhost [127.0.0.1]) by mx1.on-x.com (Postfix) with ESMTP id 79E675E134 for ; Wed, 13 Mar 2013 11:29:48 +0100 (CET) Received: from mail1.on-x.com (mail1.on-x.com [192.168.10.66]) by mx1.on-x.com (Postfix) with ESMTP id 6561A5E12B for ; Wed, 13 Mar 2013 11:29:48 +0100 (CET) Received: from mail1.on-x.com (localhost [127.0.0.1]) by mail1.on-x.com (Postfix) with ESMTP id E28FF6209D for ; Wed, 13 Mar 2013 11:30:32 +0100 (CET) Received: from smtps.on-x.com (rp-mail1.on-x.com [192.168.14.66]) by mail1.on-x.com (Postfix) with ESMTP id D434B6209B for ; Wed, 13 Mar 2013 11:30:32 +0100 (CET) Received: from [192.168.7.169] (unknown [192.168.7.169]) by smtps.on-x.com (Postfix) with ESMTPSA id 6D54C5E1EF for ; Wed, 13 Mar 2013 11:22:12 +0100 (CET) Message-ID: <5140554A.4070806@edelweb.fr> Date: Wed, 13 Mar 2013 11:30:34 +0100 From: Peter Sylvester User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130221 Thunderbird/17.0.3 MIME-Version: 1.0 To: pkix@ietf.org References: <9A043F3CF02CD34C8E74AC1594475C73375DCFA9@uxcn10-2.UoA.auckland.ac.nz> <20130313015232.054EC1A625@ld9781.wdf.sap.corp> In-Reply-To: Content-Type: multipart/alternative; boundary="------------090508080601000605020002" X-AV-Checked: ClamAV using ClamSMTP Subject: Re: [pkix] timestamp signature validation X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Mar 2013 10:30:37 -0000 This is a multi-part message in MIME format. --------------090508080601000605020002 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit On 03/13/2013 11:04 AM, Erwann Abalea wrote: > > 2013/3/13 Martin Rex > > > Peter Gutmann wrote: > > Erwann Abalea > writes: > > > > > >At least one TSP in Czechoslovakia. With Qualified Certificates. The > > [read "Czech Republic" instead, as it was notified in private] > > > >attribute certificates is additional to the signer. Other than that, I have > > >never encountered attribute certificates in the wild. > > > > Has anyone considered contacting the TSP (do you mean TSA?) to let them know > > that they're doing this? Given some of the totally broken behaviour of both > > TSAs and TSP clients, they may not even be aware that they're doing this. It > > seems we're having a complex debate over something that may just be yet > > another TSA implementation bug. > > > They're aware they're doing this. It's on purpose. > > I still don't understand how the presence of attribute certificates > could interfere (rather then enabling an otherwise failing) timestamp > verification. > > > A dark corner from RFC2634. SigningCertificate attribute contains a sequence of ESSCertID, and > usually this sequence is composed of only one certificate. > > [...] > If more than one certificate is present in the sequence of > ESSCertIDs, the certificates after the first one limit the set of > authorization certificates that are used during signature validation. > Authorization certificates can be either attribute certificates or > normal certificates. > [...] > > Everywhere "certificate" is mentioned, it can either be a public-key certificate (here named > "normal certificate") or an attribute certificate. > (Deciding what to do facing several public-key certificates in such a situation isn't clear, even > after reading that paragraph). > > A TSA client that is not explicitly instructed to look for > attribute certificates and to require specific authorization data > ought to be completely ignorant of any certs besides the TSA > signature cert. > > Or is there anything in rfc3161 that suggests looking at other certs? > > > Other than following RFC2634, performing a correct chain validation, and verify authorizations? No. > I have a different opinuion. RFC 3161 mentions that a server must add an esscertid of the signing certficate. One uses thus a particular profile of esscertid. Whilst one can dedate the reason for that (i.e. to be conformant to the EU directive of signatures), this does obviuously not stop tsas to add other certs. But; For the security (whatever that means) of the time stamp any additional data are not relevant. A tsa client can just limit itself to just check the first occurence in the EssCertId sequence to match with the TSA's public key cert (and treat everything else similar as a non critical extension. If TSAs add other things and if some specialized client want to check this (with some hardcoded values of attribut certs) that outside the scope of RFC 3161. RFC 2634 does not require that ALL applications MUST verify all features as soon as they appear. at least as far as I understand it. this would be a devive task, how can an application learn the meaning of an attribute certificate? Peter --------------090508080601000605020002 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit
On 03/13/2013 11:04 AM, Erwann Abalea wrote:

2013/3/13 Martin Rex <mrex@sap.com>
Peter Gutmann wrote:
> Erwann Abalea <eabalea@gmail.com> writes:
> >
> >At least one TSP in Czechoslovakia. With Qualified Certificates. The
[read "Czech Republic" instead, as it was notified in private] 
> >attribute certificates is additional to the signer. Other than that, I have
> >never encountered attribute certificates in the wild.
>
> Has anyone considered contacting the TSP (do you mean TSA?) to let them know
> that they're doing this?  Given some of the totally broken behaviour of both
> TSAs and TSP clients, they may not even be aware that they're doing this.  It
> seems we're having a complex debate over something that may just be yet
> another TSA implementation bug.

They're aware they're doing this. It's on purpose.
 
I still don't understand how the presence of attribute certificates
could interfere (rather then enabling an otherwise failing) timestamp
verification.

A dark corner from RFC2634. SigningCertificate attribute contains a sequence of ESSCertID, and usually this sequence is composed of only one certificate.

[...]
   If more than one certificate is present in the sequence of
   ESSCertIDs, the certificates after the first one limit the set of
   authorization certificates that are used during signature validation.
   Authorization certificates can be either attribute certificates or
   normal certificates.
[...]

Everywhere "certificate" is mentioned, it can either be a public-key certificate (here named "normal certificate") or an attribute certificate.
(Deciding what to do facing several public-key certificates in such a situation isn't clear, even after reading that paragraph).

A TSA client that is not explicitly instructed to look for
attribute certificates and to require specific authorization data
ought to be completely ignorant of any certs besides the TSA
signature cert.

Or is there anything in rfc3161 that suggests looking at other certs?

Other than following RFC2634, performing a correct chain validation, and verify authorizations? No.


I have a different opinuion.

RFC 3161 mentions that a server must add
an esscertid of the signing certficate.
One uses thus a particular profile of esscertid.
Whilst one can dedate the reason for that (i.e. to be conformant
to the EU directive of signatures), this does obviuously not
stop tsas to add other certs.

But; For the security (whatever that means) of the time stamp any additional
data are not relevant.

A  tsa client can just limit itself to just check the first occurence in the EssCertId
sequence to match with the TSA's public key cert (and treat everything else
similar as a non critical extension.

If TSAs add other things and if some specialized client want to check this
(with some hardcoded values of attribut certs) that outside the scope
of RFC 3161.

RFC 2634 does not require that ALL applications MUST verify all features
as soon as they appear. at least as far as I understand it.
this would be a devive task, how can an application learn
the meaning of an attribute certificate?

Peter











--------------090508080601000605020002-- From pgut001@cs.auckland.ac.nz Wed Mar 13 05:30:22 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4FC0321F8C1F for ; Wed, 13 Mar 2013 05:30:22 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J2MC-tKKqSaa for ; Wed, 13 Mar 2013 05:30:18 -0700 (PDT) Received: from mx2.auckland.ac.nz (mx2.auckland.ac.nz [130.216.125.244]) by ietfa.amsl.com (Postfix) with ESMTP id 4874C21F85D9 for ; Wed, 13 Mar 2013 05:30:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1363177819; x=1394713819; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=HzTqNxXBZrYi3ff+wcx0Q3SVSQ42oLYKBZqlidK8+N8=; b=iycNIcGMlwJX/9fjQzGpCw0fm+JIszUIhNOhx0Uk7KrAvuFbokicb1BN MnCDZt3AkyOXj4/1sOn3tt9OJ+R9ZZtmJTJz5E5dpBxYwjCI+Q7QF1Eq2 ypYn7Wf+3A3gdLSyyfv1QCaLY+Lfh3UJLjctnLmZ2sMhSuTR+lY2V4EL1 A=; X-IronPort-AV: E=Sophos;i="4.84,836,1355050800"; d="scan'208";a="175205613" X-Ironport-HAT: MAIL-SERVERS - $RELAYED X-Ironport-Source: 130.216.4.106 - Outgoing - Outgoing Received: from uxchange10-fe2.uoa.auckland.ac.nz ([130.216.4.106]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES128-SHA; 14 Mar 2013 01:30:17 +1300 Received: from UXCHANGE10-FE4.UoA.auckland.ac.nz (130.216.4.171) by uxchange10-fe2.UoA.auckland.ac.nz (130.216.4.106) with Microsoft SMTP Server (TLS) id 14.2.318.4; Thu, 14 Mar 2013 01:30:17 +1300 Received: from UXCN10-2.UoA.auckland.ac.nz ([169.254.2.110]) by uxchange10-fe4.UoA.auckland.ac.nz ([130.216.4.171]) with mapi id 14.02.0318.004; Thu, 14 Mar 2013 01:30:17 +1300 From: Peter Gutmann To: "pkix@ietf.org" Thread-Topic: [pkix] timestamp signature validation Thread-Index: Ac4f5oQ8jTA2M5GTR0+R2V3NX27Aqw== Date: Wed, 13 Mar 2013 12:30:16 +0000 Message-ID: <9A043F3CF02CD34C8E74AC1594475C73375E0301@uxcn10-2.UoA.auckland.ac.nz> Accept-Language: en-GB, en-NZ, en-US Content-Language: en-GB X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [130.216.158.4] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Subject: Re: [pkix] timestamp signature validation X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Mar 2013 12:30:22 -0000 kapetr@mizera.cz writes:=0A= =0A= >It may be useful for you to see original thread with details and example i= n=0A= >OpenSSL user forum.=0A= >=0A= >Thread subject: "possible Bug in OpenSSL - rfc 3161 - TSA service"=0A= =0A= I like the comments made in the thread that "Adobe handles it so it must be= =0A= OK". That's a bit like saying "Internet Explorer handles it so it must be= =0A= valid HTML".=0A= =0A= Peter.=0A= From kent@bbn.com Wed Mar 13 08:26:09 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58ECC21F8EB1 for ; Wed, 13 Mar 2013 08:26:09 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -106.598 X-Spam-Level: X-Spam-Status: No, score=-106.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rR49q7WMfuhT for ; Wed, 13 Mar 2013 08:26:07 -0700 (PDT) Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id 3828221F8EAB for ; Wed, 13 Mar 2013 08:26:07 -0700 (PDT) Received: from dommiel.bbn.com ([192.1.122.15]:57708 helo=dhcp-1067.meeting.ietf.org) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from ) id 1UFnZ8-00096s-0E for pkix@ietf.org; Wed, 13 Mar 2013 11:26:06 -0400 Message-ID: <51409A8D.7050106@bbn.com> Date: Wed, 13 Mar 2013 11:26:05 -0400 From: Stephen Kent User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130307 Thunderbird/17.0.4 MIME-Version: 1.0 To: pkix Content-Type: multipart/alternative; boundary="------------010909090906090407070500" Subject: [pkix] minutes posted X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Mar 2013 15:26:09 -0000 This is a multi-part message in MIME format. --------------010909090906090407070500 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit But the IETF web site doesn't show them, for some reason. So, they are reproduced below. Steve ------- *PKIX WG Meeting March 12, 2013* Edited by Steve Kent Co-Chairs: Stephen Kent Stefan Santesson The PKIX WG met once, during a 1.5 hour time slot, during IETF 86, in Orlando, FL. A total of approximately 49 individuals attended the meeting. ** *Document Status Review -- Stefan Santesson (3xA)* There has been progress in document status since November, 2012. -2 new RFCs: Update to 5280 (6818), DNS CAA (6844) -1 document in IESG evaluation (2560bis) -1 active I-D in the WG: EST (-05) (Slides) *The Future of PKIX -- Sean Turner (IECA)* Sean reiterated his plan to complete the orderly shutdown of PKIX. He says this is expected to be the last meeting of PKIX, which began in 1995. The WG list will remain open. (no slides) *PKIX WG Document* *Enrollment over Secure Transport (EST) -- Max Pritikin (Cisco)* Max described changes since the -04 version. He noted that there was a lot of helpful comments on the -05 version, which is causing changes that will result in an -06 version, which he is working on now. Improvements include substantial prose improvements, explicit vs. explicit TA terminology, use of well-know UIRs. For the -065 version, the authors will fix the MIME representations, to remove the PEM headers, and they will include improved security for server-side generation exchange. It was reported that there are now two independent implementations that interoperate, which would allow the document to move very quickly to full standard status. (Slides) ** *Non-WG Topic Presentation* *Authentication Context Extension - Stefan Santesson (3XA)* This proposal describes an X.509 certificate extension that can be used by an RP to help map subject identity info, in a federated identity management environment based on the use of SAML. Stefan provided examples based on European PKI deployments, which motivate this work. The extension makes use of XML, because that is the native encoding for SAML assertions. Stefan's slides included detailed examples. This is an independent submission. (Slides) --------------010909090906090407070500 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit But the IETF web site doesn't show them, for some reason. So, they are reproduced below.

Steve
-------

PKIX WG Meeting March 12, 2013

 

Edited by Steve Kent

Co-Chairs: Stephen Kent <kent@bbn.com>

 Stefan Santesson <stefans@aaa-sec.com>

 

The PKIX WG met once, during a 1.5 hour time slot, during IETF 86, in Orlando, FL. A total of approximately 49 individuals attended the meeting.

 

Document Status Review – Stefan Santesson (3xA)

There has been progress in document status since November, 2012.

-   2 new RFCs: Update to 5280 (6818), DNS CAA (6844)

-   1 document in IESG evaluation (2560bis)

-   1 active I-D in the WG: EST (-05)

(Slides)

 

The Future of PKIX – Sean Turner (IECA)

Sean reiterated his plan to complete the orderly shutdown of PKIX. He says this is expected to be the last meeting of PKIX, which began in 1995. The WG list will remain open. (no slides)

 

 

PKIX WG Document

 

Enrollment over Secure Transport (EST) – Max Pritikin (Cisco)

Max described changes since the -04 version. He noted that there was a lot of helpful comments on the -05 version, which is causing changes that will result in an -06 version, which he is working on now. Improvements include substantial prose improvements, explicit vs. explicit TA terminology, use of well-know UIRs. For the -065 version, the authors will fix the MIME representations, to remove the PEM headers, and they will include improved security for server-side generation exchange. It was reported that there are now two independent implementations that interoperate, which would allow the document to move very quickly to full standard status. (Slides)

 

 

Non-WG Topic Presentation

 

Authentication Context Extension - Stefan Santesson (3XA)

This proposal describes an X.509 certificate extension that can be used by an RP to help map subject identity info, in a federated identity management environment based on the use of SAML. Stefan provided examples based on European PKI deployments, which motivate this work. The extension makes use of XML, because that is the native encoding for SAML assertions. Stefan’s slides included detailed examples. This is an independent submission. (Slides)


--------------010909090906090407070500-- From mrex@sap.com Wed Mar 13 09:57:19 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC91921F898A for ; Wed, 13 Mar 2013 09:57:19 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.087 X-Spam-Level: X-Spam-Status: No, score=-10.087 tagged_above=-999 required=5 tests=[AWL=0.162, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m2H5ySWQa0zp for ; Wed, 13 Mar 2013 09:57:19 -0700 (PDT) Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id AE7AB21F894D for ; Wed, 13 Mar 2013 09:57:18 -0700 (PDT) Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id r2DGvG0R019731 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 13 Mar 2013 17:57:16 +0100 (MET) In-Reply-To: <5140554A.4070806@edelweb.fr> To: Peter Sylvester Date: Wed, 13 Mar 2013 17:57:16 +0100 (CET) X-Mailer: ELM [version 2.4ME+ PL125 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="US-ASCII" Message-Id: <20130313165716.09CCD1A628@ld9781.wdf.sap.corp> From: mrex@sap.com (Martin Rex) X-SAP: out Cc: pkix@ietf.org Subject: Re: [pkix] timestamp signature validation X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: mrex@sap.com List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Mar 2013 16:57:20 -0000 Peter Sylvester wrote: > > Erwann Abalea wrote: >> >> Martin Rex wrote: >>> >>> A TSA client that is not explicitly instructed to look for >>> attribute certificates and to require specific authorization data >>> ought to be completely ignorant of any certs besides the TSA >>> signature cert. >>> >>> Or is there anything in rfc3161 that suggests looking at other certs? >> >> Other than following RFC2634, performing a correct chain validation, >> and verify authorizations? No. The way rfc3161 is specified, it is only the ASN.1 type ESSCertID with respect to the TSA Signature certificate that is imported from rfc2634, not any of the semantics associated with attribute certificates. That doesn't preclude that specific TSA servers&clients could define clear semantics in which fashion such data could be come relevant for the verification of the timestamp. But absent such out-of-band preconfigured semantics, an rfc3161 TSA client ought to entirely ignore unsolicited ESSCertID entries and unsolicited certs in the TimeStampToken for the purpose of robustness and adherence to he "principle of least surprise". > > A tsa client can just limit itself to just check the first occurence > in the EssCertId sequence to match with the TSA's public key cert > (and treat everything else similar as a non critical extension. A TSA client may have a preconfigured list of valid TSA signers consisting of ToBeSigned structures, where an ESSCertID containing a certificate hash would have to be ignored anyway. Simply always using the SignerInfo->SignerIdentifier element (which is mandary at the ASN.1 level) rather than digging through the signed attributes for an awkward ESSCertID (which is optional at the ASN.1 level) saves a significant amount of complex and brittle code. And if the document itself already lists 8 patents that might be applicable, an implementor may want to scope his implementation to the exact functionality that is necessary for interop in order to limit the "IP trolls attack surface"... > > If TSAs add other things and if some specialized client want to check this > (with some hardcoded values of attribut certs) that outside the scope > of RFC 3161. Correct. http://tools.ietf.org/html/rfc2634#section-5.3 5.3 Related Signature Verification Context Some applications require that additional information be used as part of the signature validation process. In particular, authorization information from attribute certificates and other public key certificates or policy identifiers provide additional information about the abilities and intent of the signer. The signing certificate attribute described in Section 5.4 provides the ability to bind this context information as part of the signature. While specific applications can "require that additional information be used as part of the signature validation process", rfc3161 _by_itself_ is clearly no such application that does. -Martin From internet-drafts@ietf.org Wed Mar 13 10:18:24 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4E3A21F8CDB; Wed, 13 Mar 2013 10:18:24 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.6 X-Spam-Level: X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aUwWBkM5PJBq; Wed, 13 Mar 2013 10:18:24 -0700 (PDT) Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id EA2BA21F8E46; Wed, 13 Mar 2013 10:18:21 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable From: internet-drafts@ietf.org To: i-d-announce@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 4.42 Message-ID: <20130313171821.3213.21227.idtracker@ietfa.amsl.com> Date: Wed, 13 Mar 2013 10:18:21 -0700 Cc: pkix@ietf.org Subject: [pkix] I-D Action: draft-ietf-pkix-rfc2560bis-15.txt X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Mar 2013 17:18:25 -0000 A New Internet-Draft is available from the on-line Internet-Drafts director= ies. This draft is a work item of the Public-Key Infrastructure (X.509) Working= Group of the IETF. Title : X.509 Internet Public Key Infrastructure Online Certific= ate Status Protocol - OCSP Author(s) : Stefan Santesson Michael Myers Rich Ankney Ambarish Malpani Slava Galperin Carlisle Adams Filename : draft-ietf-pkix-rfc2560bis-15.txt Pages : 43 Date : 2013-03-13 Abstract: This document specifies a protocol useful in determining the current status of a digital certificate without requiring CRLs. Additional mechanisms addressing PKIX operational requirements are specified in separate documents. This document obsoletes RFC 2560 and RFC 6277, and updates RFC 5912. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-pkix-rfc2560bis There's also a htmlized version available at: http://tools.ietf.org/html/draft-ietf-pkix-rfc2560bis-15 A diff from the previous version is available at: http://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-pkix-rfc2560bis-15 Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ From turners@ieca.com Wed Mar 13 12:54:30 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B34611E80F3 for ; Wed, 13 Mar 2013 12:54:30 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -100.928 X-Spam-Level: X-Spam-Status: No, score=-100.928 tagged_above=-999 required=5 tests=[AWL=-1.329, BAYES_00=-2.599, J_CHICKENPOX_23=0.6, J_CHICKENPOX_31=0.6, J_CHICKENPOX_33=0.6, J_CHICKENPOX_64=0.6, J_CHICKENPOX_66=0.6, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nY1C6Nb8tthB for ; Wed, 13 Mar 2013 12:54:24 -0700 (PDT) Received: from gateway04.websitewelcome.com (gateway04.websitewelcome.com [64.5.38.14]) by ietfa.amsl.com (Postfix) with ESMTP id 3908711E80D2 for ; Wed, 13 Mar 2013 12:54:24 -0700 (PDT) Received: by gateway04.websitewelcome.com (Postfix, from userid 5007) id 19BE19F345F6E; Wed, 13 Mar 2013 14:54:17 -0500 (CDT) Received: from gator1743.hostgator.com (gator1743.hostgator.com [184.173.253.227]) by gateway04.websitewelcome.com (Postfix) with ESMTP id 05DB59F345F2A for ; Wed, 13 Mar 2013 14:54:17 -0500 (CDT) Received: from [198.180.150.142] (port=54885 helo=dhcp-5422.meeting.ietf.org) by gator1743.hostgator.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.80) (envelope-from ) id 1UFrkk-0000pE-S7; Wed, 13 Mar 2013 14:54:23 -0500 Message-ID: <5140D96C.9070807@ieca.com> Date: Wed, 13 Mar 2013 15:54:20 -0400 From: Sean Turner User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/20130307 Thunderbird/17.0.4 MIME-Version: 1.0 To: Denis Pinkas References: <513DA081.7050404@bull.net> In-Reply-To: <513DA081.7050404@bull.net> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 8bit X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - gator1743.hostgator.com X-AntiAbuse: Original Domain - ietf.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - ieca.com X-BWhitelist: no X-Source: X-Source-Args: X-Source-Dir: X-Source-Sender: (dhcp-5422.meeting.ietf.org) [198.180.150.142]:54885 X-Source-Auth: sean.turner@ieca.com X-Email-Count: 12 X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IxNzQzLmhvc3RnYXRvci5jb20= Cc: Stefan Santesson , pkix Subject: Re: [pkix] Review of 2560-bis draft 8. Answer to WGLC X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Mar 2013 19:54:30 -0000 Denis, You probably saw version -15 was published. I reviewed your comments and I think it's time to move this draft down to IETF LC. spt On 3/11/13 5:14 AM, Denis Pinkas wrote: > *Stefan,* > > ** > > *The review of your individual draft, took me the time I had during the > week for the IETF stuff; > hence, why this reply has been delayed.* > > *The situation is rather simple, if we forget about the editorial comments, > you have accepted one minor text change and that’s all.* > > ** > > *So the major problems are not solved to my satisfaction.* > > ** > > *I have maintained below the portion of the text which needs to be > further discussed. ** > **My comments are in blue.* > > ** > > *There is a new and very important issue that I discovered while reading > your comments. ** > **See the discussion about singleExtensions and of responseExtensions.* > > *Comment 8*: You have changed the meaning of the revoked state in a way > that is not what I requested. > > The original text was: > > *The "revoked" state indicates that the certificate has been revoked* > > *(either permanantly or temporarily (on hold)).* > > The new text is: > > * The "revoked" state indicates that the certificate has been revoked* > > * either permanently or temporarily on hold (i.e. the revocation reason* > > * is certificateHold).* > > By doing this, you do not allow any other case in the future to have a > temporary revocation: “*temporarily on hold”***is not the same > as*“**temporarily revoked”**.* > > I propose the following rewording: > > *The "revoked" state indicates that the certificate has been revoked * > > * either permanently or temporarily (e.g. placed on hold).* > > I substituted "temporarily on hold" with "temporarily. The rest > unchanged since the only existing reason code for temporary revocation > is certificateHold. > > *As you say, the only CURRENT existing reason code for temporary > revocation is certificateHold. ** > **We must not PREVENT other reasons in the future to mean “temporary > revocation”, hence why the change is needed.* > > The way the text from draft 13 is now written seems to allow using > either *“unknown”*or *“revoked”*for non-issued certificates. > If this is the intent, then the good news is that this does not come > anymore into conflict with the French rules which apply > for the Administration since OCSP responders from CAs used by the French > Ministries having a direct access to the database of issued certificates > will be able to use *“unknown*”, rather than *“revoked”*and the reason > code *“onhold”.* > > However, the current text is still mandating the use of *Extended > Revoked Definition*, but the rational for its need it is very poor. > As I have said on the PKIX list, the fact that the revocation date is > January 1rst, 1970 is fully sufficient to know that we are in that very > special case, > and you have not provided a rational to say the contrary. > > I have. And I have pointed you to the minutes of the last PKIC meeting. > > The consensus of the WG is to have the extension for just those reasons. > > As implementer, I don't like heuristics. A date of Jan 1st 1970 may > indicate this behaviour, > but may just be a misconfiguration. It is not an explicit statement. > > So we could get rid of it, … but the text from section 4.4.8 states: > > * This extension MAY be present in other responses to signal that the* > > * responder implements the extended revoked definition in section 2.2.* > > I have difficulties to understand what is really meant there (“other > responses” ?), since the text states: > > * This extension indicates that the responder supports the extended* > > * definition of the "revoked" status to also include non-issued* > > * certificates according to section 2.2.* > > Since both “unknown” and revoked” can be used, it would be desirable to > be able to include the same extension in both cases, > but in that case that extension should be renamed. > > This extension can be included in all responses to signal that a > responder implements the expanded definition of revoked. > > Doing so makes this fact auditable without having to ask for a > non-issued cert. > > I would propose to rename it: "*non-issued certificate*” which means > that the associated CA has no record of ever having issued a certificate > with the certificate serial number in the request (I still consider it > as unnecessary in the case of “revoked”, but it would be very useful in > the case of “unknown”). > Of course, the text from section 4.4.8 would need to be revised. > > I propose the following: > > * * > > *4.4.8 Non-issued certificate extension* > > * This extension MUST be included in the OCSP response when the OCSP* > > * responder knows that the CA identified in the request has no record* > > * of ever having issued a certificate with the certificate serial* > > * number indicated in the request.* > > * Clients do not have to parse this extension in order to determine* > > * the status of certificates in responses.* > > * This extension is identified by the object identifier id-pkix-ocsp-* > > * non-issued-cert.* > > * id-pkix-ocsp-non-issued-cert OBJECT IDENTIFIER ::= {id-pkix-ocsp 9}* > > * The value of the extension SHALL be NULL. This extension MUST NOT be* > > * marked critical.* > > Then the text on page 8 would need to be rearranged. > > Your extension variant is a significant change to what has been agreed. > > Your extension would need to be a single response extension, and can't > be used to audit the behaviour of the OCSP responder > unless you send a request for a non-issued cert. > > *Hummm !!! We have a very important point there. Thanks to your comment, > I now realize that the proposed extension > applies to the whole response. However, this is not possible and I will > now explain why. An OCSP responder may receive > a delegation from several CAs. With some of them, it can use a direct > access to the database of certificates, > while for some others, it will use CRLs. So the meaning of “revoked” > will depend of the CA. * > > ** > > *This means that the indication cannot be global to the OCSP response. > If we use an extension, it can only apply ** > **to an individual response and thus MUST in singleExtensions instead of > responseExtensions.* > > ** > > *Since it is singleExtension, it can used to “audit the behaviour of the > OCSP responder” and I do not grasp your rational ** > **when you say “unless you send a request for a non-issued cert”. There > is no need for sending anything.* > > We want to avoid sending such fake requests for audit purposes as it may > interfere with systems at the responder trying to detect existence of > rouge certificates. > > *There is no need to sending fake requests.* > > This is a type of change that I can't make unless you get support from a > majority of the WG for the change of direction you propose. > > *The important point is that the text states:* > > ** > > *“The "revoked" state (…) _MAY also be returned_ if the associated CA > has no record of ever having issued a certificate > with the certificate serial number in the request, using any current or > previous issuing key (referred to as a > "non-issued" certificate in this document).”* > > ** > > *The test does **_not_**state “**_MUST_**also be returned”. This means > that it is also possible to reply “unknown” if the associated CA ** > **has no record of ever having issued a certificate with the certificate > serial number in the request. However, this is not ** > **straightforward when reading the text and thus the text should be made > more explicit.* > > ** > > *Now, we get to the main point. The reason for adding an extension is > NOT to say that an extended meaning of revoked ** > **is being used, but that the INDIVIDUAL response is given using a > direct access to the records of the certificates issued by the CA.* > > The current text is: > > * This state MAY also be returned if the* > > * associated CA has no record of ever having issued a certificate with* > > * the certificate serial number in the request, using any current or* > > * previous issuing key (referred to as a "non-issued" certificate in* > > * this document).* > > * The "unknown" state indicates that the responder doesn't know about* > > * the certificate being requested.* > > * NOTE: The "revoked" state for known non-issued certificate serial* > > * numbers is allowed in order to reduce the risk of relying* > > * parties using CRLs as a fall back mechanism, which would be* > > * considerably higher if an "unknown" response was returned.* > > * When a responder responds revoked to a status request for a non-* > > * issued certificate, the responder MUST include the extended revoked* > > * definition response extension (section 4.4.8) in the response,* > > * indicating that the OCSP responder supports the extended definition* > > * of revoked state to also cover non-issued certificates. In addition,* > > * the SingleResponse related to this non-issued certificate;* > > * - MUST provide the revocation reason certificateHold (6),* > > * - MUST specify the revocationTime January 1, 1970, and;* > > * - MUST NOT include a CRL References extension (section 4.4.2) or any* > > * CRL Entry Extensions (section 4.4.5).* > > Proposed text for a replacement: > > * The "unknown" state indicates that the responder doesn't know about* > > * the certificate being requested.* > > > > * If the OCSP responder knows that CA identified in the request has* > > * no record of ever having issued a certificate with the certificate* > > * serial number in the request, using any current or previous issuing* > > * key (referred to as a "non-issued" certificate in this document),* > > * the OCSP responder SHALL respond either “revoked “ or “unknown”.* > > This is unfortunately very common in your rewording efforts. When trying > to fix one thing, you create new even bigger problems. > > An infrastructure that provides reproduced responses will respond > "unauthorized". This text may be interpreted to interfere with such > operations. > > *I fear I don’t understand your argument about “unauthorized”, but > before replying see below my next comment.* > > Further, and worse. This is not backwards compatible. Current OCSP > responders may respond "good" even if they have access to CA records. > > *You say: “Current OCSP responders may respond "good" even if they have > access to CA records”. Originally RFC 2560 allowed > returning “good” for OCSP responder using CRLs. Since RFC 2560 provided > no way to indicate that a direct access to the database > was being used or not, it was not possible to do better. * > > ** > > *Now, if an OCSP responder has a direct access and indicates in the > response that it has such an access, do you really believe > that it will return good ? I don’t. * > > ** > > *If an OCSP responder wants to return “good”, it can still do it, but in > that case it will not signal that it is using a direct access ** > **and this is perfectly backwards compatible. So I do not “buy” your > argumentation.* > > ** > > *Now, may be you understand better why I propose to rename the extension > “4.4.8 Non-issued certificate extension” and ** > **also to change its semantics.* > > * Note: The "revoked" state for known non-issued certificate serial* > > * numbers is allowed in order to reduce the risk of relying parties* > > * using CRLs as a fall back mechanism, which would be possible when* > > * the "unknown" response is returned.* > > * When a responder responds revoked or unknown to a status request* > > * for a non-issued certificate, the responder MUST include the* > > * non-issued certificate extension (see section 4.4.8) in the* > > * response.* > > * When a responder responds revoked to a status request for a non-* > > * issued certificate, in addition, the responder:* > > * - MUST provide the revocation reason certificateHold (6),* > > * - MUST specify the revocationTime January 1, 1970, and;* > > * - MUST NOT include a CRL References extension (section 4.4.2) or any* > > * CRL Entry Extensions (section 4.4.5).* > > Finally, the last bullet on page 4 should be reworded: > > Current text: > > * o Section 4.4.8 specifies a new extension that indicates that the* > > * responder supports the extended use of the "revoked" response* > > * for non-issued certificates defined in section 2.2.* > > Proposed replacement text: > > * o Section 4.4.8 specifies a new extension that indicates that* > > * the OCSP responder knows that CA identified in the request* > > * has no record of ever having issued a certificate with the* > > * certificate serial number present in the request, as defined* > > * in section 2.2.* > > No. Again, this changes the scope of the extension and its audit properties. > > Such change requires WG consensus. > > *See earlier comments.* > > *Comment 9:*Solved, if the comment above may be solved. > > *Comment 20*:This comment is preliminary classified by you as “not > broken”. However, since you asked: “If you don’t replace 4.2.2.3, > then what really are you missing ?”, I will provide you with an answer. > > This is the wrong way to state the question. Providing an ASN.1 syntax > as in 4.2.1 is not enough: the use of every parameter MUST be explained > using English words. So if you explain the use of every parameter after > the description of the ASN.1 syntax in section 4.2.1. then section 4.2.2.3 > is no more needed and thus can be deleted. > > The answer to your question “what is really missing” is a description of > the use of every parameter listed in the ASN.1 in section 4.2.1 > > There are sufficient descriptions in the subsections following the ASN.1 > description. Your change proposals are not compatible with the minimalistic > approach adopted by the WG. > > *The key point is whether we want a “good” document or maintain the low > quality of the original document.*** > > *Comment 26*: You asked for explanations. Let me provide you with an > example when CRLs are being used by the OCSP responder in the background. > The OCSP responder needs to make sure that the CRL it uses is valid. If > it is simply using published CRLs (i.e. no trusted link with the CA), it > needs > to make sure that the CA which has issued the CRL has no been revoked. > > No, this is a misstatement. You don't revoke CAs. You revoke CA > certificates. > > *Right.* > > There might be a CA certificate that has been revoked for a reason that > does not affect the OCSP responder. > > * ..but the contrary may also apply.* > > These are operational policies that are outside the scope of the protocol. > > *The proposed text does not affect the protocol.* > > The proposed text in comment 26 is plain wrong, or at least misleading. > The OCSP responder does not have to validate the CRL up to any > particular root. > It may for example have been configured to directly trust the public key > used to validate the CRL. > > *T**his depends how it makes sure that it is reading the right CRL. It > may or may not use a root CA.* > > In France, there is a root CA for the Administration. However, the use > of that root CA is optional. Thus a Ministry may have its own root, > but may also have its key certified by the root CA of the > Administration. The OCSP responder may use the root CA of the Ministry, > while a relying party may use the root CA of the Administration (or the > reverse) to validate the CRL for the target certificate. > Thus the revocation status will be different if the certificate of the > CA of the Ministry is revoked by the root CA of the Administration. > > Which reinforces my point. How the OCSP responder is configured to trust > its information source is outside the scope of the protocol. > > The OCSP protocol never claims to provide the same conclusion about > revocation than another source the relying party may use. > > *We both agree; however would you point me where this is said in the > current draft? Since I could not find it, > I believe it is useful to highlight the point in the security > considerations section. > * > > * > * > > *Finally, I believe that the major point indicated earlier comes from > the original "bad writing" of RFC 2560.* > > *There is no clear distinction between what applies to > ***BasicOCSPResponse* and ***what applies *to Single Response.* > > *On page 15 from draft-14, the text still states in section 4.2.2.2 > Authorized Responder: > > "It is necessary however to ensure that the entity signing this > information is authorized to do so". > > This is vague. What is "this information " ? This text is within section > "4.2.2 Notes on OCSP Responses". > This does not help much. > > Is it BasicOCSPResponse ? If it is , this is wrong. > > It is SingleResponse, since a single response may be signed by the right > key and/or the right certificate, > but not another single response. > > How can a reader guess that it is SingleResponse ? > > Once again the quality of the text is really bad, and that text and some > other portions (3.2 Signed Response Acceptance Requirements) > would need to be changed. > * > > ** > > *Denis* > > > >> Denis, >> >> My replies in line; >> >> From: Denis Pinkas > >> Date: Monday, February 11, 2013 3:18 PM >> To: Stefan Santesson > >> Cc: Stephen Kent >, pkix >> > >> Subject: Re: [pkix] Review of 2560-bis draft 8. Answer to WGLC >> >> Stefan, >> >> I have finally reviewed your disposition of comments. I have used >> draft 13. >> >> I will not address the comments in sequence, but I will consider >> four categories: >> >> *Category 1)*Some comments which seem to be solved. Yes indeed, >> they may be a few of them ! >> >> *Category 2)*Some comments which might possibly be solved at the >> WG level. >> >> *Category 3)*Some comments that I will address at the IETF last >> call level, rather than the WG last call level, since I disagree >> that it is “new ways to say the same thing” and it is likely to be >> a waste of time for both of us to argue again at the WG level >> (these comments are commented as “not broken”). >> >> *Category 4)*Some typos and editorials found while reading draft 13. >> >> *CATEGORY 1* >> >> *Comment 4*(was editorial). >> >> *Comment 5.* >> >> ** >> >> *Comment 6. * >> >> *Comment 19*. Solved, since *“unknown”*seems now to be also >> allowed for non-issued certificates >> (even if the OCSP responder is using a direct access to the >> certificate database). See comment 8. >> >> *Comment 13*: Acceptable, since the text uses *“MAY”.* >> >> *Comment 18. * >> >> *Comment 22.* >> >> *Comment 23.* >> >> *Comment 28.* >> >> *CATEGORY 1* >> >> *Comment 8*: You have changed the meaning of the revoked state in >> a way that is not what I requested. >> >> The original text was: >> >> *The "revoked" state indicates that the certificate has been revoked* >> >> *(either permanantly or temporarily (on hold)).* >> >> The new text is: >> >> ** >> >> * The "revoked" state indicates that the certificate has been revoked* >> >> * either permanently or temporarily on hold (i.e. the revocation reason* >> >> * is certificateHold).* >> >> By doing this, you do not allow any other case in the future to >> have a temporary revocation: “*temporarily on hold”** >> *is not the same as*“**temporarily revoked”**.* >> >> I propose the following rewording: >> >> *The "revoked" state indicates that the certificate has been revoked * >> >> * either permanently or temporarily (e.g. placed on hold).* >> >> >> I substituted "temporarily on hold" with "temporarily. The rest >> unchanged since the only existing reason code for temporary revocation >> is certificateHold. >> >> >> >> The way the text from draft 13 is now written seems to allow using >> either *“unknown”*or *“revoked”*for non-issued certificates. >> If this is the intent, then the good news is that this does not >> come anymore into conflict with the French rules which apply for >> the Administration since OCSP responders from CAs used by the >> French Ministries having a direct access to the database >> of issued certificates will be able to use *“unknown*”, rather >> than *“revoked”*and the reason code *“onhold”.* >> >> However, the current text is still mandating the use of *Extended >> Revoked Definition*, but the rational for its need it is very poor. >> As I have said on the PKIX list, the fact that the revocation date >> is January 1rst, 1970 is fully sufficient to know that we are in that >> very special case, and you have not provided a rational to say the >> contrary. >> >> >> I have. And I have pointed you to the minutes of the last PKIC meeting. >> The consensus of the WG is to have the extension for just those reasons. >> >> As implementer, I don't like heuristics. A date of Jan 1st 1970 may >> indicate this behaviour, but may just be a misconfiguration. It is not >> an explicit statement. >> >> So we could get rid of it, … but the text from section 4.4.8 states: >> >> * This extension MAY be present in other responses to signal that the* >> >> * responder implements the extended revoked definition in section 2.2.* >> >> I have difficulties to understand what is really meant there >> (“other responses” ?), since the text states: >> >> * This extension indicates that the responder supports the extended* >> >> * definition of the "revoked" status to also include non-issued* >> >> * certificates according to section 2.2.* >> >> Since both “unknown” and revoked” can be used, it would be >> desirable to be able to include the same extension in both cases, >> but in that case that extension should be renamed. >> >> >> This extension can be included in all responses to signal that a >> responder implements the expanded definition of revoked. >> Doing so makes this fact auditable without having to ask for a >> non-issued cert. >> >> >> I would propose to rename it: "*non-issued certificate*” which >> means that the associated CA has no record of ever having issued >> a certificate with the certificate serial number in the request (I >> still consider it as unnecessary in the case of “revoked”, but it >> would be >> very useful in the case of “unknown”). Of course, the text from >> section 4.4.8 would need to be revised. >> >> I propose the following: >> >> *4.4.8 Non-issued certificate extension* >> >> * * >> >> * This extension MUST be included in the OCSP response when the OCSP* >> >> * responder knows that the CA identified in the request has no record* >> >> * of ever having issued a certificate with the certificate serial* >> >> * number indicated in the request.* >> >> * * >> >> * Clients do not have to parse this extension in order to determine* >> >> * the status of certificates in responses.* >> >> * * >> >> * This extension is identified by the object identifier id-pkix-ocsp-* >> >> * non-issued-cert.* >> >> * * >> >> * id-pkix-ocsp-non-issued-cert OBJECT IDENTIFIER ::= {id-pkix-ocsp 9}* >> >> * * >> >> * The value of the extension SHALL be NULL. This extension MUST NOT be* >> >> * marked critical.* >> >> Then the text on page 8 would need to be rearranged. >> >> >> Your extension variant is a significant change to what has been agreed. >> Your extension would need to be a single response extension, and can't >> be used to audit the behaviour of the OCSP responder unless you send a >> request for a non-issued cert. >> We want to avoid sending such fake requests for audit purposes as it >> may interfere with systems at the responder trying to detect existence >> of rouge certificates. >> >> This is a type of change that I can't make unless you get support from >> a majority of the WG for the change of direction you propose. >> >> The current text is: >> >> * This state MAY also be returned if the* >> >> * associated CA has no record of ever having issued a certificate with* >> >> * the certificate serial number in the request, using any current or* >> >> * previous issuing key (referred to as a "non-issued" certificate in* >> >> * this document).* >> >> * * >> >> * The "unknown" state indicates that the responder doesn't know about* >> >> * the certificate being requested.* >> >> * * >> >> * NOTE: The "revoked" state for known non-issued certificate serial* >> >> * numbers is allowed in order to reduce the risk of relying* >> >> * parties using CRLs as a fall back mechanism, which would be* >> >> * considerably higher if an "unknown" response was returned.* >> >> * * >> >> * When a responder responds revoked to a status request for a non-* >> >> * issued certificate, the responder MUST include the extended revoked* >> >> * definition response extension (section 4.4.8) in the response,* >> >> * indicating that the OCSP responder supports the extended definition* >> >> * of revoked state to also cover non-issued certificates. In addition,* >> >> * the SingleResponse related to this non-issued certificate;* >> >> * * >> >> * - MUST provide the revocation reason certificateHold (6),* >> >> * * >> >> * - MUST specify the revocationTime January 1, 1970, and;* >> >> * * >> >> * - MUST NOT include a CRL References extension (section 4.4.2) or any* >> >> * CRL Entry Extensions (section 4.4.5).* >> >> Proposed text for a replacement: >> >> * The "unknown" state indicates that the responder doesn't know about* >> >> * the certificate being requested.* >> >> * * >> >> * If the OCSP responder knows that CA identified in the request has* >> >> * no record of ever having issued a certificate with the certificate* >> >> * serial number in the request, using any current or previous issuing* >> >> * key (referred to as a "non-issued" certificate in this document),* >> >> * the OCSP responder SHALL respond either “revoked “ or “unknown”.* >> >> >> This is unfortunately very common in your rewording efforts. When >> trying to fix one thing, you create new even bigger problems. >> >> An infrastructure that provides reproduced responses will respond >> "unauthorized". This text may be interpreted to interfere with such >> operations. >> Further, and worse. This is not backwards compatible. Current OCSP >> responders may respond "good" even if they have access to CA records. >> >> * * >> >> * Note: The "revoked" state for known non-issued certificate serial* >> >> * numbers is allowed in order to reduce the risk of relying parties* >> >> * using CRLs as a fall back mechanism, which would be possible when* >> >> * the "unknown" response is returned.* >> >> * * >> >> * When a responder responds revoked or unknown to a status request* >> >> * for a non-issued certificate, the responder MUST include the* >> >> * non-issued certificate extension (see section 4.4.8) in the* >> >> * response.* >> >> * * >> >> * When a responder responds revoked to a status request for a non-* >> >> * issued certificate, in addition, the responder:* >> >> * * >> >> * - MUST provide the revocation reason certificateHold (6),* >> >> * * >> >> * - MUST specify the revocationTime January 1, 1970, and;* >> >> * * >> >> * - MUST NOT include a CRL References extension (section 4.4.2) or any* >> >> * CRL Entry Extensions (section 4.4.5).* >> >> Finally, the last bullet on page 4 should be reworded: >> >> Current text: >> >> * o Section 4.4.8 specifies a new extension that indicates that the* >> >> * responder supports the extended use of the "revoked" response* >> >> * for non-issued certificates defined in section 2.2.* >> >> ** >> >> Proposed replacement text: >> >> * o Section 4.4.8 specifies a new extension that indicates that* >> >> * the OCSP responder knows that CA identified in the request* >> >> * has no record of ever having issued a certificate with the* >> >> * certificate serial number present in the request, as defined* >> >> * in section 2.2.* >> >> >> No. Again, this changes the scope of the extension and its audit >> properties. >> Such change requires WG consensus. >> >> >> *Comment 9:*Solved, if the comment above may be solved. >> >> *Comment 20*:This comment is preliminary classified by you as “not >> broken”. However, since you asked: “If you don’t replace 4.2.2.3, >> then what really are you missing ?”, I will provide you with an >> answer. >> >> This is the wrong way to state the question. Providing an ASN.1 >> syntax as in 4.2.1 is not enough: the use of every parameter >> MUST be explained using English words. So if you explain the use >> of every parameter after the description of the ASN.1 syntax >> in section 4.2.1. then section 4.2.2.3 is no more needed and thus >> can be deleted. >> >> The answer to your question “what is really missing” is a >> description of the use of every parameter listed in the ASN.1 in >> section 4.2.1 >> >> >> There are sufficient descriptions in the subsections following the >> ASN.1 description. Your change proposals are not compatible with the >> minimalistic approach adopted by the WG. >> >> >> *Comment 21.* >> >> While I can agree in general with the intent of the text, I do not >> understand the first sentence of the Note which speaks of “CA key >> rollover” >> and is copied below: >> >> * Note: CA key rollover is not prohibited when issuing a certificate* >> >> * for an authorized responder for backwards compatibility with* >> >> * RFC 2560 [RFC2560]. That is, it is not prohibited to issue a* >> >> * certificate for an authorized responder using a different* >> >> * issuing key than the key used to issued the certificate being* >> >> * checked for revocation. However, such practice is strongly* >> >> * discouraged since clients are not required to recognize a* >> >> * responder with such certificate as an authorized responder.* >> >> I would propose to delete it, since it does not add anything and >> thus to have: >> >> * Note: For backwards compatibility with RFC 2560 [RFC2560], it is* >> >> * not prohibited to issue a certificate for an authorized* >> >> * responder using a different issuing key than the key used to* >> >> * issued the certificate being checked for revocation.* >> >> * However, such practice is strongly discouraged since clients* >> >> * are not required to recognize a responder with such* >> >> * certificate as an authorized responder.* >> >> >> I agree, your text is better. Updated. >> >> *Comment 24*: The ASN.1 module in annex B.1 is still wrong, since >> it does not define NoCheck. >> >> >> No you are wrong. We have confirmed with several ASN.1 experts that >> definition of NoCheck is not necessary to define null content. >> The current definition is perfectly valid ASN.1 >> >> *Comment 26*: You asked for explanations. Let me provide you with >> an example when CRLs are being used by the OCSP responder >> in the background. The OCSP responder needs to make sure that the >> CRL it uses is valid. If it is simply using published CRLs >> (i.e. no trusted link with the CA), it needs to make sure that the >> CA which has issued the CRL has no been revoked. >> >> >> No, this is a misstatement. You don't revoke CAs. You revoke CA >> certificates. There might be a CA certificate that has been revoked >> for a reason that does not affect the OCSP responder. >> These are operational policies that are outside the scope of the protocol. >> >> The proposed text in comment 26 is plain wrong, or at least >> misleading. The OCSP responder does not have to validate the CRL up to >> any particular root. It may for example have been configured to >> directly trust the public key used to validate the CRL. >> >> >> In France, there is a root CA for the Administration. However, the >> use of that root CA is optional. Thus a Ministry may have its own >> root, >> but may also have its key certified by the root CA of the >> Administration. The OCSP responder may use the root CA of the >> Ministry, >> while a relying party may use the root CA of the Administration >> (or the reverse) to validate the CRL for the target certificate. >> Thus the revocation status will be different if the certificate of >> the CA of the Ministry is revoked by the root CA of the >> Administration. >> >> >> Which reinforces my point. How the OCSP responder is configured to >> trust its information source is outside the scope of the protocol. >> >> The OCSP protocol never claims to provide the same conclusion about >> revocation than another source the relying party may use. >> >> I skip category 3 as this will be dealt with in IESG last call. >> >> >> *CATEGORY 3* >> >> *Comments*2, 3, 7, 10, 12, 14, 15, 16, 17, 25 and 27. >> >> *CATEGORY 4* >> >> Page 4. The indentation of the bullets in section 1 is not uniform. >> Bullets 1, 4, 5 and 9 have problems. >> >> Page 4. The fact that there is now an Annex B.2 dealing with the >> 2008 ASN.1 syntax is missing. This should be added. >> >> Page 10. Change “*Se further section 4.2.2.2”*into “*See further >> section 4.2.2.2” >> * >> >> >> >> Thanks. I have fixed them all. >> >> /Stefan >> >> >> Denis >> ** >> >> ===================================================================================== >> >> >> >>> Denis, >>> >>> Responding to your comments below. >>> >>> However, one general remark to make recurring comments easier to >>> understand. >>> >>> The WG decided to adopt a minimalistic approach to updating RFC >>> 2560. That means that >>> >>> 1. We don't change anything from RFC 2560 unless it is broken, >>> or the industry clearly need clarifications in order to avoid >>> interoperability issues. >>> 2. We retain the document structure of RFC 2560 as much as >>> possible to allow easy comparison of what the changes are in >>> comparison with RFC 2560. >>> >>> >>> One can always think up more clever ways to write things out in >>> words. But that also comes with a risk. >>> The current words has been around for a long time and we know >>> from experience which words worked to produce working >>> implementations, and which did not. >>> Introducing new ways to say the same thing may introduce new >>> problems and people might disagree on what the new perfect >>> wording should be. And this could go on forever. >>> >>> So when my reply is "Not broken", then that is because the >>> current wording does not have such problems that is merits a change. >>> >>> >>> >>> From: Denis Pinkas >> > >>> Date: Sunday, January 20, 2013 5:12 PM >>> To: Stefan Santesson >> >, Stephen Kent >> > >>> Cc: pkix > >>> Subject: Re: [pkix] Review of 2560-bis draft 8. Answer to WGLC >>> >>> Please find 32 comments on draft-ietf-pkix-rfc2560bis >>> >>> 1.The document states: >>> >>> **>> responded to separately> >>> >>> >>> Responded to separately. >>> >>> 2.The current text from section 2 states: >>> >>> 2. Protocol Overview >>> >>> >>> >>> In lieu of or as a supplement to checking against a periodic CRL, it >>> >>> may be necessary to obtain*timely information* regarding the >>> >>> revocation status of a certificate (cf. RFC5280], Section 3.3). >>> >>> Examples include high-value funds transfer or large stock trades. >>> >>> >>> >>> The Online Certificate Status Protocol (OCSP) enables applications to >>> >>> determine the (revocation) state of an identified certificate. OCSP >>> >>> may be used to satisfy some of the operational requirements of >>> >>> providing*more timely revocation information* than is possible with >>> >>> CRLs and may also be used to obtain additional status information. >>> >>> >>> >>> This text is misleading because readers may think that OCPS necessarily provides “timely information”. >>> >>> >>> >>> >>> "may" does not mean "necessarily". >>> >>> Proposed text replacement: >>> >>> >>> >>> *The Online Certificate Status Protocol (OCSP) is a >>> client-server * >>> >>> *protocol which enables applications to obtain the revocation >>> status * >>> >>> *of one or more certificates either "good", "revoked", or >>> "unknown".* >>> >>> ** >>> >>> *The revocation status may be provided by the server either >>> using a * >>> >>> *real time access to a database of issued certificates, or >>> using a * >>> >>> *batch access to a database of issued certificates, or using a * >>> >>> *real time access to a database of revocation statuses of >>> issued * >>> >>> *certificates, or using a batch access to a database of >>> revocation * >>> >>> *statuses of issued certificates, or using CRLs, or using a * >>> >>> *combination of base CRLs and delta CRLs.* >>> >>> ** >>> >>> *In the first case, it is possible to obtain timely >>> revocation status * >>> >>> *information, whereas in the other cases, the freshness of the * >>> >>> *revocation status is not better than the mechanisms it is >>> based on.* >>> >>> >>> >>> >>> >>> >>> Not broken >>> >>> 3.The current text from section 2 states: >>> >>> >>> >>> An OCSP client issues a status request to an OCSP responder and >>> >>> Suspends acceptance of*the certificate in question* until the >>> >>> responder provides a response. >>> >>> >>> >>> This protocol specifies the data that needs to be exchanged between >>> >>> an application checking the status of a certificate and the server >>> >>> providing that status. >>> >>> >>> >>> Thus is insufficient for an overview. More details are needed to know what the document provides, >>> in particular that the request may contain several requests for several certificates issued by different CAs. >>> The possibility of using extensions should also be advertised. >>> >>> >>> >>> Proposed text replacement: >>> >>> >>> >>> When using OCSP, an OCSP client issues a certificate revocation >>> >>> status request to an OCSP responder *for one or more >>> certificates * >>> >>> *issued by the same CA or for one or more certificates issued >>> by * >>> >>> *different CAs *and then suspends acceptance of the >>> certificate(s) >>> >>> in question until the responder provides a response. >>> >>> This document specifies the data that needs to be exchanged >>> between >>> >>> an application checking the status of a certificate and the >>> server >>> >>> providing that status. >>> >>> *OCSP may also provide additional status information using * >>> >>> *extensions. * >>> >>> >>> Not broken >>> >>> 4.Page 6. Editorial. Punctuation and a CR/LF are missing. >>> >>> The text states: >>> >>> * 3. the request contains the information needed by the responder If* >>> >>> * any one of the prior conditions are not met, the OCSP responder* >>> >>> * produces an error message; otherwise, it returns a definitive* >>> >>> * response.* >>> >>> It should state: >>> >>> * 4. the request contains the information needed by the responder.* >>> >>> * * >>> >>> * If any one of the prior conditions are not met, the OCSP responder* >>> >>> * produces an error message; otherwise, it returns a definitive* >>> >>> * response.* >>> >>> >>> Fixed in draft 10. >>> >>> 5.On page 7, the text states: >>> >>> ** >>> >>> *All definitive response messages SHALL be digitally signed. >>> The key* >>> >>> *used to sign the response MUST belong to one of the following:* >>> >>> * * >>> >>> * - the CA who issued the certificate in question* >>> >>> * - a Trusted Responder whose public key is trusted by the requester* >>> >>> * - a CA Designated Responder (Authorized Responder) who holds a* >>> >>> * specially marked certificate issued directly by the CA, indicating* >>> >>> * that the responder may issue OCSP responses for that CA.* >>> >>> ** >>> >>> The paragraph is ambiguous on several aspects. >>> >>> Delegation is addressed in at least three different places, >>> but with different terms and conditions. >>> If some one picks a sentence in one paragraph rather than >>> another, it will lead to a different conclusion. >>> RFCs are supposed to be clear. >>> >>> On page 10, the current text states in section*2.6 OCSP >>> Signature Authority Delegation *states: >>> >>> >>> >>> *The key that signs a certificate's status information need >>> not be the* >>> >>> *same key that signed the certificate.**A certificate's issuer* >>> >>> *explicitly delegates OCSP signing authority by issuing a >>> certificate* >>> >>> *containing a unique value for extendedKeyUsage in the OCSP >>> signer's* >>> >>> *certificate. This certificate MUST be issued directly to the* >>> >>> *responder by the cognizant CA.* >>> >>> >>> >>> On page 16, there is a section >>> *4.2.2.2***called*“**Authorized Responders”*dealing with the >>> same topic. >>> >>> Section 4.2.2.2 states: >>> >>> *The key that signs a certificate's status information need >>> not be the* >>> >>> *same key that signed the certificate**. It is necessary >>> however to* >>> >>> *ensure that the entity signing this information is >>> authorized to do* >>> >>> *so.Therefore, a certificate's issuer MAY either sign the OCSP* >>> >>> *responses itself or it MAY explicitly designate this >>> authority to* >>> >>> *another entity.OCSP signing delegation SHALL be designated >>> by the* >>> >>> *inclusion of id-kp-OCSPSigning in an extendedKeyUsage >>> certificate* >>> >>> *extension included in the OCSP response signer's >>> certificate.This* >>> >>> *certificate MUST be issued directly by the CA that issued the* >>> >>> *certificate in question.* >>> >>> ** >>> >>> *The CA SHOULD use the same issuing key to issue a delegation* >>> >>> *certificate as was used to sign the certificate being >>> checked for* >>> >>> *revocation. Systems relying on OCSP responses MUST recognize a* >>> >>> *delegation certificate as being issued by the CA that issued >>> the* >>> >>> *certificate in question only if the delegation certificate >>> and the* >>> >>> *certificate being checked for revocation was signed by the >>> same key.*** >>> >>> The last sentence above in yellow is the key sentence that is >>> missing in the two other sections. >>> >>> >>> >>> Most implementations only support the case where the OCSP Responder receives an OCSP certificate that is signed by the same key >>> that was used to sign the target certificate. They do not support the case where the OCSP Responder receives an OCSP certificate >>> that is signed by a key that is different from the one that was used to sign the target certificate. >>> >>> It is inappropriate to have three sections dealing with the >>> same topic with a slightly different meaning. >>> >>> It is proposed the following. >>> >>> On page 7, after: >>> >>> * - a CA Designated Responder (Authorized Responder) who holds a* >>> >>> * specially marked certificate issued directly by the CA, indicating* >>> >>> * that the responder may issue OCSP responses for that CA.* >>> >>> it is proposed to add “(*see section 4.2.2.2 for further >>> details**)”*, so that the reader knows that more details are >>> provided later on. >>> >>> Then we do not need two sections to address delegation which >>> start with the same sentence: >>> >>> >>> “*The key that signs a certificate's status information need >>> not be the same key that signed the certificate”.* >>> >>> ** >>> >>> It is thus proposed to delete section 2.6. >>> >>> Section 4.2.2.2 will thus remain the single section providing >>> full details. >>> >>> >>> >>> >>> I have added references to section 4.2.2.2 in the quoted sections >>> in 2.2 and 2.6. >>> (will be included in draft 11) >>> >>> >>> 6. Page 7, the text states: >>> >>> * A definitive response message is composed of:* >>> >>> * * >>> >>> * - version of the response syntax* >>> >>> * - name of the responder* >>> >>> * - responses for each of the certificates in a request* >>> >>> * - optional extensions* >>> >>> * - signature algorithm OID* >>> >>> * - signature computed across hash of the response* >>> >>> This description does not fit with the ASN.1 syntax which is >>> detailed later on, and in particular: >>> >>> * ResponseData ::= SEQUENCE {* >>> >>> * version [0] EXPLICIT Version DEFAULT v1,* >>> >>> * **responderID ResponderID,* >>> >>> * producedAt GeneralizedTime,* >>> >>> * responses SEQUENCE OF SingleResponse,* >>> >>> * responseExtensions [1] EXPLICIT Extensions OPTIONAL }* >>> >>> Proposed text replacement: >>> >>> *A definitive response message is composed of:* >>> >>> ** >>> >>> *- a response status and if there is no error, the following:* >>> >>> *- the version of the response syntax,* >>> >>> *- an identifier of the OCSP server,* >>> >>> *- the time at which the response was produced,* >>> >>> *- single responses for each of the target certificates,* >>> >>> *- optional extensions,* >>> >>> *- the signature algorithm OID,* >>> >>> *- the signature computed across hash of the response, and* >>> >>> *- optional certificates.* >>> >>> >>> This is an overview section. We ought not try to duplicate the >>> level of detail provided in the detailed protocol section. >>> A "definitive response" according to tho 2.1 is a response to an >>> error-free request, so your first remark is redundant. >>> >>> I have added a note about time to the current list, and changed >>> "name" to identifier in bullet 2. >>> (will be included in draft 11) >>> >>> 7.The text states on page 7: >>> >>> *The response for each of the certificates in a request >>> consists of* >>> >>> ** >>> >>> *-target certificate identifier* >>> >>> *-certificate status value* >>> >>> *-response validity interval* >>> >>> *-optional extensions* >>> >>> However, there are no explanations for the purpose of these >>> parameters and how they should be processed. >>> >>> There are also no explanations on how to process a single >>> response and how to verify that it is its presence within the >>> signed structure >>> is valid or not valid. This is a major deficiency of the >>> current description of RC 2560 where there is no explanation >>> on how to validate >>> a single response. >>> >>> Text proposal to be added after: >>> >>> *The purpose of the identifier of the OCSP server is to allow >>> OCSP * >>> >>> *clients to find whether the definitive response was signed >>> by a CA * >>> >>> *or by an OCSP Responder.* >>> >>> ** >>> >>> *The identifier of the OCSP server SHOULD either be the name >>> or the * >>> >>> *key from a CA, or the name or the key from a OCSP Responder.* >>> >>> ** >>> >>> *Unless there exist local rules (which are outside the scope >>> of this * >>> >>> *document) for verifying that a single response is correctly >>> signed, * >>> >>> *the following applies:* >>> >>> *When the identifier matches with the name of the CA which >>> has issued * >>> >>> *the target certificate or corresponds to the key used to >>> issue the * >>> >>> *target certificate, then a single response is correctly signed * >>> >>> *only if the digital signature of the OCSP response is valid >>> using the * >>> >>> *key used to sign the target certificate.* >>> >>> ** >>> >>> *When the identifier does not match with the name of the CA >>> which has * >>> >>> *issued the target certificate or does not correspond to the >>> key used * >>> >>> *to issue the target certificate, then an single response is >>> correctly * >>> >>> *signed only if :* >>> >>> ** >>> >>> *(a) there exists in the response an OCSP certificate issued by * >>> >>> *the CA which has issued the target certificate which is * >>> >>> *signed by the same key as the one used to issue the * >>> >>> *target certificate, and* >>> >>> ** >>> >>> *(b) the digital signature of the OCSP response is valid using * >>> >>> *the subjectPublicKey contained in this OCSP certificate.* >>> >>> >>> Not broken. >>> All of this is already covered by the document. >>> >>> 8.The text states on page 7: >>> >>> The "revoked" state indicates that the certificate has been >>> revoked >>> >>> *(either permanently or temporarily (on hold)). *This state >>> MAY also be >>> >>> returned if the responder knows that the requested >>> certificate has >>> >>> *never been issued during the history of the associated CA >>> *using any >>> >>> current or previous issuing key. ** >>> >>> The text is ambiguous because there are two embedded >>> parenthesis and it is unclear whether the inner parenthesis >>> means “i.e” or “e.g”. >>> This single sentence may let think that on hold is the single >>> case for temporarily revocation. Since neither X.509 nor RFC >>> 5280 address >>> the case of a temporary revocation in the context of an OCSP >>> response (but only in the context of CRLs), we are able to >>> add another case >>> of temporary revocation which will only apply in the context >>> of OCSP. >>> >>> The above sentence using the terms“*never been issued during >>> the history of the associated CA*“does not capture the fact >>> that it could be issued in the future, hence why using“*not >>> yet been used”*would be more appropriate. >>> >>> Finally, it would have been more logical to use “unknown”. So >>> it is important to add a note to explain why we have chosen >>> that case for “legacy clients”, >>> otherwise the people who have not participate to the >>> exchanges will not understand. >>> >>> Proposed text replacement: >>> >>> *The "revoked" state indicates that the certificate has been revoked,* >>> >>> * either permanently or temporarily.* >>> >>> >>> >>> A certificate may be temporarily revoked either because it is >>> >>> placed on hold (*i.e. the revocation reason is certificateHold*) or >>> >>> because the responder is able to know, using a positive list of >>> >>> issued certificates, that the serial number from the requested >>> >>> certificate has*not yet been used* by the CA to issue a certificate >>> >>> (*i.e. the revocation reason is notIssuedOrIrregularlyIssued*). >>> >>> >>> >>> *NOTE: The "revoked" state is used rather than the “unknown” state, to* >>> >>> * make sure that relying parties that were conformant to RFC 2560* >>> >>> * will not use CRLs as a fall back mechanism.* >>> >>> >>> >>> >>> I removed the double parenthesis and adopted your clarification >>> with regard to "on hold". >>> >>> The text in draft 10 has changed from what you have commented on. >>> I believe that text is better. >>> >>> You "Note" has problems. >>> >>> 1. We do not prevent responders to respond "unknown" if their >>> assessment is that this is an appropriate response, >>> considering what they know about the requested serial number. >>> Thus the term "is used" is misleading. >>> 2. This mechanisms does not "make sure" that the clients do >>> anything. It's up to the discretion of the relying party to >>> decide what source of revocation checking they rely on. This >>> does however reduce the risk of clients falling back to CRL:s >>> 3. This mechanism is not just relevant to old clients, but also >>> to new one for the same reason. >>> >>> >>> I have adopted a modified version of your Note: >>> >>> NOTE: The "revoked" state for known non-issued certificate serial >>> numbers is allowed in order to reduce the risk of relying >>> parties using CRLs as a fall back mechanism, which would be >>> considerably higher if an "unknown" response was returned. >>> >>> >>> >>> 9.The text states on page 8: >>> >>> *When a responder responds revoked to a status request for a >>> non-* >>> >>> *issued certificate, the responder MUST also;* >>> >>> ** >>> >>> *- include the extended revoked definition response extension* >>> >>> *(section 4.8), indicating that the OCSP responder supports the* >>> >>> *extended definition of revoked state to also cover non-issued* >>> >>> *certificates,* >>> >>> ** >>> >>> *- provide the revocation reason certificateHold (6), and;* >>> >>> ** >>> >>> *- specify the revocation date January 1, 1970. * >>> >>> As already explained on the PKIX list, using the revocation >>> reason**certificateHold is not appropriate >>> because it changes the meaning of certificateHold. >>> >>> The extended revoked definition response extension is a means >>> to signal that it not a true certificate hold but a “not >>> issued certificate”. >>> Legacy applications cannot take advantage of it. >>> >>> Some applications which handle non repudiation enter a >>> waiting state when the revocation reason certificateHold is >>> used thus >>> it is not appropriate to overload the meaning. >>> >>> ** >>> >>> It is possible to use another enumeration for signalling that >>> specific case: >>> >>> notIssuedOrIrregularlyIssued (7). >>> >>> ** >>> >>> Thus for new applications it would be much better to use >>> notIssuedOrIrregularlyIssued (7) as already proposed on the >>> PKIX list. >>> >>> The above sentence uses the text: >>> >>> >>> >>> “a status request for a*non-issued certificate*” >>> >>> >>> >>> whereas it would be more appropriate to state: >>> >>> >>> >>> “a status request for a* serial number which has not been used by the CA or used irregularly to issue a certificate”.* >>> >>> * * >>> >>> Placing the ASN.1 description at such a place in the document is inappropriate since the ASN.1 structures have not yet been described. >>> Thus only the functional aspects should be mentioned, but not the ASN.1 implications. >>> >>> * * >>> >>> BTW, the description should follow the same order as the ASN.1. This is not the case. >>> >>> >>> >>> This text should be deleted from this section and the appropriate text should be added when the parameters of the response are described. >>> >>> >>> >>> The text proposed in the previous comment should be sufficient at this time of reading. >>> >>> >>> >>> In addition, section*4.4.8Extended Revoked Definition *should >>> be deleted.** >>> >>> >>> >>> >>> >>> >>> The referred text has been updates in draft 09. >>> >>> This has been discussed on the list and you have yet to convince >>> the list of your new reason code. >>> I disagree as the risk of running into problems with the deployed >>> base of application is hugely larger with introduction of a new >>> reason code, rather than using certificateHold. >>> No application should be broken, since no application have >>> business asking for non-issued cert serial numbers in the first >>> place. Secondly, no application can assume that a certificateHold >>> reason will be cleared any time soon. >>> >>> >>> 10.The text states on page 8: >>> >>> *2.4Semantics of thisUpdate, nextUpdate and producedAt* >>> >>> This section is misplaced. At this time of reading, the >>> reader does not know that thisUpdate, nextUpdate and >>> producedAt are values >>> used by the ASN.1 structures. It is appropriate to describe >>> what theses parameters mean when the ASN.1 syntax is described. >>> The current ASN.1 syntax is very badly described. One would >>> expect that after every ASN.1 structure description every >>> parameter is described. >>> Unfortunately this is not the case. >>> >>> The text from this section is not aligned with the text that >>> is present in section 4.2.2.1. >>> >>> In particular, in section 2.4: >>> >>> ** >>> >>> *If nextUpdate is not set, the responder is indicating that >>> newer* >>> >>> *revocation information is available all the time.* >>> >>> While in section 4.2.2.1: >>> >>> *Responses where the nextUpdate value is not set are equivalent * >>> >>> *to a CRL with no time for nextUpdate (see Section 2.4).* >>> >>> It is not appropriate to have two different descriptions in >>> two different places. >>> >>> Delete section 2.4. See comment number 19 for the description >>> of these parameters. >>> >>> >>> Not broken. >>> The current text segments fits well into a protocol overview section. >>> >>> 11.Section 2.5 is also misplaced. They use values from the >>> ASN.1 syntax which has not yet been described. >>> They should be moved or incorporated in the document once the >>> ASN.1 description has been done. >>> >>> >>> Not broken. >>> >>> 12.Remainder: Section 2.6 should be deleted (see comment >>> number 5). >>> >>> >>> Not broken. >>> >>> 13.Section 2.7 states: >>> >>> *2.7CA Key Compromise* >>> >>> ** >>> >>> *If an OCSP responder knows that a particular CA's private >>> key has* >>> >>> *been compromised, it MAY return the revoked state for all* >>> >>> *certificates issued by that CA.* >>> >>> This section is misleading and should be removed. The reason >>> is the following: >>> >>> The relying party must verify that the singleResponse is >>> signed by a responder which is entitled to do so. >>> >>> a) If the CA key has been compromised and if the response is >>> signed by that CA key then the singleResponse will be discarded >>> when performing the certification path validation _whatever >>> the content of the response may be_. >>> >>> b) If the CA key which has issued the OCSP certificate has >>> been compromised and if the response is signed by the key >>> present >>> in the OCSP certificate then the singleResponse will be >>> discarded when performing the certification path validation >>> _whatever the content of the response may be_. >>> >>> Security must be provided using the validation of the >>> certification path. Thus it does not matter what the OCSP >>> responder states. >>> >>> >>> >>> Not broken. >>> An OCSP responder does not have to be chained to the broken CA. >>> The relying party may have other trust configuration at choice. >>> >>> >>> >>> 14.The text states on page 11: >>> >>> *3.2Signed Response Acceptance Requirements* >>> >>> ** >>> >>> *Prior to accepting a signed response as valid, OCSP clients >>> SHALL* >>> >>> *confirm that:* >>> >>> ** >>> >>> *1. The certificate identified in a received response >>> corresponds to* >>> >>> *that which was identified in the corresponding request;* >>> >>> ** >>> >>> *2. The signature on the response is valid;* >>> >>> ** >>> >>> *3. The identity of the signer matches the intended recipient >>> of the* >>> >>> *request.* >>> >>> ** >>> >>> *4. The signer is currently authorized to sign the response.* >>> >>> ** >>> >>> *5. The time at which the status being indicated is known to be* >>> >>> *correct (thisUpdate) is sufficiently recent.* >>> >>> ** >>> >>> *6. When available, the time at or before which newer >>> information will* >>> >>> *be available about the status of the certificate >>> (nextUpdate) is* >>> >>> *greater than the current time.* >>> >>> This section is misplaced since it uses terms from the ASN.1 >>> syntax and the protocol description has not yet been made, >>> since it is the next section 4. Its text is not correct either. >>> >>> This description does not take into account the fact that >>> a*BasicOCSPResponse *may contain one or several >>> *SingleResponses. * >>> In particular, the sentence“*The signer is currently >>> authorized to sign the response*” is misleading because a signer >>> may be authorized to include some***SingleResponses *but not >>> necessarily all of them. >>> >>> The appropriate explanations should be done after the >>> description of the response, when describing the processing >>> of the response. >>> >>> Delete that section. >>> >>> >>> Not broken. >>> >>> 15.On page 12, after the ASN.1 description, the only >>> parameters which are described are: >>> >>> *hashAlgorithm,**issuerNameHash, issuerKeyHash and serialNumber.* >>> >>> ** >>> >>> This is insufficient.In order to cover the full list of >>> parameters, the following text is proposed: >>> >>> *requestorName is optional and MAY be used by the server for >>> access * >>> >>> *control and audit purposes.* >>> >>> ** >>> >>> *requestList contains one or more single requests.* >>> >>> ** >>> >>> *requestExtensions is OPTIONAL.Any specific extension is >>> OPTIONAL.* >>> >>> *The critical flag SHOULD NOT be set for any of them. Section >>> 4.4 * >>> >>> *suggests several useful extensions.Additional extensions MAY >>> be * >>> >>> *defined in additional RFCs.* >>> >>> ** >>> >>> *reqCert contains the identifier of a target certificate.* >>> >>> ** >>> >>> *issuerNameHash is the hash of the Issuer's distinguished >>> name.The * >>> >>> *hash shall be calculated over the DER encoding of the >>> issuer's name * >>> >>> *field in the certificate being checked. * >>> >>> ** >>> >>> *issuerKeyHash is the hash of the Issuer's public key.The hash * >>> >>> *shall be calculated over the value (excluding tag and >>> length) of the * >>> >>> *subject public key field in the issuer's certificate.The hash * >>> >>> *algorithm used for both these hashes, is identified in * >>> >>> *hashAlgorithm. * >>> >>> ** >>> >>> *The primary reason to use the hash of the CA's public key in * >>> >>> *addition to the hash of the CA's name, to identify the issuer, * >>> >>> *is that it is possible that two CAs may choose to use the same * >>> >>> *name (uniqueness in the Name is a recommendation that cannot >>> be * >>> >>> *enforced). Two CAs will never, however, have the same public >>> key * >>> >>> *unless the CAs either explicitly decided to share their >>> private * >>> >>> *key, or the key of one of the CAs was compromised.* >>> >>> ** >>> >>> *serialNumber is the serial number of the certificate for which * >>> >>> *status is being requested.* >>> >>> ** >>> >>> *singleRequestExtensions is OPTIONAL.Any specific extension is * >>> >>> *OPTIONAL.The critical flag SHOULD NOT be set for any of them. * >>> >>> ** >>> >>> *The requestor MAY choose to sign the OCSP request.In that >>> case, the* >>> >>> *signature is computed over the tbsRequest structure.If the >>> request* >>> >>> *is signed, the requestor SHALL specify its name in the >>> requestorName* >>> >>> *field.Also, for signed requests, the requestor MAY include* >>> >>> *certificates that help the OCSP responder verify the >>> requestor's* >>> >>> *signature in the certs field of Signature.* >>> >>> >>> Not broken. >>> The current text is short, but it is actually sufficient from the >>> context of the ASN.1 definitions of the section. This is a >>> detailed protocol section and the reader need to understand ASN.1 >>> in any case to understand and implement the section. >>> The information about criticality is already covered in the >>> extension section. >>> >>> >>> 16.Section 4.1.2 is called:“*Notes on the Request Syntax”* >>> >>> The first paragraph has been moved after the description >>> of*issuerKeyHash *and thus is no more needed. >>> >>> The second paragraph has been moved after the description >>> of*requestExtensions. * >>> However, the sentence >>> “ *Unrecognized extensions MUST be ignored (unless they have >>> the critical flag set and are not understood)*” >>> has been deleted since it applies to the OCSP responder and >>> not to the OCSP client. Thus it is no more needed. >>> >>> The third paragraph applies to signed requests. However, it >>> should belong to a section dedicated on how clients should >>> build OCPS requests, >>> which is currently missing. See the next comment. >>> >>> This section should be deleted. >>> >>> >>> Not broken. >>> >>> 17.There should be a new section called: “*Requirements for >>> OCSP clients”. * >>> >>> It is important first to re-advertise that the request may be >>> about several certificates. >>> Thus it is important to describe the process for building a >>> request, which is currently missing. >>> >>> *An OCSP request allows getting in the same response the >>> revocation * >>> >>> *status of one or more certificates.In order to request the * >>> >>> *status of one or more certificates in a single request, OCSP * >>> >>> *clients SHALL follow the following rules :* >>> >>> ** >>> >>> *For each candidate certificate, OCSP clients SHALL verify * >>> >>> *whether there exists a locally defined rule for the >>> certificate in * >>> >>> *question which indicates the URI where the OCSP responder is * >>> >>> *located.If this rule exists, it SHALL be followed. * >>> >>> ** >>> >>> *Otherwise, OCSP clients SHALL determine whether the candidate * >>> >>> *certificate contains an AIA extension with an accessMethod >>> which * >>> >>> *contains the id-ad-ocsp OID.If it is the case, the >>> accessLocation * >>> >>> *contains a uniformResourceIdentifier (URI) which indicates the * >>> >>> *location of the OCSP server for that certificate. * >>> >>> ** >>> >>> *Certificates that contain the same URI MAY be grouped in a >>> single * >>> >>> *request.* >>> >>> ** >>> >>> *Note:For each candidate certificate, when performing the path * >>> >>> *validation algorithm, the OCSP client SHOULD verify that the * >>> >>> *current time is within the validity period of the target * >>> >>> *certificate.Certificates which are outside their validity * >>> >>> *period SHOULD NOT be included in the request.* >>> >>> *The requestor MAY choose to sign the OCSP request. In that >>> case, the* >>> >>> *signature is computed over the tbsRequest structure. If the >>> request* >>> >>> *is signed, the requestor SHALL specify its name in the >>> requestorName* >>> >>> *field. Also, for signed requests, the requestor MAY include* >>> >>> *certificates that help the OCSP responder verify the >>> requestor's* >>> >>> *signature in the certs field of Signature.* >>> >>> >>> Not broken. >>> >>> Your text may provide guidance that could be useful to some >>> implementers, but is completely beyond this document and further, >>> not generally applicable or true. >>> As an example, an organisation may setup an in house locally >>> configured OCSP responder that responds to all certificates "out >>> there" that is relevant to that organisation. >>> Such clients would just blindly send OCSP requests to their local >>> responder, disregarding any information in the cert. >>> It's totally beyond this spec to have an opinion about this. >>> >>> >>> 18.The text states on page 14: >>> >>> *The responder MAY include certificates in the* >>> >>> *certs field of BasicOCSPResponse that help the OCSP client >>> verify the* >>> >>> *responder's signature. If no certificates are included then >>> certs* >>> >>> *SHOULD be absent.* >>> >>> While this sentence is true, it is not sufficient. In order >>> to allow verifying every *SingleResponse*, >>> it is important to include the relevant certificates which >>> are pertinent to every *SingleResponse.* >>> >>> Proposed full text replacement: >>> >>> The responder MAY include certificates in the certs field of >>> >>> BasicOCSPResponse that help the OCSP client verify the >>> responder's >>> >>> signature. >>> >>> *For every SingleResponse where the responder is not a CA, the * >>> >>> *responder SHALL include the relevant OCSP certificate in the >>> certs * >>> >>> *field of BasicOCSPResponse in order to allow the OCSP client * >>> >>> *verifying the responder was entitled to include that >>> SingleResponse * >>> >>> *in the signed BasicOCSPResponse.* >>> >>> ** >>> >>> **If no certificates are included then certs SHOULD be absent. >>> >>> >>> Not broken. >>> >>> This requirement would break backwards compatibility with RFC 2560. >>> Further this would not be needed for a locally configured responder. >>> >>> 19.Page 15. The ASN.1 syntax should be changed in order to be >>> able to use the enumeration case 7 that is not used for CRLs. >>> This leads to the following change: >>> >>> Current text: >>> >>> ** >>> >>> *revocationReason[0]EXPLICIT CRLReason OPTIONAL }* >>> >>> Proposed text change: >>> >>> Current text: >>> >>> ** >>> >>> *revocationReason [0]EXPLICIT RevocationReason OPTIONAL }* >>> >>> *RevocationReason ::= ENUMERATED {* >>> >>> *unspecified(0),* >>> >>> *keyCompromise(1),* >>> >>> *cACompromise(2),* >>> >>> *affiliationChanged(3),* >>> >>> *superseded(4),* >>> >>> *cessationOfOperation(5),* >>> >>> *certificateHold(6),* >>> >>> *notIssuedOrIrregularlyIssued (7),* >>> >>> *removeFromCRL(8),* >>> >>> *privilegeWithdrawn(9),* >>> >>> *aACompromise(10) }* >>> >>> >>> Not broken. >>> >>> You have to convince the list about your new reason code. >>> >>> 20.Page 15. After the ASN.1 syntax, there is no description >>> of every parameter, neither on its use >>> (except a few words in section*4.2.2.1 Time >>> *about*thisUpdate, nextUpdate and producedAt).* >>> >>> ** >>> >>> Every parameter needs to be described and explained. >>> >>> ** >>> >>> *responderID indicates either the name or the key from a CA, >>> or the * >>> >>> *name or the key from a OCSP Responder.* >>> >>> ** >>> >>> *producedAt indicates the time at which this response was >>> signed.* >>> >>> ** >>> >>> *responses contains one or more single responses.* >>> >>> ** >>> >>> *responseExtensions is OPTIONAL.Any specific extension is >>> OPTIONAL.* >>> >>> *The critical flag may or may not be set.* >>> >>> ** >>> >>> *certID is usually a copy of the same field which was placed >>> in the * >>> >>> *request, but for OCSP responders which pre-produce signed >>> responses * >>> >>> *certID may be the identifier of a target certificate that >>> was not * >>> >>> *present in the request (see the end of section 4.2).* >>> >>> ** >>> >>> *certStatus indicates the status of the certificate: either >>> good, * >>> >>> *revoked or unknown.* >>> >>> ** >>> >>> *thisUpdate indicates the time at which the status being >>> indicated * >>> >>> *is known to be correct.* >>> >>> ** >>> >>> *nextUpdate indicates the time at or before which newer >>> information * >>> >>> *will be available about the status of the certificate.If * >>> >>> *nextUpdate is not set, the server is indicating that newer * >>> >>> *revocation information is available all the time. * >>> >>> ** >>> >>> *If nextUpdate is set, it often corresponds to the {thisUpdate, * >>> >>> *nextUpdate} interval in CRLs.Responses whose nextUpdate >>> value is * >>> >>> *earlier than the local UTC time value SHOULD be considered * >>> >>> *unreliable.Responses whose thisUpdate time is later than the >>> local * >>> >>> *UTC time SHOULD be considered unreliable.* >>> >>> ** >>> >>> *singleExtensions is OPTIONAL.Any specific extension is >>> OPTIONAL.* >>> >>> *The critical flag SHOULD NOT be set for any of them.* >>> >>> ** >>> >>> *revocationTime indicates the time at which the certificate was * >>> >>> *revoked.* >>> >>> ** >>> >>> *revocationReason is OPTIONAL. It includes all the cases that >>> are * >>> >>> *present in CRLReason used for CRLs and an additional case 7 >>> which is* >>> >>> *not used for CRLs.Case 7 is called >>> notIssuedOrIrregularlyIssued. * >>> >>> ** >>> >>> *- "notIssued" corresponds to the case where the certificate * >>> >>> *serial number that was sent was erroneous and has not yet * >>> >>> *been used by the CA at the time of the query,* >>> >>> ** >>> >>> *- "irregularlyIssued" corresponds to the case where the * >>> >>> *certificate serial number that was sent really exists in a * >>> >>> *certificate that is correctly signed, but to its knowledge * >>> >>> *the CA has not issued a certificate with such a serial * >>> >>> *number. As an example, it may have been issued by the CA * >>> >>> *because the RA was compromised. * >>> >>> ** >>> >>> * When a responder responds revoked to a status request for which it* >>> >>> * knows that the serial number has not been used by the CA or has* >>> >>> * been irregularly used irregularly to issue a certificate, then* >>> >>> * in RevokedInfo the responder MUST:* >>> >>> * * >>> >>> * - specify the revocationTime : January 1, 1970,* >>> >>> * - provide the revocationReason: notIssuedOrIrregularlyIssued (7).* >>> >>> * * >>> >>> * and in SingleResponse the responder MUST NOT include the nextUpdate.* >>> >>> ** >>> >>> *The response MUST include a SingleResponse for each >>> certificate in* >>> >>> *the request and SHOULD NOT include any additional >>> SingleResponse* >>> >>> *elements.However, there is one exception: * >>> >>> ** >>> >>> *OCSP responders MAY pre-produce signed responses specifying >>> the * >>> >>> *status of certificates at a specified time.The time at which * >>> >>> *the status was known to be correct SHALL be reflected in the * >>> >>> *thisUpdate field of the response. * >>> >>> ** >>> >>> *OCSP responders that pre-generate status responses MAY return * >>> >>> *responses that include additional SingleResponse elements if* >>> >>> *necessary to improve response pre-generation performance or >>> cache* >>> >>> *efficiency (as permitted in [RFC5019]).* >>> >>> Since the text above provides all the explanations at the >>> level of the ASN.1 parameters, the general text >>> from section*4.2.2.3 Basic Response *is no more need and >>> should be deleted.** >>> >>> ** >>> >>> >>> Preliminary I would say "not broken". >>> If you don't replace 4.2.2.3, then what really are you missing? >>> >>> 21.0n page 16, there is a section >>> *4.2.2.2***called*“**Authorized Responders”*** >>> >>> Section 4.2.2.2 states: >>> >>> *(…)* >>> >>> *This certificate MUST be issued directly by the CA that >>> issued the* >>> >>> *certificate in question.* >>> >>> ** >>> >>> *The CA SHOULD use the same issuing key to issue a delegation* >>> >>> *certificate as was used to sign the certificate being >>> checked for* >>> >>> *revocation. Systems relying on OCSP responses MUST recognize a* >>> >>> *delegation certificate as being issued by the CA that issued >>> the* >>> >>> *certificate in question only if the delegation certificate >>> and the* >>> >>> *certificate being checked for revocation was signed by the >>> same key.* >>> >>> This section would need to reformatted to address CA >>> requirements first and then OCSP responder requirements: >>> >>> *(…)* >>> >>> *This certificate MUST be issued directly by the CA that >>> issued the* >>> >>> *certificate in question.The CA SHOULD use the same issuing >>> key to * >>> >>> *issue a delegation certificate as was used to sign the >>> certificate * >>> >>> *being checked for revocation. * >>> >>> ** >>> >>> *Systems relying on OCSP responses MUST _be able to_ >>> recognize a * >>> >>> *delegation certificate as being issued by the CA that issued >>> the * >>> >>> *certificate in question if the delegation certificate and * >>> >>> *the certificate being checked _were_ signed by the same key.* >>> >>> >>> I disagree. The CA is actually free to do anything, but cannot >>> expect the client to recognise the responder as authorised unless >>> the same private key is used. >>> The current text places the requirement where they belong. >>> >>> 22.On page 17, the text states: >>> >>> *They MUST reject the* >>> >>> *response if the certificate required to validate the >>> signature on the* >>> >>> *response fails to meet at least one of the following criteria:* >>> >>> This is ambiguous. It is inappropriate to have a negative >>> statement like“*They MUST reject”. * >>> The sentence should be turned in the positive form“*They >>> SHALL accept”* >>> >>> Since the ASN.1 syntax has now be described, it is possible >>> to be more specific. >>> >>> The first occurrence of the word “response” should be changed >>> into “singleResponse”, while the second occurrence >>> of the word “response” should be changed into “ResponseData” >>> >>> Proposed text replacement: >>> >>> *They SHALL accept a singleResponse if the certificate >>> required to * >>> >>> *validate the signature placed on the ResponseData meets one >>> of the * >>> >>> *following criteria:* >>> >>> >>> >>> No, this change is not backwards compatible. >>> So state the requirements for rejection is not equivalent to >>> stating requirements for acceptance. >>> There may be other locally configured reasons to reject in >>> addition to those listed in the standard. >>> >>> >>> 23.On page 17, the text states: >>> >>> *3. Includes a value of id-kp-OCSPSigning in an ExtendedKeyUsage* >>> >>> *extension and is issued by the CA that issued the >>> certificate in* >>> >>> *question as stated above."* >>> >>> In order to be crystal clear, it is proposed to change the >>> wording in the following way: >>> >>> *3. Includes a value of id-kp-OCSPSigning in an ExtendedKeyUsage* >>> >>> *extension and was signed by the CA using the same key that >>> used * >>> >>> *to issue the certificate in question.* >>> >>> >>> No, issuing with another key is not prohibited, and may be >>> accepted by some clients as an authorised responder. >>> >>> 24.On page 17, the text states: >>> >>> *This SHOULD be a non-critical extension. The value of the >>> extension * >>> >>> *SHALL be NULL.* >>> >>> ** >>> >>> The ASN.1 syntax is missing. Add: >>> >>> ** >>> >>> *NoCheck ::= NULL* >>> >>> ** >>> >>> >>> Moving this to a separate discussion. >>> I'm not sure what the preferred way to describe this is. >>> >>> >>> 25.Remainder: On page 18, the general text from >>> section***4.2.2.3 Basic Response***is no more needed and >>> should be deleted. See comment 20. >>> >>> ** >>> >>> >>> Not broken. >>> >>> 26.On page 24, text should be added to the Security >>> consideration section: >>> >>> *Different results when using OCSP and CRLs* >>> >>> ** >>> >>> *OCSP clients or verifiers must build and verify a >>> certification path * >>> >>> *for each target certificate up to a trusted root.When an OCSP * >>> >>> *Responder is using published CRLs, it must also build and >>> verify a * >>> >>> *certification path for the CRLs it uses up to a trusted root.* >>> >>> ** >>> >>> *However, it should be realized that the root used by an OCSP * >>> >>> *Responder to verified these CRLs is not necessarily the same >>> as the * >>> >>> *one that would be used by the OCSP client, if it were going >>> to verify * >>> >>> *the CRLs itself.Hence the revocation status may not be >>> identical * >>> >>> *in both cases.* >>> >>> ** >>> >>> ** >>> >>> >>> I don't understand this one. >>> >>> 27.On page 24, text should be added to the Security >>> consideration section: >>> >>> ** >>> >>> *Denial of service attack using a flood of queries* >>> >>> ** >>> >>> *A denial of service vulnerability is evident with respect to >>> a flood * >>> >>> *of queries.The production of a cryptographic signature * >>> >>> *significantly affects response generation cycle time, thereby * >>> >>> *exacerbating the situation. * >>> >>> ** >>> >>> *The flood of queries may either come from a flood attack or >>> from the * >>> >>> *fact that there are too many certificates supported by the >>> same OCSP * >>> >>> *responder.In the later case, the number of queries can be * >>> >>> *reduced by using a technique similar to the splitting of CRLs: * >>> >>> ** >>> >>> *When a block of certificates have been issued with the same * >>> >>> *accessLocation in the AIA extension field of these >>> certificates, * >>> >>> *then the accessLocation should be changed.In this way, a given * >>> >>> *OCSP server will only be responsible for a block of >>> certificates.* >>> >>> ** >>> >>> >>> If the security considerations section is talking about splitting >>> OCSP responders in this way, then the document itself need to >>> introduce the subject. >>> I would suggest that it is beyond this update to do so. >>> >>> ** >>> >>> 28.On page 31, the text states. >>> >>> *An alternative to this module that conforms to the 2002 >>> version of * >>> >>> *ASN.1 may be found in Section 4 of [RFC5912]. * >>> >>> ** >>> >>> RFC 5912 omits to define the nocheck extension. Thus it is >>> inappropriate to refer to RFC 5912. >>> >>> The corrected module should be defined in this new draft. >>> A corrected module is providedin *draft-pinkas-rfc2560bis-03.* >>> >>> >>> Will move this (as stated above) to a separate discussion. >>> >>> 29.Different topics are not covered by the document. These >>> topics are important. >>> The following comments propose text to be placed in annexes. >>> Three annexes are being proposed. >>> >>> Note: The texts are extracted from*draft-pinkas-rfc2560bis-03.* >>> >>> >>> Not broken. >>> Each such amendment need to be thoroughly reviewed and motivated. >>> >>> >>> 30.First annex being proposed. This annex is important, >>> because key rollover is not addressed in the draft. >>> >>> *KEY ROLLOVER* >>> >>> ** >>> >>> *1. CA that directly supports an OCSP service* >>> >>> ** >>> >>> *When a CA that directly supports an OCSP service performs a >>> key * >>> >>> *rollover:* >>> >>> ** >>> >>> *- for certificates issued under the old key, the CA SHALL >>> continue * >>> >>> *to sign the revocation status of OCSP responses with that >>> old key * >>> >>> *at least until all these certificates are expired, and* >>> >>> ** >>> >>> *- for certificates issued under the new key, the CA SHALL >>> change the * >>> >>> *accessLocation in the AIA extension field of these >>> certificates * >>> >>> *and sign the revocation status of OCSP responses with that >>> new key * >>> >>> *at least until all these certificates are expired.* >>> >>> ** >>> >>> *Note: The change in accessLocation is necessary when the CA >>> rekeys * >>> >>> *to meet the following constraints imposed by this standard: * >>> >>> ** >>> >>> *1) a BasicOCSPResponse can only be signed using a single * >>> >>> *private key; * >>> >>> ** >>> >>> *2) the response must be signed using the same CA key that * >>> >>> *was used to sign the certificate in question; and* >>> >>> ** >>> >>> *3) the OCSP response needs to cover all the certificates * >>> >>> *queried in the OCSP request.* >>> >>> *2. CA that uses OCSP responders* >>> >>> *When a CA that uses OCSP Responders performs a key rollover, >>> then * >>> >>> *it MUST either designate a new OCSP Responder or keep the >>> current * >>> >>> *OCSP Responder(s).* >>> >>> ** >>> >>> *If the CA designates a new OCSP Responder, then it SHALL >>> change the * >>> >>> *accessLocation in the AIA extension field for the newly issued * >>> >>> *certificates and issue an OCSP certificate to the new OCSP >>> Responder * >>> >>> *using its new key.* >>> >>> ** >>> >>> *If the CA keeps the same OCSP Responder(s), then it SHALL >>> continue * >>> >>> *to use the same accessLocation(s) in the AIA extension field >>> for the * >>> >>> *newly issued certificates and issue an OCSP certificate to the * >>> >>> *appropriate OCSP Responder(s) using its new key.* >>> >>> ** >>> >>> *Note: The CA may need to continue issuing certificates to >>> the OCSP * >>> >>> *Responder(s) using the old CA key until all the certificates >>> issued * >>> >>> *under the CA' old key for which the OCSP Responder(s) are * >>> >>> *authoritative have expired.* >>> >>> ** >>> >>> *3. OCSP Responder key rollover* >>> >>> ** >>> >>> *When an OCSP Responder performs a key rollover >>> (asynchronously from * >>> >>> *a CA key rollover), then each CA which has designated an OCSP * >>> >>> *Responder SHALL issue a new certificate for that OCSP >>> Responder and * >>> >>> *for each of its issuing keys which meets the following >>> property: * >>> >>> ** >>> >>> *- the issuing key has been used to sign at least one >>> certificate * >>> >>> *which contains an AIA extension designating that OCSP >>> Responder * >>> >>> *and that certificate is not yet expired.* >>> >>> ** >>> >>> *An OCSP Responder key rollover does not affect the values of >>> the * >>> >>> *URIs that are placed in the accessLocation field from the >>> target * >>> >>> *certificates.One or more OCSP Responder MAY respond to an OCSP * >>> >>> *request addressed at a given URI picked from the >>> accessLocation * >>> >>> *field from a target certificate.Each OCSP Responder MAY use a * >>> >>> *different signing key, as long as it got an OCSP certificate * >>> >>> *appropriate for that signing key and for the target >>> certificate. * >>> >>> 31.Second annex being proposed. This annex is important >>> because it describes the validation of an OCSP response in >>> the past >>> which is of a particular importance when validating >>> electronic signatures. >>> >>> *Response processing by an OCSP client* >>> >>> ** >>> >>> *OCSP responses can be verified at the current time by an >>> OCSP client * >>> >>> *when receiving a response, whereas old responses can be >>> verified at * >>> >>> *a time in the past by a verifier.The algorithm below addresses * >>> >>> *both cases.* >>> >>> ** >>> >>> *Prior to processing a basic response, OCSP clients MUST >>> determine * >>> >>> *the checking time, which may be either the current time or a >>> time * >>> >>> *in the past.* >>> >>> ** >>> >>> *OCSP clients or verifiers SHALL check if the response contains * >>> >>> *responseExtensions. If such an extension is found and is >>> recognized, * >>> >>> *it MUST be processed.If such a critical extension is found and * >>> >>> *is not recognized, the whole OCSP response MUST be >>> considered as * >>> >>> *invalid.* >>> >>> ** >>> >>> *If the checking time is the current time, and if a nonce >>> extension * >>> >>> *has been used in the request and is recognized (see section >>> 4.5.1), * >>> >>> *OCSP clients MUST check whether the same nonce is present in >>> the * >>> >>> *response.If the nonce is not present or is different, then the * >>> >>> *OCSP response MUST be discarded.* >>> >>> ** >>> >>> *Only the single response(s) which are/is of interest SHALL be * >>> >>> *checked.* >>> >>> ** >>> >>> *STEP 1* >>> >>> ** >>> >>> *OCSP clients or verifiers SHALL verify that the certificate * >>> >>> *identified in a single response is of interest.Otherwise, >>> proceed * >>> >>> *to step 3.* >>> >>> ** >>> >>> *If the certificate status included in a single certificate >>> response * >>> >>> *is "unknown", then the revocation status of that certificate >>> is * >>> >>> *"unknown", and proceed to step 3.* >>> >>> ** >>> >>> *If the certificate status from the single certificate >>> response is * >>> >>> *either "good" or "revoked", OCSP clients or verifiers SHALL >>> check * >>> >>> *that the checking time is within the validity period of the >>> target * >>> >>> *certificate.If it is not the case, then the revocation >>> status of * >>> >>> *that certificate is "unknown" and proceed to step 3.* >>> >>> ** >>> >>> *If the checking time is the current time, and if a nonce has >>> been * >>> >>> *used in the request, then proceed to step 2.* >>> >>> ** >>> >>> *If the checking time is the current time, and if no nonce >>> has been * >>> >>> *used in the request, OCSP clients MUST check that the >>> producedAt* >>> >>> *field is within a time window that is "close enough" to the >>> current * >>> >>> *time. * >>> >>> ** >>> >>> *Note: the notion of "close enough" is a local matter.It can >>> be set * >>> >>> *to a few minutes to allow for small UTC time differences * >>> >>> *between the client and the server or to a few hours in case * >>> >>> *the server is producing pre-computed responses.* >>> >>> ** >>> >>> *If the checking time is a time in the past, verifiers MUST >>> check * >>> >>> *that the producedAt field is in accordance with the >>> verification * >>> >>> *rules (e.g. close and/or after the date of a time-stamp token).* >>> >>> ** >>> >>> *In addition, if the nextUpdate field is present, OCSP >>> clients MUST * >>> >>> *check that the time which is indicated is greater than the >>> checking * >>> >>> *time, otherwise the single response MUST be discarded.* >>> >>> ** >>> >>> *If checks are successful, then OCSP clients MUST process the * >>> >>> *singleExtensions field, if it is present. * >>> >>> ** >>> >>> *If the criticality flag is set and the extension is not >>> understood, * >>> >>> *then the status of the certificate shall be "unknown" and >>> proceed to * >>> >>> *step 3.Otherwise, proceed to step 2. * >>> >>> ** >>> >>> *If the extension is understood, then the extension MUST be * >>> >>> *processed.According to its content proceed either to step 2 >>> or to * >>> >>> *step 3. * >>> >>> ** >>> >>> *STEP 2* >>> >>> ** >>> >>> *OCSP clients or verifiers MUST build and verify a >>> certification path * >>> >>> *for that certificate up to a trusted root, so that they have >>> the * >>> >>> *knowledge of the CA public key value that was used to sign the * >>> >>> *target certificate.The revocation status of each certificate >>> of * >>> >>> *that certification path (except the target certificate) >>> SHALL be * >>> >>> *checked.* >>> >>> ** >>> >>> *If no path can be built or if one of the certificates of the >>> path is * >>> >>> *revoked, then the revocation status of that certificate is >>> "unknown", * >>> >>> *and proceed to step 3. * >>> >>> ** >>> >>> *If the certification path (except the target certificate) is >>> valid, * >>> >>> *then two cases need to be considered:* >>> >>> ** >>> >>> *a) If the responderID matches with the name or the key from >>> the CA * >>> >>> *which has issued the target certificate, then check whether >>> the * >>> >>> *OCSP response is signed by the same key that was used to sign * >>> >>> *the target certificate.* >>> >>> ** >>> >>> *If it is the case, then the revocation status of that * >>> >>> *certificate as indicated in the certStatus field is * >>> >>> *accepted and proceed to step 3.* >>> >>> ** >>> >>> *If it is not the case, then the revocation status of that * >>> >>> *certificate is "unknown" and proceed to step 3.* >>> >>> ** >>> >>> *b) If the responderID does not match with the name or the >>> key from * >>> >>> *the CA which has issued the target certificate, then it >>> indicates * >>> >>> *the name or the key from an OCSP Responder.Check whether there * >>> >>> *exists a local rule which applies to this target certificate >>> to * >>> >>> *verify that the signature of the BasicOCSPResponse is valid >>> for * >>> >>> *that single response.If this rule exists, it SHALL be >>> followed. * >>> >>> ** >>> >>> *Otherwise check whether there is an OCSP certificate (i.e. >>> which * >>> >>> *has both the ocspSigning OID in the extended key usage >>> extension * >>> >>> *and the digitalSignature bit in the key usage extension) >>> signed * >>> >>> *by the same key that was used to sign the target certificate. * >>> >>> *This certificate MUST be present in the certs field from the * >>> >>> *BasicOCSPResponse. * >>> >>> ** >>> >>> *If such certificate is not found or is invalid, then the * >>> >>> *revocation status of that certificate is "unknown" and * >>> >>> *proceed to step 3.* >>> >>> ** >>> >>> *If such certificate exists and if the checking time is * >>> >>> *within the validity period of this certificate, then it MUST * >>> >>> *be verified whether the OCSP response can be verified using * >>> >>> *the public key that is present in the OCSP Certificate. * >>> >>> ** >>> >>> *If it is not the case, then the revocation status of that * >>> >>> *certificate is "unknown" and proceed to step 3.* >>> >>> ** >>> >>> *If it is the case, then it MUST be verified that the OCSP * >>> >>> *Certificate has not been revoked.* >>> >>> ** >>> >>> *If one of these conditions is met, then the status for the >>> target * >>> >>> *certificate as indicated in the certStatus field is accepted, * >>> >>> *otherwise the revocation status is "unknown".* >>> >>> ** >>> >>> *STEP 3* >>> >>> ** >>> >>> *If there exists another single certificate status response >>> for a * >>> >>> *target certificate that is of interest, then proceed to step >>> 1. * >>> >>> *Otherwise the basic response is now processed.* >>> >>> 32.Third annex being proposed. This annex is important >>> because it provides guidance on how to build an OCSP >>> responder in the three cases. >>> Many text portions are similar, but three full texts are >>> provided in order to provide a better clarity for each of the >>> three cases. >>> >>> *1. Request processing by OCSP servers* >>> >>> ** >>> >>> *The behavior of an OCSP server will be different whether the >>> OCSP * >>> >>> *server is a CA acting as an OCSP responder, is an OCSP >>> Responder * >>> >>> *which received a delegation from one or more CAs, or is a >>> locally * >>> >>> *trusted Responder.* >>> >>> ** >>> >>> *1.1. Processing by a CA acting as an OCSP responder* >>> >>> ** >>> >>> *The OCSP responder SHALL maintain a list of entries. Each >>> entry * >>> >>> *SHALL contain:* >>> >>> ** >>> >>> *- the URI associated to the OCSP responder, from which the >>> OCSP * >>> >>> *requests are received, * >>> >>> ** >>> >>> *- the DN from a CA,* >>> >>> ** >>> >>> *- an issuing public key from a CA,* >>> >>> ** >>> >>> *- the method(s) used to know for which subset of certificates * >>> >>> *issued by the CA it is responsible for, * >>> >>> ** >>> >>> *- the method(s) used to obtain the revocation status of that * >>> >>> *subset of certificates issued under that CA issuing public >>> key, * >>> >>> *and* >>> >>> ** >>> >>> *- the method used to gain access and sign with the private key * >>> >>> *corresponding to the issuing public key.* >>> >>> ** >>> >>> *For a given URI value, the OCSP responder SHALL only use one >>> CA * >>> >>> *key pair value. * >>> >>> ** >>> >>> *When it receives an OCSP request on that URI, the OCSP >>> responder * >>> >>> *SHALL handle exceptions according to section 2.3. * >>> >>> ** >>> >>> *If the OCSP request contains the name of a requestor, the OCSP * >>> >>> *responder SHALL verify whether there exists a locally >>> defined rule * >>> >>> *which regulates access control.If this rule exists, it SHALL >>> be * >>> >>> *followed.* >>> >>> ** >>> >>> *Then, for each target certificate, the OCSP responder SHALL >>> verify * >>> >>> *whether both the hash of the issuer's DN and the hash of the >>> issuer * >>> >>> *public key which are present in the request are eligible to a * >>> >>> *locally defined rule which indicates that the OCSP responder >>> is * >>> >>> *responsible to provide the revocation status of that target * >>> >>> *certificate.If this rule exists, it SHALL be followed.* >>> >>> ** >>> >>> *Otherwise, the OCSP responder SHALL determine whether it is * >>> >>> *responsible to provide the revocation status of that target * >>> >>> *certificate according to the following rule.* >>> >>> ** >>> >>> *For each target certificate, the OCSP responder SHALL verify >>> whether * >>> >>> *both the hash of the issuer's DN and the hash of the issuer >>> public * >>> >>> *key which are present in the request match respectively with >>> the DN * >>> >>> *and the hash of the public key of contained in an entry from >>> the * >>> >>> *list of entries maintained by this OCSP responder. * >>> >>> ** >>> >>> *When there is no match, then the OCSP responder SHALL >>> indicate the * >>> >>> *"unknown" status and proceed with the next target >>> certificate from * >>> >>> *the OCSP request.* >>> >>> ** >>> >>> *When there is a match, then the OCSP responder SHALL use the >>> serial * >>> >>> *number of the target certificate that is present in the >>> request and * >>> >>> *determine the revocation status of that certificate >>> according to * >>> >>> *the method(s) defined in the entry. * >>> >>> ** >>> >>> *When the revocation status is provided by the server using a >>> real * >>> >>> *time access to a database of revocation statuses of issued * >>> >>> *certificates, then the thisUpdate field SHALL be present in the* >>> >>> *SingleResponse response whereas the nextUpdate field SHALL be * >>> >>> *missing. * >>> >>> ** >>> >>> *Otherwise, both the thisUpdate and the nextUpdate fields >>> SHALL be * >>> >>> *present in the SingleResponse. * >>> >>> ** >>> >>> *The time at which this response will be signed MUST be >>> indicated in * >>> >>> *the producedAt field from the SingleResponse.* >>> >>> ** >>> >>> *If a singleRequestExtensions is present in the request it >>> MUST be * >>> >>> *processed.* >>> >>> ** >>> >>> *If there is another target certificate present in the >>> request, it * >>> >>> *SHALL be processed in the same way.* >>> >>> ** >>> >>> *If a requestExtensions is present in the request it MUST be * >>> >>> *processed.* >>> >>> ** >>> >>> *The OCSP response MUST be signed using the CA issuing >>> private key.* >>> >>> ** >>> >>> ** >>> >>> *1.2. Processing by an OCSP Responder* >>> >>> ** >>> >>> *For each CA from which the OCSP Responder has received a >>> delegation, * >>> >>> *the OCSP Responder SHALL maintain a list of entries. * >>> >>> ** >>> >>> *Each entry SHALL contain:* >>> >>> ** >>> >>> *- the URI associated to this OCSP Responder, from which the >>> OCSP * >>> >>> *requests are received, * >>> >>> ** >>> >>> *- the DN from a CA,* >>> >>> ** >>> >>> *- an issuing public key from a CA,* >>> >>> ** >>> >>> *- the method(s) used to know for which subset of certificates * >>> >>> *issued by the CA it is responsible for, * >>> >>> ** >>> >>> *- the method(s) used to obtain the revocation status of that * >>> >>> *subset of certificates issued under that CA issuing public key,* >>> >>> ** >>> >>> *- an OCSP certificate, * >>> >>> ** >>> >>> *- the OCSP public key contained in that OCSP certificate, and* >>> >>> ** >>> >>> *- the method used to gain access and sign with the OCSP >>> private * >>> >>> *key corresponding to that OCSP certificate.* >>> >>> ** >>> >>> *For a given URI value, the OCSP Responder SHALL only use one >>> OCSP * >>> >>> *key pair value.Therefore there cannot be two entries with the * >>> >>> *same URI value and a different OCSP public key value.* >>> >>> ** >>> >>> *NOTE: a BasicOCSPResponse can only be signed using a single >>> private * >>> >>> *key. * >>> >>> ** >>> >>> *The OCSP certificate SHALL be signed by the CA issuing >>> private key * >>> >>> *which corresponds to the issuing CA public key that is in this * >>> >>> *entry.* >>> >>> ** >>> >>> *When it receives an OCSP request, the OCSP responder SHALL >>> handle * >>> >>> *exceptions according to section 2.3. * >>> >>> ** >>> >>> *If the OCSP request contains the name of a requestor, the OCSP * >>> >>> *responder SHALL verify whether there exists a locally >>> defined rule * >>> >>> *which regulates access control.If this rule exists, it SHALL >>> be * >>> >>> *followed.* >>> >>> ** >>> >>> *For each target certificate, the OCSP Responder SHALL verify * >>> >>> *whether both the hash of the issuer's DN and the hash of the >>> issuer * >>> >>> *public key which are present in the OCSP request match with >>> those * >>> >>> *from an entry.* >>> >>> ** >>> >>> *When there is no match, then the OCSP Responder SHALL >>> indicate the * >>> >>> *"unknown" status and proceed with the next target >>> certificate from * >>> >>> *the OCSP request.* >>> >>> ** >>> >>> *When there is a match, the OCSP Responder SHALL use the serial * >>> >>> *number of the target certificate this is present in the OCSP * >>> >>> *request to determine the revocation status of that certificate * >>> >>> *according to the method(s) indicated in the entry. * >>> >>> ** >>> >>> *When the revocation status is provided by the server using a >>> real * >>> >>> *time access to a database of revocation statuses of issued * >>> >>> *certificates, then the thisUpdate field SHALL be present in the* >>> >>> *SingleResponse response whereas the nextUpdate field SHALL be * >>> >>> *missing. * >>> >>> ** >>> >>> *Otherwise, both the thisUpdate and the nextUpdate fields >>> SHALL be * >>> >>> *present in the SingleResponse. * >>> >>> ** >>> >>> *The time at which this response will be signed MUST be >>> indicated in * >>> >>> *the producedAt field from the SingleResponse.* >>> >>> ** >>> >>> *If a singleRequestExtensions is present in the request it >>> MUST be * >>> >>> *processed.* >>> >>> ** >>> >>> *If there is another target certificate present in the >>> request, it * >>> >>> *SHALL be processed in the same way.* >>> >>> ** >>> >>> *If a requestExtensions is present in the request it SHALL be * >>> >>> *processed.* >>> >>> ** >>> >>> *The OCSP response MUST be signed using the OCSP private key.* >>> >>> ** >>> >>> *Unless there is a local rule which states differently, for >>> every * >>> >>> *target certificate which matches both with the hash of a CA >>> DN and an * >>> >>> *issuing public key from an entry, the OCSP certificate of >>> that entry * >>> >>> *SHALL be placed in the certs field.* >>> >>> ** >>> >>> *It may happen, that none of the target certificates from the >>> OCSP* >>> >>> *request matches both with the hash of a CA DN and an issuing >>> public * >>> >>> *key from an entry.In that case and unless a local rule states * >>> >>> *differently, the certs field from the BasicOCSPResponse >>> SHOULD be * >>> >>> *kept empty (to limit the disclose of the names of the CAs >>> from which * >>> >>> *the OCSP Responder received a delegation from).* >>> >>> ** >>> >>> *1.3. Processing by a locally trusted Responder* >>> >>> ** >>> >>> *For each CA for which the locally trusted Responder is * >>> >>> *authoritative, the OCSP Responder SHALL maintain a list of >>> entries. * >>> >>> ** >>> >>> *Each entry SHALL contain:* >>> >>> ** >>> >>> *- the URI associated to this OCSP Responder, from which the >>> OCSP * >>> >>> *requests are received, * >>> >>> ** >>> >>> *- the DN from a CA,* >>> >>> ** >>> >>> *- an issuing public key from a CA,* >>> >>> ** >>> >>> *- the method(s) used to know for which subset of certificates * >>> >>> *issued by the CA it is responsible for, * >>> >>> ** >>> >>> *- the method(s) used to obtain the revocation status of that * >>> >>> *subset of certificates issued under that CA issuing public key,* >>> >>> ** >>> >>> *- the method used to gain access to the private key in order >>> to * >>> >>> *sign the OCSP response. * >>> >>> ** >>> >>> *For a given URI value, the OCSP Responder SHALL only use one >>> private * >>> >>> *key.Therefore there cannot be two entries with the same URI >>> value * >>> >>> *and a different method to gain access to the appropriate >>> private key.* >>> >>> ** >>> >>> *NOTE: a BasicOCSPResponse can only be signed using a single >>> private * >>> >>> *key. * >>> >>> ** >>> >>> *When it receives an OCSP request, the OCSP responder SHALL >>> handle * >>> >>> *exceptions according to section 2.3. * >>> >>> ** >>> >>> *If the OCSP request contains the name of a requestor, the OCSP * >>> >>> *responder SHALL verify whether there exists a locally >>> defined rule * >>> >>> *which regulates access control.If this rule exists, it SHALL >>> be * >>> >>> *followed.* >>> >>> ** >>> >>> *For each target certificate, the OCSP Responder SHALL verify * >>> >>> *whether both the hash of the issuer's DN and the hash of the >>> issuer * >>> >>> *public key which are present in the OCSP request match with >>> those * >>> >>> *from an entry.* >>> >>> ** >>> >>> *When there is no match, then the OCSP Responder SHALL >>> indicate the * >>> >>> *"unknown" status and proceed with the next target >>> certificate from * >>> >>> *the OCSP request.* >>> >>> ** >>> >>> *When there is a match, the OCSP Responder SHALL use the serial * >>> >>> *number of the target certificate this is present in the OCSP * >>> >>> *request to determine the revocation status of that certificate * >>> >>> *according to the method(s) indicated in the entry. * >>> >>> ** >>> >>> *When the revocation status is provided by the server using a >>> real * >>> >>> *time access to a database of revocation statuses of issued * >>> >>> *certificates, then the thisUpdate field SHALL be present in the* >>> >>> *SingleResponse response whereas the nextUpdate field SHALL be * >>> >>> *missing. * >>> >>> ** >>> >>> *Otherwise, both the thisUpdate and the nextUpdate fields >>> SHALL be * >>> >>> *present in the SingleResponse. * >>> >>> ** >>> >>> *The time at which this response will be signed MUST be >>> indicated in * >>> >>> *the producedAt field from the SingleResponse.* >>> >>> ** >>> >>> *If a singleRequestExtensions is present in the request it >>> MUST be * >>> >>> *processed.* >>> >>> ** >>> >>> *If there is another target certificate present in the >>> request, it * >>> >>> *SHALL be processed in the same way.* >>> >>> ** >>> >>> *If a requestExtensions is present in the request it SHALL be * >>> >>> *processed.* >>> >>> ** >>> >>> *The OCSP response MUST be signed using the OCSP private key.* >>> >>> ** >>> >>> *The certs field may contain no, one or several OCSP >>> certificates * >>> >>> *according to local rules followed by the locally trusted >>> Responder.* >>> >>> >>> Not broken. >>> >>> /Stefan >>> >>> End of comments >>> >>> >>> Denis >>> >>> _______________________________________________ pkix mailing >>> list pkix@ietf.org >>> https://www.ietf.org/mailman/listinfo/pkix >>> >> > From iesg-secretary@ietf.org Wed Mar 13 13:08:38 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9814B11E8158; Wed, 13 Mar 2013 13:08:38 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.552 X-Spam-Level: X-Spam-Status: No, score=-102.552 tagged_above=-999 required=5 tests=[AWL=0.048, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YPmhcuRt1ayw; Wed, 13 Mar 2013 13:08:38 -0700 (PDT) Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A16D11E8148; Wed, 13 Mar 2013 13:08:38 -0700 (PDT) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: The IESG To: IETF-Announce X-Test-IDTracker: no X-IETF-IDTracker: 4.43 Message-ID: <20130313200838.8488.76211.idtracker@ietfa.amsl.com> Date: Wed, 13 Mar 2013 13:08:38 -0700 Cc: pkix@ietf.org Subject: [pkix] Last Call: (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: ietf@ietf.org List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Mar 2013 20:08:38 -0000 The IESG has received a request from the Public-Key Infrastructure (X.509) WG (pkix) to consider the following document: - 'X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP' as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2013-03-27. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract This document specifies a protocol useful in determining the current status of a digital certificate without requiring CRLs. Additional mechanisms addressing PKIX operational requirements are specified in separate documents. This document obsoletes RFC 2560 and RFC 6277, and updates RFC 5912. The file can be obtained via http://datatracker.ietf.org/doc/draft-ietf-pkix-rfc2560bis/ IESG discussion can be tracked via http://datatracker.ietf.org/doc/draft-ietf-pkix-rfc2560bis/ballot/ No IPR declarations have been submitted directly on this I-D. From iesg-secretary@ietf.org Wed Mar 13 13:08:38 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C32C511E815C for ; Wed, 13 Mar 2013 13:08:38 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.552 X-Spam-Level: X-Spam-Status: No, score=-102.552 tagged_above=-999 required=5 tests=[AWL=0.048, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T20rII7u7G+f; Wed, 13 Mar 2013 13:08:38 -0700 (PDT) Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 32C8A11E814C; Wed, 13 Mar 2013 13:08:38 -0700 (PDT) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: The IESG To: IANA X-Test-IDTracker: no X-IETF-IDTracker: 4.43 X-IETF-Draft-string: draft-ietf-pkix-rfc2560bis X-IETF-Draft-revision: 15 Message-ID: <20130313200838.8488.1343.idtracker@ietfa.amsl.com> Date: Wed, 13 Mar 2013 13:08:38 -0700 Cc: pkix@ietf.org Subject: [pkix] Last Call: (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: noreply@ietf.org List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Mar 2013 20:08:38 -0000 The IESG has received a request from the Public-Key Infrastructure (X.509) WG (pkix) to consider the following document: - 'X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP' as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2013-03-27. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract This document specifies a protocol useful in determining the current status of a digital certificate without requiring CRLs. Additional mechanisms addressing PKIX operational requirements are specified in separate documents. This document obsoletes RFC 2560 and RFC 6277, and updates RFC 5912. The file can be obtained via http://datatracker.ietf.org/doc/draft-ietf-pkix-rfc2560bis/ IESG discussion can be tracked via http://datatracker.ietf.org/doc/draft-ietf-pkix-rfc2560bis/ballot/ No IPR declarations have been submitted directly on this I-D. From wwwrun@rfc-editor.org Fri Mar 15 18:11:55 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E794011E8107 for ; Fri, 15 Mar 2013 18:11:55 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.6 X-Spam-Level: X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yEgrSt-JfdjZ for ; Fri, 15 Mar 2013 18:11:55 -0700 (PDT) Received: from rfc-editor.org (unknown [IPv6:2001:1890:123a::1:2f]) by ietfa.amsl.com (Postfix) with ESMTP id 643D911E80F7 for ; Fri, 15 Mar 2013 18:11:55 -0700 (PDT) Received: by rfc-editor.org (Postfix, from userid 30) id 6F42FB1E002; Fri, 15 Mar 2013 18:11:28 -0700 (PDT) To: philliph@comodo.com, rob.stradling@comodo.com, stephen.farrell@cs.tcd.ie, turners@ieca.com, kent@bbn.com, stefan@aaa-sec.com From: RFC Errata System Message-Id: <20130316011128.6F42FB1E002@rfc-editor.org> Date: Fri, 15 Mar 2013 18:11:28 -0700 (PDT) Cc: pkix@ietf.org, rfc-editor@rfc-editor.org Subject: [pkix] [Editorial Errata Reported] RFC6844 (3547) X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Mar 2013 01:11:56 -0000 The following errata report has been submitted for RFC6844, "DNS Certification Authority Authorization (CAA) Resource Record". -------------------------------------- You may review the report below and at: http://www.rfc-editor.org/errata_search.php?rfc=6844&eid=3547 -------------------------------------- Type: Editorial Reported by: Sean Turner Section: s7.2 Original Text ------------- auth Reserved [HB2011] path Reserved [HB2011] policy Reserved [HB2011] Corrected Text -------------- auth Reserved [RFC6844] path Reserved [RFC6844] policy Reserved [RFC6844] Notes ----- Better to use the datatracker history to find the values than the expired drafts. Instructions: ------------- This errata is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party (IESG) can log in to change the status and edit the report, if necessary. -------------------------------------- RFC6844 (draft-ietf-pkix-caa-15) -------------------------------------- Title : DNS Certification Authority Authorization (CAA) Resource Record Publication Date : January 2013 Author(s) : P. Hallam-Baker, R. Stradling Category : PROPOSED STANDARD Source : Public-Key Infrastructure (X.509) Area : Security Stream : IETF Verifying Party : IESG From turners@ieca.com Fri Mar 15 18:34:25 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30C0711E810C for ; Fri, 15 Mar 2013 18:34:25 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -101.481 X-Spam-Level: X-Spam-Status: No, score=-101.481 tagged_above=-999 required=5 tests=[AWL=1.119, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AJlj0MqItbei for ; Fri, 15 Mar 2013 18:34:24 -0700 (PDT) Received: from gateway06.websitewelcome.com (gateway06.websitewelcome.com [64.5.38.4]) by ietfa.amsl.com (Postfix) with ESMTP id ACD8511E8109 for ; Fri, 15 Mar 2013 18:34:24 -0700 (PDT) Received: by gateway06.websitewelcome.com (Postfix, from userid 5007) id 3DDDBB53B9DE9; Fri, 15 Mar 2013 20:34:24 -0500 (CDT) Received: from gator1743.hostgator.com (gator1743.hostgator.com [184.173.253.227]) by gateway06.websitewelcome.com (Postfix) with ESMTP id 16B17B53B9D9F for ; Fri, 15 Mar 2013 20:34:24 -0500 (CDT) Received: from [198.180.150.142] (port=55686 helo=thunderfish.local) by gator1743.hostgator.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.80) (envelope-from ) id 1UGg0t-0008NL-EG; Fri, 15 Mar 2013 20:34:23 -0500 Message-ID: <5143CC1D.3080309@ieca.com> Date: Fri, 15 Mar 2013 21:34:21 -0400 From: Sean Turner User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/20130307 Thunderbird/17.0.4 MIME-Version: 1.0 To: Andrew Sullivan References: <20130316011128.6F42FB1E002@rfc-editor.org> <3F64D1DB-12F8-4373-9C78-9110120E61CA@crankycanuck.ca> In-Reply-To: <3F64D1DB-12F8-4373-9C78-9110120E61CA@crankycanuck.ca> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - gator1743.hostgator.com X-AntiAbuse: Original Domain - ietf.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - ieca.com X-BWhitelist: no X-Source: X-Source-Args: X-Source-Dir: X-Source-Sender: (thunderfish.local) [198.180.150.142]:55686 X-Source-Auth: sean.turner@ieca.com X-Email-Count: 3 X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IxNzQzLmhvc3RnYXRvci5jb20= Cc: "stefan@aaa-sec.com" , "philliph@comodo.com" , "pkix@ietf.org" , RFC Errata System Subject: Re: [pkix] [Editorial Errata Reported] RFC6844 (3547) X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Mar 2013 01:34:25 -0000 The IANA folks asked phb/me to submit this so they'd get instructed to update the registry. spt On 3/15/13 9:17 PM, Andrew Sullivan wrote: > I'm inclined not to call this an erratum in the draft. But the registry ought to be updated if it hasn't been. > From mrex@sap.com Fri Mar 15 21:28:00 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACE961F0D35 for ; Fri, 15 Mar 2013 21:28:00 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -9.832 X-Spam-Level: X-Spam-Status: No, score=-9.832 tagged_above=-999 required=5 tests=[AWL=-0.417, BAYES_00=-2.599, FM_ASCII_ART_SPACINGc=0.833, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O+ow735xdXwo for ; Fri, 15 Mar 2013 21:27:59 -0700 (PDT) Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 791E01F0D0F for ; Fri, 15 Mar 2013 21:27:58 -0700 (PDT) Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id r2G4Rn2s028675 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 16 Mar 2013 05:27:49 +0100 (MET) In-Reply-To: To: Erwann Abalea Date: Sat, 16 Mar 2013 05:27:48 +0100 (CET) X-Mailer: ELM [version 2.4ME+ PL125 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="US-ASCII" Message-Id: <20130316042748.DCB6B1A642@ld9781.wdf.sap.corp> From: mrex@sap.com (Martin Rex) X-SAP: out Cc: "pkix@ietf.org" Subject: Re: [pkix] timestamp signature validation X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: mrex@sap.com List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Mar 2013 04:28:00 -0000 Erwann Abalea wrote: > > A dark corner from RFC2634. SigningCertificate attribute contains a > sequence of ESSCertID, and usually this sequence is composed of only one > certificate. There seem to be more dark areas that just "corners" in rfc2634 and its alleged update rfc5035. The first thing that puzzles me: why does ESSCertID use such an extremely awkward "ESSCertID"? http://tools.ietf.org/html/rfc2634#page-48 ESSCertID ::= SEQUENCE { certHash Hash, issuerSerial IssuerSerial OPTIONAL } Hash ::= OCTET STRING -- SHA1 hash of entire certificate IssuerSerial ::= SEQUENCE { issuer GeneralNames, serialNumber CertificateSerialNumber } When creating an ESSCertID, the certHash is computed over the entire DER encoded certificate including the signature. The issuerSerial would normally be present unless the value can be inferred from other information. When encoding IssuerSerial, serialNumber is the serial number that uniquely identifies the certificate. For non-attribute certificates, the issuer MUST contain only the issuer name from the certificate encoded in the directoryName choice of GeneralNames. For attribute certificates, the issuer MUST contain the issuer name field from the attribute certificate. It says: "... the isser MUST contain only the issuer name from the certificate encoded in the directoryName choice of GeneralNames" But that seems non sensical. The definition of GeneralNames from rfc5280 looks like this: GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName so GeneralNames does _not_ contain a CHOICE. There may be a (close to) inifinite number of GeneralName types contained in that GeneralNames sequence, but that seems awkward. Looking at what values issuer can have in certs (from 5280 again): TBSCertificate ::= SEQUENCE { version [0] Version DEFAULT v1, serialNumber CertificateSerialNumber, signature AlgorithmIdentifier, *> issuer Name, validity Validity, subject Name, subjectPublicKeyInfo SubjectPublicKeyInfo, issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, -- If present, version MUST be v2 or v3 subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, -- If present, version MUST be v2 or v3 extensions [3] Extensions OPTIONAL -- If present, version MUST be v3 -- } or in CRLs: TBSCertList ::= SEQUENCE { version Version OPTIONAL, -- if present, MUST be v2 signature AlgorithmIdentifier, *> issuer Name, thisUpdate Time, nextUpdate Time OPTIONAL, revokedCertificates SEQUENCE OF SEQUENCE { userCertificate CertificateSerialNumber, revocationDate Time, crlEntryExtensions Extensions OPTIONAL -- if present, version MUST be v2 } OPTIONAL, crlExtensions [0] Extensions OPTIONAL } -- if present, version MUST be v2 And looking at how CMS (rfc2630) defined IssuerAndSerial IssuerAndSerialNumber ::= SEQUENCE { *> issuer Name, serialNumber CertificateSerialNumber } CertificateSerialNumber ::= INTEGER I fall to understand why ESSCertID uses something so extremely complicated as a "SEQUENCE of GeneralName", where everyone else has been using "Name"? It gets even weirder in rfc5035: ESSCertIDv2 ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier DEFAULT {algorithm id-sha256}, certHash Hash, issuerSerial IssuerSerial OPTIONAL } I'm puzzled why rfc5035 defines ESSCertIDv2 in a fashion that it is thoroughly binary incompatible with ESSCertID from rfc2634? Had it used "DEFAULT {algorithm id-sha1}," instead, then it would share the same ASN.1 DER encoding with ESSCertID from rfc2634 when SHA-1 is used for the hash, vaguely similar how the Validity in X.509v3 certificates is being slowly migrated from UTCTime to a subset of GeneralizedTime. -Martin From pgut001@cs.auckland.ac.nz Fri Mar 15 23:08:33 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9494C21F89A5 for ; Fri, 15 Mar 2013 23:08:33 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qhOeKnEjA1Js for ; Fri, 15 Mar 2013 23:08:31 -0700 (PDT) Received: from mx2.auckland.ac.nz (mx2.auckland.ac.nz [130.216.125.244]) by ietfa.amsl.com (Postfix) with ESMTP id 3179521F86DC for ; Fri, 15 Mar 2013 23:08:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1363414111; x=1394950111; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=GRQUjXp4LOkyGIqy7hxmIfFLuNYO6JBcH1aSc23z/D8=; b=mrcunsjKh0p4ylzyVDoQfdlJgzxA08ZnRfOqujHcXvsLeCZ7Uv13oe+7 dcq7ECOiPRZyhG4lNfn7LzYT9jRgR3z4j18S9+zZtjlzQ0nvjxcs+WeLJ A8WxPg4VjyFzbBTjQXmhAZGvYw9qeDvsQDxobTDCNNHL7LtuUO5nnQHZU A=; X-IronPort-AV: E=Sophos;i="4.84,856,1355050800"; d="scan'208";a="175717420" X-Ironport-HAT: MAIL-SERVERS - $RELAYED X-Ironport-Source: 130.216.4.112 - Outgoing - Outgoing Received: from uxchange10-fe1.uoa.auckland.ac.nz ([130.216.4.112]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES128-SHA; 16 Mar 2013 19:08:29 +1300 Received: from UXCHANGE10-FE4.UoA.auckland.ac.nz (130.216.4.171) by uxchange10-fe1.UoA.auckland.ac.nz (130.216.4.112) with Microsoft SMTP Server (TLS) id 14.2.318.4; Sat, 16 Mar 2013 19:08:29 +1300 Received: from UXCN10-2.UoA.auckland.ac.nz ([169.254.2.110]) by uxchange10-fe4.UoA.auckland.ac.nz ([130.216.4.171]) with mapi id 14.02.0318.004; Sat, 16 Mar 2013 19:08:29 +1300 From: Peter Gutmann To: IETF PKIX Thread-Topic: [pkix] timestamp signature validation Thread-Index: Ac4iDK0k9qVDbw+wSdmvCJZXdeOqMg== Date: Sat, 16 Mar 2013 06:08:28 +0000 Message-ID: <9A043F3CF02CD34C8E74AC1594475C73375E1D4A@uxcn10-2.UoA.auckland.ac.nz> Accept-Language: en-GB, en-NZ, en-US Content-Language: en-GB X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [130.216.158.4] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Subject: Re: [pkix] timestamp signature validation X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Mar 2013 06:08:33 -0000 Martin Rex writes:=0A= =0A= >The first thing that puzzles me: why does ESSCertID use such an extremely= =0A= >awkward "ESSCertID"?=0A= =0A= The PKIX charter explicitly prohibits doing anything in a logical,=0A= straightforward way (look at... well, I hardly know where to start in terms= of=0A= referencing RFCs for this, there's so many). However the issue has been=0A= quickly resolved (as have many other of the more awkward requirements in RF= Cs)=0A= by everyone agreeing that an ESSCertID is:=0A= =0A= ESSCertID ::=3D SEQUENCE { certHash OCTET STRING SIZE(20) -- SHA1 hash }= =0A= =0A= >I'm puzzled why rfc5035 defines ESSCertIDv2 in a fashion that it is=0A= >thoroughly binary incompatible with ESSCertID from rfc2634?=0A= =0A= See above. As an implementer you just deal with these things and move on,= =0A= it's not worth breaking your head over it.=0A= =0A= Peter.=0A= From eabalea@gmail.com Sat Mar 16 07:51:40 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C60D021F8A80 for ; Sat, 16 Mar 2013 07:51:39 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.599 X-Spam-Level: X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0qC6T2NxThdO for ; Sat, 16 Mar 2013 07:51:39 -0700 (PDT) Received: from mail-ve0-f179.google.com (mail-ve0-f179.google.com [209.85.128.179]) by ietfa.amsl.com (Postfix) with ESMTP id E1E0121F8A6F for ; Sat, 16 Mar 2013 07:51:38 -0700 (PDT) Received: by mail-ve0-f179.google.com with SMTP id da11so3403804veb.10 for ; Sat, 16 Mar 2013 07:51:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=8zNz+rzjGN0pNZd93k5rh4q0/4ur2/pkCMA0c5JKDeY=; b=GX6dgWEAdFeZTeim19PJhBupGj9vVihx01UrpQACIk7pYes3Y5BXNiGf+QPQ9a4mOO Hso54NVsIMPK5mGoM/X2+iHGAqL0MB49IxuPfUJ804qHjTYO22pcDhr599geCU0ib6tZ vSORaZgx6E89h1rTOMuQ1QyGnxO0DlAQwiBqYL6ieZJBB8GmOd5P0bUeWZWvqnZPFlel DsR3q4uGEJwcgqmmHRFY2L1qjqg5tMT9Zr0h/SsjgQ2G+GAxw55UyxHrZ14sB0y8tuTV F+wTLMVdD6OrFoxxP46f5c5CpzT4ttDhPFcJ4GKQ66HF5Rr7+/+wwSYk5JPcQXRIf9Dx VJ3A== MIME-Version: 1.0 X-Received: by 10.52.37.109 with SMTP id x13mr10458984vdj.10.1363445498021; Sat, 16 Mar 2013 07:51:38 -0700 (PDT) Received: by 10.52.156.49 with HTTP; Sat, 16 Mar 2013 07:51:37 -0700 (PDT) In-Reply-To: <20130316042748.DCB6B1A642@ld9781.wdf.sap.corp> References: <20130316042748.DCB6B1A642@ld9781.wdf.sap.corp> Date: Sat, 16 Mar 2013 15:51:37 +0100 Message-ID: From: Erwann Abalea To: mrex@sap.com Content-Type: text/plain; charset=UTF-8 Cc: "pkix@ietf.org" Subject: Re: [pkix] timestamp signature validation X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Mar 2013 14:51:40 -0000 2013/3/16 Martin Rex : > Erwann Abalea wrote: >> >> A dark corner from RFC2634. SigningCertificate attribute contains a >> sequence of ESSCertID, and usually this sequence is composed of only one >> certificate. > > There seem to be more dark areas that just "corners" in rfc2634 > and its alleged update rfc5035. > > The first thing that puzzles me: why does ESSCertID use such > an extremely awkward "ESSCertID"? > > http://tools.ietf.org/html/rfc2634#page-48 > > > ESSCertID ::= SEQUENCE { > certHash Hash, > issuerSerial IssuerSerial OPTIONAL > } > > Hash ::= OCTET STRING -- SHA1 hash of entire certificate > > IssuerSerial ::= SEQUENCE { > issuer GeneralNames, > serialNumber CertificateSerialNumber > } > > When creating an ESSCertID, the certHash is computed over the entire > DER encoded certificate including the signature. The issuerSerial > would normally be present unless the value can be inferred from other > information. > > When encoding IssuerSerial, serialNumber is the serial number that > uniquely identifies the certificate. For non-attribute certificates, > the issuer MUST contain only the issuer name from the certificate > encoded in the directoryName choice of GeneralNames. For attribute > certificates, the issuer MUST contain the issuer name field from the > attribute certificate. > > > It says: > > "... the isser MUST contain only the issuer name from the certificate > encoded in the directoryName choice of GeneralNames" > > But that seems non sensical. > > The definition of GeneralNames from rfc5280 looks like this: > > GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName > > so GeneralNames does _not_ contain a CHOICE. GeneralNames is a SEQUENCE of GeneralName, and GeneralName is a CHOICE (among them, directoryName, of type Name). > There may be a (close to) inifinite number of GeneralName types > contained in that GeneralNames sequence, but that seems awkward. > > Looking at what values issuer can have in certs (from 5280 again): > > TBSCertificate ::= SEQUENCE { > version [0] Version DEFAULT v1, > serialNumber CertificateSerialNumber, > signature AlgorithmIdentifier, > *> issuer Name, > validity Validity, > subject Name, > subjectPublicKeyInfo SubjectPublicKeyInfo, > issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, > -- If present, version MUST be v2 or v3 > subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, > -- If present, version MUST be v2 or v3 > extensions [3] Extensions OPTIONAL > -- If present, version MUST be v3 -- } > > or in CRLs: > > TBSCertList ::= SEQUENCE { > version Version OPTIONAL, > -- if present, MUST be v2 > signature AlgorithmIdentifier, > *> issuer Name, > thisUpdate Time, > nextUpdate Time OPTIONAL, > revokedCertificates SEQUENCE OF SEQUENCE { > userCertificate CertificateSerialNumber, > revocationDate Time, > crlEntryExtensions Extensions OPTIONAL > -- if present, version MUST be v2 > } OPTIONAL, > crlExtensions [0] Extensions OPTIONAL } > -- if present, version MUST be v2 > > And looking at how CMS (rfc2630) defined IssuerAndSerial > > IssuerAndSerialNumber ::= SEQUENCE { > *> issuer Name, > serialNumber CertificateSerialNumber } > > CertificateSerialNumber ::= INTEGER > > I fall to understand why ESSCertID uses something so extremely complicated > as a "SEQUENCE of GeneralName", where everyone else has been using "Name"? True. But after all, when you encode the AuthorityKeyIdentifier extension, the authorityCertIssuer is also of GeneralNames type. > It gets even weirder in rfc5035: > > ESSCertIDv2 ::= SEQUENCE { > hashAlgorithm AlgorithmIdentifier > DEFAULT {algorithm id-sha256}, > certHash Hash, > issuerSerial IssuerSerial OPTIONAL > } > > > I'm puzzled why rfc5035 defines ESSCertIDv2 in a fashion that it is > thoroughly binary incompatible with ESSCertID from rfc2634? > > Had it used "DEFAULT {algorithm id-sha1}," instead, then it would > share the same ASN.1 DER encoding with ESSCertID from rfc2634 when > SHA-1 is used for the hash, vaguely similar how the Validity in > X.509v3 certificates is being slowly migrated from UTCTime to a subset > of GeneralizedTime. True again. -- Erwann. From ajs@crankycanuck.ca Fri Mar 15 18:17:39 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82D0811E810B for ; Fri, 15 Mar 2013 18:17:39 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.556 X-Spam-Level: X-Spam-Status: No, score=0.556 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_INFO=1.448, HOST_MISMATCH_NET=0.311, MIME_QP_LONG_LINE=1.396] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xW-4C0D6dfzs for ; Fri, 15 Mar 2013 18:17:39 -0700 (PDT) Received: from mx1.yitter.info (ow5p.x.rootbsd.net [208.79.81.114]) by ietfa.amsl.com (Postfix) with ESMTP id DB62F11E80D9 for ; Fri, 15 Mar 2013 18:17:38 -0700 (PDT) Received: from [25.14.32.217] (unknown [74.198.9.217]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mx1.yitter.info (Postfix) with ESMTPSA id B6DD98A031; Sat, 16 Mar 2013 01:17:37 +0000 (UTC) References: <20130316011128.6F42FB1E002@rfc-editor.org> In-Reply-To: <20130316011128.6F42FB1E002@rfc-editor.org> Mime-Version: 1.0 (1.0) Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii Message-Id: <3F64D1DB-12F8-4373-9C78-9110120E61CA@crankycanuck.ca> X-Mailer: iPhone Mail (10B145) From: Andrew Sullivan Date: Fri, 15 Mar 2013 21:17:36 -0400 To: RFC Errata System X-Mailman-Approved-At: Mon, 18 Mar 2013 07:25:54 -0700 Cc: "stefan@aaa-sec.com" , "rfc-editor@rfc-editor.org" , "pkix@ietf.org" , "philliph@comodo.com" Subject: Re: [pkix] [Editorial Errata Reported] RFC6844 (3547) X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Mar 2013 01:17:39 -0000 I'm inclined not to call this an erratum in the draft. But the registry ough= t to be updated if it hasn't been.=20 --=20 Andrew Sullivan=20 Please excuse my clumbsy thums.=20 On 2013-03-15, at 21:11, RFC Errata System wrote= : > The following errata report has been submitted for RFC6844, > "DNS Certification Authority Authorization (CAA) Resource Record". >=20 > -------------------------------------- > You may review the report below and at: > http://www.rfc-editor.org/errata_search.php?rfc=3D6844&eid=3D3547 >=20 > -------------------------------------- > Type: Editorial > Reported by: Sean Turner >=20 > Section: s7.2 >=20 > Original Text > ------------- > auth Reserved [HB2011] > path Reserved [HB2011] > policy Reserved [HB2011] >=20 > Corrected Text > -------------- > auth Reserved [RFC6844] > path Reserved [RFC6844] > policy Reserved [RFC6844] >=20 > Notes > ----- > Better to use the datatracker history to find the values than the expired d= rafts. >=20 > Instructions: > ------------- > This errata is currently posted as "Reported". If necessary, please > use "Reply All" to discuss whether it should be verified or > rejected. When a decision is reached, the verifying party (IESG) > can log in to change the status and edit the report, if necessary.=20 >=20 > -------------------------------------- > RFC6844 (draft-ietf-pkix-caa-15) > -------------------------------------- > Title : DNS Certification Authority Authorization (CAA) Reso= urce Record > Publication Date : January 2013 > Author(s) : P. Hallam-Baker, R. Stradling > Category : PROPOSED STANDARD > Source : Public-Key Infrastructure (X.509) > Area : Security > Stream : IETF > Verifying Party : IESG > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix From ajs@crankycanuck.ca Fri Mar 15 18:52:36 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB9DF11E8126 for ; Fri, 15 Mar 2013 18:52:36 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.556 X-Spam-Level: X-Spam-Status: No, score=0.556 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_INFO=1.448, HOST_MISMATCH_NET=0.311, MIME_QP_LONG_LINE=1.396] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gsh9CMtIWZYd for ; Fri, 15 Mar 2013 18:52:36 -0700 (PDT) Received: from mx1.yitter.info (ow5p.x.rootbsd.net [208.79.81.114]) by ietfa.amsl.com (Postfix) with ESMTP id 45E0E11E80C5 for ; Fri, 15 Mar 2013 18:52:36 -0700 (PDT) Received: from [25.14.32.217] (unknown [74.198.9.217]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mx1.yitter.info (Postfix) with ESMTPSA id 875BE8A031; Sat, 16 Mar 2013 01:52:35 +0000 (UTC) References: <20130316011128.6F42FB1E002@rfc-editor.org> <3F64D1DB-12F8-4373-9C78-9110120E61CA@crankycanuck.ca> <5143CC1D.3080309@ieca.com> In-Reply-To: <5143CC1D.3080309@ieca.com> Mime-Version: 1.0 (1.0) Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii Message-Id: X-Mailer: iPhone Mail (10B145) From: Andrew Sullivan Date: Fri, 15 Mar 2013 21:52:32 -0400 To: Sean Turner X-Mailman-Approved-At: Mon, 18 Mar 2013 07:25:54 -0700 Cc: "stefan@aaa-sec.com" , RFC Errata System , "philliph@comodo.com" , "pkix@ietf.org" Subject: Re: [pkix] [Editorial Errata Reported] RFC6844 (3547) X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 16 Mar 2013 01:52:37 -0000 Hrm. Well, I can see that, I guess. No objection, then.=20 --=20 Andrew Sullivan=20 Please excuse my clumbsy thums.=20 On 2013-03-15, at 21:34, Sean Turner wrote: > The IANA folks asked phb/me to submit this so they'd get instructed to upd= ate the registry. >=20 > spt >=20 > On 3/15/13 9:17 PM, Andrew Sullivan wrote: >> I'm inclined not to call this an erratum in the draft. But the registry o= ught to be updated if it hasn't been. > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix From mrex@sap.com Mon Mar 18 10:49:38 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF76321F8FD7 for ; Mon, 18 Mar 2013 10:49:38 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.11 X-Spam-Level: X-Spam-Status: No, score=-10.11 tagged_above=-999 required=5 tests=[AWL=0.139, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZDEubGG5A3yJ for ; Mon, 18 Mar 2013 10:49:30 -0700 (PDT) Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 92F2021F8FD6 for ; Mon, 18 Mar 2013 10:49:29 -0700 (PDT) Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id r2IHnRwm006990 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 18 Mar 2013 18:49:27 +0100 (MET) In-Reply-To: To: Erwann Abalea Date: Mon, 18 Mar 2013 18:49:27 +0100 (CET) X-Mailer: ELM [version 2.4ME+ PL125 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="US-ASCII" Message-Id: <20130318174927.401291A647@ld9781.wdf.sap.corp> From: mrex@sap.com (Martin Rex) X-SAP: out Cc: "pkix@ietf.org" Subject: Re: [pkix] timestamp signature validation X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: mrex@sap.com List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Mar 2013 17:49:38 -0000 Erwann Abalea wrote: > Martin Rex : > > > > http://tools.ietf.org/html/rfc2634#page-48 > > > > > > ESSCertID ::= SEQUENCE { > > certHash Hash, > > issuerSerial IssuerSerial OPTIONAL > > } > > > > Hash ::= OCTET STRING -- SHA1 hash of entire certificate > > > > IssuerSerial ::= SEQUENCE { > > issuer GeneralNames, > > serialNumber CertificateSerialNumber > > } > > > > When creating an ESSCertID, the certHash is computed over the entire > > DER encoded certificate including the signature. The issuerSerial > > would normally be present unless the value can be inferred from other > > information. > > > > When encoding IssuerSerial, serialNumber is the serial number that > > uniquely identifies the certificate. For non-attribute certificates, > > the issuer MUST contain only the issuer name from the certificate > > encoded in the directoryName choice of GeneralNames. For attribute > > certificates, the issuer MUST contain the issuer name field from the > > attribute certificate. > > > > > I fall to understand why ESSCertID uses something so extremely complicated > > as a "SEQUENCE of GeneralName", where everyone else has been using "Name"? > > True. But after all, when you encode the AuthorityKeyIdentifier > extension, the authorityCertIssuer is also of GeneralNames type. Did you notice the MUST requirements in the second paragraph, that I quoted from rfc2634 (setences 2+3)? rfc2634 does not allow anything else than the "issuer Name," from TBSCertificate to appear in issuerSerial of ESSCertID. -Martin From DPKemp@missi.ncsc.mil Mon Mar 18 12:28:22 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A44E21F86B2 for ; Mon, 18 Mar 2013 12:28:22 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.599 X-Spam-Level: X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S3Rps4MLHWwR for ; Mon, 18 Mar 2013 12:28:14 -0700 (PDT) Received: from stingray.missi.ncsc.mil (stingray.missi.ncsc.mil [144.51.50.20]) by ietfa.amsl.com (Postfix) with ESMTP id DD9FD21F8F53 for ; Mon, 18 Mar 2013 12:28:12 -0700 (PDT) Received: from clavin.missi.ncsc.mil (odysseus.missi.ncsc.mil [144.51.60.172]) by stingray.missi.ncsc.mil with ESMTP id r2IJSCwQ056122 for ; Mon, 18 Mar 2013 15:28:12 -0400 (EDT) Received: from SQUID.missi.ncsc.mil ([fe80::e032:d4c7:c51f:85ec]) by odysseus.missi.ncsc.mil ([144.51.60.172]) with mapi id 14.01.0438.000; Mon, 18 Mar 2013 15:26:46 -0400 From: "Kemp, David P." To: "pkix@ietf.org" Thread-Topic: [pkix] timestamp signature validation Thread-Index: AQHOJADK2Uqkh7fU4Uy2g/gSujpD75ir04Sw Date: Mon, 18 Mar 2013 19:26:45 +0000 Message-ID: <5B1D7E570380A64989D4C069F7D14BC87C597B36@SQUID.missi.ncsc.mil> References: <20130318174927.401291A647@ld9781.wdf.sap.corp> In-Reply-To: <20130318174927.401291A647@ld9781.wdf.sap.corp> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [144.51.54.46] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Subject: Re: [pkix] timestamp signature validation X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Mar 2013 19:28:22 -0000 If you want to be less complex (restrict issuer names to directory name onl= y) it's easy to profile the ESS syntax to do so. If the ESS syntax said "Name", it would be impossible to use anything else = (such as rfc822Name) if issuer SANs later became fashionable. Usage should be determined by policy; syntax strives to be policy-neutral. -----Original Message----- From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Mar= tin Rex Sent: Monday, March 18, 2013 1:49 PM To: Erwann Abalea Cc: pkix@ietf.org Subject: Re: [pkix] timestamp signature validation Erwann Abalea wrote: > Martin Rex : > > > > http://tools.ietf.org/html/rfc2634#page-48 > > > > > > ESSCertID ::=3D SEQUENCE { > > certHash Hash, > > issuerSerial IssuerSerial OPTIONAL > > } > > > > Hash ::=3D OCTET STRING -- SHA1 hash of entire certificate > > > > IssuerSerial ::=3D SEQUENCE { > > issuer GeneralNames, > > serialNumber CertificateSerialNumber > > } > > > > When creating an ESSCertID, the certHash is computed over the entire > > DER encoded certificate including the signature. The issuerSerial > > would normally be present unless the value can be inferred from othe= r > > information. > > > > When encoding IssuerSerial, serialNumber is the serial number that > > uniquely identifies the certificate. For non-attribute certificates, > > the issuer MUST contain only the issuer name from the certificate > > encoded in the directoryName choice of GeneralNames. For attribute > > certificates, the issuer MUST contain the issuer name field from the > > attribute certificate. > > > > > I fall to understand why ESSCertID uses something so extremely=20 > > complicated as a "SEQUENCE of GeneralName", where everyone else has bee= n using "Name"? >=20 > True. But after all, when you encode the AuthorityKeyIdentifier=20 > extension, the authorityCertIssuer is also of GeneralNames type. Did you notice the MUST requirements in the second paragraph, that I quoted= from rfc2634 (setences 2+3)? rfc2634 does not allow anything else than the "issuer Name," from TBSCertificate to appear in issuerSerial of ESSCertID. -Martin _______________________________________________ pkix mailing list pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix From mrex@sap.com Mon Mar 18 22:20:15 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B2EB21F8915 for ; Mon, 18 Mar 2013 22:20:15 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.145 X-Spam-Level: X-Spam-Status: No, score=-10.145 tagged_above=-999 required=5 tests=[AWL=0.104, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FWbFu2gUdsNN for ; Mon, 18 Mar 2013 22:20:14 -0700 (PDT) Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 91CD621F8A4E for ; Mon, 18 Mar 2013 22:20:14 -0700 (PDT) Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id r2J5KCMn005287 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 19 Mar 2013 06:20:12 +0100 (MET) In-Reply-To: <5B1D7E570380A64989D4C069F7D14BC87C597B36@SQUID.missi.ncsc.mil> To: "Kemp, David P." Date: Tue, 19 Mar 2013 06:19:37 +0100 (CET) X-Mailer: ELM [version 2.4ME+ PL125 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="US-ASCII" Message-Id: <20130319051937.65B931A648@ld9781.wdf.sap.corp> From: mrex@sap.com (Martin Rex) X-SAP: out Cc: "pkix@ietf.org" Subject: Re: [pkix] timestamp signature validation X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: mrex@sap.com List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Mar 2013 05:20:15 -0000 Kemp, David P. wrote: > > If you want to be less complex (restrict issuer names to directory > name only) it's easy to profile the ESS syntax to do so. rfc2634 _already_ contains a MUST requirement that restricts the issuer name to directoryName only. > > If the ESS syntax said "Name", it would be impossible to use anything > else (such as rfc822Name) if issuer SANs later became fashionable. As far as rfc2634 is concerned, that is _de_facto_ impossible. It has to be expected that conforming implementations will properly enforce the rfc2634 "MUST contain only the issuer name from the certificate encoded in the directoryName choice" and reject ESSCertIDs that contains anything else than directroyName. > > Usage should be determined by policy; syntax strives to be policy-neutral. That is only possible when the semantics are well-defined from the beginning, i.e. what is allowed to be present, and what to do with it when an implementation does not recognize/support that data. For rfc2634 the situation is brief and clear: only directoryName is permitted, this is a MUST requirement, so any other content MUST result in the complete rejection of the ESSCertID. -Martin From prvs=0790d06f14=rybar@nbusr.sk Tue Mar 19 03:13:41 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BAF221F8837 for ; Tue, 19 Mar 2013 03:13:41 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 1.907 X-Spam-Level: * X-Spam-Status: No, score=1.907 tagged_above=-999 required=5 tests=[BAYES_50=0.001, HELO_EQ_SK=1.35, HOST_EQ_SK=0.555, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oi-3m+Y6utup for ; Tue, 19 Mar 2013 03:13:40 -0700 (PDT) Received: from mail.nbusr.sk (mail.nbusr.sk [84.245.65.227]) by ietfa.amsl.com (Postfix) with ESMTP id 944CC21F8825 for ; Tue, 19 Mar 2013 03:13:39 -0700 (PDT) Message-Id: <201303191013.r2JADbD1099451@mail.nbusr.sk> From: "Peter Rybar" To: pkix@ietf.org Date: Tue, 19 Mar 2013 11:13:36 +0100 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0003_01CE2492.CD3598B0" X-Mailer: Microsoft Office Outlook, Build 11.0.6353 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157 Thread-Index: Ac4kimrETw5nVtLwQ3O31l808b00DQ== X-NAI-Spam-Flag: NO X-NAI-Spam-Level: ** X-NAI-Spam-Threshold: 6 X-NAI-Spam-Score: 2.5 X-NAI-Spam-Version: 2.3.0.9362 : core <4522> : streams <923663> : uri <1371248> Cc: 'Peter Rybar' Subject: [pkix] Two results when explicit-policy-indicator is set X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Mar 2013 10:13:41 -0000 This is a multi-part message in MIME format. ------=_NextPart_000_0003_01CE2492.CD3598B0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Dear All, =20 I would like to ask you, where are defined in some sub-clauses of = Clause 6 "Certification Path Validation" of RFC 5280 the final steps of = certificate policy processing which are equivalent to steps defined in = the Clause 10.5.4 "Final processing" in "Certification path processing = procedure" of ITU-T Rec. X.509 (11/2008)? http://www.itu.int/rec/T-REC-X.509-200811-I/en =20 10.5.4 Final processing of ITU-T Rec. X.509 " a) Determine the authorities-constrained-policy-set from the = authorities-constrained-policy-set table. If the table is empty, then = the authorities-constrained-policy-set is the empty or null set. If the = authorities-constrained-policy-set[0, path-depth] is any-policy, then = the authorities-constrained-policy-set is any-policy. Otherwise, the = authorities-constrained-policy-set is, for each row in the table, the = value in the left-most cell which does not contain the identifier = any-policy. b) Calculate the user-constrained-policy-set by forming the intersection = of the authorities-constrained-policy-set and the initial-policy-set.=20 c) If the explicit-policy-indicator is set, check that neither the = authorities-constrained-policy-set nor the user-constrained-policy-set = is empty. " =20 According to ITU-T Rec. X.509 we have two results when = explicit-policy-indicator is set: authorities-constrained-policy-set user-constrained-policy-set =20 Are also defined such results in RFC 5280 and where? =20 Peter Rybar National Security Authority Information Security and Electronic Signature Department Budatinska 30, 850 07 Bratislava 57, Slovak Republic tel.: +421 2 6869 2163 mob.: +421 902 891 155 fax: +421 2 6869 1701 e-mail: peter.rybar@nbusr.sk e-mail: peterryb@gmail.com =20 ------=_NextPart_000_0003_01CE2492.CD3598B0 Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: quoted-printable

Dear All,

 

I would like to ask you, where are defined in = some sub-clauses of =C2=A0Clause 6 "Certification Path Validation" of RFC 5280 = the final steps of certificate policy processing which are equivalent to steps = defined in the Clause 10.5.4 "Final processing" in "Certification = path processing procedure" of ITU-T Rec. X.509 = (11/2008)?

http://www.itu.in= t/rec/T-REC-X.509-200811-I/en

 

10.5.4 Final processing of ITU-T Rec. = X.509

"

a) Determine the = authorities-constrained-policy-set from the authorities-constrained-policy-set table. If the table is = empty, then the authorities-constrained-policy-set is the empty or null set. If the authorities-constrained-policy-set[0, path-depth] is any-policy, then = the authorities-constrained-policy-set is any-policy. Otherwise, the authorities-constrained-policy-set is, for each row in the table, the = value in the left-most cell which does not contain the identifier = any-policy.

b) Calculate the user-constrained-policy-set = by forming the intersection of the authorities-constrained-policy-set and = the initial-policy-set.

c) If the explicit-policy-indicator is set, = check that neither the authorities-constrained-policy-set nor the = user-constrained-policy-set is empty.

"

 

According to ITU-T Rec. X.509 we have two = results when explicit-policy-indicator is set:

authorities-constrained-policy-set<= /span>

user-constrained-policy-set<= /font>

 

Are also defined such results in RFC 5280 and = where?

 

Peter = Rybar
National Security Authority
Information Security and Electronic Signature = Department

Budatinska 30, 850 07 Bratislava 57, Slovak = Republic
tel.: +421 2 6869 2163
mob.: +421 902 891 155
fax: +421 2 6869 1701
e-mail: peter.rybar@nbusr.sk
e-mail: peterryb@gmail.com

 

------=_NextPart_000_0003_01CE2492.CD3598B0-- From bilal.ashraf@ascertia.com Tue Mar 19 04:25:07 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F94721F8801 for ; Tue, 19 Mar 2013 04:25:07 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.598 X-Spam-Level: X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bx5PzDMbCD1e for ; Tue, 19 Mar 2013 04:25:06 -0700 (PDT) Received: from mail.ascertia.com (www.ascertia.com [94.136.44.32]) by ietfa.amsl.com (Postfix) with ESMTP id 9B0EA21F87DF for ; Tue, 19 Mar 2013 04:25:05 -0700 (PDT) Received: from [192.168.0.85] ([202.141.240.172]) by ascertia.com with MailEnable ESMTP; Tue, 19 Mar 2013 11:27:50 +0000 Message-ID: <51484ACD.4060306@ascertia.com> Date: Tue, 19 Mar 2013 16:23:57 +0500 From: Bilal Ashraf User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130307 Thunderbird/17.0.4 MIME-Version: 1.0 To: pkix@ietf.org References: <201303191013.r2JADbD1099451@mail.nbusr.sk> In-Reply-To: <201303191013.r2JADbD1099451@mail.nbusr.sk> Content-Type: multipart/alternative; boundary="------------090503000701030708050301" Subject: Re: [pkix] Two results when explicit-policy-indicator is set X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Mar 2013 11:25:07 -0000 This is a multi-part message in MIME format. --------------090503000701030708050301 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: quoted-printable Hi, In RFC 5280, section 6.1.5. Wrap-Up Procedure, before computation of=20 6.1.5 (g), the value of valid_policy_tree is basically the=20 authorities-constrained-policy-set. After intersection of=20 valid_policy_tree (i.e. authorities-constrained-policy-set) with the=20 user-initial-policy-set in 6.1.5 (g), the resultant value will be=20 user-constrained-policy-set. Hope this works. Regards, Bilal. On 3/19/2013 3:13 PM, Peter Rybar wrote: > > Dear All, > > I would like to ask you, where are defined in some sub-clauses of=20 > Clause 6 "Certification Path Validation" of RFC 5280 the final steps=20 > of certificate policy processing which are equivalent to steps defined = > in the Clause 10.5.4 "Final processing" in "Certification path=20 > processing procedure" of ITU-T Rec. X.509 (11/2008)? > > http://www.itu.int/rec/T-REC-X.509-200811-I/en > > 10.5.4 Final processing of ITU-T Rec. X.509 > > " > > a) Determine the authorities-constrained-policy-set from the=20 > authorities-constrained-policy-set table. If the table is empty, then=20 > the authorities-constrained-policy-set is the empty or null set. If=20 > the authorities-constrained-policy-set[0, path-depth] is any-policy,=20 > then the authorities-constrained-policy-set is any-policy. Otherwise,=20 > the authorities-constrained-policy-set is, for each row in the table,=20 > the value in the left-most cell which does not contain the identifier=20 > any-policy. > > b) Calculate the user-constrained-policy-set by forming the=20 > intersection of the authorities-constrained-policy-set and the=20 > initial-policy-set. > > c) If the explicit-policy-indicator is set, check that neither the=20 > authorities-constrained-policy-set nor the user-constrained-policy-set = > is empty. > > " > > According to ITU-T Rec. X.509 we have two results when=20 > explicit-policy-indicator is set: > > authorities-constrained-policy-set > > user-constrained-policy-set > > Are also defined such results in RFC 5280 and where? > > Peter Rybar > National Security Authority > Information Security and Electronic Signature Department > > Budatinska 30, 850 07 Bratislava 57, Slovak Republic > tel.: +421 2 6869 2163 > mob.: +421 902 891 155 > fax: +421 2 6869 1701 > e-mail: peter.rybar@nbusr.sk > e-mail: peterryb@gmail.com > > > > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix --------------090503000701030708050301 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit
Hi,

In RFC 5280, section 6.1.5. Wrap-Up Procedure, before computation of 6.1.5 (g), the value of valid_policy_tree is basically the authorities-constrained-policy-set. After intersection of valid_policy_tree (i.e. authorities-constrained-policy-set) with the user-initial-policy-set in 6.1.5 (g), the resultant value will be user-constrained-policy-set.

Hope this works.

Regards,
Bilal.

On 3/19/2013 3:13 PM, Peter Rybar wrote:

Dear All,

 

I would like to ask you, where are defined in some sub-clauses of  Clause 6 "Certification Path Validation" of RFC 5280 the final steps of certificate policy processing which are equivalent to steps defined in the Clause 10.5.4 "Final processing" in "Certification path processing procedure" of ITU-T Rec. X.509 (11/2008)?

http://www.itu.int/rec/T-REC-X.509-200811-I/en

 

10.5.4 Final processing of ITU-T Rec. X.509

"

a) Determine the authorities-constrained-policy-set from the authorities-constrained-policy-set table. If the table is empty, then the authorities-constrained-policy-set is the empty or null set. If the authorities-constrained-policy-set[0, path-depth] is any-policy, then the authorities-constrained-policy-set is any-policy. Otherwise, the authorities-constrained-policy-set is, for each row in the table, the value in the left-most cell which does not contain the identifier any-policy.

b) Calculate the user-constrained-policy-set by forming the intersection of the authorities-constrained-policy-set and the initial-policy-set.

c) If the explicit-policy-indicator is set, check that neither the authorities-constrained-policy-set nor the user-constrained-policy-set is empty.

"

 

According to ITU-T Rec. X.509 we have two results when explicit-policy-indicator is set:

authorities-constrained-policy-set

user-constrained-policy-set

 

Are also defined such results in RFC 5280 and where?

 

Peter Rybar
National Security Authority
Information Security and Electronic Signature Department

Budatinska 30, 850 07 Bratislava 57, Slovak Republic
tel.: +421 2 6869 2163
mob.: +421 902 891 155
fax: +421 2 6869 1701
e-mail: peter.rybar@nbusr.sk
e-mail: peterryb@gmail.com

 



_______________________________________________
pkix mailing list
pkix@ietf.org
https://www.ietf.org/mailman/listinfo/pkix

--------------090503000701030708050301-- From mrex@sap.com Fri Mar 22 23:52:10 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9193621F88F5; Fri, 22 Mar 2013 23:52:10 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.234 X-Spam-Level: X-Spam-Status: No, score=-10.234 tagged_above=-999 required=5 tests=[AWL=0.015, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id egrPzwHMy2YT; Fri, 22 Mar 2013 23:52:10 -0700 (PDT) Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id A6FB221F88F1; Fri, 22 Mar 2013 23:52:09 -0700 (PDT) Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id r2N6q8E1025684 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 23 Mar 2013 07:52:08 +0100 (MET) In-Reply-To: <20130313200838.8488.76211.idtracker@ietfa.amsl.com> To: ietf@ietf.org Date: Sat, 23 Mar 2013 07:52:08 +0100 (CET) X-Mailer: ELM [version 2.4ME+ PL125 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="US-ASCII" Message-Id: <20130323065208.090391A65A@ld9781.wdf.sap.corp> From: mrex@sap.com (Martin Rex) X-SAP: out Cc: pkix@ietf.org Subject: Re: [pkix] Last Call: (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: mrex@sap.com List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 23 Mar 2013 06:52:10 -0000 The IESG wrote: > > The IESG has received a request from the Public-Key Infrastructure > (X.509) WG (pkix) to consider the following document: > - 'X.509 Internet Public Key Infrastructure Online Certificate Status > Protocol - OCSP' > as Proposed Standard > > The IESG plans to make a decision in the next few weeks, and solicits > final comments on this action. Please send substantive comments to the > ietf@ietf.org mailing lists by 2013-03-27. I'm having an issue with a subtle, backwards-incompatible change of the semantics of the exception case with the error code "unauthorized", which tries to rewrite history 13 years into the without actually fitting the OCSP spec. It's about the second change from the introduction: o Section 2.3 extends the use of the "unauthorized" error response, as specified in [RFC5019]. While it is true that the error code abuse originally first appeared in rfc5019, the change was never declared as an update to rfc2560, nor filed as an errata to rfc2560. The original Exception cases in rfc2560 define the following semantics: http://tools.ietf.org/html/rfc2560#section-2.3 2.3 Exception Cases In case of errors, the OCSP Responder may return an error message. These messages are not signed. Errors can be of the following types: -- malformedRequest -- internalError -- tryLater -- sigRequired -- unauthorized [...] The response "sigRequired" is returned in cases where the server requires the client sign the request in order to construct a response. The response "unauthorized" is returned in cases where the client is not authorized to make this query to this server. The proposed "extended" semantics from the rfc2560bis draft: http://tools.ietf.org/html/draft-ietf-pkix-rfc2560bis-15#page-9 The response "unauthorized" is returned in cases where the client is not authorized to make this query to this server or the server is not capable of responding authoritatively (cf. [RFC5019], Section 2.2.3). The rfc5019 semantics "The server can not provide an authoritative response to this specific request" is incompatible with the semantics "you are not authorized to sumbit OCSP requests to this service". There is another serious conflict with the rfc5019 repurposed error code semantics and rfc2560. While rfc5019 is limited to a single status request, rfc2560 and rfc2560bis both allow a list of several Requests to be sent in a single OCSPRequest PDU. An OCSP response, however, is not allowed to contain responseBytes when an error code is returned inthe response status: http://tools.ietf.org/html/draft-ietf-pkix-rfc2560bis-15#section-4.2.1 4.2.1 ASN.1 Specification of the OCSP Response An OCSP response at a minimum consists of a responseStatus field indicating the processing status of the prior request. If the value of responseStatus is one of the error conditions, responseBytes are not set. OCSPResponse ::= SEQUENCE { responseStatus OCSPResponseStatus, responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } So it is impossible to convey "OCSP responder is not capable of responding authoritatively" for a subset of Requests in the requestList and regular status for the remaining Requests in the List by using a repurposed "unauthorized" error code. The current draft neither mention this contradiction, nor does it provide any guidance how an implementation should behave in this situation. I would appreciate if this problem of draft-*-rfc2560bis could be fixed prior to making it a successor for rfc2560. -Martin From stefan@aaa-sec.com Mon Mar 25 19:35:47 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36F9E21F8837 for ; Mon, 25 Mar 2013 19:35:47 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.249 X-Spam-Level: X-Spam-Status: No, score=-102.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YW80qjSZs8hU for ; Mon, 25 Mar 2013 19:35:47 -0700 (PDT) Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id B44B021F888E for ; Mon, 25 Mar 2013 19:35:46 -0700 (PDT) Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id 1B7EF1CE220F for ; Tue, 26 Mar 2013 03:35:45 +0100 (CET) X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id NC5Hjwok40Ie for ; Tue, 26 Mar 2013 03:35:44 +0100 (CET) Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 74F631CE2212 for ; Tue, 26 Mar 2013 03:35:44 +0100 (CET) Received: (qmail 20646 invoked from network); 26 Mar 2013 02:35:44 -0000 Received: from 81-232-51-61-no39.business.telia.com (HELO [192.168.0.104]) (stefan@fiddler.nu@[81.232.51.61]) (envelope-sender ) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 26 Mar 2013 02:35:44 -0000 User-Agent: Microsoft-MacOutlook/14.3.2.130206 Date: Tue, 26 Mar 2013 03:35:44 +0100 From: Stefan Santesson To: , Message-ID: Thread-Topic: [pkix] Last Call: (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard In-Reply-To: <20130323065208.090391A65A@ld9781.wdf.sap.corp> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Cc: pkix@ietf.org Subject: Re: [pkix] Last Call: (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Mar 2013 02:35:47 -0000 Martin, Whether we like it or not. This is the legacy. There is no way for a client to know whether the OCSP responder implements RFC 2560 only or in combination with RFC 5019. So therefore, the update that was introduced in 5019 must be expected by all clients from all responders. Therefore it is included in 2560bis. What in your mind, would be a better solution? /Stefan On 3/23/13 7:52 AM, "Martin Rex" wrote: >The IESG wrote: >> >> The IESG has received a request from the Public-Key Infrastructure >> (X.509) WG (pkix) to consider the following document: >> - 'X.509 Internet Public Key Infrastructure Online Certificate Status >> Protocol - OCSP' >> as Proposed Standard >> >> The IESG plans to make a decision in the next few weeks, and solicits >> final comments on this action. Please send substantive comments to the >> ietf@ietf.org mailing lists by 2013-03-27. > >I'm having an issue with a subtle, backwards-incompatible change >of the semantics of the exception case with the error code >"unauthorized", which tries to rewrite history 13 years into the >without actually fitting the OCSP spec. > >It's about the second change from the introduction: > > o Section 2.3 extends the use of the "unauthorized" error > response, as specified in [RFC5019]. > >While it is true that the error code abuse originally first appeared >in rfc5019, the change was never declared as an update to rfc2560, >nor filed as an errata to rfc2560. > >The original Exception cases in rfc2560 define the following semantics: > > http://tools.ietf.org/html/rfc2560#section-2.3 > > 2.3 Exception Cases > > In case of errors, the OCSP Responder may return an error message. > These messages are not signed. Errors can be of the following types: > > -- malformedRequest > -- internalError > -- tryLater > -- sigRequired > -- unauthorized > > [...] > > The response "sigRequired" is returned in cases where the server > requires the client sign the request in order to construct a > response. > > The response "unauthorized" is returned in cases where the client is > not authorized to make this query to this server. > > >The proposed "extended" semantics from the rfc2560bis draft: > > http://tools.ietf.org/html/draft-ietf-pkix-rfc2560bis-15#page-9 > > The response "unauthorized" is returned in cases where the client is > not authorized to make this query to this server or the server is not > capable of responding authoritatively (cf. [RFC5019], Section 2.2.3). > >The rfc5019 semantics "The server can not provide an authoritative >response >to this specific request" is incompatible with the semantics "you are not >authorized to sumbit OCSP requests to this service". > >There is another serious conflict with the rfc5019 repurposed error code >semantics and rfc2560. While rfc5019 is limited to a single status >request, >rfc2560 and rfc2560bis both allow a list of several Requests to >be sent in a single OCSPRequest PDU. An OCSP response, however, is >not allowed to contain responseBytes when an error code is returned >inthe response status: > > http://tools.ietf.org/html/draft-ietf-pkix-rfc2560bis-15#section-4.2.1 > > 4.2.1 ASN.1 Specification of the OCSP Response > > An OCSP response at a minimum consists of a responseStatus field > indicating the processing status of the prior request. If the value > of responseStatus is one of the error conditions, responseBytes are > not set. > > OCSPResponse ::= SEQUENCE { > responseStatus OCSPResponseStatus, > responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } > > >So it is impossible to convey "OCSP responder is not capable of >responding authoritatively" for a subset of Requests in the requestList >and regular status for the remaining Requests in the List by using >a repurposed "unauthorized" error code. > >The current draft neither mention this contradiction, nor does it >provide any guidance how an implementation should behave in this >situation. > > >I would appreciate if this problem of draft-*-rfc2560bis could be fixed >prior to making it a successor for rfc2560. > > >-Martin From mrex@sap.com Mon Mar 25 22:28:57 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A22FA21F8910; Mon, 25 Mar 2013 22:28:57 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.249 X-Spam-Level: X-Spam-Status: No, score=-10.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xh3xHpPUmKC5; Mon, 25 Mar 2013 22:28:57 -0700 (PDT) Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id A52C921F890D; Mon, 25 Mar 2013 22:28:56 -0700 (PDT) Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id r2Q5SrUb007801 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 26 Mar 2013 06:28:54 +0100 (MET) In-Reply-To: To: Stefan Santesson Date: Tue, 26 Mar 2013 06:28:53 +0100 (CET) X-Mailer: ELM [version 2.4ME+ PL125 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="US-ASCII" Message-Id: <20130326052853.CE89A1A663@ld9781.wdf.sap.corp> From: mrex@sap.com (Martin Rex) X-SAP: out Cc: pkix@ietf.org, ietf@ietf.org Subject: Re: [pkix] Last Call: (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: mrex@sap.com List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Mar 2013 05:28:57 -0000 Stefan Santesson wrote: > > Whether we like it or not. This is the legacy. > There is no way for a client to know whether the OCSP responder implements > RFC 2560 only or in combination with RFC 5019. > > So therefore, the update that was introduced in 5019 must be expected by > all clients from all responders. Therefore it is included in 2560bis. > > What in your mind, would be a better solution? Simply listing two mutually exclusive semantics for a single error code looks like a very bad idea. The correct solution would be to assign a new error code for the semantics desirec by rfc5019 and fix rfc5019 and its implementiations. And then mention the rfc5019 semantics for the error code "unauthorized" in rfc2560bis as defective and deprecated. rfc5019 is hardwired to SHA1 for the cert hashing algorithm, so it will need to get updated at some point already. The second issue is to explain that the errorcode response for "can not produce an authoritative response" is not applicable to OCSPRequests that contain more than one element in the requestList, because the OCSP client will not know to which elements in the request the error code response applies. Actually, it would be sensible to define two more new error codes, one that indicates that the OCSP server does not support multiple requestList entries, and one that indicates to the client that the server does not support one of the OCSP protocol extensions requested by the client (multiple requests is not a protocol extension). -Martin > On 3/23/13 7:52 AM, "Martin Rex" wrote: > > >The IESG wrote: > >> > >> The IESG has received a request from the Public-Key Infrastructure > >> (X.509) WG (pkix) to consider the following document: > >> - 'X.509 Internet Public Key Infrastructure Online Certificate Status > >> Protocol - OCSP' > >> as Proposed Standard > >> > >> The IESG plans to make a decision in the next few weeks, and solicits > >> final comments on this action. Please send substantive comments to the > >> ietf@ietf.org mailing lists by 2013-03-27. > > > >I'm having an issue with a subtle, backwards-incompatible change > >of the semantics of the exception case with the error code > >"unauthorized", which tries to rewrite history 13 years into the > >without actually fitting the OCSP spec. > > > >It's about the second change from the introduction: > > > > o Section 2.3 extends the use of the "unauthorized" error > > response, as specified in [RFC5019]. > > > >While it is true that the error code abuse originally first appeared > >in rfc5019, the change was never declared as an update to rfc2560, > >nor filed as an errata to rfc2560. > > > >The original Exception cases in rfc2560 define the following semantics: > > > > http://tools.ietf.org/html/rfc2560#section-2.3 > > > > 2.3 Exception Cases > > > > In case of errors, the OCSP Responder may return an error message. > > These messages are not signed. Errors can be of the following types: > > > > -- malformedRequest > > -- internalError > > -- tryLater > > -- sigRequired > > -- unauthorized > > > > [...] > > > > The response "sigRequired" is returned in cases where the server > > requires the client sign the request in order to construct a > > response. > > > > The response "unauthorized" is returned in cases where the client is > > not authorized to make this query to this server. > > > > > >The proposed "extended" semantics from the rfc2560bis draft: > > > > http://tools.ietf.org/html/draft-ietf-pkix-rfc2560bis-15#page-9 > > > > The response "unauthorized" is returned in cases where the client is > > not authorized to make this query to this server or the server is not > > capable of responding authoritatively (cf. [RFC5019], Section 2.2.3). > > > >The rfc5019 semantics "The server can not provide an authoritative > >response > >to this specific request" is incompatible with the semantics "you are not > >authorized to sumbit OCSP requests to this service". > > > >There is another serious conflict with the rfc5019 repurposed error code > >semantics and rfc2560. While rfc5019 is limited to a single status > >request, > >rfc2560 and rfc2560bis both allow a list of several Requests to > >be sent in a single OCSPRequest PDU. An OCSP response, however, is > >not allowed to contain responseBytes when an error code is returned > >inthe response status: > > > > http://tools.ietf.org/html/draft-ietf-pkix-rfc2560bis-15#section-4.2.1 > > > > 4.2.1 ASN.1 Specification of the OCSP Response > > > > An OCSP response at a minimum consists of a responseStatus field > > indicating the processing status of the prior request. If the value > > of responseStatus is one of the error conditions, responseBytes are > > not set. > > > > OCSPResponse ::= SEQUENCE { > > responseStatus OCSPResponseStatus, > > responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } > > > > > >So it is impossible to convey "OCSP responder is not capable of > >responding authoritatively" for a subset of Requests in the requestList > >and regular status for the remaining Requests in the List by using > >a repurposed "unauthorized" error code. > > > >The current draft neither mention this contradiction, nor does it > >provide any guidance how an implementation should behave in this > >situation. > > > > > >I would appreciate if this problem of draft-*-rfc2560bis could be fixed > >prior to making it a successor for rfc2560. > > > > > >-Martin > > From stefan@aaa-sec.com Tue Mar 26 01:57:16 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B3A521F894D for ; Tue, 26 Mar 2013 01:57:16 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.249 X-Spam-Level: X-Spam-Status: No, score=-102.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fPwivD3aPPDO for ; Tue, 26 Mar 2013 01:57:15 -0700 (PDT) Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id 5BF1021F8959 for ; Tue, 26 Mar 2013 01:57:14 -0700 (PDT) Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id A8ED41CF8F1A for ; Tue, 26 Mar 2013 09:57:12 +0100 (CET) X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id x6hTDH30Qkrm for ; Tue, 26 Mar 2013 09:57:09 +0100 (CET) Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id DC6C01CF93AA for ; Tue, 26 Mar 2013 09:47:26 +0100 (CET) Received: (qmail 42172 invoked from network); 26 Mar 2013 08:47:26 -0000 Received: from gw.aaa-sec.ideon.se (HELO [192.168.1.2]) (stefan@fiddler.nu@[85.235.7.89]) (envelope-sender ) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 26 Mar 2013 08:47:26 -0000 User-Agent: Microsoft-MacOutlook/14.3.2.130206 Date: Tue, 26 Mar 2013 09:47:27 +0100 From: Stefan Santesson To: Message-ID: Thread-Topic: [pkix] Last Call: (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard In-Reply-To: <20130326052853.CE89A1A663@ld9781.wdf.sap.corp> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Cc: pkix@ietf.org, ietf@ietf.org Subject: Re: [pkix] Last Call: (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Mar 2013 08:57:16 -0000 Unfortunately what you suggest would not be backwards compatible, and can't be done within the present effort. Responders using 5019 need to work in foreseeable time with legacy clients that knows nothing about the update you suggest. This group and the IETF made a decision when publishing 5019, that using "unauthorized" in the present manner was a reasonable tradeoff. I still think it is. Unless you can convince the community of your course of action, I don't see this happening. /Stefan On 3/26/13 6:28 AM, "Martin Rex" wrote: >Stefan Santesson wrote: >> >> Whether we like it or not. This is the legacy. >> There is no way for a client to know whether the OCSP responder >>implements >> RFC 2560 only or in combination with RFC 5019. >> >> So therefore, the update that was introduced in 5019 must be expected by >> all clients from all responders. Therefore it is included in 2560bis. >> >> What in your mind, would be a better solution? > >Simply listing two mutually exclusive semantics for a single error code >looks like a very bad idea. The correct solution would be to assign >a new error code for the semantics desirec by rfc5019 and fix rfc5019 >and its implementiations. And then mention the rfc5019 semantics for >the error code "unauthorized" in rfc2560bis as defective and deprecated. > >rfc5019 is hardwired to SHA1 for the cert hashing algorithm, so >it will need to get updated at some point already. > >The second issue is to explain that the errorcode response for "can not >produce an authoritative response" is not applicable to OCSPRequests >that contain more than one element in the requestList, because the >OCSP client will not know to which elements in the request the error >code response applies. > >Actually, it would be sensible to define two more new error codes, >one that indicates that the OCSP server does not support multiple >requestList entries, and one that indicates to the client that the >server does not support one of the OCSP protocol extensions requested >by the client (multiple requests is not a protocol extension). > > >-Martin > >> On 3/23/13 7:52 AM, "Martin Rex" wrote: >> >> >The IESG wrote: >> >> >> >> The IESG has received a request from the Public-Key Infrastructure >> >> (X.509) WG (pkix) to consider the following document: >> >> - 'X.509 Internet Public Key Infrastructure Online Certificate Status >> >> Protocol - OCSP' >> >> as Proposed Standard >> >> >> >> The IESG plans to make a decision in the next few weeks, and solicits >> >> final comments on this action. Please send substantive comments to >>the >> >> ietf@ietf.org mailing lists by 2013-03-27. >> > >> >I'm having an issue with a subtle, backwards-incompatible change >> >of the semantics of the exception case with the error code >> >"unauthorized", which tries to rewrite history 13 years into the >> >without actually fitting the OCSP spec. >> > >> >It's about the second change from the introduction: >> > >> > o Section 2.3 extends the use of the "unauthorized" error >> > response, as specified in [RFC5019]. >> > >> >While it is true that the error code abuse originally first appeared >> >in rfc5019, the change was never declared as an update to rfc2560, >> >nor filed as an errata to rfc2560. >> > >> >The original Exception cases in rfc2560 define the following semantics: >> > >> > http://tools.ietf.org/html/rfc2560#section-2.3 >> > >> > 2.3 Exception Cases >> > >> > In case of errors, the OCSP Responder may return an error message. >> > These messages are not signed. Errors can be of the following types: >> > >> > -- malformedRequest >> > -- internalError >> > -- tryLater >> > -- sigRequired >> > -- unauthorized >> > >> > [...] >> > >> > The response "sigRequired" is returned in cases where the server >> > requires the client sign the request in order to construct a >> > response. >> > >> > The response "unauthorized" is returned in cases where the client is >> > not authorized to make this query to this server. >> > >> > >> >The proposed "extended" semantics from the rfc2560bis draft: >> > >> > http://tools.ietf.org/html/draft-ietf-pkix-rfc2560bis-15#page-9 >> > >> > The response "unauthorized" is returned in cases where the client is >> > not authorized to make this query to this server or the server is >>not >> > capable of responding authoritatively (cf. [RFC5019], Section >>2.2.3). >> > >> >The rfc5019 semantics "The server can not provide an authoritative >> >response >> >to this specific request" is incompatible with the semantics "you are >>not >> >authorized to sumbit OCSP requests to this service". >> > >> >There is another serious conflict with the rfc5019 repurposed error >>code >> >semantics and rfc2560. While rfc5019 is limited to a single status >> >request, >> >rfc2560 and rfc2560bis both allow a list of several Requests to >> >be sent in a single OCSPRequest PDU. An OCSP response, however, is >> >not allowed to contain responseBytes when an error code is returned >> >inthe response status: >> > >> > >>http://tools.ietf.org/html/draft-ietf-pkix-rfc2560bis-15#section-4.2.1 >> > >> > 4.2.1 ASN.1 Specification of the OCSP Response >> > >> > An OCSP response at a minimum consists of a responseStatus field >> > indicating the processing status of the prior request. If the value >> > of responseStatus is one of the error conditions, responseBytes are >> > not set. >> > >> > OCSPResponse ::= SEQUENCE { >> > responseStatus OCSPResponseStatus, >> > responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } >> > >> > >> >So it is impossible to convey "OCSP responder is not capable of >> >responding authoritatively" for a subset of Requests in the requestList >> >and regular status for the remaining Requests in the List by using >> >a repurposed "unauthorized" error code. >> > >> >The current draft neither mention this contradiction, nor does it >> >provide any guidance how an implementation should behave in this >> >situation. >> > >> > >> >I would appreciate if this problem of draft-*-rfc2560bis could be fixed >> >prior to making it a successor for rfc2560. >> > >> > >> >-Martin >> >> From mrex@sap.com Tue Mar 26 04:13:20 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C741121F8A18; Tue, 26 Mar 2013 04:13:20 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.249 X-Spam-Level: X-Spam-Status: No, score=-10.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SRBMGr3gz+bD; Tue, 26 Mar 2013 04:13:20 -0700 (PDT) Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id ECE8921F88D6; Tue, 26 Mar 2013 04:13:19 -0700 (PDT) Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id r2QBDBZt021510 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 26 Mar 2013 12:13:11 +0100 (MET) In-Reply-To: To: Stefan Santesson Date: Tue, 26 Mar 2013 12:13:11 +0100 (CET) X-Mailer: ELM [version 2.4ME+ PL125 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="US-ASCII" Message-Id: <20130326111311.8BCE01A668@ld9781.wdf.sap.corp> From: mrex@sap.com (Martin Rex) X-SAP: out Cc: pkix@ietf.org, ietf@ietf.org Subject: Re: [pkix] Last Call: (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: mrex@sap.com List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Mar 2013 11:13:20 -0000 Stefan Santesson wrote: > Unfortunately what you suggest would not be backwards compatible, > and can't be done within the present effort. I'm sorry, I can not follow your arguments. Adding 3 more OCSPResponseStatus error codes { no_authoritative_data(7), single_requests_only(8), unsupported_extension(8) } with well-defined and conflict-free semantics to the existing enum would be perfectly backwards compatible. Whether and when implementations of rfc5019 or its successor can make use of additional error codes with well-defined semantics is a seperate issue. Sending multiple entries in a requestList is a perfectly valid client option in rfc2560. rfc5019 has a requirement for single entries. What response does rfc5019 define in case that it receives an OCSP request with multiple entries in requestList. Keep in mind that OCSP responders are typically located through Authority Identifier Access "id-ad-ocsp", and that cert extension is specified to provide for the conventions of rfc2560 -- *NOT* the subset of rfc5019: http://tools.ietf.org/html/rfc5280#page-51 The id-ad-ocsp OID is used when revocation information for the certificate containing this extension is available using the Online Certificate Status Protocol (OCSP) [RFC2560]. When id-ad-ocsp appears as accessMethod, the accessLocation field is the location of the OCSP responder, using the conventions defined in [RFC2560]. > > Responders using 5019 need to work in foreseeable time with legacy clients > that knows nothing about the update you suggest. > This group and the IETF made a decision when publishing 5019, that using > "unauthorized" in the present manner was a reasonable tradeoff. > > I still think it is. Could you point me to any kind of discussion of this "tradeoff"? I'm having difficulties finding that information. The first draft that became rfc5019 seems to have appeared here: http://www.ietf.org/mail-archive/web/pkix/current/msg17432.html and it already contained the abuse of the "unauthorized(7)" error code. I see a first complaint on the mailing list about the error code abuse here on 02-Nov-2004: http://www.ietf.org/mail-archive/web/pkix/current/msg17270.html but the reponse is -crickets-. In what way is the client going to treat "unauthorized(6)" special and different from other error codes, such as "internalError(2)" or "malformedRequest(3)", and where in rfc5019 is that special behaviour defined? -Martin From stefan@aaa-sec.com Tue Mar 26 04:41:02 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B2D221F8A8E for ; Tue, 26 Mar 2013 04:41:02 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.249 X-Spam-Level: X-Spam-Status: No, score=-102.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ArumLfDLK9DU for ; Tue, 26 Mar 2013 04:41:01 -0700 (PDT) Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id 8895621F8A7E for ; Tue, 26 Mar 2013 04:41:01 -0700 (PDT) Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id 00EBF1D2307D for ; Tue, 26 Mar 2013 12:41:00 +0100 (CET) X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id I4ZLcR22xxBh for ; Tue, 26 Mar 2013 12:40:59 +0100 (CET) Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 796481D23078 for ; Tue, 26 Mar 2013 12:40:59 +0100 (CET) Received: (qmail 28543 invoked from network); 26 Mar 2013 11:40:59 -0000 Received: from gw.aaa-sec.ideon.se (HELO [192.168.1.207]) (stefan@fiddler.nu@[85.235.7.89]) (envelope-sender ) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 26 Mar 2013 11:40:59 -0000 User-Agent: Microsoft-MacOutlook/14.3.2.130206 Date: Tue, 26 Mar 2013 12:41:04 +0100 From: Stefan Santesson To: Message-ID: Thread-Topic: [pkix] Last Call: (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard In-Reply-To: <20130326111311.8BCE01A668@ld9781.wdf.sap.corp> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Cc: pkix@ietf.org, ietf@ietf.org Subject: Re: [pkix] Last Call: (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Mar 2013 11:41:02 -0000 On 3/26/13 12:13 PM, "Martin Rex" wrote: >Adding 3 more OCSPResponseStatus error codes { no_authoritative_data(7), >single_requests_only(8), unsupported_extension(8) } with well-defined and >conflict-free semantics to the existing enum would be perfectly backwards >compatible. Of course it is backwards compatible with the standard, but not with the installed base. What would happen to the installed base of clients if OCSP responders would change from current "unauthorized" to one of your new error codes? /Stefan From mrex@sap.com Tue Mar 26 05:03:07 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 876F021F877B; Tue, 26 Mar 2013 05:03:07 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.249 X-Spam-Level: X-Spam-Status: No, score=-10.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QMOLXCMrBY2L; Tue, 26 Mar 2013 05:03:06 -0700 (PDT) Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 964DE21F8721; Tue, 26 Mar 2013 05:03:06 -0700 (PDT) Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id r2QC341L001761 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 26 Mar 2013 13:03:04 +0100 (MET) In-Reply-To: <20130326111311.8BCE01A668@ld9781.wdf.sap.corp> To: mrex@sap.com Date: Tue, 26 Mar 2013 13:03:04 +0100 (CET) X-Mailer: ELM [version 2.4ME+ PL125 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="US-ASCII" Message-Id: <20130326120304.4CD011A668@ld9781.wdf.sap.corp> From: mrex@sap.com (Martin Rex) X-SAP: out Cc: Stefan Santesson , ietf@ietf.org, pkix@ietf.org Subject: Re: [pkix] Last Call: (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: mrex@sap.com List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Mar 2013 12:03:07 -0000 Following up to myself: The real discussion seemed to have started in 2006... Some folks had a pretty reasonable opinion at some point of the discussion, e.g. Russ Houseley: http://www.ietf.org/mail-archive/web/pkix/current/msg03570.html and then there is lots of real dirty horse-trading in the PKIX discussion. Oh, here is a message from the Security AD back then (Sam Hartman), commenting on requirements for rfc2560bis (the I-D under last call right now!): http://www.ietf.org/mail-archive/web/pkix/current/msg03515.html What I don't understand: during the PKIX discussion there seemed to be some consensus that a prerequisite to abuse the "unauthorized(6)" would an update of rfc2560 would be required. But rfc5019 *NEVER* updated rfc2560!! But what puzzles me most is why is there a problem with defining new error codes in the first place? In order to NEVER EVER have such a problem again in any future IETF spec, there should be a requirement for error code partioning upfront into good, temporary and final, and there should be reserved error code points that clients will have to handle gracefully and well-behaved when they receive it. I find it most difficult to believe that there are OCSP clients out there that would crash and burn if they received an OCSPResponseStatus (7),(8) or (9), rather than an "unauthorized(6)", undefined or a different undefined return code for the underspecified error situations created by rfc5019 (and rfc2560, as Sam correctly points out). Should there be such broken clients, then you really do not want to use them in the first place, because *EVERYONE* can feed those OCSP clients arbitrary error codes in unsigned OCSPResponses. -Martin Martin Rex wrote: > Stefan Santesson wrote: > > Unfortunately what you suggest would not be backwards compatible, > > and can't be done within the present effort. > > I'm sorry, I can not follow your arguments. > > Adding 3 more OCSPResponseStatus error codes { no_authoritative_data(7), > single_requests_only(8), unsupported_extension(8) } with well-defined and > conflict-free semantics to the existing enum would be perfectly backwards > compatible. > > Whether and when implementations of rfc5019 or its successor can make > use of additional error codes with well-defined semantics is a seperate > issue. > > Sending multiple entries in a requestList is a perfectly valid client > option in rfc2560. rfc5019 has a requirement for single entries. > What response does rfc5019 define in case that it receives an OCSP request > with multiple entries in requestList. > > Keep in mind that OCSP responders are typically located through > Authority Identifier Access "id-ad-ocsp", and that cert extension is > specified to provide for the conventions of rfc2560 -- *NOT* the subset > of rfc5019: > > http://tools.ietf.org/html/rfc5280#page-51 > > The id-ad-ocsp OID is used when revocation information for the > certificate containing this extension is available using the Online > Certificate Status Protocol (OCSP) [RFC2560]. > > When id-ad-ocsp appears as accessMethod, the accessLocation field is > the location of the OCSP responder, using the conventions defined in > [RFC2560]. > > > > > > > Responders using 5019 need to work in foreseeable time with legacy clients > > that knows nothing about the update you suggest. > > This group and the IETF made a decision when publishing 5019, that using > > "unauthorized" in the present manner was a reasonable tradeoff. > > > > I still think it is. > > Could you point me to any kind of discussion of this "tradeoff"? > I'm having difficulties finding that information. > > The first draft that became rfc5019 seems to have appeared here: > > http://www.ietf.org/mail-archive/web/pkix/current/msg17432.html > > and it already contained the abuse of the "unauthorized(7)" error code. > > > I see a first complaint on the mailing list about the error code abuse here > on 02-Nov-2004: > > http://www.ietf.org/mail-archive/web/pkix/current/msg17270.html > > but the reponse is -crickets-. > > > In what way is the client going to treat "unauthorized(6)" special and > different from other error codes, such as "internalError(2)" or > "malformedRequest(3)", and where in rfc5019 is that special behaviour > defined? > > > -Martin From mrex@sap.com Tue Mar 26 05:10:21 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B54D21F859B; Tue, 26 Mar 2013 05:10:21 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.249 X-Spam-Level: X-Spam-Status: No, score=-10.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3PnICsugUZKa; Tue, 26 Mar 2013 05:10:20 -0700 (PDT) Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 7D86121F8595; Tue, 26 Mar 2013 05:10:20 -0700 (PDT) Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id r2QCACj7019523 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 26 Mar 2013 13:10:13 +0100 (MET) In-Reply-To: To: Stefan Santesson Date: Tue, 26 Mar 2013 13:09:50 +0100 (CET) X-Mailer: ELM [version 2.4ME+ PL125 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="US-ASCII" Message-Id: <20130326120950.0BF7F1A668@ld9781.wdf.sap.corp> From: mrex@sap.com (Martin Rex) X-SAP: out Cc: pkix@ietf.org, ietf@ietf.org Subject: Re: [pkix] Last Call: (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: mrex@sap.com List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Mar 2013 12:10:21 -0000 Stefan Santesson wrote: > On 3/26/13 12:13 PM, "Martin Rex" wrote: > > >Adding 3 more OCSPResponseStatus error codes { no_authoritative_data(7), > >single_requests_only(8), unsupported_extension(8) } with well-defined and > >conflict-free semantics to the existing enum would be perfectly backwards > >compatible. > > Of course it is backwards compatible with the standard, but not with the > installed base. > > What would happen to the installed base of clients if OCSP responders > would change from current "unauthorized" to one of your new error codes? As it was already mentinoned here: http://www.ietf.org/mail-archive/web/pkix/current/msg04489.html I would no longer get a popup from my OCSP client that tells my that I'm unauthorized to submit OCSPRequests to that server, and that the server has been moved to a blacklist, and that I will have to manually enable this server after obtaining proper authorization before my client will send any further requests that OCSP server. No longer being interactively bothered about this error seems like a very valuable improvement! -Martin From stefan@aaa-sec.com Tue Mar 26 05:25:49 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C4C121F8B0B for ; Tue, 26 Mar 2013 05:25:49 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.249 X-Spam-Level: X-Spam-Status: No, score=-102.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PRtZaShDzj5f for ; Tue, 26 Mar 2013 05:25:49 -0700 (PDT) Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id 0516621F8AF0 for ; Tue, 26 Mar 2013 05:25:48 -0700 (PDT) Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id 7B9AA1D24290 for ; Tue, 26 Mar 2013 13:25:47 +0100 (CET) X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id mXyZVGJv0Tk8 for ; Tue, 26 Mar 2013 13:25:44 +0100 (CET) Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id E9E901D24373 for ; Tue, 26 Mar 2013 13:25:08 +0100 (CET) Received: (qmail 80128 invoked from network); 26 Mar 2013 12:25:08 -0000 Received: from gw.aaa-sec.ideon.se (HELO [192.168.1.2]) (stefan@fiddler.nu@[85.235.7.89]) (envelope-sender ) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 26 Mar 2013 12:25:08 -0000 User-Agent: Microsoft-MacOutlook/14.3.2.130206 Date: Tue, 26 Mar 2013 13:25:05 +0100 From: Stefan Santesson To: Message-ID: Thread-Topic: [pkix] Last Call: (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard In-Reply-To: <20130326120950.0BF7F1A668@ld9781.wdf.sap.corp> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Cc: pkix@ietf.org, ietf@ietf.org Subject: Re: [pkix] Last Call: (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Mar 2013 12:25:49 -0000 What OCSP client are you using that behaves like this? On 3/26/13 1:09 PM, "Martin Rex" wrote: >I would no longer get a popup from my OCSP client that tells my >that I'm unauthorized to submit OCSPRequests to that server, and that >the server has been moved to a blacklist From mrex@sap.com Tue Mar 26 05:39:50 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3773F21F8AD4; Tue, 26 Mar 2013 05:39:50 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.249 X-Spam-Level: X-Spam-Status: No, score=-10.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8FI7Q6wgecnI; Tue, 26 Mar 2013 05:39:49 -0700 (PDT) Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 735D221F8ACE; Tue, 26 Mar 2013 05:39:49 -0700 (PDT) Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id r2QCdlum025043 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 26 Mar 2013 13:39:48 +0100 (MET) In-Reply-To: To: Stefan Santesson Date: Tue, 26 Mar 2013 13:39:47 +0100 (CET) X-Mailer: ELM [version 2.4ME+ PL125 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="US-ASCII" Message-Id: <20130326123947.1AC061A668@ld9781.wdf.sap.corp> From: mrex@sap.com (Martin Rex) X-SAP: out Cc: pkix@ietf.org, ietf@ietf.org Subject: Re: [pkix] Last Call: (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: mrex@sap.com List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Mar 2013 12:39:50 -0000 Stefan Santesson wrote: > What OCSP client are you using that behaves like this? > > On 3/26/13 1:09 PM, "Martin Rex" wrote: > > >I would no longer get a popup from my OCSP client that tells my > >that I'm unauthorized to submit OCSPRequests to that server, and that > >the server has been moved to a blacklist Every sensible implementation of rfc2560 that does not happen to be based on rfc5019. I knew about rfc2560 for several years, but I only learned about the existence of rfc5019 a few weeks ago -- because of the bogus change to the "unauthorized" semantics in the rfc2560bis I-D. -Martin From stefan@aaa-sec.com Tue Mar 26 05:54:48 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E95521F8B18 for ; Tue, 26 Mar 2013 05:54:48 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.249 X-Spam-Level: X-Spam-Status: No, score=-102.249 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, HELO_EQ_SE=0.35, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xtFc6irBo77e for ; Tue, 26 Mar 2013 05:54:47 -0700 (PDT) Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id 5E9C621F8B0C for ; Tue, 26 Mar 2013 05:54:47 -0700 (PDT) Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id E3F5B1D24DFB for ; Tue, 26 Mar 2013 13:54:45 +0100 (CET) X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id SW15gC6fH9sJ for ; Tue, 26 Mar 2013 13:54:45 +0100 (CET) Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 8D48D1D24DF4 for ; Tue, 26 Mar 2013 13:54:45 +0100 (CET) Received: (qmail 80786 invoked from network); 26 Mar 2013 12:54:44 -0000 Received: from gw.aaa-sec.ideon.se (HELO [192.168.1.2]) (stefan@fiddler.nu@[85.235.7.89]) (envelope-sender ) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 26 Mar 2013 12:54:44 -0000 User-Agent: Microsoft-MacOutlook/14.3.2.130206 Date: Tue, 26 Mar 2013 13:54:40 +0100 From: Stefan Santesson To: Message-ID: Thread-Topic: [pkix] Last Call: (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard In-Reply-To: <20130326123947.1AC061A668@ld9781.wdf.sap.corp> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Cc: pkix@ietf.org, ietf@ietf.org Subject: Re: [pkix] Last Call: (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Mar 2013 12:54:48 -0000 I take it that the answer to my question is none. Which is what I suspected. The semantics of "unauthorized" does not give you the basis for such functionality. And 5019 is very widely deployed. I'm going to sep down from this discussion and see how it goes. It is not me you have to convince. It's the community of implementers. /Stefan On 3/26/13 1:39 PM, "Martin Rex" wrote: >Stefan Santesson wrote: >> What OCSP client are you using that behaves like this? >> >> On 3/26/13 1:09 PM, "Martin Rex" wrote: >> >> >I would no longer get a popup from my OCSP client that tells my >> >that I'm unauthorized to submit OCSPRequests to that server, and that >> >the server has been moved to a blacklist > >Every sensible implementation of rfc2560 that does not happen to >be based on rfc5019. > >I knew about rfc2560 for several years, but I only learned about the >existence of rfc5019 a few weeks ago -- because of the bogus change >to the "unauthorized" semantics in the rfc2560bis I-D. > > >-Martin From mrex@sap.com Tue Mar 26 07:01:48 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5155C21F8BBB; Tue, 26 Mar 2013 07:01:48 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.249 X-Spam-Level: X-Spam-Status: No, score=-10.249 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rRVTudZSLfuM; Tue, 26 Mar 2013 07:01:47 -0700 (PDT) Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 69F2B21F8BBA; Tue, 26 Mar 2013 07:01:47 -0700 (PDT) Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id r2QE1eae014122 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 26 Mar 2013 15:01:40 +0100 (MET) In-Reply-To: To: Stefan Santesson Date: Tue, 26 Mar 2013 15:01:39 +0100 (CET) X-Mailer: ELM [version 2.4ME+ PL125 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="US-ASCII" Message-Id: <20130326140139.F21ED1A668@ld9781.wdf.sap.corp> From: mrex@sap.com (Martin Rex) X-SAP: out Cc: pkix@ietf.org, ietf@ietf.org Subject: Re: [pkix] Last Call: (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: mrex@sap.com List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Mar 2013 14:01:48 -0000 Stefan Santesson wrote: > I take it that the answer to my question is none. Why would an rfc5019 client have a problem with a (7) instead of (6) OCSPResponseStatus? And what about an error code for "only a single request" that rfc5019 fails to specify. > > Which is what I suspected. The semantics of "unauthorized" does not give > you the basis for such functionality. > And 5019 is very widely deployed. The way I read this message from the security AD back then: http://www.ietf.org/mail-archive/web/pkix/current/msg03515.html rfc5019 was only passed on the promise from PKIX that it would clean up rfc2560bis -- the I-D under last call here. So the IESG should return this I-D to PKIX and have them provide the updates that they agreed to do. -Martin From hartmans@mit.edu Tue Mar 26 07:07:49 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C02D621F853D; Tue, 26 Mar 2013 07:07:49 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.37 X-Spam-Level: X-Spam-Status: No, score=-102.37 tagged_above=-999 required=5 tests=[AWL=0.229, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5hrHFlreW6BG; Tue, 26 Mar 2013 07:07:49 -0700 (PDT) Received: from mail.painless-security.com (mail.painless-security.com [23.30.188.241]) by ietfa.amsl.com (Postfix) with ESMTP id 379B521F8533; Tue, 26 Mar 2013 07:07:48 -0700 (PDT) Received: from carter-zimmerman.suchdamage.org (c-98-216-0-82.hsd1.ma.comcast.net [98.216.0.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.painless-security.com (Postfix) with ESMTPS id F42312014B; Tue, 26 Mar 2013 10:06:54 -0400 (EDT) Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id B9B434497; Tue, 26 Mar 2013 10:07:45 -0400 (EDT) From: Sam Hartman To: ietf@ietf.org, pkix@ietf.org References: <20130326120304.4CD011A668@ld9781.wdf.sap.corp> Date: Tue, 26 Mar 2013 10:07:45 -0400 In-Reply-To: <20130326120304.4CD011A668@ld9781.wdf.sap.corp> (Martin Rex's message of "Tue, 26 Mar 2013 13:03:04 +0100 (CET)") Message-ID: User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Subject: Re: [pkix] Last Call: (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Mar 2013 14:07:49 -0000 >>>>> "Martin" == Martin Rex writes: Martin> Oh, here is a message from the Security AD back then (Sam Martin> Hartman), commenting on requirements for rfc2560bis (the I-D Martin> under last call right now!): Martin> http://www.ietf.org/mail-archive/web/pkix/current/msg03515.html To be clear, I didn't comment on which error codes were overloaded to do what. My point was simply that there needs to be a minimal set of client behavior that is guaranteed to work (if permitted by responder policy) with any responder. That's the level of interoperability we generally require from our specs. It sounds like Martin would like to be able to distinguish three client behaviors: 1) Use less of the spec and send me a simpler request 2) I can't help you with this particular request 3) Please go away and never come back That's a fine desire. In my opinion, it's also fine for us to decide for interoperability, simplicity or other reasons that we're combining all that into one error and clients don't get to make this distinction. From david.black@emc.com Mon Mar 25 17:26:50 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF14821F877A; Mon, 25 Mar 2013 17:26:50 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.599 X-Spam-Level: X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5hcJPQFrOspA; Mon, 25 Mar 2013 17:26:49 -0700 (PDT) Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id A9A6E21F8775; Mon, 25 Mar 2013 17:26:49 -0700 (PDT) Received: from hop04-l1d11-si01.isus.emc.com (HOP04-L1D11-SI01.isus.emc.com [10.254.111.54]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r2Q0QLCS014019 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 25 Mar 2013 20:26:22 -0400 Received: from mailhub.lss.emc.com (mailhubhoprd03.lss.emc.com [10.254.221.145]) by hop04-l1d11-si01.isus.emc.com (RSA Interceptor); Mon, 25 Mar 2013 20:26:01 -0400 Received: from mxhub19.corp.emc.com (mxhub19.corp.emc.com [10.254.93.48]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r2Q0PxP6025800; Mon, 25 Mar 2013 20:26:00 -0400 Received: from mxhub39.corp.emc.com (128.222.70.106) by mxhub19.corp.emc.com (10.254.93.48) with Microsoft SMTP Server (TLS) id 8.3.297.1; Mon, 25 Mar 2013 20:25:59 -0400 Received: from mx15a.corp.emc.com ([169.254.1.81]) by mxhub39.corp.emc.com ([128.222.70.106]) with mapi; Mon, 25 Mar 2013 20:25:59 -0400 From: "Black, David" To: "sts@aaa-sec.com" , "mmyers@fastq.com" , "ambarish@gmail.com" , "slava.galperin@gmail.com" , "cadams@eecs.uottawa.ca" , "gen-art@ietf.org" Date: Mon, 25 Mar 2013 20:25:57 -0400 Thread-Topic: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 Thread-Index: Ac4puHxAH7Fxh7AxT6S6tCMO9vgxrg== Message-ID: <8D3D17ACE214DC429325B2B98F3AE71293AEEDBC@MX15A.corp.emc.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-EMM-MHVC: 1 X-Mailman-Approved-At: Tue, 26 Mar 2013 07:24:33 -0700 Cc: "pkix@ietf.org" , "Black, David" , "ietf@ietf.org" Subject: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Mar 2013 00:26:50 -0000 Authors, I am the assigned Gen-ART reviewer for this draft. For background on Gen-AR= T, please see the FAQ at . Please resolve these comments along with any other Last Call comments you m= ay receive. Document: draft-ietf-pkix-rfc2560bis-15 Reviewer: David L. Black Review Date: March 25, 2013 IETF LC End Date: March 27, 2013 Summary: This draft is on the right track but has open issues, described in the revi= ew. This draft updates the OCSP protocol for obtaining certificate status with some minor extensions. Because this is a "bis" draft, I reviewed the diffs against RFC 2560. I did not check the ASN.1. I also did not see a writeup for this draft in the data tracker, and so will rely on the document shepherd to ensure that the ASN.1 has been checked when the writeup is prepared. I found five open issues, all of which are minor, plus one idnits item that is probably ok, but should be double-checked. Minor issues: [1] Section 2.2: NOTE: The "revoked" state for known non-issued certificate serial=09 numbers is allowed in order to reduce the risk of relying=09 parties using CRLs as a fall back mechanism, which would be=09 considerably higher if an "unknown" response was returned. Given this explanation, I'm surprised that the use of "revoked" instead of "unknown" for a known non-issued certificate is a "MAY" requirement and not a "SHOULD" requirement. Why is that the case? It appears that the reason is that the use of "revoked" in this situation may be dangerous when serial numbers can be predicted for certificates that will be issued in the future. If that's what's going on, this concern is already explained in the security considerations section, but it should also be mentioned here for completeness. [2] Section 4.2.2.2: The key that signs a certificate's status information need not be the same key that signed the certificate. It is necessary however to ensure that the entity signing this information is authorized to do so. Therefore, a certificate's issuer MAY either sign the OCSP responses itself or it MAY explicitly designate this authority to another entity. The two instances of "MAY" in the above text were both "MUST" in RFC 2560. The RFC 2560 text construction of "MUST" or "MUST" is a bit odd, but the tw= o "MAY"s in this draft are even worse, as they allow "MAY do something else entirely", despite being enclosed in an either-or construct. I strongly suspect that the latter was not intended, so the following would be clearer= : The key that signs a certificate's status information need not be the same key that signed the certificate. It is necessary however to ensure that the entity signing this information is authorized to do so. Therefore, a certificate's issuer MUST do one of the following: - sign the OCSP responses itself, or - explicitly designate this authority to another entity. [3] Section 4.3: Is the "SHOULD" requirement still appropriate for the DSA with SHA-1 combo (vs. a "MAY" requirement)? This requirement was a "MUST" in RFC 2560, but I wonder about actual usage of DSA in practice. [4] Section 5, last paragraph: Responding a "revoked" state to certificate that has never been=09 issued may enable someone to obtain a revocation response for a=09 certificate that is not yet issued, but soon will be issued, if the=09 CA issues certificates using sequential certificate serial number=09 assignment. The above text after starting with the "if" is too narrow - it should say: if the certificate serial number of the certificate that will be issued can be predicted or guessed by the requester. Such prediction is easy for a CA that issues certificates using sequential certificate serial number assignment. There's also a nit in original text - its first line should be: Responding with a "revoked" state for a certificate that has never been=09 [5] Section 5.1.1: In archival applications it is quite possible that an OCSP responder=09 might be asked to report the validity of a certificate on a date in=09 the distant past. Such a certificate might employ a signing method=09 that is no longer considered acceptably secure. In such=09 circumstances the responder MUST NOT generate a signature using a=09 signing mechanism that is not considered acceptably secure. This could use an additional warning that certificate archival should not rely solely on signatures in archived certificates for ensuring the validity and integrity of the archived certificates because the signature algorithm(s) may transition to no longer being considered acceptably secure at some point after the certificates are archived. Nits: idnits 2.12.15 said: -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If yo= u have contacted all the original authors and they are all willing to gr= ant the BCP78 rights to the IETF Trust, then this is fine, and you can ign= ore this comment. If not, you may need to add the pre-RFC5378 disclaimer.= =20 (See the Legal Provisions document at http://trustee.ietf.org/license-info for more information.) This looks like it's ok because all the authors of RFC 2560 are also author= s of this draft, but it should be double-checked. Thanks, --David ---------------------------------------------------- David L. Black, Distinguished Engineer EMC Corporation, 176 South St., Hopkinton, MA=A0 01748 +1 (508) 293-7953=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 FAX: +1 (508) 293-778= 6 david.black@emc.com=A0=A0=A0=A0=A0=A0=A0 Mobile: +1 (978) 394-7754 ---------------------------------------------------- From stefan@aaa-sec.com Mon Mar 25 19:21:07 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9E9121F88B9 for ; Mon, 25 Mar 2013 19:21:07 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.249 X-Spam-Level: X-Spam-Status: No, score=-102.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id obMusobzcq6u for ; Mon, 25 Mar 2013 19:21:07 -0700 (PDT) Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id B4D1621F889D for ; Mon, 25 Mar 2013 19:21:05 -0700 (PDT) Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id 749141CE1F33 for ; Tue, 26 Mar 2013 03:21:03 +0100 (CET) X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id aaNchGw3io4k for ; Tue, 26 Mar 2013 03:21:02 +0100 (CET) Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id B58E21CE1F37 for ; Tue, 26 Mar 2013 03:21:02 +0100 (CET) Received: (qmail 93270 invoked from network); 26 Mar 2013 02:21:02 -0000 Received: from 81-232-51-61-no39.business.telia.com (HELO [192.168.0.104]) (stefan@fiddler.nu@[81.232.51.61]) (envelope-sender ) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 26 Mar 2013 02:21:02 -0000 User-Agent: Microsoft-MacOutlook/14.3.2.130206 Date: Tue, 26 Mar 2013 03:21:02 +0100 From: Stefan Santesson To: "Black, David" , "sts@aaa-sec.com" , "mmyers@fastq.com" , "ambarish@gmail.com" , "slava.galperin@gmail.com" , "cadams@eecs.uottawa.ca" , "gen-art@ietf.org" Message-ID: Thread-Topic: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 In-Reply-To: <8D3D17ACE214DC429325B2B98F3AE71293AEEDBC@MX15A.corp.emc.com> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit X-Mailman-Approved-At: Tue, 26 Mar 2013 07:24:33 -0700 Cc: "pkix@ietf.org" , "ietf@ietf.org" Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Mar 2013 02:21:07 -0000 Hi David, Thanks for the review. My reply in line. On 3/26/13 1:25 AM, "Black, David" wrote: >Authors, > >I am the assigned Gen-ART reviewer for this draft. For background on >Gen-ART, please >see the FAQ at . > >Please resolve these comments along with any other Last Call comments you >may receive. > >Document: draft-ietf-pkix-rfc2560bis-15 >Reviewer: David L. Black >Review Date: March 25, 2013 >IETF LC End Date: March 27, 2013 > >Summary: >This draft is on the right track but has open issues, described in the >review. > >This draft updates the OCSP protocol for obtaining certificate status >with some minor extensions. > >Because this is a "bis" draft, I reviewed the diffs against RFC 2560. > >I did not check the ASN.1. I also did not see a writeup for this draft >in the data tracker, and so will rely on the document shepherd to >ensure that the ASN.1 has been checked when the writeup is prepared. > >I found five open issues, all of which are minor, plus one idnits item >that is probably ok, but should be double-checked. > >Minor issues: > >[1] Section 2.2: > > NOTE: The "revoked" state for known non-issued certificate serial > numbers is allowed in order to reduce the risk of relying > parties using CRLs as a fall back mechanism, which would be > considerably higher if an "unknown" response was returned. > >Given this explanation, I'm surprised that the use of "revoked" instead of >"unknown" for a known non-issued certificate is a "MAY" requirement and >not a "SHOULD" requirement. Why is that the case? > >It appears that the reason is that the use of "revoked" in this situation >may be dangerous when serial numbers can be predicted for certificates >that >will be issued in the future. If that's what's going on, this concern is >already explained in the security considerations section, but it should >also be mentioned here for completeness. No, this is not the main reason. The main reason is the one stated as a Note: in this section: NOTE: The "revoked" state for known non-issued certificate serial numbers is allowed in order to reduce the risk of relying parties using CRLs as a fall back mechanism, which would be considerably higher if an "unknown" response was returned. > >[2] Section 4.2.2.2: > > The key that signs a certificate's status information need not be the > same key that signed the certificate. It is necessary however to > ensure that the entity signing this information is authorized to do > so. Therefore, a certificate's issuer MAY either sign the OCSP > responses itself or it MAY explicitly designate this authority to > another entity. > >The two instances of "MAY" in the above text were both "MUST" in RFC 2560. > >The RFC 2560 text construction of "MUST" or "MUST" is a bit odd, but the >two >"MAY"s in this draft are even worse, as they allow "MAY do something else >entirely", despite being enclosed in an either-or construct. I strongly >suspect that the latter was not intended, so the following would be >clearer: > > The key that signs a certificate's status information need not be the > same key that signed the certificate. It is necessary however to > ensure that the entity signing this information is authorized to do > so. Therefore, a certificate's issuer MUST do one of the following: > - sign the OCSP responses itself, or > - explicitly designate this authority to another entity. I Agree. I will adopt your text. > >[3] Section 4.3: > >Is the "SHOULD" requirement still appropriate for the DSA with SHA-1 combo >(vs. a "MAY" requirement)? This requirement was a "MUST" in RFC 2560, but >I wonder about actual usage of DSA in practice. The change in algorithm requirements was provided by RFC 6277, and further refined in this draft in accordance with requests from Sean Turner. > >[4] Section 5, last paragraph: > > Responding a "revoked" state to certificate that has never been > issued may enable someone to obtain a revocation response for a > certificate that is not yet issued, but soon will be issued, if the > CA issues certificates using sequential certificate serial number > assignment. > >The above text after starting with the "if" is too narrow - it should say: > > if the certificate serial number of the certificate that > will be issued can be predicted or guessed by the requester. > Such prediction is easy for a CA that issues certificates > using sequential certificate serial number assignment. > >There's also a nit in original text - its first line should be: > > Responding with a "revoked" state for a certificate that has never been Good suggestions. I will update accordingly. > >[5] Section 5.1.1: > > In archival applications it is quite possible that an OCSP responder > might be asked to report the validity of a certificate on a date in > the distant past. Such a certificate might employ a signing method > that is no longer considered acceptably secure. In such > circumstances the responder MUST NOT generate a signature using a > signing mechanism that is not considered acceptably secure. > >This could use an additional warning that certificate archival should >not rely solely on signatures in archived certificates for ensuring the >validity and integrity of the archived certificates because the signature >algorithm(s) may transition to no longer being considered acceptably >secure at some point after the certificates are archived. This note if I remember correctly is imported from RFC 6277, which is incorporated into this document. The reason behind the text is only to avoid usages of insecure algorithms. Historical validation is a real can of worms that I really would like to keep a tight lid on. I really want to avoid doing recommendations in this space as it may trigger a whole flood of things that could be equally important to say about this subject. > >Nits: > >idnits 2.12.15 said: > > -- The document seems to lack a disclaimer for pre-RFC5378 work, but may > have content which was first submitted before 10 November 2008. If >you > have contacted all the original authors and they are all willing to >grant > the BCP78 rights to the IETF Trust, then this is fine, and you can >ignore > this comment. If not, you may need to add the pre-RFC5378 >disclaimer. > (See the Legal Provisions document at > http://trustee.ietf.org/license-info for more information.) > >This looks like it's ok because all the authors of RFC 2560 are also >authors of >this draft, but it should be double-checked. I defer this one to Sean. I think he has this one under control. Thanks again for the review. /Stefan > >Thanks, >--David >---------------------------------------------------- >David L. Black, Distinguished Engineer >EMC Corporation, 176 South St., Hopkinton, MA 01748 >+1 (508) 293-7953 FAX: +1 (508) 293-7786 >david.black@emc.com Mobile: +1 (978) 394-7754 >---------------------------------------------------- > > From mrex@sap.com Tue Mar 26 07:30:26 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2855021F8BCF; Tue, 26 Mar 2013 07:30:26 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.249 X-Spam-Level: X-Spam-Status: No, score=-10.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BhsaENhuVUtj; Tue, 26 Mar 2013 07:30:22 -0700 (PDT) Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 6DC1921F8A08; Tue, 26 Mar 2013 07:30:22 -0700 (PDT) Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id r2QEUG7s010474 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 26 Mar 2013 15:30:16 +0100 (MET) In-Reply-To: To: Sam Hartman Date: Tue, 26 Mar 2013 15:30:05 +0100 (CET) X-Mailer: ELM [version 2.4ME+ PL125 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="US-ASCII" Message-Id: <20130326143005.60EA71A668@ld9781.wdf.sap.corp> From: mrex@sap.com (Martin Rex) X-SAP: out Cc: pkix@ietf.org, ietf@ietf.org Subject: Re: [pkix] Last Call: (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: mrex@sap.com List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Mar 2013 14:30:26 -0000 Sam Hartman wrote: > Martin Rex writes: > Martin> http://www.ietf.org/mail-archive/web/pkix/current/msg03515.html > > To be clear, I didn't comment on which error codes were overloaded to do > what. My point was simply that there needs to be a minimal set of > client behavior that is guaranteed to work (if permitted by responder > policy) with any responder. That's the level of interoperability we > generally require from our specs. > > It sounds like Martin would like to be able to distinguish three client > behaviors: > > 1) Use less of the spec and send me a simpler request > > 2) I can't help you with this particular request > > 3) Please go away and never come back > > That's a fine desire. In my opinion, it's also fine for us to decide > for interoperability, simplicity or other reasons that we're combining > all that into one error and clients don't get to make this distinction. When the rfc2560 semantics of "unauthorized(6)" and the rfc5019 semantics of "unauthorized(6)" are merged into one, then this error code ought to be renamed to "whatever(6)", because it will be impossible for a client to know what a server really meant! Whether an OCSP responder is rfc2560 compliant or whether it adheres to rfc5019 subset can neither be determined from the id-ad-ocsp AIA information of an X.509v3 certificate nor from an OCSPResponse that conveys a responseStatus (6). Why don't we add sensible, well-defined OCSPResponseStatus error code now during rfc2560bis, and see how and when we can make appropriate use of those in clients. -Martin From SChokhani@cygnacom.com Tue Mar 26 14:46:38 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9488E21F8CB1 for ; Tue, 26 Mar 2013 14:46:38 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.598 X-Spam-Level: X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uvXu54elGiJL for ; Tue, 26 Mar 2013 14:46:37 -0700 (PDT) Received: from ipedge2.cygnacom.com (ipedge2.cygnacom.com [216.191.252.27]) by ietfa.amsl.com (Postfix) with ESMTP id 8736F21F8717 for ; Tue, 26 Mar 2013 14:46:37 -0700 (PDT) X-IronPort-AV: E=Sophos;i="4.84,913,1355115600"; d="scan'208,217";a="5194255" Received: from unknown (HELO scygexch7.cygnacom.com) ([10.4.60.22]) by ipedge2.cygnacom.com with ESMTP; 26 Mar 2013 17:46:36 -0400 Received: from scygexch7.cygnacom.com ([::1]) by scygexch7.cygnacom.com ([::1]) with mapi; Tue, 26 Mar 2013 17:46:36 -0400 From: Santosh Chokhani To: 'pkix' Date: Tue, 26 Mar 2013 17:46:35 -0400 Thread-Topic: URI Name Constraint and URN Thread-Index: Ac4qa2My9dgaluVHQ+eSP3hIs2otNg== Message-ID: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: multipart/alternative; boundary="_000_B83745DA469B7847811819C5005244AFF3DC9BFCscygexch7cygnac_" MIME-Version: 1.0 Subject: [pkix] URI Name Constraint and URN X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Mar 2013 21:46:38 -0000 --_000_B83745DA469B7847811819C5005244AFF3DC9BFCscygexch7cygnac_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable I have been wrestling with what one should with a certificate if the SAN in= the certificate contains URN and when you get to the certificate, the name= constraint state variable indicates permitted and/or excluded values for t= he URI name form. I think name constraint is not applicable to URN since it does not have an = "authority" and thus "host" component by definition. Thus, regardless of t= he name constraint state variable, presence of URN should not cause name co= nstraint violation. But, when I read 5280, I find the text implying otherwise or ambiguous. Santosh Chokhani CygnaCom Solutions, Inc. --_000_B83745DA469B7847811819C5005244AFF3DC9BFCscygexch7cygnac_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

I have been wres= tling with what one should with a certificate if the SAN in the certificate= contains URN and when you get to the certificate, the name constraint stat= e variable indicates permitted and/or excluded values for the URI name form= .

 

I think name constraint is not applicable to URN since it does not have= an “authority” and thus “host” component by defini= tion.  Thus, regardless of the name constraint state variable, presenc= e of URN should not cause name constraint violation.

 

But, when I read 528= 0, I find the text implying otherwise or ambiguous.

 

 

Santosh Chokhani

C= ygnaCom Solutions, Inc.

 

= --_000_B83745DA469B7847811819C5005244AFF3DC9BFCscygexch7cygnac_-- From david.cooper@nist.gov Tue Mar 26 15:04:04 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4374E21F89E9 for ; Tue, 26 Mar 2013 15:04:04 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.141 X-Spam-Level: X-Spam-Status: No, score=-5.141 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o5TlyUaQs4CO for ; Tue, 26 Mar 2013 15:04:03 -0700 (PDT) Received: from wsget2.nist.gov (wsget2.nist.gov [129.6.13.151]) by ietfa.amsl.com (Postfix) with ESMTP id ED2C521F888C for ; Tue, 26 Mar 2013 15:04:02 -0700 (PDT) Received: from WSXGHUB1.xchange.nist.gov (129.6.18.96) by wsget2.nist.gov (129.6.13.151) with Microsoft SMTP Server (TLS) id 14.3.123.3; Tue, 26 Mar 2013 18:03:42 -0400 Received: from smtp.nist.gov (129.6.16.226) by WSXGHUB1.xchange.nist.gov (129.6.18.96) with Microsoft SMTP Server id 8.3.298.1; Tue, 26 Mar 2013 18:03:58 -0400 Received: from st26.ncsl.nist.gov (st26.ncsl.nist.gov [129.6.54.72]) by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id r2QM3wbP014388; Tue, 26 Mar 2013 18:03:58 -0400 Message-ID: <51521B4E.8020101@nist.gov> Date: Tue, 26 Mar 2013 18:03:58 -0400 From: "David A. Cooper" User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130308 Thunderbird/17.0.4 MIME-Version: 1.0 To: Santosh Chokhani References: In-Reply-To: Content-Type: text/html; charset="windows-1252" Content-Transfer-Encoding: 8bit Cc: 'pkix' Subject: Re: [pkix] URI Name Constraint and URN X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Mar 2013 22:04:04 -0000
Santosh,

Here is what RFC 5280 says:
For URIs, the constraint applies to the host part of the name.  The constraint MUST be specified as a fully qualified domain name and MAY specify a host or a domain.  Examples would be "host.example.com" and ".example.com".  When the constraint begins with a period, it MAY be expanded with one or more labels.  That is, the constraint ".example.com" is satisfied by both host.example.com and my.host.example.com.  However, the constraint ".example.com" is not satisfied by "example.com".  When the constraint does not begin with a period, it specifies a host.  If a constraint is applied to the uniformResourceIdentifier name form and a subsequent certificate includes a subjectAltName extension with a uniformResourceIdentifier that does not include an authority component with a host name specified as a fully qualified domain name (e.g., if the URI either does not include an authority component or includes an authority component in which the host name is specified as an IP address), then the application MUST reject the certificate.

This seems to quite unambiguously say that the application MUST reject the certificate.

On 03/26/2013 05:46 PM, Santosh Chokhani wrote:

I have been wrestling with what one should with a certificate if the SAN in the certificate contains URN and when you get to the certificate, the name constraint state variable indicates permitted and/or excluded values for the URI name form.

 

I think name constraint is not applicable to URN since it does not have an “authority” and thus “host” component by definition.  Thus, regardless of the name constraint state variable, presence of URN should not cause name constraint violation.

 

But, when I read 5280, I find the text implying otherwise or ambiguous.

 

 

Santosh Chokhani

CygnaCom Solutions, Inc.

 


From piyush@ditenity.com Tue Mar 26 15:07:04 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38EDF21F8A22 for ; Tue, 26 Mar 2013 15:07:04 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.598 X-Spam-Level: X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xl1Qfvvlqqvy for ; Tue, 26 Mar 2013 15:07:03 -0700 (PDT) Received: from mail-oa0-f46.google.com (mail-oa0-f46.google.com [209.85.219.46]) by ietfa.amsl.com (Postfix) with ESMTP id 2488E21F8A4A for ; Tue, 26 Mar 2013 15:07:02 -0700 (PDT) Received: by mail-oa0-f46.google.com with SMTP id k1so8167952oag.5 for ; Tue, 26 Mar 2013 15:07:01 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:from:to:references:in-reply-to:subject:date:message-id :mime-version:content-type:x-mailer:thread-index:content-language :x-gm-message-state; bh=K0Iu2chRtOZtokF4QsN7k2C44XRGYGEpjVdbjZtc2LI=; b=Cc7lv5f3ZP7HhAyJQhlSyPidC07fzlPNxkW9TYP7DNsOLfv68B/ctrIQYz/5wHmhjP G0lt7nYlAkMLw/P3QP0XX3aVpt0+k8vuDsaqs5QtOlyN1kinyhTMwohsm56HrNosNY1B MmjpfE/prhQvbmiO33k5DKdAljoKVTXYHzAixaN7i+stZrOxiw2TIT2NU+EfvGL+cEzB ryaqtD42bMLf0u7WBwynD4ZXe+rmttM+IsifEaPBVPMsA15yhAeUWqyzd7KaKn8pq8kJ WNekhAcI+EGdb4c6noj77kUZQf4yosHNQ68ba/dMKn7ufMR2jBlRUtnZp5eCqCU/CYjO nnYA== X-Received: by 10.60.5.165 with SMTP id t5mr14696255oet.117.1364335621676; Tue, 26 Mar 2013 15:07:01 -0700 (PDT) Received: from hp13 (75-25-128-241.lightspeed.sjcpca.sbcglobal.net. [75.25.128.241]) by mx.google.com with ESMTPS id m7sm19037876obk.2.2013.03.26.15.07.00 (version=TLSv1 cipher=RC4-SHA bits=128/128); Tue, 26 Mar 2013 15:07:01 -0700 (PDT) From: "Piyush Jain" To: "'Santosh Chokhani'" , "'pkix'" References: In-Reply-To: Date: Tue, 26 Mar 2013 15:06:58 -0700 Message-ID: <032501ce2a6e$3da892b0$b8f9b810$@ditenity.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0326_01CE2A33.914E4E90" X-Mailer: Microsoft Outlook 14.0 Thread-Index: AQFBcdZFHbegNGK8fT2XQw9Yvo9tTpnR9neg Content-Language: en-us X-Gm-Message-State: ALoCoQmAIuvyuvwR+z3FDSjqK6BsAX22ldnCEh4rkM9zHTCBNpbJoCt+xaE6ZrQqOoZQy9e0eBIV Subject: Re: [pkix] URI Name Constraint and URN X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Mar 2013 22:07:04 -0000 This is a multipart message in MIME format. ------=_NextPart_000_0326_01CE2A33.914E4E90 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit >From 5280 (e.g., if the URI either does not include an authority component or includes an authority component in which the host name is specified as an IP address), then the application MUST reject the certificate. It clearly says that if authority component is missing, certificate must be rejected. From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Santosh Chokhani Sent: Tuesday, March 26, 2013 2:47 PM To: 'pkix' Subject: [pkix] URI Name Constraint and URN I have been wrestling with what one should with a certificate if the SAN in the certificate contains URN and when you get to the certificate, the name constraint state variable indicates permitted and/or excluded values for the URI name form. I think name constraint is not applicable to URN since it does not have an "authority" and thus "host" component by definition. Thus, regardless of the name constraint state variable, presence of URN should not cause name constraint violation. But, when I read 5280, I find the text implying otherwise or ambiguous. Santosh Chokhani CygnaCom Solutions, Inc. ------=_NextPart_000_0326_01CE2A33.914E4E90 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

From 5280

(e.g., if the URI either

   does not include an authority component = or includes an authority

   component in which the host name is = specified as an IP address), then

   the application MUST reject the = certificate.

 

It clearly says that if = authority component is missing, certificate must be = rejected.

 

From:= = pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of = Santosh Chokhani
Sent: Tuesday, March 26, 2013 2:47 = PM
To: 'pkix'
Subject: [pkix] URI Name Constraint = and URN

 

I have been = wrestling with what one should with a certificate if the SAN in the = certificate contains URN and when you get to the certificate, the name = constraint state variable indicates permitted and/or excluded values for = the URI name form.

 

I think name = constraint is not applicable to URN since it does not have an = “authority” and thus “host” component by = definition.  Thus, regardless of the name constraint state = variable, presence of URN should not cause name constraint = violation.

 

But, when I read 5280, I find the text implying = otherwise or ambiguous.

 

 

Santosh = Chokhani

CygnaCom Solutions, = Inc.

 

------=_NextPart_000_0326_01CE2A33.914E4E90-- From turners@ieca.com Tue Mar 26 15:04:51 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4753521F8A3F for ; Tue, 26 Mar 2013 15:04:51 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.289 X-Spam-Level: X-Spam-Status: No, score=-102.289 tagged_above=-999 required=5 tests=[AWL=-0.024, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FBY1Njkvbva5 for ; Tue, 26 Mar 2013 15:04:50 -0700 (PDT) Received: from gateway12.websitewelcome.com (gateway12.websitewelcome.com [67.18.55.9]) by ietfa.amsl.com (Postfix) with ESMTP id B167C21F8A38 for ; Tue, 26 Mar 2013 15:04:50 -0700 (PDT) Received: by gateway12.websitewelcome.com (Postfix, from userid 5007) id 6B8128F007031; Tue, 26 Mar 2013 17:04:50 -0500 (CDT) Received: from gator1743.hostgator.com (gator1743.hostgator.com [184.173.253.227]) by gateway12.websitewelcome.com (Postfix) with ESMTP id 5D2E68F00700D for ; Tue, 26 Mar 2013 17:04:50 -0500 (CDT) Received: from [108.45.16.214] (port=58014 helo=thunderfish.local) by gator1743.hostgator.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.80) (envelope-from ) id 1UKbz7-0000XS-TE; Tue, 26 Mar 2013 17:04:49 -0500 Message-ID: <51521B80.20702@ieca.com> Date: Tue, 26 Mar 2013 18:04:48 -0400 From: Sean Turner User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/20130307 Thunderbird/17.0.4 MIME-Version: 1.0 To: "Black, David" References: In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - gator1743.hostgator.com X-AntiAbuse: Original Domain - ietf.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - ieca.com X-BWhitelist: no X-Source: X-Source-Args: X-Source-Dir: X-Source-Sender: (thunderfish.local) [108.45.16.214]:58014 X-Source-Auth: sean.turner@ieca.com X-Email-Count: 2 X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IxNzQzLmhvc3RnYXRvci5jb20= X-Mailman-Approved-At: Wed, 27 Mar 2013 06:17:54 -0700 Cc: "ambarish@gmail.com" , "ietf@ietf.org" , "slava.galperin@gmail.com" , "cadams@eecs.uottawa.ca" , Stefan Santesson , "gen-art@ietf.org" , "sts@aaa-sec.com" , "pkix@ietf.org" Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Mar 2013 22:04:51 -0000 On 3/25/13 10:21 PM, Stefan Santesson wrote: > Hi David, >> Nits: >> >> idnits 2.12.15 said: >> >> -- The document seems to lack a disclaimer for pre-RFC5378 work, but may >> have content which was first submitted before 10 November 2008. If >> you >> have contacted all the original authors and they are all willing to >> grant >> the BCP78 rights to the IETF Trust, then this is fine, and you can >> ignore >> this comment. If not, you may need to add the pre-RFC5378 >> disclaimer. >> (See the Legal Provisions document at >> http://trustee.ietf.org/license-info for more information.) >> >> This looks like it's ok because all the authors of RFC 2560 are also >> authors of >> this draft, but it should be double-checked. > > > I defer this one to Sean. I think he has this one under control. I actually contacted all but one of the authors of RFC 2560. The ones I did get in contact with indicated it was fine to publishing under the new rules. The one I did not contact is deceased. I decided it would be in poor taste to contact the widower on this issue. Based on discussions with people who knew the author very well and the minimal changes in the draft, I'm comfortable progressing the document with the deceased authors name on it and without the disclaimer. spt From david.black@emc.com Tue Mar 26 16:52:34 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14F4621F89DA; Tue, 26 Mar 2013 16:52:34 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.599 X-Spam-Level: X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tOx0FsI4V+h9; Tue, 26 Mar 2013 16:52:33 -0700 (PDT) Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 6D2E721F8995; Tue, 26 Mar 2013 16:52:28 -0700 (PDT) Received: from hop04-l1d11-si03.isus.emc.com (HOP04-L1D11-SI03.isus.emc.com [10.254.111.23]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r2QNqBYh030687 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 26 Mar 2013 19:52:12 -0400 Received: from mailhub.lss.emc.com (mailhubhoprd05.lss.emc.com [10.254.222.129]) by hop04-l1d11-si03.isus.emc.com (RSA Interceptor); Tue, 26 Mar 2013 19:52:00 -0400 Received: from mxhub17.corp.emc.com (mxhub17.corp.emc.com [10.254.93.46]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r2QNpwnT003845; Tue, 26 Mar 2013 19:51:59 -0400 Received: from mx15a.corp.emc.com ([169.254.1.81]) by mxhub17.corp.emc.com ([10.254.93.46]) with mapi; Tue, 26 Mar 2013 19:51:58 -0400 From: "Black, David" To: Stefan Santesson , "sts@aaa-sec.com" , "mmyers@fastq.com" , "ambarish@gmail.com" , "slava.galperin@gmail.com" , "cadams@eecs.uottawa.ca" , "gen-art@ietf.org" Date: Tue, 26 Mar 2013 19:51:57 -0400 Thread-Topic: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 Thread-Index: Ac4pyJaMxJ9W2tdMQLmlD1t1be5jSQAs375w Message-ID: <8D3D17ACE214DC429325B2B98F3AE71293D36522@MX15A.corp.emc.com> References: <8D3D17ACE214DC429325B2B98F3AE71293AEEDBC@MX15A.corp.emc.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-EMM-MHVC: 1 X-Mailman-Approved-At: Wed, 27 Mar 2013 06:17:54 -0700 Cc: "pkix@ietf.org" , "ietf@ietf.org" , "Black, David" Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Mar 2013 23:52:34 -0000 Hi Stefan, This looks good - thank you for the prompt response. It looks like my speculation on item [1] was wrong, so could you respond to the question below, please?: > >[1] Section 2.2: > > > > NOTE: The "revoked" state for known non-issued certificate serial > > numbers is allowed in order to reduce the risk of relying > > parties using CRLs as a fall back mechanism, which would be > > considerably higher if an "unknown" response was returned. > > > >Given this explanation, I'm surprised that the use of "revoked" instead = of > >"unknown" for a known non-issued certificate is a "MAY" requirement and > >not a "SHOULD" requirement. Why is that the case? -------------- Beyond that, the proposed actions (or proposed non-actions) on items [2]-[5= ] are fine with me, Sean's taken care of the author permissions item from idnits, and I assume someone has or will check the ASN.1 . Thanks, --David > -----Original Message----- > From: Stefan Santesson [mailto:stefan@aaa-sec.com] > Sent: Monday, March 25, 2013 10:21 PM > To: Black, David; sts@aaa-sec.com; mmyers@fastq.com; ambarish@gmail.com; > slava.galperin@gmail.com; cadams@eecs.uottawa.ca; gen-art@ietf.org > Cc: pkix@ietf.org; Sean Turner; ietf@ietf.org > Subject: Re: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 >=20 > Hi David, >=20 > Thanks for the review. > My reply in line. >=20 > On 3/26/13 1:25 AM, "Black, David" wrote: >=20 > >Authors, > > > >I am the assigned Gen-ART reviewer for this draft. For background on > >Gen-ART, please > >see the FAQ at = . > > > >Please resolve these comments along with any other Last Call comments yo= u > >may receive. > > > >Document: draft-ietf-pkix-rfc2560bis-15 > >Reviewer: David L. Black > >Review Date: March 25, 2013 > >IETF LC End Date: March 27, 2013 > > > >Summary: > >This draft is on the right track but has open issues, described in the > >review. > > > >This draft updates the OCSP protocol for obtaining certificate status > >with some minor extensions. > > > >Because this is a "bis" draft, I reviewed the diffs against RFC 2560. > > > >I did not check the ASN.1. I also did not see a writeup for this draft > >in the data tracker, and so will rely on the document shepherd to > >ensure that the ASN.1 has been checked when the writeup is prepared. > > > >I found five open issues, all of which are minor, plus one idnits item > >that is probably ok, but should be double-checked. > > > >Minor issues: > > > >[1] Section 2.2: > > > > NOTE: The "revoked" state for known non-issued certificate serial > > numbers is allowed in order to reduce the risk of relying > > parties using CRLs as a fall back mechanism, which would be > > considerably higher if an "unknown" response was returned. > > > >Given this explanation, I'm surprised that the use of "revoked" instead = of > >"unknown" for a known non-issued certificate is a "MAY" requirement and > >not a "SHOULD" requirement. Why is that the case? > > > >It appears that the reason is that the use of "revoked" in this situatio= n > >may be dangerous when serial numbers can be predicted for certificates > >that > >will be issued in the future. If that's what's going on, this concern i= s > >already explained in the security considerations section, but it should > >also be mentioned here for completeness. >=20 > No, this is not the main reason. The main reason is the one stated as a > Note: in this section: >=20 > NOTE: The "revoked" state for known non-issued certificate serial numbers > is allowed in order to reduce the risk of relying parties using CRLs as a > fall back mechanism, which would be considerably higher if an "unknown" > response was returned. >=20 >=20 > > > >[2] Section 4.2.2.2: > > > > The key that signs a certificate's status information need not be the > > same key that signed the certificate. It is necessary however to > > ensure that the entity signing this information is authorized to do > > so. Therefore, a certificate's issuer MAY either sign the OCSP > > responses itself or it MAY explicitly designate this authority to > > another entity. > > > >The two instances of "MAY" in the above text were both "MUST" in RFC 256= 0. > > > >The RFC 2560 text construction of "MUST" or "MUST" is a bit odd, but the= two > >"MAY"s in this draft are even worse, as they allow "MAY do something els= e > >entirely", despite being enclosed in an either-or construct. I strongly > >suspect that the latter was not intended, so the following would be > >clearer: > > > > The key that signs a certificate's status information need not be the > > same key that signed the certificate. It is necessary however to > > ensure that the entity signing this information is authorized to do > > so. Therefore, a certificate's issuer MUST do one of the following: > > - sign the OCSP responses itself, or > > - explicitly designate this authority to another entity. >=20 >=20 > I Agree. I will adopt your text. >=20 > > > >[3] Section 4.3: > > > >Is the "SHOULD" requirement still appropriate for the DSA with SHA-1 com= bo > >(vs. a "MAY" requirement)? This requirement was a "MUST" in RFC 2560, b= ut > >I wonder about actual usage of DSA in practice. >=20 > The change in algorithm requirements was provided by RFC 6277, and furthe= r > refined in this draft in accordance with requests from Sean Turner. >=20 > > > >[4] Section 5, last paragraph: > > > > Responding a "revoked" state to certificate that has never been > > issued may enable someone to obtain a revocation response for a > > certificate that is not yet issued, but soon will be issued, if the > > CA issues certificates using sequential certificate serial number > > assignment. > > > >The above text after starting with the "if" is too narrow - it should sa= y: > > > > if the certificate serial number of the certificate that > > will be issued can be predicted or guessed by the requester. > > Such prediction is easy for a CA that issues certificates > > using sequential certificate serial number assignment. > > > >There's also a nit in original text - its first line should be: > > > > Responding with a "revoked" state for a certificate that has never been >=20 > Good suggestions. I will update accordingly. >=20 > > > >[5] Section 5.1.1: > > > > In archival applications it is quite possible that an OCSP responder > > might be asked to report the validity of a certificate on a date in > > the distant past. Such a certificate might employ a signing method > > that is no longer considered acceptably secure. In such > > circumstances the responder MUST NOT generate a signature using a > > signing mechanism that is not considered acceptably secure. > > > >This could use an additional warning that certificate archival should > >not rely solely on signatures in archived certificates for ensuring the > >validity and integrity of the archived certificates because the signatur= e > >algorithm(s) may transition to no longer being considered acceptably > >secure at some point after the certificates are archived. >=20 > This note if I remember correctly is imported from RFC 6277, which is > incorporated into this document. The reason behind the text is only to > avoid usages of insecure algorithms. > Historical validation is a real can of worms that I really would like to > keep a tight lid on. I really want to avoid doing recommendations in this > space as it may trigger a whole flood of things that could be equally > important to say about this subject. >=20 > > > >Nits: > > > >idnits 2.12.15 said: > > > > -- The document seems to lack a disclaimer for pre-RFC5378 work, but m= ay > > have content which was first submitted before 10 November 2008. If > >you > > have contacted all the original authors and they are all willing to > >grant > > the BCP78 rights to the IETF Trust, then this is fine, and you can > >ignore > > this comment. If not, you may need to add the pre-RFC5378 > >disclaimer. > > (See the Legal Provisions document at > > http://trustee.ietf.org/license-info for more information.) > > > >This looks like it's ok because all the authors of RFC 2560 are also > >authors of > >this draft, but it should be double-checked. >=20 >=20 > I defer this one to Sean. I think he has this one under control. >=20 >=20 > Thanks again for the review. >=20 > /Stefan >=20 >=20 > > > >Thanks, > >--David > >---------------------------------------------------- > >David L. Black, Distinguished Engineer > >EMC Corporation, 176 South St., Hopkinton, MA 01748 > >+1 (508) 293-7953 FAX: +1 (508) 293-7786 > >david.black@emc.com Mobile: +1 (978) 394-7754 > >---------------------------------------------------- > > > > >=20 >=20 From stefan@aaa-sec.com Wed Mar 27 04:46:55 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A03921F911F for ; Wed, 27 Mar 2013 04:46:55 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.249 X-Spam-Level: X-Spam-Status: No, score=-102.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qn2q1JlapBvS for ; Wed, 27 Mar 2013 04:46:55 -0700 (PDT) Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id 97AF821F9114 for ; Wed, 27 Mar 2013 04:46:54 -0700 (PDT) Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id 5897A10FEC5C for ; Wed, 27 Mar 2013 12:44:16 +0100 (CET) X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id z3GXBfp87pkU for ; Wed, 27 Mar 2013 12:44:13 +0100 (CET) Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 4291510FEC46 for ; Wed, 27 Mar 2013 12:44:12 +0100 (CET) Received: (qmail 82956 invoked from network); 27 Mar 2013 11:44:11 -0000 Received: from 81-232-51-61-no39.business.telia.com (HELO [192.168.0.104]) (stefan@fiddler.nu@[81.232.51.61]) (envelope-sender ) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 27 Mar 2013 11:44:11 -0000 User-Agent: Microsoft-MacOutlook/14.3.2.130206 Date: Wed, 27 Mar 2013 12:44:07 +0100 From: Stefan Santesson To: "Black, David" , "sts@aaa-sec.com" , "mmyers@fastq.com" , "ambarish@gmail.com" , "slava.galperin@gmail.com" , "cadams@eecs.uottawa.ca" , "gen-art@ietf.org" Message-ID: Thread-Topic: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 In-Reply-To: <8D3D17ACE214DC429325B2B98F3AE71293D36522@MX15A.corp.emc.com> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit X-Mailman-Approved-At: Wed, 27 Mar 2013 06:17:52 -0700 Cc: "pkix@ietf.org" , "ietf@ietf.org" Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 27 Mar 2013 11:46:55 -0000 Hi David, Yes I missed to respond to that aspect. This is a bit complicated, but we have a large legacy to take into account where some responders implements just RFC 2560, while some deliver pre-generated responses according to RFC 5019 (Light-weight OCSP). LW responders are not capable of producing a signed response at the time of responding and in case such responder finds a request for a certificate where no pre-produced response exists, it will reply with an unsigned error response "unauthorized", which also is a legitimate way to respond. So the actual OCSP responder may actually know that the certificate was never issued, but since it delivers pre-produced responder through a CDN, it can not provide a revoked response in real time. So the major aim with the current writing is to declare that the revoked response is a MAY because there are other valid alternatives. We also want to avoid putting down a SHOULD respond revoked if a certificate is known to be not-issued, because that would require us to define what "known to be non-issued" actually means. And that could be quite tricky as OCSP responders by no means are required to have this knowledge. The OCSP responder simply have a number of tools to prevent the client from accepting a bad certificate. This update of OCSP simply allows responders to use the "revoked" response as a preventive measure, without mandating it. This is also related to activities in the CA Browser Forum where they put down requirements on responders complying with CAB rules to not respond "good" to certificates that were never issued. With this update in OCSP, they can now mandate in their policies both the fact that their responders MUST know if a certificate was never issued and MUST respond "revoked". So we allow other communities to raise the bar even if the base standard defines the response as optional. In theory we could possibly say that responding revoked is optional, but if you choose between revoked and unknown then you SHOULD favour revoked over unknown. But such nested requirements just feels bad and impossible to test compliance against. I'd much rather just leave it optional. I think the Note gives a clear recommendation on this and the rationale without spelling it out as a requirement. Does this answer your question? On 3/27/13 12:51 AM, "Black, David" wrote: >Hi Stefan, > >This looks good - thank you for the prompt response. > >It looks like my speculation on item [1] was wrong, so could you respond >to the question below, please?: > >> >[1] Section 2.2: >> > >> > NOTE: The "revoked" state for known non-issued certificate serial >> > numbers is allowed in order to reduce the risk of relying >> > parties using CRLs as a fall back mechanism, which would be >> > considerably higher if an "unknown" response was returned. >> > >> >Given this explanation, I'm surprised that the use of "revoked" >>instead of >> >"unknown" for a known non-issued certificate is a "MAY" requirement and >> >not a "SHOULD" requirement. Why is that the case? > >-------------- > >Beyond that, the proposed actions (or proposed non-actions) on items >[2]-[5] >are fine with me, Sean's taken care of the author permissions item from >idnits, and I assume someone has or will check the ASN.1 . > >Thanks, >--David > >> -----Original Message----- >> From: Stefan Santesson [mailto:stefan@aaa-sec.com] >> Sent: Monday, March 25, 2013 10:21 PM >> To: Black, David; sts@aaa-sec.com; mmyers@fastq.com; ambarish@gmail.com; >> slava.galperin@gmail.com; cadams@eecs.uottawa.ca; gen-art@ietf.org >> Cc: pkix@ietf.org; Sean Turner; ietf@ietf.org >> Subject: Re: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 >> >> Hi David, >> >> Thanks for the review. >> My reply in line. >> >> On 3/26/13 1:25 AM, "Black, David" wrote: >> >> >Authors, >> > >> >I am the assigned Gen-ART reviewer for this draft. For background on >> >Gen-ART, please >> >see the FAQ at >>. >> > >> >Please resolve these comments along with any other Last Call comments >>you >> >may receive. >> > >> >Document: draft-ietf-pkix-rfc2560bis-15 >> >Reviewer: David L. Black >> >Review Date: March 25, 2013 >> >IETF LC End Date: March 27, 2013 >> > >> >Summary: >> >This draft is on the right track but has open issues, described in the >> >review. >> > >> >This draft updates the OCSP protocol for obtaining certificate status >> >with some minor extensions. >> > >> >Because this is a "bis" draft, I reviewed the diffs against RFC 2560. >> > >> >I did not check the ASN.1. I also did not see a writeup for this draft >> >in the data tracker, and so will rely on the document shepherd to >> >ensure that the ASN.1 has been checked when the writeup is prepared. >> > >> >I found five open issues, all of which are minor, plus one idnits item >> >that is probably ok, but should be double-checked. >> > >> >Minor issues: >> > >> >[1] Section 2.2: >> > >> > NOTE: The "revoked" state for known non-issued certificate serial >> > numbers is allowed in order to reduce the risk of relying >> > parties using CRLs as a fall back mechanism, which would be >> > considerably higher if an "unknown" response was returned. >> > >> >Given this explanation, I'm surprised that the use of "revoked" >>instead of >> >"unknown" for a known non-issued certificate is a "MAY" requirement and >> >not a "SHOULD" requirement. Why is that the case? >> > >> >It appears that the reason is that the use of "revoked" in this >>situation >> >may be dangerous when serial numbers can be predicted for certificates >> >that >> >will be issued in the future. If that's what's going on, this concern >>is >> >already explained in the security considerations section, but it should >> >also be mentioned here for completeness. >> >> No, this is not the main reason. The main reason is the one stated as a >> Note: in this section: >> >> NOTE: The "revoked" state for known non-issued certificate serial >>numbers >> is allowed in order to reduce the risk of relying parties using CRLs as >>a >> fall back mechanism, which would be considerably higher if an "unknown" >> response was returned. >> >> >> > >> >[2] Section 4.2.2.2: >> > >> > The key that signs a certificate's status information need not be the >> > same key that signed the certificate. It is necessary however to >> > ensure that the entity signing this information is authorized to do >> > so. Therefore, a certificate's issuer MAY either sign the OCSP >> > responses itself or it MAY explicitly designate this authority to >> > another entity. >> > >> >The two instances of "MAY" in the above text were both "MUST" in RFC >>2560. >> > >> >The RFC 2560 text construction of "MUST" or "MUST" is a bit odd, but >>the two >> >"MAY"s in this draft are even worse, as they allow "MAY do something >>else >> >entirely", despite being enclosed in an either-or construct. I >>strongly >> >suspect that the latter was not intended, so the following would be >> >clearer: >> > >> > The key that signs a certificate's status information need not be the >> > same key that signed the certificate. It is necessary however to >> > ensure that the entity signing this information is authorized to do >> > so. Therefore, a certificate's issuer MUST do one of the following: >> > - sign the OCSP responses itself, or >> > - explicitly designate this authority to another entity. >> >> >> I Agree. I will adopt your text. >> >> > >> >[3] Section 4.3: >> > >> >Is the "SHOULD" requirement still appropriate for the DSA with SHA-1 >>combo >> >(vs. a "MAY" requirement)? This requirement was a "MUST" in RFC 2560, >>but >> >I wonder about actual usage of DSA in practice. >> >> The change in algorithm requirements was provided by RFC 6277, and >>further >> refined in this draft in accordance with requests from Sean Turner. >> >> > >> >[4] Section 5, last paragraph: >> > >> > Responding a "revoked" state to certificate that has never been >> > issued may enable someone to obtain a revocation response for a >> > certificate that is not yet issued, but soon will be issued, if the >> > CA issues certificates using sequential certificate serial number >> > assignment. >> > >> >The above text after starting with the "if" is too narrow - it should >>say: >> > >> > if the certificate serial number of the certificate that >> > will be issued can be predicted or guessed by the requester. >> > Such prediction is easy for a CA that issues certificates >> > using sequential certificate serial number assignment. >> > >> >There's also a nit in original text - its first line should be: >> > >> > Responding with a "revoked" state for a certificate that has never >>been >> >> Good suggestions. I will update accordingly. >> >> > >> >[5] Section 5.1.1: >> > >> > In archival applications it is quite possible that an OCSP responder >> > might be asked to report the validity of a certificate on a date in >> > the distant past. Such a certificate might employ a signing method >> > that is no longer considered acceptably secure. In such >> > circumstances the responder MUST NOT generate a signature using a >> > signing mechanism that is not considered acceptably secure. >> > >> >This could use an additional warning that certificate archival should >> >not rely solely on signatures in archived certificates for ensuring the >> >validity and integrity of the archived certificates because the >>signature >> >algorithm(s) may transition to no longer being considered acceptably >> >secure at some point after the certificates are archived. >> >> This note if I remember correctly is imported from RFC 6277, which is >> incorporated into this document. The reason behind the text is only to >> avoid usages of insecure algorithms. >> Historical validation is a real can of worms that I really would like to >> keep a tight lid on. I really want to avoid doing recommendations in >>this >> space as it may trigger a whole flood of things that could be equally >> important to say about this subject. >> >> > >> >Nits: >> > >> >idnits 2.12.15 said: >> > >> > -- The document seems to lack a disclaimer for pre-RFC5378 work, but >>may >> > have content which was first submitted before 10 November 2008. >>If >> >you >> > have contacted all the original authors and they are all willing >>to >> >grant >> > the BCP78 rights to the IETF Trust, then this is fine, and you can >> >ignore >> > this comment. If not, you may need to add the pre-RFC5378 >> >disclaimer. >> > (See the Legal Provisions document at >> > http://trustee.ietf.org/license-info for more information.) >> > >> >This looks like it's ok because all the authors of RFC 2560 are also >> >authors of >> >this draft, but it should be double-checked. >> >> >> I defer this one to Sean. I think he has this one under control. >> >> >> Thanks again for the review. >> >> /Stefan >> >> >> > >> >Thanks, >> >--David >> >---------------------------------------------------- >> >David L. Black, Distinguished Engineer >> >EMC Corporation, 176 South St., Hopkinton, MA 01748 >> >+1 (508) 293-7953 FAX: +1 (508) 293-7786 >> >david.black@emc.com Mobile: +1 (978) 394-7754 >> >---------------------------------------------------- >> > >> > >> >> > From mrex@sap.com Wed Mar 27 07:14:46 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F6AB21F90E3; Wed, 27 Mar 2013 07:14:46 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.249 X-Spam-Level: X-Spam-Status: No, score=-10.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J5EkJBr8CxXD; Wed, 27 Mar 2013 07:14:45 -0700 (PDT) Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 696DA21F8EAB; Wed, 27 Mar 2013 07:14:45 -0700 (PDT) Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id r2REEbis007118 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 27 Mar 2013 15:14:37 +0100 (MET) In-Reply-To: To: Stefan Santesson Date: Wed, 27 Mar 2013 15:14:37 +0100 (CET) X-Mailer: ELM [version 2.4ME+ PL125 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="US-ASCII" Message-Id: <20130327141437.9F5481A674@ld9781.wdf.sap.corp> From: mrex@sap.com (Martin Rex) X-SAP: out Cc: pkix@ietf.org, ietf@ietf.org Subject: Re: [pkix] Last Call: (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: mrex@sap.com List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 27 Mar 2013 14:14:46 -0000 Stefan Santesson wrote: > "Martin Rex" wrote: > > >Adding 3 more OCSPResponseStatus error codes { no_authoritative_data(7), > >single_requests_only(8), unsupported_extension(8) } with well-defined and > >conflict-free semantics to the existing enum would be perfectly backwards > >compatible. > > Of course it is backwards compatible with the standard, but not with the > installed base. > > What would happen to the installed base of clients if OCSP responders > would change from current "unauthorized" to one of your new error codes? Actually, please look at the I-D text again. Even if the Servers would change their response to a new error code for the "I can not respond authoritatively", it will be 100% backwards compatible with the clients. That is at least what proposed change implies! So lets assign new error codes and have Server change their response! "Backwards compatibility" is relevant in the same fashion as interoperability -- interoperability among independent implementations as well as interop between new implementations and the installed base. Since the current change only "conveys" information, and does that in an extremely ambiguous fashion, moving to a new error code is provably NOT going to be any problem to interop, The desired client behaviour is completely unspecified, so *ANY* client behaviour will be acceptable. Based on the current text, your claim must be bogus, that assignment of new error codes for this purpose would be backwards incompatible. What I can not yet completely rule out, though, is that there are some currently unstated expectations / desired behaviour that you would want to retain, and which is currently undocumented. Should that be the case, then it is paramount that any such expectation about desired behaviour is ADDED to the document, in order to enable interop with independent implementations. It is conceivable that such "desired/expected" behaviour consists of some kind of "blacklisting" that had been previously implemented for the "unauthorized(7)" error code, and that the inventors of the rfc5019 profile (VeriSign and Microsoft) wanted to take advantage of. Should that be the case, then I would really be curious what kind of blacklisting that is that implementors are thinking of when they express their concern a move to a newly assigned error code would be "backwards incompatible". Is it about the caching of that responses on clients? Is there any "negative response caching"? Are negative responses cached "per server" or per (requested) certificate status? -Martin From stefan@aaa-sec.com Wed Mar 27 08:45:52 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32DA321F9150 for ; Wed, 27 Mar 2013 08:45:52 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.249 X-Spam-Level: X-Spam-Status: No, score=-102.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BSxQIkCFy-Q1 for ; Wed, 27 Mar 2013 08:45:51 -0700 (PDT) Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id 5C17B21F910B for ; Wed, 27 Mar 2013 08:45:50 -0700 (PDT) Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id 5D64C533047 for ; Wed, 27 Mar 2013 16:45:49 +0100 (CET) X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id JK7u6W76-eyX for ; Wed, 27 Mar 2013 16:45:46 +0100 (CET) Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id C3A56533944 for ; Wed, 27 Mar 2013 16:32:53 +0100 (CET) Received: (qmail 74466 invoked from network); 27 Mar 2013 15:32:53 -0000 Received: from 81-232-51-61-no39.business.telia.com (HELO [192.168.0.104]) (stefan@fiddler.nu@[81.232.51.61]) (envelope-sender ) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 27 Mar 2013 15:32:53 -0000 User-Agent: Microsoft-MacOutlook/14.3.2.130206 Date: Wed, 27 Mar 2013 16:32:49 +0100 From: Stefan Santesson To: Message-ID: Thread-Topic: [pkix] Last Call: (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard In-Reply-To: <20130327141437.9F5481A674@ld9781.wdf.sap.corp> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Cc: pkix@ietf.org, ietf@ietf.org Subject: Re: [pkix] Last Call: (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 27 Mar 2013 15:45:52 -0000 It is risky to assume that existing clients would work appropriately if you send them a new never seen before error code. I'm not willing to assume that unless a big pile of current implementers assures me that this is the case. /Stefan On 3/27/13 3:14 PM, "Martin Rex" wrote: >Stefan Santesson wrote: >> "Martin Rex" wrote: >> >> >Adding 3 more OCSPResponseStatus error codes { >>no_authoritative_data(7), >> >single_requests_only(8), unsupported_extension(8) } with well-defined >>and >> >conflict-free semantics to the existing enum would be perfectly >>backwards >> >compatible. >> >> Of course it is backwards compatible with the standard, but not with the >> installed base. >> >> What would happen to the installed base of clients if OCSP responders >> would change from current "unauthorized" to one of your new error codes? > > >Actually, please look at the I-D text again. Even if the Servers would >change their response to a new error code for the "I can not respond >authoritatively", it will be 100% backwards compatible with the clients. > >That is at least what proposed change implies! > >So lets assign new error codes and have Server change their response! > > > >"Backwards compatibility" is relevant in the same fashion as >interoperability >-- interoperability among independent implementations as well as interop >between new implementations and the installed base. > >Since the current change only "conveys" information, and does that in >an extremely ambiguous fashion, moving to a new error code is provably >NOT going to be any problem to interop, The desired client behaviour >is completely unspecified, so *ANY* client behaviour will be acceptable. > > >Based on the current text, your claim must be bogus, that assignment of >new error codes for this purpose would be backwards incompatible. > > >What I can not yet completely rule out, though, is that there are some >currently unstated expectations / desired behaviour that you would >want to retain, and which is currently undocumented. Should that be >the case, then it is paramount that any such expectation about desired >behaviour is ADDED to the document, in order to enable interop with >independent implementations. > >It is conceivable that such "desired/expected" behaviour consists of some >kind of "blacklisting" that had been previously implemented for the >"unauthorized(7)" error code, and that the inventors of the rfc5019 >profile (VeriSign and Microsoft) wanted to take advantage of. > >Should that be the case, then I would really be curious what kind of >blacklisting that is that implementors are thinking of when they >express their concern a move to a newly assigned error code would >be "backwards incompatible". Is it about the caching of that responses >on clients? Is there any "negative response caching"? Are negative >responses cached "per server" or per (requested) certificate status? > > >-Martin From mrex@sap.com Wed Mar 27 09:00:09 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2030121F9052; Wed, 27 Mar 2013 09:00:09 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.249 X-Spam-Level: X-Spam-Status: No, score=-10.249 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gPghi+mM9Ny8; Wed, 27 Mar 2013 09:00:08 -0700 (PDT) Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id C431721F9244; Wed, 27 Mar 2013 09:00:07 -0700 (PDT) Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id r2RG00dK001686 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 27 Mar 2013 17:00:00 +0100 (MET) In-Reply-To: To: Stefan Santesson Date: Wed, 27 Mar 2013 16:59:23 +0100 (CET) X-Mailer: ELM [version 2.4ME+ PL125 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="US-ASCII" Message-Id: <20130327155923.0DF831A677@ld9781.wdf.sap.corp> From: mrex@sap.com (Martin Rex) X-SAP: out Cc: pkix@ietf.org, ietf@ietf.org Subject: Re: [pkix] Last Call: (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: mrex@sap.com List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 27 Mar 2013 16:00:09 -0000 Stefan Santesson wrote: > > It is risky to assume that existing clients would work appropriately > if you send them a new never seen before error code. > > I'm not willing to assume that unless a big pile of current implementers > assures me that this is the case. As I wrote: As long as the spec is _entirely_silent_ about expected/desirable behaviour of the client on receipt of a repurposed "unauthorized(7)" OCSPResponseStatus, the new error code with be provable "backwards compatible" within the definition of the specification, because *ANY* client behaviour will formally provable meet the spec and therefore "be interoperable". How indiviual OCSP clients behave in particular, and whether all implementors appreciate the behaviour of their own implementation will then be _irrelevant_. ... which is why I believe that leaving client behaviour for the receipt of OCSPResponseStatus error code entirely unspecified is a bad idea, and for the repurposed "unauthorized(7)" it's a really bad idea. rfc5019 only talks about caching of signed OCSP responses: http://tools.ietf.org/html/rfc5019#section-6.1 -Martin From mrex@sap.com Wed Mar 27 14:11:56 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34C0B21F8C6F; Wed, 27 Mar 2013 14:11:56 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.249 X-Spam-Level: X-Spam-Status: No, score=-10.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4VD4catz3maC; Wed, 27 Mar 2013 14:11:55 -0700 (PDT) Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 416C821F88BF; Wed, 27 Mar 2013 14:11:55 -0700 (PDT) Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id r2RLBrxT012932 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 27 Mar 2013 22:11:53 +0100 (MET) In-Reply-To: To: Sam Hartman Date: Wed, 27 Mar 2013 22:11:53 +0100 (CET) X-Mailer: ELM [version 2.4ME+ PL125 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="US-ASCII" Message-Id: <20130327211153.9DEBC1A678@ld9781.wdf.sap.corp> From: mrex@sap.com (Martin Rex) X-SAP: out Cc: pkix@ietf.org, ietf@ietf.org Subject: Re: [pkix] Last Call: (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: mrex@sap.com List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 27 Mar 2013 21:11:56 -0000 Sam Hartman wrote: > Martin Rex wrote: >> Oh, here is a message from the Security AD back then (Sam >> Hartman), commenting on requirements for rfc2560bis (the I-D >> under last call right now!): >> >> http://www.ietf.org/mail-archive/web/pkix/current/msg03515.html > > To be clear, I didn't comment on which error codes were overloaded to do > what. My point was simply that there needs to be a minimal set of > client behavior that is guaranteed to work (if permitted by responder > policy) with any responder. That's the level of interoperability we > generally require from our specs. > > It sounds like Martin would like to be able to distinguish three client > behaviors: > > 1) Use less of the spec and send me a simpler request > > 2) I can't help you with this particular request > > 3) Please go away and never come back > > That's a fine desire. In my opinion, it's also fine for us to decide > for interoperability, simplicity or other reasons that we're combining > all that into one error and clients don't get to make this distinction. True. It was the Security co-AD Russ Housley who indicated _early_ during the discussion of that draft (2.5 years after it had been adopted as a WG item) that he considered some of the suggested abuses of existing error codes "unacceptable": http://www.ietf.org/mail-archive/web/pkix/current/msg03570.html So far, I haven't found any arguments that could reasonably invalidate Russ' initial assessment on the "unacceptable" the error code abuse, i.e. any kind of transparent trade-off and the facts it could be based on. Looking as Russ' comment again, I check the documents again on the exact behaviour required from an rfc5019 server when receiving an OCSP request with a requestList. Myself, I'm surprised and confused by the answer: the rfc5019 server is prohibited from returning an error! rfc2560 neither provides and option nor an error code to refuse a response based on the presence of multiple entries in request list. The limit of a single entry in the requestList ist *CLEARLY* limited to clients conforming to the rfc5019 profile, it is neither limited to the requests sent to rfc5019 servers, nor does it apply to rfc5019 servers themselves -> "this profile ensures interoperability with a fully conformant OCSP 2560 client": http://tools.ietf.org/html/rfc5019#page-4 End of Section 1: In the case where out-of-band mechanisms may not be available, this profile ensures that interoperability will still occur between a fully conformant OCSP 2560 client and a responder that is operating in a mode as described in this specification. 2.1.1. OCSPRequest Structure OCSPRequests conformant to this profile MUST include only one Request in the OCSPRequest.RequestList structure. Other than what I had assumed from Russ' message about unacceptable error code abuse, rfc5019 does not define what kind or error code to (ab)use if a request contains more than one entry in requestList, and contains this explicit guidance: http://tools.ietf.org/html/rfc5019#section-2.2.1 2.2.1. OCSPResponse Structure In the case where a responder does not have the ability to respond to an OCSP request containing a option not supported by the server, it SHOULD return the most complete response it can. For example, in the case where a responder only supports pre-produced responses and does not have the ability to respond to an OCSP request containing a nonce, it SHOULD return a response that does not include a nonce. But when there are multiple entries received in a requestList from a "fully conformant OCSP 2560 client", to which rfc5019 allegedly ensures interoperability, then the option to return "unauthorized" to indicate inability to obtain authoritative information, and results in self-contraditory design. I strongly believe this stuff needs some housekeeping applied. The currently proposed minimal change of the description for the "unauthorized" error code in rfc2560bis is only going to make the mess worse, this is neither a solution, nor an improvement to anything. -Martin From SChokhani@cygnacom.com Wed Mar 27 15:04:12 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17ED421F9005 for ; Wed, 27 Mar 2013 15:04:12 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.598 X-Spam-Level: X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B6kz1+nN8DMF for ; Wed, 27 Mar 2013 15:04:10 -0700 (PDT) Received: from ipedge2.cygnacom.com (ipedge2.cygnacom.com [216.191.252.27]) by ietfa.amsl.com (Postfix) with ESMTP id 2B30521F8FFB for ; Wed, 27 Mar 2013 15:04:10 -0700 (PDT) X-IronPort-AV: E=Sophos;i="4.84,920,1355115600"; d="scan'208,217";a="5245881" Received: from unknown (HELO scygexch7.cygnacom.com) ([10.4.60.22]) by ipedge2.cygnacom.com with ESMTP; 27 Mar 2013 18:04:09 -0400 Received: from scygexch7.cygnacom.com ([::1]) by scygexch7.cygnacom.com ([::1]) with mapi; Wed, 27 Mar 2013 18:04:09 -0400 From: Santosh Chokhani To: Piyush Jain , 'pkix' Date: Wed, 27 Mar 2013 18:04:08 -0400 Thread-Topic: [pkix] URI Name Constraint and URN Thread-Index: Ac4rNwCs7LyJzZ8wReu52cCWeO6YrA== Message-ID: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: multipart/alternative; boundary="_000_B83745DA469B7847811819C5005244AFF3DC9C5Escygexch7cygnac_" MIME-Version: 1.0 Subject: Re: [pkix] URI Name Constraint and URN X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 27 Mar 2013 22:04:12 -0000 --_000_B83745DA469B7847811819C5005244AFF3DC9C5Escygexch7cygnac_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable David and Piyush, Thanks. I agree with you for the most part. But, the first sentence in that paragr= aph can be used to think otherwise: "For URIs, the constraint applies to th= e host part of the name". Anyway, that is not my primary point. I think the URI schemes that cannot = have host name component should be exempt from name constraint since there = is nothing to constrain. Today, we have actual certificates that have URN in them and rejecting them= on the basis of upstream URI constraints (which typically apply to URL) do= es not make sense to me. My question is was that simply an oversight or is there a reason URN should= be rejected. One could also argue when using URN scheme, the name is not = hierarchical and there is no point in constraining it. From: Piyush Jain [mailto:piyush@ditenity.com] Sent: Tuesday, March 26, 2013 6:07 PM To: Santosh Chokhani; 'pkix' Subject: RE: [pkix] URI Name Constraint and URN >From 5280 (e.g., if the URI either does not include an authority component or includes an authority component in which the host name is specified as an IP address), then the application MUST reject the certificate. It clearly says that if authority component is missing, certificate must be= rejected. From: pkix-bounces@ietf.org [mailto:pkix-boun= ces@ietf.org] On Behalf Of Santosh Chokhani Sent: Tuesday, March 26, 2013 2:47 PM To: 'pkix' Subject: [pkix] URI Name Constraint and URN I have been wrestling with what one should with a certificate if the SAN in= the certificate contains URN and when you get to the certificate, the name= constraint state variable indicates permitted and/or excluded values for t= he URI name form. I think name constraint is not applicable to URN since it does not have an = "authority" and thus "host" component by definition. Thus, regardless of t= he name constraint state variable, presence of URN should not cause name co= nstraint violation. But, when I read 5280, I find the text implying otherwise or ambiguous. Santosh Chokhani CygnaCom Solutions, Inc. --_000_B83745DA469B7847811819C5005244AFF3DC9C5Escygexch7cygnac_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

David and Piyush,

<= span style=3D'color:#1F497D'> 

Thanks.

 

I agree with you for the most pa= rt.  But, the first sentence in that paragraph can be used to think ot= herwise: “For URIs, the constraint applies to the host part of= the name”.

 

<= p class=3DMsoNormal>Anyway, that is not my pr= imary point.  I think the URI schemes that cannot have host name compo= nent should be exempt from name constraint since there is nothing to constr= ain.

 

Today, we have actual certificates that have URN in them and rejectin= g them on the basis of upstream URI constraints (which typically apply to U= RL) does not make sense to me.

<= span style=3D'color:#1F497D'> 

My question is was that simply an oversigh= t or is there a reason URN should be rejected.  One could also argue w= hen using URN scheme, the name is not hierarchical and there is no point in= constraining it.

 

Fr= om: Piyush Jain [mailto:piyush@ditenity.com]
Sent: Tuesday, M= arch 26, 2013 6:07 PM
To: Santosh Chokhani; 'pkix'
Subject:= RE: [pkix] URI Name Constraint and URN

 

From 5280

(e.g., = if the URI either

   does n= ot include an authority component or includes an authority

   component in which the host name is spec= ified as an IP address), then

 &= nbsp; the application MUST reject the certificate.

 

It clearly says that if= authority component is missing, certificate must be rejected.

 

From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Santo= sh Chokhani
Sent: Tuesday, March 26, 2013 2:47 PM
To: '= pkix'
Subject: [pkix] URI Name Constraint and URN

 

I have been wrestling with what one should with a certificate if the = SAN in the certificate contains URN and when you get to the certificate, th= e name constraint state variable indicates permitted and/or excluded values= for the URI name form.

 

I think name constraint is not applicable to URN = since it does not have an “authority” and thus “host̶= 1; component by definition.  Thus, regardless of the name constraint s= tate variable, presence of URN should not cause name constraint violation.<= o:p>

 

But, when I read 5280, I find the text implying otherwise or ambiguous.

 

 

Santosh Chokhani

<= p class=3DMsoNormal>CygnaCom Solutions, Inc.

 

= --_000_B83745DA469B7847811819C5005244AFF3DC9C5Escygexch7cygnac_-- From stefan@aaa-sec.com Wed Mar 27 08:39:27 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FCEE21F91E5 for ; Wed, 27 Mar 2013 08:39:27 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.249 X-Spam-Level: X-Spam-Status: No, score=-102.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PSCKGrTm1bUk for ; Wed, 27 Mar 2013 08:39:27 -0700 (PDT) Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id 40A7E21F9141 for ; Wed, 27 Mar 2013 08:39:26 -0700 (PDT) Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id 2885D53358E for ; Wed, 27 Mar 2013 16:39:25 +0100 (CET) X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 4f1y9XEdjTIq for ; Wed, 27 Mar 2013 16:39:21 +0100 (CET) Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id DCECF533E2A for ; Wed, 27 Mar 2013 16:37:51 +0100 (CET) Received: (qmail 98137 invoked from network); 27 Mar 2013 15:37:51 -0000 Received: from 81-232-51-61-no39.business.telia.com (HELO [192.168.0.104]) (stefan@fiddler.nu@[81.232.51.61]) (envelope-sender ) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 27 Mar 2013 15:37:51 -0000 User-Agent: Microsoft-MacOutlook/14.3.2.130206 Date: Wed, 27 Mar 2013 16:37:45 +0100 From: Stefan Santesson To: "Black, David" , "sts@aaa-sec.com" , "mmyers@fastq.com" , "ambarish@gmail.com" , "slava.galperin@gmail.com" , "cadams@eecs.uottawa.ca" , "gen-art@ietf.org" Message-ID: Thread-Topic: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 In-Reply-To: <8D3D17ACE214DC429325B2B98F3AE71293D36628@MX15A.corp.emc.com> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit X-Mailman-Approved-At: Thu, 28 Mar 2013 07:33:38 -0700 Cc: "pkix@ietf.org" , "ietf@ietf.org" Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 27 Mar 2013 15:39:27 -0000 I could. My worry is just that this is such a contentious subject and it took us x hundreds of emails to reach this state, that if I add more explanations, people will start disagreeing with it and that we end up in a long debate on how to correctly express this. Is this important enough to do that? /Stefan On 3/27/13 3:30 PM, "Black, David" wrote: >Hi Stefan, > >> Does this answer your question? > >Yes, please add some of that explanation to the next version of the draft >;-). >Coverage of existing responder behavior/limitations (important "running >code" >concerns, IMHO) and alternatives to using "revoked" ("have a number of >tools >to prevent the client from accepting a bad certificate") seem particularly >relevant. > >Thanks, >--David > >> -----Original Message----- >> From: Stefan Santesson [mailto:stefan@aaa-sec.com] >> Sent: Wednesday, March 27, 2013 7:44 AM >> To: Black, David; sts@aaa-sec.com; mmyers@fastq.com; ambarish@gmail.com; >> slava.galperin@gmail.com; cadams@eecs.uottawa.ca; gen-art@ietf.org >> Cc: pkix@ietf.org; Sean Turner; ietf@ietf.org >> Subject: Re: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 >> >> Hi David, >> >> Yes I missed to respond to that aspect. >> >> This is a bit complicated, but we have a large legacy to take into >>account >> where some responders implements just RFC 2560, while some deliver >> pre-generated responses according to RFC 5019 (Light-weight OCSP). LW >> responders are not capable of producing a signed response at the time of >> responding and in case such responder finds a request for a certificate >> where no pre-produced response exists, it will reply with an unsigned >> error response "unauthorized", which also is a legitimate way to >>respond. >> So the actual OCSP responder may actually know that the certificate was >> never issued, but since it delivers pre-produced responder through a >>CDN, >> it can not provide a revoked response in real time. >> >> So the major aim with the current writing is to declare that the revoked >> response is a MAY because there are other valid alternatives. >> >> We also want to avoid putting down a SHOULD respond revoked if a >> certificate is known to be not-issued, because that would require us to >> define what "known to be non-issued" actually means. And that could be >> quite tricky as OCSP responders by no means are required to have this >> knowledge. >> >> The OCSP responder simply have a number of tools to prevent the client >> from accepting a bad certificate. >> This update of OCSP simply allows responders to use the "revoked" >>response >> as a preventive measure, without mandating it. >> >> This is also related to activities in the CA Browser Forum where they >>put >> down requirements on responders complying with CAB rules to not respond >> "good" to certificates that were never issued. >> With this update in OCSP, they can now mandate in their policies both >>the >> fact that their responders MUST know if a certificate was never issued >>and >> MUST respond "revoked". >> >> So we allow other communities to raise the bar even if the base standard >> defines the response as optional. >> >> In theory we could possibly say that responding revoked is optional, but >> if you choose between revoked and unknown then you SHOULD favour revoked >> over unknown. But such nested requirements just feels bad and impossible >> to test compliance against. I'd much rather just leave it optional. I >> think the Note gives a clear recommendation on this and the rationale >> without spelling it out as a requirement. >> >> Does this answer your question? >> >> >> On 3/27/13 12:51 AM, "Black, David" wrote: >> >> >Hi Stefan, >> > >> >This looks good - thank you for the prompt response. >> > >> >It looks like my speculation on item [1] was wrong, so could you >>respond >> >to the question below, please?: >> > >> >> >[1] Section 2.2: >> >> > >> >> > NOTE: The "revoked" state for known non-issued certificate serial >> >> > numbers is allowed in order to reduce the risk of relying >> >> > parties using CRLs as a fall back mechanism, which would be >> >> > considerably higher if an "unknown" response was returned. >> >> > >> >> >Given this explanation, I'm surprised that the use of "revoked" >> >>instead of >> >> >"unknown" for a known non-issued certificate is a "MAY" requirement >>and >> >> >not a "SHOULD" requirement. Why is that the case? >> > >> >-------------- >> > >> >Beyond that, the proposed actions (or proposed non-actions) on items >> >[2]-[5] >> >are fine with me, Sean's taken care of the author permissions item from >> >idnits, and I assume someone has or will check the ASN.1 . >> > >> >Thanks, >> >--David >> > >> >> -----Original Message----- >> >> From: Stefan Santesson [mailto:stefan@aaa-sec.com] >> >> Sent: Monday, March 25, 2013 10:21 PM >> >> To: Black, David; sts@aaa-sec.com; mmyers@fastq.com; >>ambarish@gmail.com; >> >> slava.galperin@gmail.com; cadams@eecs.uottawa.ca; gen-art@ietf.org >> >> Cc: pkix@ietf.org; Sean Turner; ietf@ietf.org >> >> Subject: Re: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 >> >> >> >> Hi David, >> >> >> >> Thanks for the review. >> >> My reply in line. >> >> >> >> On 3/26/13 1:25 AM, "Black, David" wrote: >> >> >> >> >Authors, >> >> > >> >> >I am the assigned Gen-ART reviewer for this draft. For background on >> >> >Gen-ART, please >> >> >see the FAQ at >> >>. >> >> > >> >> >Please resolve these comments along with any other Last Call >>comments >> >>you >> >> >may receive. >> >> > >> >> >Document: draft-ietf-pkix-rfc2560bis-15 >> >> >Reviewer: David L. Black >> >> >Review Date: March 25, 2013 >> >> >IETF LC End Date: March 27, 2013 >> >> > >> >> >Summary: >> >> >This draft is on the right track but has open issues, described in >>the >> >> >review. >> >> > >> >> >This draft updates the OCSP protocol for obtaining certificate >>status >> >> >with some minor extensions. >> >> > >> >> >Because this is a "bis" draft, I reviewed the diffs against RFC >>2560. >> >> > >> >> >I did not check the ASN.1. I also did not see a writeup for this >>draft >> >> >in the data tracker, and so will rely on the document shepherd to >> >> >ensure that the ASN.1 has been checked when the writeup is prepared. >> >> > >> >> >I found five open issues, all of which are minor, plus one idnits >>item >> >> >that is probably ok, but should be double-checked. >> >> > >> >> >Minor issues: >> >> > >> >> >[1] Section 2.2: >> >> > >> >> > NOTE: The "revoked" state for known non-issued certificate serial >> >> > numbers is allowed in order to reduce the risk of relying >> >> > parties using CRLs as a fall back mechanism, which would be >> >> > considerably higher if an "unknown" response was returned. >> >> > >> >> >Given this explanation, I'm surprised that the use of "revoked" >> >>instead of >> >> >"unknown" for a known non-issued certificate is a "MAY" requirement >>and >> >> >not a "SHOULD" requirement. Why is that the case? >> >> > >> >> >It appears that the reason is that the use of "revoked" in this >> >>situation >> >> >may be dangerous when serial numbers can be predicted for >>certificates >> >> >that >> >> >will be issued in the future. If that's what's going on, this >>concern >> >>is >> >> >already explained in the security considerations section, but it >>should >> >> >also be mentioned here for completeness. >> >> >> >> No, this is not the main reason. The main reason is the one stated >>as a >> >> Note: in this section: >> >> >> >> NOTE: The "revoked" state for known non-issued certificate serial >> >>numbers >> >> is allowed in order to reduce the risk of relying parties using CRLs >>as >> >>a >> >> fall back mechanism, which would be considerably higher if an >>"unknown" >> >> response was returned. >> >> >> >> >> >> > >> >> >[2] Section 4.2.2.2: >> >> > >> >> > The key that signs a certificate's status information need not be >>the >> >> > same key that signed the certificate. It is necessary however to >> >> > ensure that the entity signing this information is authorized to do >> >> > so. Therefore, a certificate's issuer MAY either sign the OCSP >> >> > responses itself or it MAY explicitly designate this authority to >> >> > another entity. >> >> > >> >> >The two instances of "MAY" in the above text were both "MUST" in RFC >> >>2560. >> >> > >> >> >The RFC 2560 text construction of "MUST" or "MUST" is a bit odd, but >> >>the two >> >> >"MAY"s in this draft are even worse, as they allow "MAY do something >> >>else >> >> >entirely", despite being enclosed in an either-or construct. I >> >>strongly >> >> >suspect that the latter was not intended, so the following would be >> >> >clearer: >> >> > >> >> > The key that signs a certificate's status information need not be >>the >> >> > same key that signed the certificate. It is necessary however to >> >> > ensure that the entity signing this information is authorized to do >> >> > so. Therefore, a certificate's issuer MUST do one of the >>following: >> >> > - sign the OCSP responses itself, or >> >> > - explicitly designate this authority to another entity. >> >> >> >> >> >> I Agree. I will adopt your text. >> >> >> >> > >> >> >[3] Section 4.3: >> >> > >> >> >Is the "SHOULD" requirement still appropriate for the DSA with SHA-1 >> >>combo >> >> >(vs. a "MAY" requirement)? This requirement was a "MUST" in RFC >>2560, >> >>but >> >> >I wonder about actual usage of DSA in practice. >> >> >> >> The change in algorithm requirements was provided by RFC 6277, and >> >>further >> >> refined in this draft in accordance with requests from Sean Turner. >> >> >> >> > >> >> >[4] Section 5, last paragraph: >> >> > >> >> > Responding a "revoked" state to certificate that has never been >> >> > issued may enable someone to obtain a revocation response for a >> >> > certificate that is not yet issued, but soon will be issued, if the >> >> > CA issues certificates using sequential certificate serial number >> >> > assignment. >> >> > >> >> >The above text after starting with the "if" is too narrow - it >>should >> >>say: >> >> > >> >> > if the certificate serial number of the certificate that >> >> > will be issued can be predicted or guessed by the requester. >> >> > Such prediction is easy for a CA that issues certificates >> >> > using sequential certificate serial number assignment. >> >> > >> >> >There's also a nit in original text - its first line should be: >> >> > >> >> > Responding with a "revoked" state for a certificate that has never >> >>been >> >> >> >> Good suggestions. I will update accordingly. >> >> >> >> > >> >> >[5] Section 5.1.1: >> >> > >> >> > In archival applications it is quite possible that an OCSP >>responder >> >> > might be asked to report the validity of a certificate on a date in >> >> > the distant past. Such a certificate might employ a signing method >> >> > that is no longer considered acceptably secure. In such >> >> > circumstances the responder MUST NOT generate a signature using a >> >> > signing mechanism that is not considered acceptably secure. >> >> > >> >> >This could use an additional warning that certificate archival >>should >> >> >not rely solely on signatures in archived certificates for ensuring >>the >> >> >validity and integrity of the archived certificates because the >> >>signature >> >> >algorithm(s) may transition to no longer being considered acceptably >> >> >secure at some point after the certificates are archived. >> >> >> >> This note if I remember correctly is imported from RFC 6277, which is >> >> incorporated into this document. The reason behind the text is only >>to >> >> avoid usages of insecure algorithms. >> >> Historical validation is a real can of worms that I really would >>like to >> >> keep a tight lid on. I really want to avoid doing recommendations in >> >>this >> >> space as it may trigger a whole flood of things that could be equally >> >> important to say about this subject. >> >> >> >> > >> >> >Nits: >> >> > >> >> >idnits 2.12.15 said: >> >> > >> >> > -- The document seems to lack a disclaimer for pre-RFC5378 work, >>but >> >>may >> >> > have content which was first submitted before 10 November 2008. >> >>If >> >> >you >> >> > have contacted all the original authors and they are all >>willing >> >>to >> >> >grant >> >> > the BCP78 rights to the IETF Trust, then this is fine, and you >>can >> >> >ignore >> >> > this comment. If not, you may need to add the pre-RFC5378 >> >> >disclaimer. >> >> > (See the Legal Provisions document at >> >> > http://trustee.ietf.org/license-info for more information.) >> >> > >> >> >This looks like it's ok because all the authors of RFC 2560 are also >> >> >authors of >> >> >this draft, but it should be double-checked. >> >> >> >> >> >> I defer this one to Sean. I think he has this one under control. >> >> >> >> >> >> Thanks again for the review. >> >> >> >> /Stefan >> >> >> >> >> >> > >> >> >Thanks, >> >> >--David >> >> >---------------------------------------------------- >> >> >David L. Black, Distinguished Engineer >> >> >EMC Corporation, 176 South St., Hopkinton, MA 01748 >> >> >+1 (508) 293-7953 FAX: +1 (508) 293-7786 >> >> >david.black@emc.com Mobile: +1 (978) 394-7754 >> >> >---------------------------------------------------- >> >> > >> >> > >> >> >> >> >> > >> >> > From stefan@aaa-sec.com Thu Mar 28 03:34:18 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18E5421F92E8 for ; Thu, 28 Mar 2013 03:34:18 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.171 X-Spam-Level: X-Spam-Status: No, score=-102.171 tagged_above=-999 required=5 tests=[AWL=0.078, BAYES_00=-2.599, HELO_EQ_SE=0.35, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kg0ECRJ4eNIc for ; Thu, 28 Mar 2013 03:34:17 -0700 (PDT) Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id 6F78B21F92E3 for ; Thu, 28 Mar 2013 03:34:17 -0700 (PDT) Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id 4883D1CFAA80 for ; Thu, 28 Mar 2013 11:34:16 +0100 (CET) X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id gGdi_JF6qs02 for ; Thu, 28 Mar 2013 11:34:07 +0100 (CET) Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id BEC881CFAAC6 for ; Thu, 28 Mar 2013 11:34:06 +0100 (CET) Received: (qmail 79091 invoked from network); 28 Mar 2013 10:34:06 -0000 Received: from gw.aaa-sec.ideon.se (HELO [192.168.1.2]) (stefan@fiddler.nu@[85.235.7.89]) (envelope-sender ) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 28 Mar 2013 10:34:06 -0000 User-Agent: Microsoft-MacOutlook/14.3.2.130206 Date: Thu, 28 Mar 2013 11:34:02 +0100 From: Stefan Santesson To: "Black, David" , "sts@aaa-sec.com" , "mmyers@fastq.com" , "ambarish@gmail.com" , "slava.galperin@gmail.com" , "cadams@eecs.uottawa.ca" , "gen-art@ietf.org" Message-ID: Thread-Topic: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 In-Reply-To: <8D3D17ACE214DC429325B2B98F3AE71293D366B6@MX15A.corp.emc.com> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit X-Mailman-Approved-At: Thu, 28 Mar 2013 07:33:38 -0700 Cc: "pkix@ietf.org" , "ietf@ietf.org" Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Mar 2013 10:34:18 -0000 I have given this a go by expanding the note as follows: NOTE: The "revoked" state for known non-issued certificate serial numbers is allowed in order to reduce the risk of relying parties using CRLs as a fall back mechanism, which would be considerably higher if an "unknown" response was returned. The "revoked" status is still optional in this context in order to maintain backwards compatibility with deployments of RFC 2560. For example, the responder may not have any knowledge about whether a requested serial number has been assigned to any issued certificate, or the responder may provide pre produced responses in accordance with RFC 5019 and, for that reason, is not capable of providing a signed response for all non-issued certificate serial numbers. Does this solve you issue. I think this is as far as dare to go without risking a heated debate. /Stefan On 3/27/13 5:08 PM, "Black, David" wrote: >Stefan, > >> Is this important enough to do that? > >IMHO, yes - the "running code" aspects of existing responder >behavior/limitations >are definitely important enough for an RFC like this that revises a >protocol spec, >and the alternatives to "revoked" feel like an important complement to >those >aspects (discussion what to do instead when responder >behavior/limitations are >encountered). > >I appreciate the level of work that may be involved in capturing this, as >I've had my share of contentious discussions in WGs that I chair - FWIW, >I'm currently chairing my 4th and 5th WGs. OTOH, when a WG has put that >much >time/effort into reaching a (compromise) decision, it really is valuable >to record why the decision was reached to avoid recovering that ground >in the future and (specific to this situation) to give implementers some >more context/information on how the protocol is likely to work in >practice. > >Thanks, >--David > >> -----Original Message----- >> From: Stefan Santesson [mailto:stefan@aaa-sec.com] >> Sent: Wednesday, March 27, 2013 11:38 AM >> To: Black, David; sts@aaa-sec.com; mmyers@fastq.com; ambarish@gmail.com; >> slava.galperin@gmail.com; cadams@eecs.uottawa.ca; gen-art@ietf.org >> Cc: pkix@ietf.org; Sean Turner; ietf@ietf.org >> Subject: Re: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 >> >> I could. >> >> My worry is just that this is such a contentious subject and it took us >>x >> hundreds of emails to reach this state, that if I add more explanations, >> people will start disagreeing with it and that we end up in a long >>debate >> on how to correctly express this. >> >> Is this important enough to do that? >> >> /Stefan >> >> >> On 3/27/13 3:30 PM, "Black, David" wrote: >> >> >Hi Stefan, >> > >> >> Does this answer your question? >> > >> >Yes, please add some of that explanation to the next version of the >>draft >> >;-). >> >Coverage of existing responder behavior/limitations (important "running >> >code" >> >concerns, IMHO) and alternatives to using "revoked" ("have a number of >> >tools >> >to prevent the client from accepting a bad certificate") seem >>particularly >> >relevant. >> > >> >Thanks, >> >--David >> > >> >> -----Original Message----- >> >> From: Stefan Santesson [mailto:stefan@aaa-sec.com] >> >> Sent: Wednesday, March 27, 2013 7:44 AM >> >> To: Black, David; sts@aaa-sec.com; mmyers@fastq.com; >>ambarish@gmail.com; >> >> slava.galperin@gmail.com; cadams@eecs.uottawa.ca; gen-art@ietf.org >> >> Cc: pkix@ietf.org; Sean Turner; ietf@ietf.org >> >> Subject: Re: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 >> >> >> >> Hi David, >> >> >> >> Yes I missed to respond to that aspect. >> >> >> >> This is a bit complicated, but we have a large legacy to take into >> >>account >> >> where some responders implements just RFC 2560, while some deliver >> >> pre-generated responses according to RFC 5019 (Light-weight OCSP). LW >> >> responders are not capable of producing a signed response at the >>time of >> >> responding and in case such responder finds a request for a >>certificate >> >> where no pre-produced response exists, it will reply with an unsigned >> >> error response "unauthorized", which also is a legitimate way to >> >>respond. >> >> So the actual OCSP responder may actually know that the certificate >>was >> >> never issued, but since it delivers pre-produced responder through a >> >>CDN, >> >> it can not provide a revoked response in real time. >> >> >> >> So the major aim with the current writing is to declare that the >>revoked >> >> response is a MAY because there are other valid alternatives. >> >> >> >> We also want to avoid putting down a SHOULD respond revoked if a >> >> certificate is known to be not-issued, because that would require us >>to >> >> define what "known to be non-issued" actually means. And that could >>be >> >> quite tricky as OCSP responders by no means are required to have this >> >> knowledge. >> >> >> >> The OCSP responder simply have a number of tools to prevent the >>client >> >> from accepting a bad certificate. >> >> This update of OCSP simply allows responders to use the "revoked" >> >>response >> >> as a preventive measure, without mandating it. >> >> >> >> This is also related to activities in the CA Browser Forum where they >> >>put >> >> down requirements on responders complying with CAB rules to not >>respond >> >> "good" to certificates that were never issued. >> >> With this update in OCSP, they can now mandate in their policies both >> >>the >> >> fact that their responders MUST know if a certificate was never >>issued >> >>and >> >> MUST respond "revoked". >> >> >> >> So we allow other communities to raise the bar even if the base >>standard >> >> defines the response as optional. >> >> >> >> In theory we could possibly say that responding revoked is optional, >>but >> >> if you choose between revoked and unknown then you SHOULD favour >>revoked >> >> over unknown. But such nested requirements just feels bad and >>impossible >> >> to test compliance against. I'd much rather just leave it optional. I >> >> think the Note gives a clear recommendation on this and the rationale >> >> without spelling it out as a requirement. >> >> >> >> Does this answer your question? >> >> >> >> >> >> On 3/27/13 12:51 AM, "Black, David" wrote: >> >> >> >> >Hi Stefan, >> >> > >> >> >This looks good - thank you for the prompt response. >> >> > >> >> >It looks like my speculation on item [1] was wrong, so could you >> >>respond >> >> >to the question below, please?: >> >> > >> >> >> >[1] Section 2.2: >> >> >> > >> >> >> > NOTE: The "revoked" state for known non-issued >>certificate serial >> >> >> > numbers is allowed in order to reduce the risk of >>relying >> >> >> > parties using CRLs as a fall back mechanism, >>which would be >> >> >> > considerably higher if an "unknown" response was >>returned. >> >> >> > >> >> >> >Given this explanation, I'm surprised that the use of "revoked" >> >> >>instead of >> >> >> >"unknown" for a known non-issued certificate is a "MAY" >>requirement >> >>and >> >> >> >not a "SHOULD" requirement. Why is that the case? >> >> > >> >> >-------------- >> >> > >> >> >Beyond that, the proposed actions (or proposed non-actions) on items >> >> >[2]-[5] >> >> >are fine with me, Sean's taken care of the author permissions item >>from >> >> >idnits, and I assume someone has or will check the ASN.1 . >> >> > >> >> >Thanks, >> >> >--David >> >> > >> >> >> -----Original Message----- >> >> >> From: Stefan Santesson [mailto:stefan@aaa-sec.com] >> >> >> Sent: Monday, March 25, 2013 10:21 PM >> >> >> To: Black, David; sts@aaa-sec.com; mmyers@fastq.com; >> >>ambarish@gmail.com; >> >> >> slava.galperin@gmail.com; cadams@eecs.uottawa.ca; gen-art@ietf.org >> >> >> Cc: pkix@ietf.org; Sean Turner; ietf@ietf.org >> >> >> Subject: Re: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 >> >> >> >> >> >> Hi David, >> >> >> >> >> >> Thanks for the review. >> >> >> My reply in line. >> >> >> >> >> >> On 3/26/13 1:25 AM, "Black, David" wrote: >> >> >> >> >> >> >Authors, >> >> >> > >> >> >> >I am the assigned Gen-ART reviewer for this draft. For >>background on >> >> >> >Gen-ART, please >> >> >> >see the FAQ at >> >> >>. >> >> >> > >> >> >> >Please resolve these comments along with any other Last Call >> >>comments >> >> >>you >> >> >> >may receive. >> >> >> > >> >> >> >Document: draft-ietf-pkix-rfc2560bis-15 >> >> >> >Reviewer: David L. Black >> >> >> >Review Date: March 25, 2013 >> >> >> >IETF LC End Date: March 27, 2013 >> >> >> > >> >> >> >Summary: >> >> >> >This draft is on the right track but has open issues, described >>in >> >>the >> >> >> >review. >> >> >> > >> >> >> >This draft updates the OCSP protocol for obtaining certificate >> >>status >> >> >> >with some minor extensions. >> >> >> > >> >> >> >Because this is a "bis" draft, I reviewed the diffs against RFC >> >>2560. >> >> >> > >> >> >> >I did not check the ASN.1. I also did not see a writeup for this >> >>draft >> >> >> >in the data tracker, and so will rely on the document shepherd to >> >> >> >ensure that the ASN.1 has been checked when the writeup is >>prepared. >> >> >> > >> >> >> >I found five open issues, all of which are minor, plus one idnits >> >>item >> >> >> >that is probably ok, but should be double-checked. >> >> >> > >> >> >> >Minor issues: >> >> >> > >> >> >> >[1] Section 2.2: >> >> >> > >> >> >> > NOTE: The "revoked" state for known non-issued >>certificate serial >> >> >> > numbers is allowed in order to reduce the risk of >>relying >> >> >> > parties using CRLs as a fall back mechanism, >>which would be >> >> >> > considerably higher if an "unknown" response was >>returned. >> >> >> > >> >> >> >Given this explanation, I'm surprised that the use of "revoked" >> >> >>instead of >> >> >> >"unknown" for a known non-issued certificate is a "MAY" >>requirement >> >>and >> >> >> >not a "SHOULD" requirement. Why is that the case? >> >> >> > >> >> >> >It appears that the reason is that the use of "revoked" in this >> >> >>situation >> >> >> >may be dangerous when serial numbers can be predicted for >> >>certificates >> >> >> >that >> >> >> >will be issued in the future. If that's what's going on, this >> >>concern >> >> >>is >> >> >> >already explained in the security considerations section, but it >> >>should >> >> >> >also be mentioned here for completeness. >> >> >> >> >> >> No, this is not the main reason. The main reason is the one stated >> >>as a >> >> >> Note: in this section: >> >> >> >> >> >> NOTE: The "revoked" state for known non-issued certificate serial >> >> >>numbers >> >> >> is allowed in order to reduce the risk of relying parties using >>CRLs >> >>as >> >> >>a >> >> >> fall back mechanism, which would be considerably higher if an >> >>"unknown" >> >> >> response was returned. >> >> >> >> >> >> >> >> >> > >> >> >> >[2] Section 4.2.2.2: >> >> >> > >> >> >> > The key that signs a certificate's status information >>need not be >> >>the >> >> >> > same key that signed the certificate. It is necessary >>however to >> >> >> > ensure that the entity signing this information is >>authorized to >> do >> >> >> > so. Therefore, a certificate's issuer MAY either sign >>the OCSP >> >> >> > responses itself or it MAY explicitly designate this >>authority to >> >> >> > another entity. >> >> >> > >> >> >> >The two instances of "MAY" in the above text were both "MUST" in >>RFC >> >> >>2560. >> >> >> > >> >> >> >The RFC 2560 text construction of "MUST" or "MUST" is a bit odd, >>but >> >> >>the two >> >> >> >"MAY"s in this draft are even worse, as they allow "MAY do >>something >> >> >>else >> >> >> >entirely", despite being enclosed in an either-or construct. I >> >> >>strongly >> >> >> >suspect that the latter was not intended, so the following would >>be >> >> >> >clearer: >> >> >> > >> >> >> > The key that signs a certificate's status information >>need not be >> >>the >> >> >> > same key that signed the certificate. It is necessary >>however to >> >> >> > ensure that the entity signing this information is >>authorized to >> do >> >> >> > so. Therefore, a certificate's issuer MUST do one of the >> >>following: >> >> >> > - sign the OCSP responses itself, or >> >> >> > - explicitly designate this authority to another >>entity. >> >> >> >> >> >> >> >> >> I Agree. I will adopt your text. >> >> >> >> >> >> > >> >> >> >[3] Section 4.3: >> >> >> > >> >> >> >Is the "SHOULD" requirement still appropriate for the DSA with >>SHA-1 >> >> >>combo >> >> >> >(vs. a "MAY" requirement)? This requirement was a "MUST" in RFC >> >>2560, >> >> >>but >> >> >> >I wonder about actual usage of DSA in practice. >> >> >> >> >> >> The change in algorithm requirements was provided by RFC 6277, and >> >> >>further >> >> >> refined in this draft in accordance with requests from Sean >>Turner. >> >> >> >> >> >> > >> >> >> >[4] Section 5, last paragraph: >> >> >> > >> >> >> > Responding a "revoked" state to certificate that has >>never been >> >> >> > issued may enable someone to obtain a revocation response >>for a >> >> >> > certificate that is not yet issued, but soon will be >>issued, if >> the >> >> >> > CA issues certificates using sequential certificate >>serial number >> >> >> > assignment. >> >> >> > >> >> >> >The above text after starting with the "if" is too narrow - it >> >>should >> >> >>say: >> >> >> > >> >> >> > if the certificate serial number of the certificate that >> >> >> > will be issued can be predicted or guessed by the >>requester. >> >> >> > Such prediction is easy for a CA that issues certificates >> >> >> > using sequential certificate serial number assignment. >> >> >> > >> >> >> >There's also a nit in original text - its first line should be: >> >> >> > >> >> >> > Responding with a "revoked" state for a certificate that >>has never >> >> >>been >> >> >> >> >> >> Good suggestions. I will update accordingly. >> >> >> >> >> >> > >> >> >> >[5] Section 5.1.1: >> >> >> > >> >> >> > In archival applications it is quite possible that an OCSP >> >>responder >> >> >> > might be asked to report the validity of a certificate on >>a date >> in >> >> >> > the distant past. Such a certificate might employ a >>signing method >> >> >> > that is no longer considered acceptably secure. In such >> >> >> > circumstances the responder MUST NOT generate a signature >>using a >> >> >> > signing mechanism that is not considered acceptably >>secure. >> >> >> > >> >> >> >This could use an additional warning that certificate archival >> >>should >> >> >> >not rely solely on signatures in archived certificates for >>ensuring >> >>the >> >> >> >validity and integrity of the archived certificates because the >> >> >>signature >> >> >> >algorithm(s) may transition to no longer being considered >>acceptably >> >> >> >secure at some point after the certificates are archived. >> >> >> >> >> >> This note if I remember correctly is imported from RFC 6277, >>which is >> >> >> incorporated into this document. The reason behind the text is >>only >> >>to >> >> >> avoid usages of insecure algorithms. >> >> >> Historical validation is a real can of worms that I really would >> >>like to >> >> >> keep a tight lid on. I really want to avoid doing recommendations >>in >> >> >>this >> >> >> space as it may trigger a whole flood of things that could be >>equally >> >> >> important to say about this subject. >> >> >> >> >> >> > >> >> >> >Nits: >> >> >> > >> >> >> >idnits 2.12.15 said: >> >> >> > >> >> >> > -- The document seems to lack a disclaimer for pre-RFC5378 >>work, >> >>but >> >> >>may >> >> >> > have content which was first submitted before 10 November >>2008. >> >> >>If >> >> >> >you >> >> >> > have contacted all the original authors and they are all >> >>willing >> >> >>to >> >> >> >grant >> >> >> > the BCP78 rights to the IETF Trust, then this is fine, and >>you >> >>can >> >> >> >ignore >> >> >> > this comment. If not, you may need to add the pre-RFC5378 >> >> >> >disclaimer. >> >> >> > (See the Legal Provisions document at >> >> >> > http://trustee.ietf.org/license-info for more information.) >> >> >> > >> >> >> >This looks like it's ok because all the authors of RFC 2560 are >>also >> >> >> >authors of >> >> >> >this draft, but it should be double-checked. >> >> >> >> >> >> >> >> >> I defer this one to Sean. I think he has this one under control. >> >> >> >> >> >> >> >> >> Thanks again for the review. >> >> >> >> >> >> /Stefan >> >> >> >> >> >> >> >> >> > >> >> >> >Thanks, >> >> >> >--David >> >> >> >---------------------------------------------------- >> >> >> >David L. Black, Distinguished Engineer >> >> >> >EMC Corporation, 176 South St., Hopkinton, MA 01748 >> >> >> >+1 (508) 293-7953 FAX: +1 (508) 293-7786 >> >> >> >david.black@emc.com Mobile: +1 (978) 394-7754 >> >> >> >---------------------------------------------------- >> >> >> > >> >> >> > >> >> >> >> >> >> >> >> > >> >> >> >> >> > >> >> > From david.black@emc.com Wed Mar 27 07:30:48 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06EB721F912B; Wed, 27 Mar 2013 07:30:48 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.599 X-Spam-Level: X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m2q0N1G6T0yz; Wed, 27 Mar 2013 07:30:46 -0700 (PDT) Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id EC75E21F9140; Wed, 27 Mar 2013 07:30:34 -0700 (PDT) Received: from hop04-l1d11-si02.isus.emc.com (HOP04-L1D11-SI02.isus.emc.com [10.254.111.55]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r2REUA3S027507 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 27 Mar 2013 10:30:11 -0400 Received: from mailhub.lss.emc.com (mailhubhoprd01.lss.emc.com [10.254.221.251]) by hop04-l1d11-si02.isus.emc.com (RSA Interceptor); Wed, 27 Mar 2013 10:30:05 -0400 Received: from mxhub32.corp.emc.com (mxhub32.corp.emc.com [128.222.70.172]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r2REU2uG005177; Wed, 27 Mar 2013 10:30:03 -0400 Received: from mx15a.corp.emc.com ([169.254.1.81]) by mxhub32.corp.emc.com ([128.222.70.172]) with mapi; Wed, 27 Mar 2013 10:30:02 -0400 From: "Black, David" To: Stefan Santesson , "sts@aaa-sec.com" , "mmyers@fastq.com" , "ambarish@gmail.com" , "slava.galperin@gmail.com" , "cadams@eecs.uottawa.ca" , "gen-art@ietf.org" Date: Wed, 27 Mar 2013 10:30:01 -0400 Thread-Topic: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 Thread-Index: Ac4q4WTuNCfXXbFoRiakprKeTlGimgAFVYQg Message-ID: <8D3D17ACE214DC429325B2B98F3AE71293D36628@MX15A.corp.emc.com> References: <8D3D17ACE214DC429325B2B98F3AE71293D36522@MX15A.corp.emc.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-EMM-MHVC: 1 X-Mailman-Approved-At: Thu, 28 Mar 2013 07:33:50 -0700 Cc: "pkix@ietf.org" , "ietf@ietf.org" , "Black, David" Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 27 Mar 2013 14:30:48 -0000 Hi Stefan, > Does this answer your question? Yes, please add some of that explanation to the next version of the draft ;= -). Coverage of existing responder behavior/limitations (important "running cod= e" concerns, IMHO) and alternatives to using "revoked" ("have a number of tool= s to prevent the client from accepting a bad certificate") seem particularly relevant. Thanks, --David > -----Original Message----- > From: Stefan Santesson [mailto:stefan@aaa-sec.com] > Sent: Wednesday, March 27, 2013 7:44 AM > To: Black, David; sts@aaa-sec.com; mmyers@fastq.com; ambarish@gmail.com; > slava.galperin@gmail.com; cadams@eecs.uottawa.ca; gen-art@ietf.org > Cc: pkix@ietf.org; Sean Turner; ietf@ietf.org > Subject: Re: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 >=20 > Hi David, >=20 > Yes I missed to respond to that aspect. >=20 > This is a bit complicated, but we have a large legacy to take into accoun= t > where some responders implements just RFC 2560, while some deliver > pre-generated responses according to RFC 5019 (Light-weight OCSP). LW > responders are not capable of producing a signed response at the time of > responding and in case such responder finds a request for a certificate > where no pre-produced response exists, it will reply with an unsigned > error response "unauthorized", which also is a legitimate way to respond. > So the actual OCSP responder may actually know that the certificate was > never issued, but since it delivers pre-produced responder through a CDN, > it can not provide a revoked response in real time. >=20 > So the major aim with the current writing is to declare that the revoked > response is a MAY because there are other valid alternatives. >=20 > We also want to avoid putting down a SHOULD respond revoked if a > certificate is known to be not-issued, because that would require us to > define what "known to be non-issued" actually means. And that could be > quite tricky as OCSP responders by no means are required to have this > knowledge. >=20 > The OCSP responder simply have a number of tools to prevent the client > from accepting a bad certificate. > This update of OCSP simply allows responders to use the "revoked" respons= e > as a preventive measure, without mandating it. >=20 > This is also related to activities in the CA Browser Forum where they put > down requirements on responders complying with CAB rules to not respond > "good" to certificates that were never issued. > With this update in OCSP, they can now mandate in their policies both the > fact that their responders MUST know if a certificate was never issued an= d > MUST respond "revoked". >=20 > So we allow other communities to raise the bar even if the base standard > defines the response as optional. >=20 > In theory we could possibly say that responding revoked is optional, but > if you choose between revoked and unknown then you SHOULD favour revoked > over unknown. But such nested requirements just feels bad and impossible > to test compliance against. I'd much rather just leave it optional. I > think the Note gives a clear recommendation on this and the rationale > without spelling it out as a requirement. >=20 > Does this answer your question? >=20 >=20 > On 3/27/13 12:51 AM, "Black, David" wrote: >=20 > >Hi Stefan, > > > >This looks good - thank you for the prompt response. > > > >It looks like my speculation on item [1] was wrong, so could you respond > >to the question below, please?: > > > >> >[1] Section 2.2: > >> > > >> > NOTE: The "revoked" state for known non-issued certificate serial > >> > numbers is allowed in order to reduce the risk of relying > >> > parties using CRLs as a fall back mechanism, which would be > >> > considerably higher if an "unknown" response was returned. > >> > > >> >Given this explanation, I'm surprised that the use of "revoked" > >>instead of > >> >"unknown" for a known non-issued certificate is a "MAY" requirement a= nd > >> >not a "SHOULD" requirement. Why is that the case? > > > >-------------- > > > >Beyond that, the proposed actions (or proposed non-actions) on items > >[2]-[5] > >are fine with me, Sean's taken care of the author permissions item from > >idnits, and I assume someone has or will check the ASN.1 . > > > >Thanks, > >--David > > > >> -----Original Message----- > >> From: Stefan Santesson [mailto:stefan@aaa-sec.com] > >> Sent: Monday, March 25, 2013 10:21 PM > >> To: Black, David; sts@aaa-sec.com; mmyers@fastq.com; ambarish@gmail.co= m; > >> slava.galperin@gmail.com; cadams@eecs.uottawa.ca; gen-art@ietf.org > >> Cc: pkix@ietf.org; Sean Turner; ietf@ietf.org > >> Subject: Re: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 > >> > >> Hi David, > >> > >> Thanks for the review. > >> My reply in line. > >> > >> On 3/26/13 1:25 AM, "Black, David" wrote: > >> > >> >Authors, > >> > > >> >I am the assigned Gen-ART reviewer for this draft. For background on > >> >Gen-ART, please > >> >see the FAQ at > >>. > >> > > >> >Please resolve these comments along with any other Last Call comments > >>you > >> >may receive. > >> > > >> >Document: draft-ietf-pkix-rfc2560bis-15 > >> >Reviewer: David L. Black > >> >Review Date: March 25, 2013 > >> >IETF LC End Date: March 27, 2013 > >> > > >> >Summary: > >> >This draft is on the right track but has open issues, described in th= e > >> >review. > >> > > >> >This draft updates the OCSP protocol for obtaining certificate status > >> >with some minor extensions. > >> > > >> >Because this is a "bis" draft, I reviewed the diffs against RFC 2560. > >> > > >> >I did not check the ASN.1. I also did not see a writeup for this dra= ft > >> >in the data tracker, and so will rely on the document shepherd to > >> >ensure that the ASN.1 has been checked when the writeup is prepared. > >> > > >> >I found five open issues, all of which are minor, plus one idnits ite= m > >> >that is probably ok, but should be double-checked. > >> > > >> >Minor issues: > >> > > >> >[1] Section 2.2: > >> > > >> > NOTE: The "revoked" state for known non-issued certificate serial > >> > numbers is allowed in order to reduce the risk of relying > >> > parties using CRLs as a fall back mechanism, which would be > >> > considerably higher if an "unknown" response was returned. > >> > > >> >Given this explanation, I'm surprised that the use of "revoked" > >>instead of > >> >"unknown" for a known non-issued certificate is a "MAY" requirement a= nd > >> >not a "SHOULD" requirement. Why is that the case? > >> > > >> >It appears that the reason is that the use of "revoked" in this > >>situation > >> >may be dangerous when serial numbers can be predicted for certificate= s > >> >that > >> >will be issued in the future. If that's what's going on, this concer= n > >>is > >> >already explained in the security considerations section, but it shou= ld > >> >also be mentioned here for completeness. > >> > >> No, this is not the main reason. The main reason is the one stated as = a > >> Note: in this section: > >> > >> NOTE: The "revoked" state for known non-issued certificate serial > >>numbers > >> is allowed in order to reduce the risk of relying parties using CRLs a= s > >>a > >> fall back mechanism, which would be considerably higher if an "unknown= " > >> response was returned. > >> > >> > >> > > >> >[2] Section 4.2.2.2: > >> > > >> > The key that signs a certificate's status information need not be th= e > >> > same key that signed the certificate. It is necessary however to > >> > ensure that the entity signing this information is authorized to do > >> > so. Therefore, a certificate's issuer MAY either sign the OCSP > >> > responses itself or it MAY explicitly designate this authority to > >> > another entity. > >> > > >> >The two instances of "MAY" in the above text were both "MUST" in RFC > >>2560. > >> > > >> >The RFC 2560 text construction of "MUST" or "MUST" is a bit odd, but > >>the two > >> >"MAY"s in this draft are even worse, as they allow "MAY do something > >>else > >> >entirely", despite being enclosed in an either-or construct. I > >>strongly > >> >suspect that the latter was not intended, so the following would be > >> >clearer: > >> > > >> > The key that signs a certificate's status information need not be th= e > >> > same key that signed the certificate. It is necessary however to > >> > ensure that the entity signing this information is authorized to do > >> > so. Therefore, a certificate's issuer MUST do one of the following: > >> > - sign the OCSP responses itself, or > >> > - explicitly designate this authority to another entity. > >> > >> > >> I Agree. I will adopt your text. > >> > >> > > >> >[3] Section 4.3: > >> > > >> >Is the "SHOULD" requirement still appropriate for the DSA with SHA-1 > >>combo > >> >(vs. a "MAY" requirement)? This requirement was a "MUST" in RFC 2560= , > >>but > >> >I wonder about actual usage of DSA in practice. > >> > >> The change in algorithm requirements was provided by RFC 6277, and > >>further > >> refined in this draft in accordance with requests from Sean Turner. > >> > >> > > >> >[4] Section 5, last paragraph: > >> > > >> > Responding a "revoked" state to certificate that has never been > >> > issued may enable someone to obtain a revocation response for a > >> > certificate that is not yet issued, but soon will be issued, if the > >> > CA issues certificates using sequential certificate serial number > >> > assignment. > >> > > >> >The above text after starting with the "if" is too narrow - it should > >>say: > >> > > >> > if the certificate serial number of the certificate that > >> > will be issued can be predicted or guessed by the requester. > >> > Such prediction is easy for a CA that issues certificates > >> > using sequential certificate serial number assignment. > >> > > >> >There's also a nit in original text - its first line should be: > >> > > >> > Responding with a "revoked" state for a certificate that has never > >>been > >> > >> Good suggestions. I will update accordingly. > >> > >> > > >> >[5] Section 5.1.1: > >> > > >> > In archival applications it is quite possible that an OCSP responder > >> > might be asked to report the validity of a certificate on a date in > >> > the distant past. Such a certificate might employ a signing method > >> > that is no longer considered acceptably secure. In such > >> > circumstances the responder MUST NOT generate a signature using a > >> > signing mechanism that is not considered acceptably secure. > >> > > >> >This could use an additional warning that certificate archival should > >> >not rely solely on signatures in archived certificates for ensuring t= he > >> >validity and integrity of the archived certificates because the > >>signature > >> >algorithm(s) may transition to no longer being considered acceptably > >> >secure at some point after the certificates are archived. > >> > >> This note if I remember correctly is imported from RFC 6277, which is > >> incorporated into this document. The reason behind the text is only to > >> avoid usages of insecure algorithms. > >> Historical validation is a real can of worms that I really would like = to > >> keep a tight lid on. I really want to avoid doing recommendations in > >>this > >> space as it may trigger a whole flood of things that could be equally > >> important to say about this subject. > >> > >> > > >> >Nits: > >> > > >> >idnits 2.12.15 said: > >> > > >> > -- The document seems to lack a disclaimer for pre-RFC5378 work, bu= t > >>may > >> > have content which was first submitted before 10 November 2008. > >>If > >> >you > >> > have contacted all the original authors and they are all willing > >>to > >> >grant > >> > the BCP78 rights to the IETF Trust, then this is fine, and you c= an > >> >ignore > >> > this comment. If not, you may need to add the pre-RFC5378 > >> >disclaimer. > >> > (See the Legal Provisions document at > >> > http://trustee.ietf.org/license-info for more information.) > >> > > >> >This looks like it's ok because all the authors of RFC 2560 are also > >> >authors of > >> >this draft, but it should be double-checked. > >> > >> > >> I defer this one to Sean. I think he has this one under control. > >> > >> > >> Thanks again for the review. > >> > >> /Stefan > >> > >> > >> > > >> >Thanks, > >> >--David > >> >---------------------------------------------------- > >> >David L. Black, Distinguished Engineer > >> >EMC Corporation, 176 South St., Hopkinton, MA 01748 > >> >+1 (508) 293-7953 FAX: +1 (508) 293-7786 > >> >david.black@emc.com Mobile: +1 (978) 394-7754 > >> >---------------------------------------------------- > >> > > >> > > >> > >> > > >=20 >=20 From david.black@emc.com Wed Mar 27 09:14:47 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D602A21F9145; Wed, 27 Mar 2013 09:14:46 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.599 X-Spam-Level: X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pxTVQYBlErm6; Wed, 27 Mar 2013 09:14:45 -0700 (PDT) Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 27D5621F9068; Wed, 27 Mar 2013 09:14:44 -0700 (PDT) Received: from hop04-l1d11-si03.isus.emc.com (HOP04-L1D11-SI03.isus.emc.com [10.254.111.23]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r2RG8xbe023144 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 27 Mar 2013 12:09:01 -0400 Received: from mailhub.lss.emc.com (mailhubhoprd03.lss.emc.com [10.254.221.145]) by hop04-l1d11-si03.isus.emc.com (RSA Interceptor); Wed, 27 Mar 2013 12:08:36 -0400 Received: from mxhub18.corp.emc.com (mxhub18.corp.emc.com [10.254.93.47]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r2RG8ZR6023355; Wed, 27 Mar 2013 12:08:35 -0400 Received: from mx15a.corp.emc.com ([169.254.1.81]) by mxhub18.corp.emc.com ([10.254.93.47]) with mapi; Wed, 27 Mar 2013 12:08:35 -0400 From: "Black, David" To: Stefan Santesson , "sts@aaa-sec.com" , "mmyers@fastq.com" , "ambarish@gmail.com" , "slava.galperin@gmail.com" , "cadams@eecs.uottawa.ca" , "gen-art@ietf.org" Date: Wed, 27 Mar 2013 12:08:34 -0400 Thread-Topic: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 Thread-Index: Ac4rAVGqYq2FrO/+RmysvI+sb7z05gAAukAg Message-ID: <8D3D17ACE214DC429325B2B98F3AE71293D366B6@MX15A.corp.emc.com> References: <8D3D17ACE214DC429325B2B98F3AE71293D36628@MX15A.corp.emc.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-EMM-MHVC: 1 X-Mailman-Approved-At: Thu, 28 Mar 2013 07:33:50 -0700 Cc: "pkix@ietf.org" , "ietf@ietf.org" , "Black, David" Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 27 Mar 2013 16:14:47 -0000 Stefan, > Is this important enough to do that? IMHO, yes - the "running code" aspects of existing responder behavior/limit= ations are definitely important enough for an RFC like this that revises a protoco= l spec, and the alternatives to "revoked" feel like an important complement to thos= e aspects (discussion what to do instead when responder behavior/limitations = are encountered). I appreciate the level of work that may be involved in capturing this, as I've had my share of contentious discussions in WGs that I chair - FWIW, I'm currently chairing my 4th and 5th WGs. OTOH, when a WG has put that mu= ch time/effort into reaching a (compromise) decision, it really is valuable to record why the decision was reached to avoid recovering that ground in the future and (specific to this situation) to give implementers some more context/information on how the protocol is likely to work in practice. Thanks, --David > -----Original Message----- > From: Stefan Santesson [mailto:stefan@aaa-sec.com] > Sent: Wednesday, March 27, 2013 11:38 AM > To: Black, David; sts@aaa-sec.com; mmyers@fastq.com; ambarish@gmail.com; > slava.galperin@gmail.com; cadams@eecs.uottawa.ca; gen-art@ietf.org > Cc: pkix@ietf.org; Sean Turner; ietf@ietf.org > Subject: Re: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 > > I could. > > My worry is just that this is such a contentious subject and it took us x > hundreds of emails to reach this state, that if I add more explanations, > people will start disagreeing with it and that we end up in a long debate > on how to correctly express this. > > Is this important enough to do that? > > /Stefan > > > On 3/27/13 3:30 PM, "Black, David" wrote: > > >Hi Stefan, > > > >> Does this answer your question? > > > >Yes, please add some of that explanation to the next version of the draf= t > >;-). > >Coverage of existing responder behavior/limitations (important "running > >code" > >concerns, IMHO) and alternatives to using "revoked" ("have a number of > >tools > >to prevent the client from accepting a bad certificate") seem particular= ly > >relevant. > > > >Thanks, > >--David > > > >> -----Original Message----- > >> From: Stefan Santesson [mailto:stefan@aaa-sec.com] > >> Sent: Wednesday, March 27, 2013 7:44 AM > >> To: Black, David; sts@aaa-sec.com; mmyers@fastq.com; ambarish@gmail.co= m; > >> slava.galperin@gmail.com; cadams@eecs.uottawa.ca; gen-art@ietf.org > >> Cc: pkix@ietf.org; Sean Turner; ietf@ietf.org > >> Subject: Re: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 > >> > >> Hi David, > >> > >> Yes I missed to respond to that aspect. > >> > >> This is a bit complicated, but we have a large legacy to take into > >>account > >> where some responders implements just RFC 2560, while some deliver > >> pre-generated responses according to RFC 5019 (Light-weight OCSP). LW > >> responders are not capable of producing a signed response at the time = of > >> responding and in case such responder finds a request for a certificat= e > >> where no pre-produced response exists, it will reply with an unsigned > >> error response "unauthorized", which also is a legitimate way to > >>respond. > >> So the actual OCSP responder may actually know that the certificate wa= s > >> never issued, but since it delivers pre-produced responder through a > >>CDN, > >> it can not provide a revoked response in real time. > >> > >> So the major aim with the current writing is to declare that the revok= ed > >> response is a MAY because there are other valid alternatives. > >> > >> We also want to avoid putting down a SHOULD respond revoked if a > >> certificate is known to be not-issued, because that would require us t= o > >> define what "known to be non-issued" actually means. And that could be > >> quite tricky as OCSP responders by no means are required to have this > >> knowledge. > >> > >> The OCSP responder simply have a number of tools to prevent the client > >> from accepting a bad certificate. > >> This update of OCSP simply allows responders to use the "revoked" > >>response > >> as a preventive measure, without mandating it. > >> > >> This is also related to activities in the CA Browser Forum where they > >>put > >> down requirements on responders complying with CAB rules to not respon= d > >> "good" to certificates that were never issued. > >> With this update in OCSP, they can now mandate in their policies both > >>the > >> fact that their responders MUST know if a certificate was never issued > >>and > >> MUST respond "revoked". > >> > >> So we allow other communities to raise the bar even if the base standa= rd > >> defines the response as optional. > >> > >> In theory we could possibly say that responding revoked is optional, b= ut > >> if you choose between revoked and unknown then you SHOULD favour revok= ed > >> over unknown. But such nested requirements just feels bad and impossib= le > >> to test compliance against. I'd much rather just leave it optional. I > >> think the Note gives a clear recommendation on this and the rationale > >> without spelling it out as a requirement. > >> > >> Does this answer your question? > >> > >> > >> On 3/27/13 12:51 AM, "Black, David" wrote: > >> > >> >Hi Stefan, > >> > > >> >This looks good - thank you for the prompt response. > >> > > >> >It looks like my speculation on item [1] was wrong, so could you > >>respond > >> >to the question below, please?: > >> > > >> >> >[1] Section 2.2: > >> >> > > >> >> > NOTE: The "revoked" state for known non-issued certificate = serial > >> >> > numbers is allowed in order to reduce the risk of r= elying > >> >> > parties using CRLs as a fall back mechanism, which = would be > >> >> > considerably higher if an "unknown" response was re= turned. > >> >> > > >> >> >Given this explanation, I'm surprised that the use of "revoked" > >> >>instead of > >> >> >"unknown" for a known non-issued certificate is a "MAY" requiremen= t > >>and > >> >> >not a "SHOULD" requirement. Why is that the case? > >> > > >> >-------------- > >> > > >> >Beyond that, the proposed actions (or proposed non-actions) on items > >> >[2]-[5] > >> >are fine with me, Sean's taken care of the author permissions item fr= om > >> >idnits, and I assume someone has or will check the ASN.1 . > >> > > >> >Thanks, > >> >--David > >> > > >> >> -----Original Message----- > >> >> From: Stefan Santesson [mailto:stefan@aaa-sec.com] > >> >> Sent: Monday, March 25, 2013 10:21 PM > >> >> To: Black, David; sts@aaa-sec.com; mmyers@fastq.com; > >>ambarish@gmail.com; > >> >> slava.galperin@gmail.com; cadams@eecs.uottawa.ca; gen-art@ietf.org > >> >> Cc: pkix@ietf.org; Sean Turner; ietf@ietf.org > >> >> Subject: Re: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 > >> >> > >> >> Hi David, > >> >> > >> >> Thanks for the review. > >> >> My reply in line. > >> >> > >> >> On 3/26/13 1:25 AM, "Black, David" wrote: > >> >> > >> >> >Authors, > >> >> > > >> >> >I am the assigned Gen-ART reviewer for this draft. For background = on > >> >> >Gen-ART, please > >> >> >see the FAQ at > >> >>. > >> >> > > >> >> >Please resolve these comments along with any other Last Call > >>comments > >> >>you > >> >> >may receive. > >> >> > > >> >> >Document: draft-ietf-pkix-rfc2560bis-15 > >> >> >Reviewer: David L. Black > >> >> >Review Date: March 25, 2013 > >> >> >IETF LC End Date: March 27, 2013 > >> >> > > >> >> >Summary: > >> >> >This draft is on the right track but has open issues, described in > >>the > >> >> >review. > >> >> > > >> >> >This draft updates the OCSP protocol for obtaining certificate > >>status > >> >> >with some minor extensions. > >> >> > > >> >> >Because this is a "bis" draft, I reviewed the diffs against RFC > >>2560. > >> >> > > >> >> >I did not check the ASN.1. I also did not see a writeup for this > >>draft > >> >> >in the data tracker, and so will rely on the document shepherd to > >> >> >ensure that the ASN.1 has been checked when the writeup is prepare= d. > >> >> > > >> >> >I found five open issues, all of which are minor, plus one idnits > >>item > >> >> >that is probably ok, but should be double-checked. > >> >> > > >> >> >Minor issues: > >> >> > > >> >> >[1] Section 2.2: > >> >> > > >> >> > NOTE: The "revoked" state for known non-issued certificate = serial > >> >> > numbers is allowed in order to reduce the risk of r= elying > >> >> > parties using CRLs as a fall back mechanism, which = would be > >> >> > considerably higher if an "unknown" response was re= turned. > >> >> > > >> >> >Given this explanation, I'm surprised that the use of "revoked" > >> >>instead of > >> >> >"unknown" for a known non-issued certificate is a "MAY" requiremen= t > >>and > >> >> >not a "SHOULD" requirement. Why is that the case? > >> >> > > >> >> >It appears that the reason is that the use of "revoked" in this > >> >>situation > >> >> >may be dangerous when serial numbers can be predicted for > >>certificates > >> >> >that > >> >> >will be issued in the future. If that's what's going on, this > >>concern > >> >>is > >> >> >already explained in the security considerations section, but it > >>should > >> >> >also be mentioned here for completeness. > >> >> > >> >> No, this is not the main reason. The main reason is the one stated > >>as a > >> >> Note: in this section: > >> >> > >> >> NOTE: The "revoked" state for known non-issued certificate serial > >> >>numbers > >> >> is allowed in order to reduce the risk of relying parties using CRL= s > >>as > >> >>a > >> >> fall back mechanism, which would be considerably higher if an > >>"unknown" > >> >> response was returned. > >> >> > >> >> > >> >> > > >> >> >[2] Section 4.2.2.2: > >> >> > > >> >> > The key that signs a certificate's status information need = not be > >>the > >> >> > same key that signed the certificate. It is necessary howev= er to > >> >> > ensure that the entity signing this information is authoriz= ed to > do > >> >> > so. Therefore, a certificate's issuer MAY either sign the = OCSP > >> >> > responses itself or it MAY explicitly designate this author= ity to > >> >> > another entity. > >> >> > > >> >> >The two instances of "MAY" in the above text were both "MUST" in R= FC > >> >>2560. > >> >> > > >> >> >The RFC 2560 text construction of "MUST" or "MUST" is a bit odd, b= ut > >> >>the two > >> >> >"MAY"s in this draft are even worse, as they allow "MAY do somethi= ng > >> >>else > >> >> >entirely", despite being enclosed in an either-or construct. I > >> >>strongly > >> >> >suspect that the latter was not intended, so the following would b= e > >> >> >clearer: > >> >> > > >> >> > The key that signs a certificate's status information need = not be > >>the > >> >> > same key that signed the certificate. It is necessary howev= er to > >> >> > ensure that the entity signing this information is authoriz= ed to > do > >> >> > so. Therefore, a certificate's issuer MUST do one of the > >>following: > >> >> > - sign the OCSP responses itself, or > >> >> > - explicitly designate this authority to another en= tity. > >> >> > >> >> > >> >> I Agree. I will adopt your text. > >> >> > >> >> > > >> >> >[3] Section 4.3: > >> >> > > >> >> >Is the "SHOULD" requirement still appropriate for the DSA with SHA= -1 > >> >>combo > >> >> >(vs. a "MAY" requirement)? This requirement was a "MUST" in RFC > >>2560, > >> >>but > >> >> >I wonder about actual usage of DSA in practice. > >> >> > >> >> The change in algorithm requirements was provided by RFC 6277, and > >> >>further > >> >> refined in this draft in accordance with requests from Sean Turner. > >> >> > >> >> > > >> >> >[4] Section 5, last paragraph: > >> >> > > >> >> > Responding a "revoked" state to certificate that has never = been > >> >> > issued may enable someone to obtain a revocation response f= or a > >> >> > certificate that is not yet issued, but soon will be issued= , if > the > >> >> > CA issues certificates using sequential certificate serial = number > >> >> > assignment. > >> >> > > >> >> >The above text after starting with the "if" is too narrow - it > >>should > >> >>say: > >> >> > > >> >> > if the certificate serial number of the certificate that > >> >> > will be issued can be predicted or guessed by the requester= . > >> >> > Such prediction is easy for a CA that issues certificates > >> >> > using sequential certificate serial number assignment. > >> >> > > >> >> >There's also a nit in original text - its first line should be: > >> >> > > >> >> > Responding with a "revoked" state for a certificate that ha= s never > >> >>been > >> >> > >> >> Good suggestions. I will update accordingly. > >> >> > >> >> > > >> >> >[5] Section 5.1.1: > >> >> > > >> >> > In archival applications it is quite possible that an OCSP > >>responder > >> >> > might be asked to report the validity of a certificate on a= date > in > >> >> > the distant past. Such a certificate might employ a signing= method > >> >> > that is no longer considered acceptably secure. In such > >> >> > circumstances the responder MUST NOT generate a signature u= sing a > >> >> > signing mechanism that is not considered acceptably secure. > >> >> > > >> >> >This could use an additional warning that certificate archival > >>should > >> >> >not rely solely on signatures in archived certificates for ensurin= g > >>the > >> >> >validity and integrity of the archived certificates because the > >> >>signature > >> >> >algorithm(s) may transition to no longer being considered acceptab= ly > >> >> >secure at some point after the certificates are archived. > >> >> > >> >> This note if I remember correctly is imported from RFC 6277, which = is > >> >> incorporated into this document. The reason behind the text is only > >>to > >> >> avoid usages of insecure algorithms. > >> >> Historical validation is a real can of worms that I really would > >>like to > >> >> keep a tight lid on. I really want to avoid doing recommendations i= n > >> >>this > >> >> space as it may trigger a whole flood of things that could be equal= ly > >> >> important to say about this subject. > >> >> > >> >> > > >> >> >Nits: > >> >> > > >> >> >idnits 2.12.15 said: > >> >> > > >> >> > -- The document seems to lack a disclaimer for pre-RFC5378 work, > >>but > >> >>may > >> >> > have content which was first submitted before 10 November 200= 8. > >> >>If > >> >> >you > >> >> > have contacted all the original authors and they are all > >>willing > >> >>to > >> >> >grant > >> >> > the BCP78 rights to the IETF Trust, then this is fine, and yo= u > >>can > >> >> >ignore > >> >> > this comment. If not, you may need to add the pre-RFC5378 > >> >> >disclaimer. > >> >> > (See the Legal Provisions document at > >> >> > http://trustee.ietf.org/license-info for more information.) > >> >> > > >> >> >This looks like it's ok because all the authors of RFC 2560 are al= so > >> >> >authors of > >> >> >this draft, but it should be double-checked. > >> >> > >> >> > >> >> I defer this one to Sean. I think he has this one under control. > >> >> > >> >> > >> >> Thanks again for the review. > >> >> > >> >> /Stefan > >> >> > >> >> > >> >> > > >> >> >Thanks, > >> >> >--David > >> >> >---------------------------------------------------- > >> >> >David L. Black, Distinguished Engineer > >> >> >EMC Corporation, 176 South St., Hopkinton, MA 01748 > >> >> >+1 (508) 293-7953 FAX: +1 (508) 293-7786 > >> >> >david.black@emc.com Mobile: +1 (978) 394-7754 > >> >> >---------------------------------------------------- > >> >> > > >> >> > > >> >> > >> >> > >> > > >> > >> > > > > From david.black@emc.com Thu Mar 28 07:52:10 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07D7D21F88FB; Thu, 28 Mar 2013 07:52:10 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.599 X-Spam-Level: X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zc8rl+AAJ-qo; Thu, 28 Mar 2013 07:52:08 -0700 (PDT) Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id ED31321F8935; Thu, 28 Mar 2013 07:52:06 -0700 (PDT) Received: from hop04-l1d11-si02.isus.emc.com (HOP04-L1D11-SI02.isus.emc.com [10.254.111.55]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r2SEpcnX019491 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 28 Mar 2013 10:51:39 -0400 Received: from mailhub.lss.emc.com (mailhubhoprd03.lss.emc.com [10.254.221.145]) by hop04-l1d11-si02.isus.emc.com (RSA Interceptor); Thu, 28 Mar 2013 10:51:24 -0400 Received: from mxhub13.corp.emc.com (mxhub13.corp.emc.com [128.222.70.234]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r2SEpNIU024772; Thu, 28 Mar 2013 10:51:23 -0400 Received: from mx15a.corp.emc.com ([169.254.1.81]) by mxhub13.corp.emc.com ([128.222.70.234]) with mapi; Thu, 28 Mar 2013 10:51:22 -0400 From: "Black, David" To: Carlisle Adams , "'Stefan Santesson'" , "sts@aaa-sec.com" , "mmyers@fastq.com" , "ambarish@gmail.com" , "slava.galperin@gmail.com" , "gen-art@ietf.org" Date: Thu, 28 Mar 2013 10:51:22 -0400 Thread-Topic: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 Thread-Index: AQGpRT9g4u5Gd5W5MBiHHaGDqUWdEpkE7WxggAAOGzA= Message-ID: <8D3D17ACE214DC429325B2B98F3AE71293D36935@MX15A.corp.emc.com> References: <8D3D17ACE214DC429325B2B98F3AE71293D366B6@MX15A.corp.emc.com> <014701ce2bbc$2d272830$87757890$@eecs.uottawa.ca> In-Reply-To: <014701ce2bbc$2d272830$87757890$@eecs.uottawa.ca> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-EMM-MHVC: 1 X-Mailman-Approved-At: Thu, 28 Mar 2013 08:04:54 -0700 Cc: "pkix@ietf.org" , "ietf@ietf.org" , "Black, David" Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Mar 2013 14:52:10 -0000 > Does this solve you issue. > I think this is as far as dare to go without risking a heated debate. Yes, that suffices for me - it provides a cogent explanation of why "revoked" is optional, and the existing text on CRLs as a fallback mechanism suffices to illuminate a likely consequence of not using "revoked". Thank you, --David > -----Original Message----- > From: Carlisle Adams [mailto:cadams@eecs.uottawa.ca] > Sent: Thursday, March 28, 2013 9:57 AM > To: 'Stefan Santesson'; Black, David; sts@aaa-sec.com; mmyers@fastq.com; > ambarish@gmail.com; slava.galperin@gmail.com; gen-art@ietf.org > Cc: pkix@ietf.org; 'Sean Turner'; ietf@ietf.org > Subject: RE: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 > > Hi, > > This wording sounds fine to me. Thanks Stefan! > > Carlisle. > > > -----Original Message----- > From: Stefan Santesson [mailto:stefan@aaa-sec.com] > Sent: March-28-13 6:34 AM > To: Black, David; sts@aaa-sec.com; mmyers@fastq.com; ambarish@gmail.com; > slava.galperin@gmail.com; cadams@eecs.uottawa.ca; gen-art@ietf.org > Cc: pkix@ietf.org; Sean Turner; ietf@ietf.org > Subject: Re: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 > > I have given this a go by expanding the note as follows: > > NOTE: The "revoked" state for known non-issued certificate serial > numbers is allowed in order to reduce the risk of relying > parties using CRLs as a fall back mechanism, which would be > considerably higher if an "unknown" response was returned. The > "revoked" status is still optional in this context in order to > maintain backwards compatibility with deployments of RFC 2560. > For example, the responder may not have any knowledge about > whether a requested serial number has been assigned to any > issued certificate, or the responder may provide pre produced > responses in accordance with RFC 5019 and, for that reason, is > not capable of providing a signed response for all non-issued > certificate serial numbers. > > > Does this solve you issue. > I think this is as far as dare to go without risking a heated debate. > > /Stefan > > > On 3/27/13 5:08 PM, "Black, David" wrote: > > >Stefan, > > > >> Is this important enough to do that? > > > >IMHO, yes - the "running code" aspects of existing responder > >behavior/limitations are definitely important enough for an RFC like > >this that revises a protocol spec, and the alternatives to "revoked" > >feel like an important complement to those aspects (discussion what to > >do instead when responder behavior/limitations are encountered). > > > >I appreciate the level of work that may be involved in capturing this, > >as I've had my share of contentious discussions in WGs that I chair - > >FWIW, I'm currently chairing my 4th and 5th WGs. OTOH, when a WG has > >put that much time/effort into reaching a (compromise) decision, it > >really is valuable to record why the decision was reached to avoid > >recovering that ground in the future and (specific to this situation) > >to give implementers some more context/information on how the protocol > >is likely to work in practice. > > > >Thanks, > >--David > > > >> -----Original Message----- > >> From: Stefan Santesson [mailto:stefan@aaa-sec.com] > >> Sent: Wednesday, March 27, 2013 11:38 AM > >> To: Black, David; sts@aaa-sec.com; mmyers@fastq.com; > >> ambarish@gmail.com; slava.galperin@gmail.com; cadams@eecs.uottawa.ca; > >> gen-art@ietf.org > >> Cc: pkix@ietf.org; Sean Turner; ietf@ietf.org > >> Subject: Re: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 > >> > >> I could. > >> > >> My worry is just that this is such a contentious subject and it took > >>us x hundreds of emails to reach this state, that if I add more > >>explanations, people will start disagreeing with it and that we end > >>up in a long debate on how to correctly express this. > >> > >> Is this important enough to do that? > >> > >> /Stefan > >> > >> > >> On 3/27/13 3:30 PM, "Black, David" wrote: > >> > >> >Hi Stefan, > >> > > >> >> Does this answer your question? > >> > > >> >Yes, please add some of that explanation to the next version of the > >>draft > >> >;-). > >> >Coverage of existing responder behavior/limitations (important > >> >"running code" > >> >concerns, IMHO) and alternatives to using "revoked" ("have a number > >> >of tools to prevent the client from accepting a bad certificate") > >> >seem > >>particularly > >> >relevant. > >> > > >> >Thanks, > >> >--David > >> > > >> >> -----Original Message----- > >> >> From: Stefan Santesson [mailto:stefan@aaa-sec.com] > >> >> Sent: Wednesday, March 27, 2013 7:44 AM > >> >> To: Black, David; sts@aaa-sec.com; mmyers@fastq.com; > >>ambarish@gmail.com; > >> >> slava.galperin@gmail.com; cadams@eecs.uottawa.ca; gen-art@ietf.org > >> >> Cc: pkix@ietf.org; Sean Turner; ietf@ietf.org > >> >> Subject: Re: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 > >> >> > >> >> Hi David, > >> >> > >> >> Yes I missed to respond to that aspect. > >> >> > >> >> This is a bit complicated, but we have a large legacy to take into > >> >>account where some responders implements just RFC 2560, while some > >> >>deliver pre-generated responses according to RFC 5019 > >> >>(Light-weight OCSP). LW responders are not capable of producing a > >> >>signed response at the > >>time of > >> >> responding and in case such responder finds a request for a > >>certificate > >> >> where no pre-produced response exists, it will reply with an > >> >>unsigned error response "unauthorized", which also is a legitimate > >> >>way to respond. > >> >> So the actual OCSP responder may actually know that the > >> >>certificate > >>was > >> >> never issued, but since it delivers pre-produced responder through > >> >>a CDN, it can not provide a revoked response in real time. > >> >> > >> >> So the major aim with the current writing is to declare that the > >>revoked > >> >> response is a MAY because there are other valid alternatives. > >> >> > >> >> We also want to avoid putting down a SHOULD respond revoked if a > >> >> certificate is known to be not-issued, because that would require > >> >> us > >>to > >> >> define what "known to be non-issued" actually means. And that > >> >> could > >>be > >> >> quite tricky as OCSP responders by no means are required to have > >> >> this knowledge. > >> >> > >> >> The OCSP responder simply have a number of tools to prevent the > >>client > >> >> from accepting a bad certificate. > >> >> This update of OCSP simply allows responders to use the "revoked" > >> >>response > >> >> as a preventive measure, without mandating it. > >> >> > >> >> This is also related to activities in the CA Browser Forum where > >> >>they put down requirements on responders complying with CAB rules > >> >>to not > >>respond > >> >> "good" to certificates that were never issued. > >> >> With this update in OCSP, they can now mandate in their policies > >> >>both the fact that their responders MUST know if a certificate was > >> >>never > >>issued > >> >>and > >> >> MUST respond "revoked". > >> >> > >> >> So we allow other communities to raise the bar even if the base > >>standard > >> >> defines the response as optional. > >> >> > >> >> In theory we could possibly say that responding revoked is > >> >> optional, > >>but > >> >> if you choose between revoked and unknown then you SHOULD favour > >>revoked > >> >> over unknown. But such nested requirements just feels bad and > >>impossible > >> >> to test compliance against. I'd much rather just leave it > >> >> optional. I think the Note gives a clear recommendation on this > >> >> and the rationale without spelling it out as a requirement. > >> >> > >> >> Does this answer your question? > >> >> > >> >> > >> >> On 3/27/13 12:51 AM, "Black, David" wrote: > >> >> > >> >> >Hi Stefan, > >> >> > > >> >> >This looks good - thank you for the prompt response. > >> >> > > >> >> >It looks like my speculation on item [1] was wrong, so could you > >> >>respond > >> >> >to the question below, please?: > >> >> > > >> >> >> >[1] Section 2.2: > >> >> >> > > >> >> >> > NOTE: The "revoked" state for known non-issued > >>certificate serial > >> >> >> > numbers is allowed in order to reduce the risk > >> >> >> > of > >>relying > >> >> >> > parties using CRLs as a fall back mechanism, > >>which would be > >> >> >> > considerably higher if an "unknown" response > >> >> >> > was > >>returned. > >> >> >> > > >> >> >> >Given this explanation, I'm surprised that the use of "revoked" > >> >> >>instead of > >> >> >> >"unknown" for a known non-issued certificate is a "MAY" > >>requirement > >> >>and > >> >> >> >not a "SHOULD" requirement. Why is that the case? > >> >> > > >> >> >-------------- > >> >> > > >> >> >Beyond that, the proposed actions (or proposed non-actions) on > >> >> >items [2]-[5] are fine with me, Sean's taken care of the author > >> >> >permissions item > >>from > >> >> >idnits, and I assume someone has or will check the ASN.1 . > >> >> > > >> >> >Thanks, > >> >> >--David > >> >> > > >> >> >> -----Original Message----- > >> >> >> From: Stefan Santesson [mailto:stefan@aaa-sec.com] > >> >> >> Sent: Monday, March 25, 2013 10:21 PM > >> >> >> To: Black, David; sts@aaa-sec.com; mmyers@fastq.com; > >> >>ambarish@gmail.com; > >> >> >> slava.galperin@gmail.com; cadams@eecs.uottawa.ca; > >> >> >> gen-art@ietf.org > >> >> >> Cc: pkix@ietf.org; Sean Turner; ietf@ietf.org > >> >> >> Subject: Re: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 > >> >> >> > >> >> >> Hi David, > >> >> >> > >> >> >> Thanks for the review. > >> >> >> My reply in line. > >> >> >> > >> >> >> On 3/26/13 1:25 AM, "Black, David" wrote: > >> >> >> > >> >> >> >Authors, > >> >> >> > > >> >> >> >I am the assigned Gen-ART reviewer for this draft. For > >>background on > >> >> >> >Gen-ART, please > >> >> >> >see the FAQ at > >> >> >>. > >> >> >> > > >> >> >> >Please resolve these comments along with any other Last Call > >> >>comments > >> >> >>you > >> >> >> >may receive. > >> >> >> > > >> >> >> >Document: draft-ietf-pkix-rfc2560bis-15 > >> >> >> >Reviewer: David L. Black > >> >> >> >Review Date: March 25, 2013 > >> >> >> >IETF LC End Date: March 27, 2013 > >> >> >> > > >> >> >> >Summary: > >> >> >> >This draft is on the right track but has open issues, > >> >> >> >described > >>in > >> >>the > >> >> >> >review. > >> >> >> > > >> >> >> >This draft updates the OCSP protocol for obtaining certificate > >> >>status > >> >> >> >with some minor extensions. > >> >> >> > > >> >> >> >Because this is a "bis" draft, I reviewed the diffs against > >> >> >> >RFC > >> >>2560. > >> >> >> > > >> >> >> >I did not check the ASN.1. I also did not see a writeup for > >> >> >> >this > >> >>draft > >> >> >> >in the data tracker, and so will rely on the document shepherd > >> >> >> >to ensure that the ASN.1 has been checked when the writeup is > >>prepared. > >> >> >> > > >> >> >> >I found five open issues, all of which are minor, plus one > >> >> >> >idnits > >> >>item > >> >> >> >that is probably ok, but should be double-checked. > >> >> >> > > >> >> >> >Minor issues: > >> >> >> > > >> >> >> >[1] Section 2.2: > >> >> >> > > >> >> >> > NOTE: The "revoked" state for known non-issued > >>certificate serial > >> >> >> > numbers is allowed in order to reduce the risk > >> >> >> > of > >>relying > >> >> >> > parties using CRLs as a fall back mechanism, > >>which would be > >> >> >> > considerably higher if an "unknown" response > >> >> >> > was > >>returned. > >> >> >> > > >> >> >> >Given this explanation, I'm surprised that the use of "revoked" > >> >> >>instead of > >> >> >> >"unknown" for a known non-issued certificate is a "MAY" > >>requirement > >> >>and > >> >> >> >not a "SHOULD" requirement. Why is that the case? > >> >> >> > > >> >> >> >It appears that the reason is that the use of "revoked" in > >> >> >> >this > >> >> >>situation > >> >> >> >may be dangerous when serial numbers can be predicted for > >> >>certificates > >> >> >> >that > >> >> >> >will be issued in the future. If that's what's going on, this > >> >>concern > >> >> >>is > >> >> >> >already explained in the security considerations section, but > >> >> >> >it > >> >>should > >> >> >> >also be mentioned here for completeness. > >> >> >> > >> >> >> No, this is not the main reason. The main reason is the one > >> >> >> stated > >> >>as a > >> >> >> Note: in this section: > >> >> >> > >> >> >> NOTE: The "revoked" state for known non-issued certificate > >> >> >>serial numbers is allowed in order to reduce the risk of > >> >> >>relying parties using > >>CRLs > >> >>as > >> >> >>a > >> >> >> fall back mechanism, which would be considerably higher if an > >> >>"unknown" > >> >> >> response was returned. > >> >> >> > >> >> >> > >> >> >> > > >> >> >> >[2] Section 4.2.2.2: > >> >> >> > > >> >> >> > The key that signs a certificate's status information > >>need not be > >> >>the > >> >> >> > same key that signed the certificate. It is necessary > >>however to > >> >> >> > ensure that the entity signing this information is > >>authorized to > >> do > >> >> >> > so. Therefore, a certificate's issuer MAY either sign > >>the OCSP > >> >> >> > responses itself or it MAY explicitly designate this > >>authority to > >> >> >> > another entity. > >> >> >> > > >> >> >> >The two instances of "MAY" in the above text were both "MUST" > >> >> >> >in > >>RFC > >> >> >>2560. > >> >> >> > > >> >> >> >The RFC 2560 text construction of "MUST" or "MUST" is a bit > >> >> >> >odd, > >>but > >> >> >>the two > >> >> >> >"MAY"s in this draft are even worse, as they allow "MAY do > >>something > >> >> >>else > >> >> >> >entirely", despite being enclosed in an either-or construct. > >> >> >> >I > >> >> >>strongly > >> >> >> >suspect that the latter was not intended, so the following > >> >> >> >would > >>be > >> >> >> >clearer: > >> >> >> > > >> >> >> > The key that signs a certificate's status information > >>need not be > >> >>the > >> >> >> > same key that signed the certificate. It is necessary > >>however to > >> >> >> > ensure that the entity signing this information is > >>authorized to > >> do > >> >> >> > so. Therefore, a certificate's issuer MUST do one of > >> >> >> > the > >> >>following: > >> >> >> > - sign the OCSP responses itself, or > >> >> >> > - explicitly designate this authority to > >> >> >> > another > >>entity. > >> >> >> > >> >> >> > >> >> >> I Agree. I will adopt your text. > >> >> >> > >> >> >> > > >> >> >> >[3] Section 4.3: > >> >> >> > > >> >> >> >Is the "SHOULD" requirement still appropriate for the DSA with > >>SHA-1 > >> >> >>combo > >> >> >> >(vs. a "MAY" requirement)? This requirement was a "MUST" in > >> >> >> >RFC > >> >>2560, > >> >> >>but > >> >> >> >I wonder about actual usage of DSA in practice. > >> >> >> > >> >> >> The change in algorithm requirements was provided by RFC 6277, > >> >> >>and further refined in this draft in accordance with requests > >> >> >>from Sean > >>Turner. > >> >> >> > >> >> >> > > >> >> >> >[4] Section 5, last paragraph: > >> >> >> > > >> >> >> > Responding a "revoked" state to certificate that has > >>never been > >> >> >> > issued may enable someone to obtain a revocation > >> >> >> > response > >>for a > >> >> >> > certificate that is not yet issued, but soon will be > >>issued, if > >> the > >> >> >> > CA issues certificates using sequential certificate > >>serial number > >> >> >> > assignment. > >> >> >> > > >> >> >> >The above text after starting with the "if" is too narrow - it > >> >>should > >> >> >>say: > >> >> >> > > >> >> >> > if the certificate serial number of the certificate that > >> >> >> > will be issued can be predicted or guessed by the > >>requester. > >> >> >> > Such prediction is easy for a CA that issues certificate= s > >> >> >> > using sequential certificate serial number assignment. > >> >> >> > > >> >> >> >There's also a nit in original text - its first line should be: > >> >> >> > > >> >> >> > Responding with a "revoked" state for a certificate > >> >> >> > that > >>has never > >> >> >>been > >> >> >> > >> >> >> Good suggestions. I will update accordingly. > >> >> >> > >> >> >> > > >> >> >> >[5] Section 5.1.1: > >> >> >> > > >> >> >> > In archival applications it is quite possible that an > >> >> >> > OCSP > >> >>responder > >> >> >> > might be asked to report the validity of a certificate > >> >> >> > on > >>a date > >> in > >> >> >> > the distant past. Such a certificate might employ a > >>signing method > >> >> >> > that is no longer considered acceptably secure. In such > >> >> >> > circumstances the responder MUST NOT generate a > >> >> >> > signature > >>using a > >> >> >> > signing mechanism that is not considered acceptably > >>secure. > >> >> >> > > >> >> >> >This could use an additional warning that certificate archival > >> >>should > >> >> >> >not rely solely on signatures in archived certificates for > >>ensuring > >> >>the > >> >> >> >validity and integrity of the archived certificates because > >> >> >> >the > >> >> >>signature > >> >> >> >algorithm(s) may transition to no longer being considered > >>acceptably > >> >> >> >secure at some point after the certificates are archived. > >> >> >> > >> >> >> This note if I remember correctly is imported from RFC 6277, > >>which is > >> >> >> incorporated into this document. The reason behind the text is > >>only > >> >>to > >> >> >> avoid usages of insecure algorithms. > >> >> >> Historical validation is a real can of worms that I really > >> >> >> would > >> >>like to > >> >> >> keep a tight lid on. I really want to avoid doing > >> >> >> recommendations > >>in > >> >> >>this > >> >> >> space as it may trigger a whole flood of things that could be > >>equally > >> >> >> important to say about this subject. > >> >> >> > >> >> >> > > >> >> >> >Nits: > >> >> >> > > >> >> >> >idnits 2.12.15 said: > >> >> >> > > >> >> >> > -- The document seems to lack a disclaimer for pre-RFC5378 > >>work, > >> >>but > >> >> >>may > >> >> >> > have content which was first submitted before 10 November > >>2008. > >> >> >>If > >> >> >> >you > >> >> >> > have contacted all the original authors and they are all > >> >>willing > >> >> >>to > >> >> >> >grant > >> >> >> > the BCP78 rights to the IETF Trust, then this is fine, > >> >> >> >and > >>you > >> >>can > >> >> >> >ignore > >> >> >> > this comment. If not, you may need to add the > >> >> >> >pre-RFC5378 disclaimer. > >> >> >> > (See the Legal Provisions document at > >> >> >> > http://trustee.ietf.org/license-info for more > >> >> >> >information.) > >> >> >> > > >> >> >> >This looks like it's ok because all the authors of RFC 2560 > >> >> >> >are > >>also > >> >> >> >authors of > >> >> >> >this draft, but it should be double-checked. > >> >> >> > >> >> >> > >> >> >> I defer this one to Sean. I think he has this one under control. > >> >> >> > >> >> >> > >> >> >> Thanks again for the review. > >> >> >> > >> >> >> /Stefan > >> >> >> > >> >> >> > >> >> >> > > >> >> >> >Thanks, > >> >> >> >--David > >> >> >> >---------------------------------------------------- > >> >> >> >David L. Black, Distinguished Engineer EMC Corporation, 176 > >> >> >> >South St., Hopkinton, MA 01748 > >> >> >> >+1 (508) 293-7953 FAX: +1 (508) 293-7786 > >> >> >> >david.black@emc.com Mobile: +1 (978) 394-7754 > >> >> >> >---------------------------------------------------- > >> >> >> > > >> >> >> > > >> >> >> > >> >> >> > >> >> > > >> >> > >> >> > >> > > >> > >> > > > > > From stefan@aaa-sec.com Thu Mar 28 07:54:09 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0ABFF21F8935 for ; Thu, 28 Mar 2013 07:54:08 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.186 X-Spam-Level: X-Spam-Status: No, score=-102.186 tagged_above=-999 required=5 tests=[AWL=0.064, BAYES_00=-2.599, HELO_EQ_SE=0.35, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9UJyx25XYddr for ; Thu, 28 Mar 2013 07:54:07 -0700 (PDT) Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id A098621F88FB for ; Thu, 28 Mar 2013 07:54:05 -0700 (PDT) Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id 492CC1EED9F9 for ; Thu, 28 Mar 2013 15:54:01 +0100 (CET) X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id fcrc_3qT6dLY for ; Thu, 28 Mar 2013 15:53:59 +0100 (CET) Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id D497E1EEDA00 for ; Thu, 28 Mar 2013 15:53:59 +0100 (CET) Received: (qmail 5610 invoked from network); 28 Mar 2013 14:53:59 -0000 Received: from gw.aaa-sec.ideon.se (HELO [192.168.1.2]) (stefan@fiddler.nu@[85.235.7.89]) (envelope-sender ) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 28 Mar 2013 14:53:59 -0000 User-Agent: Microsoft-MacOutlook/14.3.2.130206 Date: Thu, 28 Mar 2013 15:53:53 +0100 From: Stefan Santesson To: "Black, David" , Carlisle Adams , "sts@aaa-sec.com" , "mmyers@fastq.com" , "ambarish@gmail.com" , "slava.galperin@gmail.com" , "gen-art@ietf.org" Message-ID: Thread-Topic: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 In-Reply-To: <8D3D17ACE214DC429325B2B98F3AE71293D36935@MX15A.corp.emc.com> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit X-Mailman-Approved-At: Thu, 28 Mar 2013 08:04:54 -0700 Cc: "pkix@ietf.org" , "ietf@ietf.org" Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Mar 2013 14:54:09 -0000 Great, I will issue an update shortly. /Stefan On 3/28/13 3:51 PM, "Black, David" wrote: >> Does this solve you issue. >> I think this is as far as dare to go without risking a heated debate. > >Yes, that suffices for me - it provides a cogent explanation of why >"revoked" is optional, and the existing text on CRLs as a fallback >mechanism suffices to illuminate a likely consequence of not using >"revoked". > >Thank you, >--David > >> -----Original Message----- >> From: Carlisle Adams [mailto:cadams@eecs.uottawa.ca] >> Sent: Thursday, March 28, 2013 9:57 AM >> To: 'Stefan Santesson'; Black, David; sts@aaa-sec.com; mmyers@fastq.com; >> ambarish@gmail.com; slava.galperin@gmail.com; gen-art@ietf.org >> Cc: pkix@ietf.org; 'Sean Turner'; ietf@ietf.org >> Subject: RE: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 >> >> Hi, >> >> This wording sounds fine to me. Thanks Stefan! >> >> Carlisle. >> >> >> -----Original Message----- >> From: Stefan Santesson [mailto:stefan@aaa-sec.com] >> Sent: March-28-13 6:34 AM >> To: Black, David; sts@aaa-sec.com; mmyers@fastq.com; ambarish@gmail.com; >> slava.galperin@gmail.com; cadams@eecs.uottawa.ca; gen-art@ietf.org >> Cc: pkix@ietf.org; Sean Turner; ietf@ietf.org >> Subject: Re: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 >> >> I have given this a go by expanding the note as follows: >> >> NOTE: The "revoked" state for known non-issued certificate serial >> numbers is allowed in order to reduce the risk of relying >> parties using CRLs as a fall back mechanism, which would be >> considerably higher if an "unknown" response was returned. The >> "revoked" status is still optional in this context in order to >> maintain backwards compatibility with deployments of RFC 2560. >> For example, the responder may not have any knowledge about >> whether a requested serial number has been assigned to any >> issued certificate, or the responder may provide pre produced >> responses in accordance with RFC 5019 and, for that reason, is >> not capable of providing a signed response for all non-issued >> certificate serial numbers. >> >> >> Does this solve you issue. >> I think this is as far as dare to go without risking a heated debate. >> >> /Stefan >> >> >> On 3/27/13 5:08 PM, "Black, David" wrote: >> >> >Stefan, >> > >> >> Is this important enough to do that? >> > >> >IMHO, yes - the "running code" aspects of existing responder >> >behavior/limitations are definitely important enough for an RFC like >> >this that revises a protocol spec, and the alternatives to "revoked" >> >feel like an important complement to those aspects (discussion what to >> >do instead when responder behavior/limitations are encountered). >> > >> >I appreciate the level of work that may be involved in capturing this, >> >as I've had my share of contentious discussions in WGs that I chair - >> >FWIW, I'm currently chairing my 4th and 5th WGs. OTOH, when a WG has >> >put that much time/effort into reaching a (compromise) decision, it >> >really is valuable to record why the decision was reached to avoid >> >recovering that ground in the future and (specific to this situation) >> >to give implementers some more context/information on how the protocol >> >is likely to work in practice. >> > >> >Thanks, >> >--David >> > >> >> -----Original Message----- >> >> From: Stefan Santesson [mailto:stefan@aaa-sec.com] >> >> Sent: Wednesday, March 27, 2013 11:38 AM >> >> To: Black, David; sts@aaa-sec.com; mmyers@fastq.com; >> >> ambarish@gmail.com; slava.galperin@gmail.com; cadams@eecs.uottawa.ca; >> >> gen-art@ietf.org >> >> Cc: pkix@ietf.org; Sean Turner; ietf@ietf.org >> >> Subject: Re: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 >> >> >> >> I could. >> >> >> >> My worry is just that this is such a contentious subject and it took >> >>us x hundreds of emails to reach this state, that if I add more >> >>explanations, people will start disagreeing with it and that we end >> >>up in a long debate on how to correctly express this. >> >> >> >> Is this important enough to do that? >> >> >> >> /Stefan >> >> >> >> >> >> On 3/27/13 3:30 PM, "Black, David" wrote: >> >> >> >> >Hi Stefan, >> >> > >> >> >> Does this answer your question? >> >> > >> >> >Yes, please add some of that explanation to the next version of the >> >>draft >> >> >;-). >> >> >Coverage of existing responder behavior/limitations (important >> >> >"running code" >> >> >concerns, IMHO) and alternatives to using "revoked" ("have a number >> >> >of tools to prevent the client from accepting a bad certificate") >> >> >seem >> >>particularly >> >> >relevant. >> >> > >> >> >Thanks, >> >> >--David >> >> > >> >> >> -----Original Message----- >> >> >> From: Stefan Santesson [mailto:stefan@aaa-sec.com] >> >> >> Sent: Wednesday, March 27, 2013 7:44 AM >> >> >> To: Black, David; sts@aaa-sec.com; mmyers@fastq.com; >> >>ambarish@gmail.com; >> >> >> slava.galperin@gmail.com; cadams@eecs.uottawa.ca; gen-art@ietf.org >> >> >> Cc: pkix@ietf.org; Sean Turner; ietf@ietf.org >> >> >> Subject: Re: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 >> >> >> >> >> >> Hi David, >> >> >> >> >> >> Yes I missed to respond to that aspect. >> >> >> >> >> >> This is a bit complicated, but we have a large legacy to take into >> >> >>account where some responders implements just RFC 2560, while some >> >> >>deliver pre-generated responses according to RFC 5019 >> >> >>(Light-weight OCSP). LW responders are not capable of producing a >> >> >>signed response at the >> >>time of >> >> >> responding and in case such responder finds a request for a >> >>certificate >> >> >> where no pre-produced response exists, it will reply with an >> >> >>unsigned error response "unauthorized", which also is a legitimate >> >> >>way to respond. >> >> >> So the actual OCSP responder may actually know that the >> >> >>certificate >> >>was >> >> >> never issued, but since it delivers pre-produced responder through >> >> >>a CDN, it can not provide a revoked response in real time. >> >> >> >> >> >> So the major aim with the current writing is to declare that the >> >>revoked >> >> >> response is a MAY because there are other valid alternatives. >> >> >> >> >> >> We also want to avoid putting down a SHOULD respond revoked if a >> >> >> certificate is known to be not-issued, because that would require >> >> >> us >> >>to >> >> >> define what "known to be non-issued" actually means. And that >> >> >> could >> >>be >> >> >> quite tricky as OCSP responders by no means are required to have >> >> >> this knowledge. >> >> >> >> >> >> The OCSP responder simply have a number of tools to prevent the >> >>client >> >> >> from accepting a bad certificate. >> >> >> This update of OCSP simply allows responders to use the "revoked" >> >> >>response >> >> >> as a preventive measure, without mandating it. >> >> >> >> >> >> This is also related to activities in the CA Browser Forum where >> >> >>they put down requirements on responders complying with CAB rules >> >> >>to not >> >>respond >> >> >> "good" to certificates that were never issued. >> >> >> With this update in OCSP, they can now mandate in their policies >> >> >>both the fact that their responders MUST know if a certificate was >> >> >>never >> >>issued >> >> >>and >> >> >> MUST respond "revoked". >> >> >> >> >> >> So we allow other communities to raise the bar even if the base >> >>standard >> >> >> defines the response as optional. >> >> >> >> >> >> In theory we could possibly say that responding revoked is >> >> >> optional, >> >>but >> >> >> if you choose between revoked and unknown then you SHOULD favour >> >>revoked >> >> >> over unknown. But such nested requirements just feels bad and >> >>impossible >> >> >> to test compliance against. I'd much rather just leave it >> >> >> optional. I think the Note gives a clear recommendation on this >> >> >> and the rationale without spelling it out as a requirement. >> >> >> >> >> >> Does this answer your question? >> >> >> >> >> >> >> >> >> On 3/27/13 12:51 AM, "Black, David" wrote: >> >> >> >> >> >> >Hi Stefan, >> >> >> > >> >> >> >This looks good - thank you for the prompt response. >> >> >> > >> >> >> >It looks like my speculation on item [1] was wrong, so could you >> >> >>respond >> >> >> >to the question below, please?: >> >> >> > >> >> >> >> >[1] Section 2.2: >> >> >> >> > >> >> >> >> > NOTE: The "revoked" state for known non-issued >> >>certificate serial >> >> >> >> > numbers is allowed in order to reduce the risk >> >> >> >> > of >> >>relying >> >> >> >> > parties using CRLs as a fall back mechanism, >> >>which would be >> >> >> >> > considerably higher if an "unknown" response >> >> >> >> > was >> >>returned. >> >> >> >> > >> >> >> >> >Given this explanation, I'm surprised that the use of >>"revoked" >> >> >> >>instead of >> >> >> >> >"unknown" for a known non-issued certificate is a "MAY" >> >>requirement >> >> >>and >> >> >> >> >not a "SHOULD" requirement. Why is that the case? >> >> >> > >> >> >> >-------------- >> >> >> > >> >> >> >Beyond that, the proposed actions (or proposed non-actions) on >> >> >> >items [2]-[5] are fine with me, Sean's taken care of the author >> >> >> >permissions item >> >>from >> >> >> >idnits, and I assume someone has or will check the ASN.1 . >> >> >> > >> >> >> >Thanks, >> >> >> >--David >> >> >> > >> >> >> >> -----Original Message----- >> >> >> >> From: Stefan Santesson [mailto:stefan@aaa-sec.com] >> >> >> >> Sent: Monday, March 25, 2013 10:21 PM >> >> >> >> To: Black, David; sts@aaa-sec.com; mmyers@fastq.com; >> >> >>ambarish@gmail.com; >> >> >> >> slava.galperin@gmail.com; cadams@eecs.uottawa.ca; >> >> >> >> gen-art@ietf.org >> >> >> >> Cc: pkix@ietf.org; Sean Turner; ietf@ietf.org >> >> >> >> Subject: Re: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 >> >> >> >> >> >> >> >> Hi David, >> >> >> >> >> >> >> >> Thanks for the review. >> >> >> >> My reply in line. >> >> >> >> >> >> >> >> On 3/26/13 1:25 AM, "Black, David" wrote: >> >> >> >> >> >> >> >> >Authors, >> >> >> >> > >> >> >> >> >I am the assigned Gen-ART reviewer for this draft. For >> >>background on >> >> >> >> >Gen-ART, please >> >> >> >> >see the FAQ at >> >> >> >>. >> >> >> >> > >> >> >> >> >Please resolve these comments along with any other Last Call >> >> >>comments >> >> >> >>you >> >> >> >> >may receive. >> >> >> >> > >> >> >> >> >Document: draft-ietf-pkix-rfc2560bis-15 >> >> >> >> >Reviewer: David L. Black >> >> >> >> >Review Date: March 25, 2013 >> >> >> >> >IETF LC End Date: March 27, 2013 >> >> >> >> > >> >> >> >> >Summary: >> >> >> >> >This draft is on the right track but has open issues, >> >> >> >> >described >> >>in >> >> >>the >> >> >> >> >review. >> >> >> >> > >> >> >> >> >This draft updates the OCSP protocol for obtaining certificate >> >> >>status >> >> >> >> >with some minor extensions. >> >> >> >> > >> >> >> >> >Because this is a "bis" draft, I reviewed the diffs against >> >> >> >> >RFC >> >> >>2560. >> >> >> >> > >> >> >> >> >I did not check the ASN.1. I also did not see a writeup for >> >> >> >> >this >> >> >>draft >> >> >> >> >in the data tracker, and so will rely on the document shepherd >> >> >> >> >to ensure that the ASN.1 has been checked when the writeup is >> >>prepared. >> >> >> >> > >> >> >> >> >I found five open issues, all of which are minor, plus one >> >> >> >> >idnits >> >> >>item >> >> >> >> >that is probably ok, but should be double-checked. >> >> >> >> > >> >> >> >> >Minor issues: >> >> >> >> > >> >> >> >> >[1] Section 2.2: >> >> >> >> > >> >> >> >> > NOTE: The "revoked" state for known non-issued >> >>certificate serial >> >> >> >> > numbers is allowed in order to reduce the risk >> >> >> >> > of >> >>relying >> >> >> >> > parties using CRLs as a fall back mechanism, >> >>which would be >> >> >> >> > considerably higher if an "unknown" response >> >> >> >> > was >> >>returned. >> >> >> >> > >> >> >> >> >Given this explanation, I'm surprised that the use of >>"revoked" >> >> >> >>instead of >> >> >> >> >"unknown" for a known non-issued certificate is a "MAY" >> >>requirement >> >> >>and >> >> >> >> >not a "SHOULD" requirement. Why is that the case? >> >> >> >> > >> >> >> >> >It appears that the reason is that the use of "revoked" in >> >> >> >> >this >> >> >> >>situation >> >> >> >> >may be dangerous when serial numbers can be predicted for >> >> >>certificates >> >> >> >> >that >> >> >> >> >will be issued in the future. If that's what's going on, this >> >> >>concern >> >> >> >>is >> >> >> >> >already explained in the security considerations section, but >> >> >> >> >it >> >> >>should >> >> >> >> >also be mentioned here for completeness. >> >> >> >> >> >> >> >> No, this is not the main reason. The main reason is the one >> >> >> >> stated >> >> >>as a >> >> >> >> Note: in this section: >> >> >> >> >> >> >> >> NOTE: The "revoked" state for known non-issued certificate >> >> >> >>serial numbers is allowed in order to reduce the risk of >> >> >> >>relying parties using >> >>CRLs >> >> >>as >> >> >> >>a >> >> >> >> fall back mechanism, which would be considerably higher if an >> >> >>"unknown" >> >> >> >> response was returned. >> >> >> >> >> >> >> >> >> >> >> >> > >> >> >> >> >[2] Section 4.2.2.2: >> >> >> >> > >> >> >> >> > The key that signs a certificate's status information >> >>need not be >> >> >>the >> >> >> >> > same key that signed the certificate. It is necessary >> >>however to >> >> >> >> > ensure that the entity signing this information is >> >>authorized to >> >> do >> >> >> >> > so. Therefore, a certificate's issuer MAY either sign >> >>the OCSP >> >> >> >> > responses itself or it MAY explicitly designate this >> >>authority to >> >> >> >> > another entity. >> >> >> >> > >> >> >> >> >The two instances of "MAY" in the above text were both "MUST" >> >> >> >> >in >> >>RFC >> >> >> >>2560. >> >> >> >> > >> >> >> >> >The RFC 2560 text construction of "MUST" or "MUST" is a bit >> >> >> >> >odd, >> >>but >> >> >> >>the two >> >> >> >> >"MAY"s in this draft are even worse, as they allow "MAY do >> >>something >> >> >> >>else >> >> >> >> >entirely", despite being enclosed in an either-or construct. >> >> >> >> >I >> >> >> >>strongly >> >> >> >> >suspect that the latter was not intended, so the following >> >> >> >> >would >> >>be >> >> >> >> >clearer: >> >> >> >> > >> >> >> >> > The key that signs a certificate's status information >> >>need not be >> >> >>the >> >> >> >> > same key that signed the certificate. It is necessary >> >>however to >> >> >> >> > ensure that the entity signing this information is >> >>authorized to >> >> do >> >> >> >> > so. Therefore, a certificate's issuer MUST do one of >> >> >> >> > the >> >> >>following: >> >> >> >> > - sign the OCSP responses itself, or >> >> >> >> > - explicitly designate this authority to >> >> >> >> > another >> >>entity. >> >> >> >> >> >> >> >> >> >> >> >> I Agree. I will adopt your text. >> >> >> >> >> >> >> >> > >> >> >> >> >[3] Section 4.3: >> >> >> >> > >> >> >> >> >Is the "SHOULD" requirement still appropriate for the DSA with >> >>SHA-1 >> >> >> >>combo >> >> >> >> >(vs. a "MAY" requirement)? This requirement was a "MUST" in >> >> >> >> >RFC >> >> >>2560, >> >> >> >>but >> >> >> >> >I wonder about actual usage of DSA in practice. >> >> >> >> >> >> >> >> The change in algorithm requirements was provided by RFC 6277, >> >> >> >>and further refined in this draft in accordance with requests >> >> >> >>from Sean >> >>Turner. >> >> >> >> >> >> >> >> > >> >> >> >> >[4] Section 5, last paragraph: >> >> >> >> > >> >> >> >> > Responding a "revoked" state to certificate that has >> >>never been >> >> >> >> > issued may enable someone to obtain a revocation >> >> >> >> > response >> >>for a >> >> >> >> > certificate that is not yet issued, but soon will be >> >>issued, if >> >> the >> >> >> >> > CA issues certificates using sequential certificate >> >>serial number >> >> >> >> > assignment. >> >> >> >> > >> >> >> >> >The above text after starting with the "if" is too narrow - it >> >> >>should >> >> >> >>say: >> >> >> >> > >> >> >> >> > if the certificate serial number of the certificate >>that >> >> >> >> > will be issued can be predicted or guessed by the >> >>requester. >> >> >> >> > Such prediction is easy for a CA that issues >>certificates >> >> >> >> > using sequential certificate serial number assignment. >> >> >> >> > >> >> >> >> >There's also a nit in original text - its first line should >>be: >> >> >> >> > >> >> >> >> > Responding with a "revoked" state for a certificate >> >> >> >> > that >> >>has never >> >> >> >>been >> >> >> >> >> >> >> >> Good suggestions. I will update accordingly. >> >> >> >> >> >> >> >> > >> >> >> >> >[5] Section 5.1.1: >> >> >> >> > >> >> >> >> > In archival applications it is quite possible that an >> >> >> >> > OCSP >> >> >>responder >> >> >> >> > might be asked to report the validity of a certificate >> >> >> >> > on >> >>a date >> >> in >> >> >> >> > the distant past. Such a certificate might employ a >> >>signing method >> >> >> >> > that is no longer considered acceptably secure. In such >> >> >> >> > circumstances the responder MUST NOT generate a >> >> >> >> > signature >> >>using a >> >> >> >> > signing mechanism that is not considered acceptably >> >>secure. >> >> >> >> > >> >> >> >> >This could use an additional warning that certificate archival >> >> >>should >> >> >> >> >not rely solely on signatures in archived certificates for >> >>ensuring >> >> >>the >> >> >> >> >validity and integrity of the archived certificates because >> >> >> >> >the >> >> >> >>signature >> >> >> >> >algorithm(s) may transition to no longer being considered >> >>acceptably >> >> >> >> >secure at some point after the certificates are archived. >> >> >> >> >> >> >> >> This note if I remember correctly is imported from RFC 6277, >> >>which is >> >> >> >> incorporated into this document. The reason behind the text is >> >>only >> >> >>to >> >> >> >> avoid usages of insecure algorithms. >> >> >> >> Historical validation is a real can of worms that I really >> >> >> >> would >> >> >>like to >> >> >> >> keep a tight lid on. I really want to avoid doing >> >> >> >> recommendations >> >>in >> >> >> >>this >> >> >> >> space as it may trigger a whole flood of things that could be >> >>equally >> >> >> >> important to say about this subject. >> >> >> >> >> >> >> >> > >> >> >> >> >Nits: >> >> >> >> > >> >> >> >> >idnits 2.12.15 said: >> >> >> >> > >> >> >> >> > -- The document seems to lack a disclaimer for pre-RFC5378 >> >>work, >> >> >>but >> >> >> >>may >> >> >> >> > have content which was first submitted before 10 November >> >>2008. >> >> >> >>If >> >> >> >> >you >> >> >> >> > have contacted all the original authors and they are all >> >> >>willing >> >> >> >>to >> >> >> >> >grant >> >> >> >> > the BCP78 rights to the IETF Trust, then this is fine, >> >> >> >> >and >> >>you >> >> >>can >> >> >> >> >ignore >> >> >> >> > this comment. If not, you may need to add the >> >> >> >> >pre-RFC5378 disclaimer. >> >> >> >> > (See the Legal Provisions document at >> >> >> >> > http://trustee.ietf.org/license-info for more >> >> >> >> >information.) >> >> >> >> > >> >> >> >> >This looks like it's ok because all the authors of RFC 2560 >> >> >> >> >are >> >>also >> >> >> >> >authors of >> >> >> >> >this draft, but it should be double-checked. >> >> >> >> >> >> >> >> >> >> >> >> I defer this one to Sean. I think he has this one under >>control. >> >> >> >> >> >> >> >> >> >> >> >> Thanks again for the review. >> >> >> >> >> >> >> >> /Stefan >> >> >> >> >> >> >> >> >> >> >> >> > >> >> >> >> >Thanks, >> >> >> >> >--David >> >> >> >> >---------------------------------------------------- >> >> >> >> >David L. Black, Distinguished Engineer EMC Corporation, 176 >> >> >> >> >South St., Hopkinton, MA 01748 >> >> >> >> >+1 (508) 293-7953 FAX: +1 (508) 293-7786 >> >> >> >> >david.black@emc.com Mobile: +1 (978) 394-7754 >> >> >> >> >---------------------------------------------------- >> >> >> >> > >> >> >> >> > >> >> >> >> >> >> >> >> >> >> >> > >> >> >> >> >> >> >> >> > >> >> >> >> >> > >> >> >> > From stefan@aaa-sec.com Thu Mar 28 08:51:21 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D146521F8ED6 for ; Thu, 28 Mar 2013 08:51:21 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.195 X-Spam-Level: X-Spam-Status: No, score=-102.195 tagged_above=-999 required=5 tests=[AWL=0.054, BAYES_00=-2.599, HELO_EQ_SE=0.35, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qtjc4MwLbYAK for ; Thu, 28 Mar 2013 08:51:20 -0700 (PDT) Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id 5993921F8DFC for ; Thu, 28 Mar 2013 08:51:18 -0700 (PDT) Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id 9892B1CF9D98 for ; Thu, 28 Mar 2013 16:51:14 +0100 (CET) X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 5d-tZPIiIxbX for ; Thu, 28 Mar 2013 16:51:14 +0100 (CET) Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 5AE721DEBCBA for ; Thu, 28 Mar 2013 16:51:14 +0100 (CET) Received: (qmail 36964 invoked from network); 28 Mar 2013 15:51:14 -0000 Received: from gw.aaa-sec.ideon.se (HELO [192.168.1.2]) (stefan@fiddler.nu@[85.235.7.89]) (envelope-sender ) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 28 Mar 2013 15:51:14 -0000 User-Agent: Microsoft-MacOutlook/14.3.2.130206 Date: Thu, 28 Mar 2013 16:51:10 +0100 From: Stefan Santesson To: , Sam Hartman Message-ID: Thread-Topic: [pkix] Last Call: (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard In-Reply-To: <20130327211153.9DEBC1A678@ld9781.wdf.sap.corp> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Cc: pkix@ietf.org, ietf@ietf.org Subject: Re: [pkix] Last Call: (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Mar 2013 15:51:22 -0000 On 3/27/13 10:11 PM, "Martin Rex" wrote: >It was the Security co-AD Russ Housley who indicated _early_ during >the discussion of that draft (2.5 years after it had been adopted >as a WG item) that he considered some of the suggested abuses of >existing error codes "unacceptable" For the record. Russ comment was: "I find the use of "unauthorized" to indicate that a client cannot make a multi-certificate request unacceptable." Which is completely different from your raised concern. /Stefan From stefan@aaa-sec.com Thu Mar 28 09:08:01 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14DC421F912E for ; Thu, 28 Mar 2013 09:08:01 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -101.501 X-Spam-Level: X-Spam-Status: No, score=-101.501 tagged_above=-999 required=5 tests=[AWL=-0.649, BAYES_00=-2.599, HELO_EQ_SE=0.35, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZYNaKgsgNf3f for ; Thu, 28 Mar 2013 09:07:59 -0700 (PDT) Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id A52AC21F8491 for ; Thu, 28 Mar 2013 09:07:58 -0700 (PDT) Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id 5633E1CF9945 for ; Thu, 28 Mar 2013 17:07:57 +0100 (CET) X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 7CdoyMbxDooS for ; Thu, 28 Mar 2013 17:07:55 +0100 (CET) Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 208811E4EAD0 for ; Thu, 28 Mar 2013 17:07:55 +0100 (CET) Received: (qmail 4413 invoked from network); 28 Mar 2013 16:07:54 -0000 Received: from gw.aaa-sec.ideon.se (HELO [192.168.1.2]) (stefan@fiddler.nu@[85.235.7.89]) (envelope-sender ) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 28 Mar 2013 16:07:54 -0000 User-Agent: Microsoft-MacOutlook/14.3.2.130206 Date: Thu, 28 Mar 2013 17:07:52 +0100 From: Stefan Santesson To: Santosh Chokhani , Piyush Jain , 'pkix' Message-ID: Thread-Topic: [pkix] URI Name Constraint and URN In-Reply-To: Mime-version: 1.0 Content-type: multipart/alternative; boundary="B_3447335274_1855997" Subject: Re: [pkix] URI Name Constraint and URN X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Mar 2013 16:08:01 -0000 > This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. --B_3447335274_1855997 Content-type: text/plain; charset="ISO-8859-1" Content-transfer-encoding: quoted-printable Santosh, Clearly URN can't be expressed as a constraint. If there is a constraint expressing .example.com and the SAN holds a URN value, I'd say that this is a violation of that constraint. /Stefan From: Santosh Chokhani Date: Wednesday, March 27, 2013 11:04 PM To: Piyush Jain , 'pkix' Subject: Re: [pkix] URI Name Constraint and URN > David and Piyush, > =20 > Thanks. > =20 > I agree with you for the most part. But, the first sentence in that para= graph > can be used to think otherwise: =B3For URIs, the constraint applies to the = host > part of the name=B2. > =20 > Anyway, that is not my primary point. I think the URI schemes that canno= t > have host name component should be exempt from name constraint since ther= e is > nothing to constrain. > =20 > Today, we have actual certificates that have URN in them and rejecting th= em on > the basis of upstream URI constraints (which typically apply to URL) does= not > make sense to me. > =20 > My question is was that simply an oversight or is there a reason URN shou= ld be > rejected. One could also argue when using URN scheme, the name is not > hierarchical and there is no point in constraining it. > =20 >=20 > From: Piyush Jain [mailto:piyush@ditenity.com] > Sent: Tuesday, March 26, 2013 6:07 PM > To: Santosh Chokhani; 'pkix' > Subject: RE: [pkix] URI Name Constraint and URN > =20 > From 5280 > (e.g., if the URI either > does not include an authority component or includes an authority > component in which the host name is specified as an IP address), then > the application MUST reject the certificate. > =20 > It clearly says that if authority component is missing, certificate must = be > rejected. > =20 >=20 > From: pkix-bounces@ietf.org > [mailto:pkix-bounces@ietf.org ] On Behalf = Of > Santosh Chokhani > Sent: Tuesday, March 26, 2013 2:47 PM > To: 'pkix' > Subject: [pkix] URI Name Constraint and URN > =20 > I have been wrestling with what one should with a certificate if the SAN = in > the certificate contains URN and when you get to the certificate, the nam= e > constraint state variable indicates permitted and/or excluded values for = the > URI name form. > =20 > I think name constraint is not applicable to URN since it does not have a= n > =B3authority=B2 and thus =B3host=B2 component by definition. Thus, regardless of= the > name constraint state variable, presence of URN should not cause name > constraint violation. > =20 > But, when I read 5280, I find the text implying otherwise or ambiguous. > =20 > =20 > Santosh Chokhani > CygnaCom Solutions, Inc. > =20 > _______________________________________________ pkix mailing list > pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix --B_3447335274_1855997 Content-type: text/html; charset="ISO-8859-1" Content-transfer-encoding: quoted-printable
Santosh,

Clearly URN can't be expressed as a constraint.
If there is = a constraint expressing .example.com and the SAN holds a URN value, I'd say = that this is a violation of that constraint.

/Stefa= n

From: Santosh Chok= hani <SChokhani@cygnacom.com&= gt;
Date: Wednesday, March 27, 201= 3 11:04 PM
To: Piyush Jain <piyush@ditenity.com>, 'pkix' <pkix@ietf.org>
Subject: Re: [pkix] URI Name Constraint and URN

David and Piyush,

 

Thanks.

 

I agree with you for the most part.  But, the first = sentence in that paragraph can be used to think otherwise: “For= URIs, the constraint applies to the host part of the name”.

 

Anyway, that is not my primary point.  I think the = URI schemes that cannot have host name component should be exempt from name = constraint since there is nothing to constrain.

 

Today, we have actual certificate= s that have URN in them and rejecting them on the basis of upstream URI cons= traints (which typically apply to URL) does not make sense to me.

 

My question is= was that simply an oversight or is there a reason URN should be rejected.&n= bsp; One could also argue when using URN scheme, the name is not hierarchica= l and there is no point in constraining it.

 

From: Piyush Jain [mailto= :piyush@ditenity.com]
Sent: Tuesday, March 26, 2013 6:07 PMTo: Santosh Chokhani; 'pkix'
Subject: RE: [pkix] URI Name= Constraint and URN

 

From 528= 0

(e.g., if the URI either

   does not include an authority co= mponent or includes an authority

<= span style=3D"font-size: 10pt; font-family: 'Courier New'; color: black; ">&nb= sp;  component in which the host name is specified as an IP address), t= hen

   the application MUS= T reject the certificate.

 

It clearly says that if authority component is missing,= certificate must be rejected.

 

From: pkix-bounces@ietf.org [= mailto:pkix-bounces@ietf.org] On Behalf Of Santosh Chokhani
Sent: Tuesday, March 26, 2013 2:47 PM
To:= 'pkix'
Subject: [pkix] URI Name Constraint and URN=

 

I have been wrestling with what one should with a certificate if t= he SAN in the certificate contains URN and when you get to the certificate, = the name constraint state variable indicates permitted and/or excluded value= s for the URI name form.

 

I think name constraint is not applicable to URN s= ince it does not have an “authority” and thus “host”= component by definition.  Thus, regardless of the name constraint stat= e variable, presence of URN should not cause name constraint violation.=

 

But= , when I read 5280, I find the text implying otherwise or ambiguous.

 

&= nbsp;

Santosh Chokhani

CygnaCom Solutions, Inc.

 

___________________________________= ____________ pkix mailing list pkix@ietf.org https://www.ietf.org/m= ailman/listinfo/pkix
--B_3447335274_1855997-- From SChokhani@cygnacom.com Thu Mar 28 09:11:38 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0B4121F8AC3 for ; Thu, 28 Mar 2013 09:11:38 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.598 X-Spam-Level: X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r2+ZT5xK3Q+m for ; Thu, 28 Mar 2013 09:11:36 -0700 (PDT) Received: from ipedge1.cygnacom.com (ipedge1.cygnacom.com [216.191.252.12]) by ietfa.amsl.com (Postfix) with ESMTP id 6AACA21F8A91 for ; Thu, 28 Mar 2013 09:11:35 -0700 (PDT) X-IronPort-AV: E=Sophos;i="4.84,927,1355115600"; d="scan'208,217";a="8414710" Received: from unknown (HELO scygexch7.cygnacom.com) ([10.4.60.22]) by ipedge1.cygnacom.com with ESMTP; 28 Mar 2013 12:11:34 -0400 Received: from scygexch7.cygnacom.com ([::1]) by scygexch7.cygnacom.com ([::1]) with mapi; Thu, 28 Mar 2013 12:11:34 -0400 From: Santosh Chokhani To: Stefan Santesson , Piyush Jain , 'pkix' Date: Thu, 28 Mar 2013 12:11:33 -0400 Thread-Topic: [pkix] URI Name Constraint and URN Thread-Index: Ac4rzmxd2j49AMORTS6peANJNRcfCwAAEV4g Message-ID: References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: multipart/alternative; boundary="_000_B83745DA469B7847811819C5005244AFF3DC9CA5scygexch7cygnac_" MIME-Version: 1.0 Subject: Re: [pkix] URI Name Constraint and URN X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Mar 2013 16:11:38 -0000 --_000_B83745DA469B7847811819C5005244AFF3DC9CA5scygexch7cygnac_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Stefan, So, even though constraining URN is meaningless, all URN certificates shoul= d be rejected. Did I get you right? Make no sense at all to me. May be you can explain why this is useful or r= ight aside from 5280 having missed the scenario. From: Stefan Santesson [mailto:stefan@aaa-sec.com] Sent: Thursday, March 28, 2013 12:08 PM To: Santosh Chokhani; Piyush Jain; 'pkix' Subject: Re: [pkix] URI Name Constraint and URN Santosh, Clearly URN can't be expressed as a constraint. If there is a constraint expressing .example.com and the SAN holds a URN va= lue, I'd say that this is a violation of that constraint. /Stefan From: Santosh Chokhani > Date: Wednesday, March 27, 2013 11:04 PM To: Piyush Jain >, 'pkix' <= pkix@ietf.org> Subject: Re: [pkix] URI Name Constraint and URN David and Piyush, Thanks. I agree with you for the most part. But, the first sentence in that paragr= aph can be used to think otherwise: "For URIs, the constraint applies to th= e host part of the name". Anyway, that is not my primary point. I think the URI schemes that cannot = have host name component should be exempt from name constraint since there = is nothing to constrain. Today, we have actual certificates that have URN in them and rejecting them= on the basis of upstream URI constraints (which typically apply to URL) do= es not make sense to me. My question is was that simply an oversight or is there a reason URN should= be rejected. One could also argue when using URN scheme, the name is not = hierarchical and there is no point in constraining it. From: Piyush Jain [mailto:piyush@ditenity.com] Sent: Tuesday, March 26, 2013 6:07 PM To: Santosh Chokhani; 'pkix' Subject: RE: [pkix] URI Name Constraint and URN >From 5280 (e.g., if the URI either does not include an authority component or includes an authority component in which the host name is specified as an IP address), then the application MUST reject the certificate. It clearly says that if authority component is missing, certificate must be= rejected. From: pkix-bounces@ietf.org [mailto:pkix-boun= ces@ietf.org] On Behalf Of Santosh Chokhani Sent: Tuesday, March 26, 2013 2:47 PM To: 'pkix' Subject: [pkix] URI Name Constraint and URN I have been wrestling with what one should with a certificate if the SAN in= the certificate contains URN and when you get to the certificate, the name= constraint state variable indicates permitted and/or excluded values for t= he URI name form. I think name constraint is not applicable to URN since it does not have an = "authority" and thus "host" component by definition. Thus, regardless of t= he name constraint state variable, presence of URN should not cause name co= nstraint violation. But, when I read 5280, I find the text implying otherwise or ambiguous. Santosh Chokhani CygnaCom Solutions, Inc. _______________________________________________ pkix mailing list pkix@ietf= .org https://www.ietf.org/mailman/listinfo/pkix --_000_B83745DA469B7847811819C5005244AFF3DC9CA5scygexch7cygnac_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Stefan,

 

So, even though constraining URN is meaningless, all= URN certificates should be rejected.   Did I get you right?=

&n= bsp;

Mak= e no sense at all to me.  May be you can explain why this is useful or= right aside from 5280 having missed the scenario.

 

From: Stefan Santesson [mailto:stefan@aaa= -sec.com]
Sent: Thursday, March 28, 2013 12:08 PM
To: = Santosh Chokhani; Piyush Jain; 'pkix'
Subject: Re: [pkix] URI Nam= e Constraint and URN

=  

Santosh,

 

Clearly URN can't be expressed as a constraint.

= If there is a constraint expressing .example.com and the SAN holds a URN va= lue, I'd say that this is a violation of that constraint.=

 

/Stefan

&nb= sp;

From: Santosh Chokhani &= lt;SChokhani@cygnacom.com>=
Date: Wednesday, March 27, 2013 11:04 PM
To: Piyush Ja= in <piyush@ditenity.com>, = 'pkix' <pkix@ietf.org>
Sub= ject: Re: [pkix] URI Name Constraint and URN

 

David and Piyush,

 

=

Thanks.

 =

I agree with you for= the most part.  But, the first sentence in that paragraph can be used= to think otherwise: “For URIs, th= e constraint applies to the host part of the name”.=

 

Anyway, that is no= t my primary point.  I think the URI schemes that cannot have host nam= e component should be exempt from name constraint since there is nothing to= constrain.

 

Today, we have actual certificates that have URN in them and reject= ing them on the basis of upstream URI constraints (which typically apply to= URL) does not make sense to me.

 

= My question is was that simply an oversight o= r is there a reason URN should be rejected.  One could also argue when= using URN scheme, the name is not hierarchical and there is no point in co= nstraining it.

 

From: Piyush Jain [= mailto:piyush@ditenity.com]
Sent: Tuesday, March 26, 2013 6:= 07 PM
To: Santosh Chokhani; 'pkix'
Subject: RE: [pkix] = URI Name Constraint and URN

 = ;

F= rom 5280

(e.g., if the URI either

   does not include an authority = component or includes an authority<= /o:p>

   component in which the host n= ame is specified as an IP address), then=

   the application MUST re= ject the certificate.<= /p>

 

It clearly says that if authority component is missing, = certificate must be rejected.=

 =

From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Sa= ntosh Chokhani
Sent: Tuesday, March 26, 2013 2:47 PM
To: 'pkix'
Subject: [pkix] URI Name Constraint and URN

 

I have been wrestling with what one should = with a certificate if the SAN in the certificate contains URN and when you = get to the certificate, the name constraint state variable indicates permit= ted and/or excluded values for the URI name form.

 

I think name constraint is n= ot applicable to URN since it does not have an “authority” and = thus “host” component by definition.  Thus, regardless of = the name constraint state variable, presence of URN should not cause name c= onstraint violation.

 

But, when I read 5280, I find the text implying otherwis= e or ambiguous.

 

 

Santosh Chokhani

CygnaCom Solutions, Inc.

=

 

_______________________________________________ pkix mailing lis= t pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix=

= --_000_B83745DA469B7847811819C5005244AFF3DC9CA5scygexch7cygnac_-- From stefan@aaa-sec.com Thu Mar 28 09:21:43 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21A2721F8EE8 for ; Thu, 28 Mar 2013 09:21:42 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -101.157 X-Spam-Level: X-Spam-Status: No, score=-101.157 tagged_above=-999 required=5 tests=[AWL=-0.905, BAYES_00=-2.599, HELO_EQ_SE=0.35, HTML_MESSAGE=0.001, J_CHICKENPOX_31=0.6, MIME_QP_LONG_LINE=1.396, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q-Tn2VxlDvY5 for ; Thu, 28 Mar 2013 09:21:39 -0700 (PDT) Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id CEC9C21F8EC6 for ; Thu, 28 Mar 2013 09:21:38 -0700 (PDT) Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id 94E221CEDF6E for ; Thu, 28 Mar 2013 17:21:37 +0100 (CET) X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id UYSy3n11Jvu3 for ; Thu, 28 Mar 2013 17:21:35 +0100 (CET) Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 448381CF9D55 for ; Thu, 28 Mar 2013 17:21:35 +0100 (CET) Received: (qmail 47705 invoked from network); 28 Mar 2013 16:21:35 -0000 Received: from gw.aaa-sec.ideon.se (HELO [192.168.1.2]) (stefan@fiddler.nu@[85.235.7.89]) (envelope-sender ) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 28 Mar 2013 16:21:35 -0000 User-Agent: Microsoft-MacOutlook/14.3.2.130206 Date: Thu, 28 Mar 2013 17:21:31 +0100 From: Stefan Santesson To: Santosh Chokhani , Piyush Jain , 'pkix' Message-ID: Thread-Topic: [pkix] URI Name Constraint and URN In-Reply-To: Mime-version: 1.0 Content-type: multipart/alternative; boundary="B_3447336095_1933215" Subject: Re: [pkix] URI Name Constraint and URN X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Mar 2013 16:21:43 -0000 > This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. --B_3447336095_1933215 Content-type: text/plain; charset="ISO-8859-1" Content-transfer-encoding: quoted-printable Not all URN certificates. Only certificates with a URN where a CA certificate in the current path has provided a constraints for URI:s according to the standard as a permittedSubtree constraint. RFC 5280 states: The name constraints extension, which MUST be used only in a CA certificate, indicates a name space within which all subject names in subsequent certificates in a certification path MUST be located. I simply can't see how "urn:com:contoso:whatever" can be claimed to fit within the permitted subtree constraint ".example.com" If ".example.com" is an excluded subtree, then I have no problem accepting the cert, because the URN is not excluded. /Stefan From: Santosh Chokhani Date: Thursday, March 28, 2013 5:11 PM To: Stefan Santesson , Piyush Jain , 'pkix' Subject: Re: [pkix] URI Name Constraint and URN > Stefan, > =20 > So, even though constraining URN is meaningless, all URN certificates sho= uld > be rejected. Did I get you right? > =20 > Make no sense at all to me. May be you can explain why this is useful or > right aside from 5280 having missed the scenario. > =20 >=20 > From: Stefan Santesson [mailto:stefan@aaa-sec.com] > Sent: Thursday, March 28, 2013 12:08 PM > To: Santosh Chokhani; Piyush Jain; 'pkix' > Subject: Re: [pkix] URI Name Constraint and URN > =20 >=20 > Santosh, >=20 > =20 >=20 > Clearly URN can't be expressed as a constraint. >=20 > If there is a constraint expressing .example.com and the SAN holds a URN > value, I'd say that this is a violation of that constraint. >=20 > =20 >=20 > /Stefan >=20 > =20 >=20 > From: Santosh Chokhani > Date: Wednesday, March 27, 2013 11:04 PM > To: Piyush Jain , 'pkix' > Subject: Re: [pkix] URI Name Constraint and URN >=20 > =20 >>=20 >> David and Piyush, >> =20 >> Thanks. >> =20 >> I agree with you for the most part. But, the first sentence in that >> paragraph can be used to think otherwise: =B3For URIs, the constraint appl= ies >> to the host part of the name=B2. >> =20 >> Anyway, that is not my primary point. I think the URI schemes that cann= ot >> have host name component should be exempt from name constraint since the= re is >> nothing to constrain. >> =20 >> Today, we have actual certificates that have URN in them and rejecting t= hem >> on the basis of upstream URI constraints (which typically apply to URL) = does >> not make sense to me. >> =20 >> My question is was that simply an oversight or is there a reason URN sho= uld >> be rejected. One could also argue when using URN scheme, the name is no= t >> hierarchical and there is no point in constraining it. >> =20 >>=20 >> From: Piyush Jain [mailto:piyush@ditenity.com] >> Sent: Tuesday, March 26, 2013 6:07 PM >> To: Santosh Chokhani; 'pkix' >> Subject: RE: [pkix] URI Name Constraint and URN >> =20 >> From 5280 >> (e.g., if the URI either >> does not include an authority component or includes an authority >> component in which the host name is specified as an IP address), then >> the application MUST reject the certificate. >> =20 >> It clearly says that if authority component is missing, certificate must= be >> rejected. >> =20 >>=20 >> From: pkix-bounces@ietf.org >> [mailto:pkix-bounces@ietf.org ] On Behalf= Of >> Santosh Chokhani >> Sent: Tuesday, March 26, 2013 2:47 PM >> To: 'pkix' >> Subject: [pkix] URI Name Constraint and URN >> =20 >> I have been wrestling with what one should with a certificate if the SAN= in >> the certificate contains URN and when you get to the certificate, the na= me >> constraint state variable indicates permitted and/or excluded values for= the >> URI name form. >> =20 >> I think name constraint is not applicable to URN since it does not have = an >> =B3authority=B2 and thus =B3host=B2 component by definition. Thus, regardless o= f the >> name constraint state variable, presence of URN should not cause name >> constraint violation. >> =20 >> But, when I read 5280, I find the text implying otherwise or ambiguous. >> =20 >> =20 >> Santosh Chokhani >> CygnaCom Solutions, Inc. >> =20 >> _______________________________________________ pkix mailing list >> pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix > _______________________________________________ pkix mailing list > pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix --B_3447336095_1933215 Content-type: text/html; charset="ISO-8859-1" Content-transfer-encoding: quoted-printable
Not all URN certificates.

Only certificates with a URN where a CA certificate i= n the current path has provided a constraints for URI:s according to the sta= ndard as a permittedSubtree constraint.

RFC 5280 st= ates:
   The name constraints ex=
tension, which MUST be used only in a CA
   certificate, indicates a name space within which all subject names in=

   subsequent certificates in a certification path MUST be located.

I simply can't see how "urn:com:contoso:whatever= "  can be claimed to fit within the permitted subtree constraint ".exam= ple.com"

If ".example.com" is an excluded subtree, = then I have no problem accepting the cert, because the URN is not excluded.<= /div>

/Stefan


From: Santosh Chokhani <SChokhani@cygnacom.com>
Date: Thursday, March 28, 2013 5:11 PM
To: Stefan Santesson <stefan@aaa-sec.com>, Piyush Jain <piyush@ditenity.com>, 'pkix' <pkix@ietf.org>
Subject: Re: [pkix] URI Name Constraint and URN

Stefan,

 

So, even though constraining URN is meaningless, all URN certificates = should be rejected.   Did I get you right?

 

<= p class=3D"MsoNormal">Make no sense at all to me.&= nbsp; May be you can explain why this is useful or right aside from 5280 hav= ing missed the scenario.

 

From:= = Stefan Santesson [mailto:stefan@aaa-sec= .com]
Sent: Thursday, March 28, 2013 12:08 PM
To: S= antosh Chokhani; Piyush Jain; 'pkix'
Subject: Re: [pkix] URI Name = Constraint and URN

 

Santosh,

 

Clearly U= RN can't be expressed as a constraint.

If there is a con= straint expressing .example.com and the SAN holds a URN value, I'd say that = this is a violation of that constraint.

 

/Stefan

 

From: Santosh Chokhani <SChokhani@cygnacom.com>
Date: Wednesday, March 27, 201= 3 11:04 PM
To: Piyush Jain <piyush@ditenity.com>, 'pkix' <pki= x@ietf.org>
Subject: Re: [pkix] URI Name Constraint and URN=

 

David and Piyush,=

 

Thanks.

 

<= p class=3D"MsoNormal">I agree with you for the mos= t part.  But, the first sentence in that paragraph can be used to think= otherwise: “For URIs, the constraint= applies to the host part of the name”.

 

Anyway, that is not my primary point.=   I think the URI schemes that cannot have host name component should b= e exempt from name constraint since there is nothing to constrain.

 <= /p>

Today, we have actual ce= rtificates that have URN in them and rejecting them on the basis of upstream= URI constraints (which typically apply to URL) does not make sense to me. <= /span>

<= span style=3D"color:#1F497D"> 

My question is = was that simply an oversight or is there a reason URN should be rejected.&nb= sp; One could also argue when using URN scheme, the name is not hierarchical= and there is no point in constraining it.<= o:p>

 =

From: Piyush Jain [mailto:piyush@ditenity.com]
Sent: Tuesday, March 2= 6, 2013 6:07 PM
To: Santosh Chokhani; 'pkix'
Subject: RE= : [pkix] URI Name Constraint and URN

&n= bsp;

F= rom 5280

(e.g., if the URI either

   does not include an authority compo= nent or includes an authority

   component in which the host name is = specified as an IP address), then

   the application MUST reject the = certificate.

 

It= clearly says that if authority component is missing, certificate must be re= jected.

 

From: pkix-boun= ces@ietf.org [mailto:pkix-bounces@ietf.org] On= Behalf Of Santosh Chokhani
Sent: Tuesday, March 26, 2013 2:47= PM
To: 'pkix'
Subject: [pkix] URI Name Constraint and U= RN

 

I have been wrestling with what one s= hould with a certificate if the SAN in the certificate contains URN and when= you get to the certificate, the name constraint state variable indicates pe= rmitted and/or excluded values for the URI name form.

<= p class=3D"MsoNormal"> 

I think name constraint is not = applicable to URN since it does not have an “authority” and thus= “host” component by definition.  Thus, regardless of the n= ame constraint state variable, presence of URN should not cause name constra= int violation.

 

But, when I read 5280, I find the text implying otherwise or ambiguous= .

 =

 <= o:p>

Santosh = Chokhani

CygnaCom Solutions, Inc.

 

________________________= _______________________ pkix mailing list pki= x@ietf.org https://= www.ietf.org/mailman/listinfo/pkix

_______________________________________________ pkix mailing list pkix@ietf.org https://www.ietf.org/m= ailman/listinfo/pkix --B_3447336095_1933215-- From SChokhani@cygnacom.com Thu Mar 28 09:24:32 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB26521F8E8F for ; Thu, 28 Mar 2013 09:24:32 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.298 X-Spam-Level: X-Spam-Status: No, score=-2.298 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_31=0.6] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kD4tlgdvl3ff for ; Thu, 28 Mar 2013 09:24:29 -0700 (PDT) Received: from ipedge1.cygnacom.com (ipedge1.cygnacom.com [216.191.252.12]) by ietfa.amsl.com (Postfix) with ESMTP id 025D321F8EC6 for ; Thu, 28 Mar 2013 09:24:27 -0700 (PDT) X-IronPort-AV: E=Sophos;i="4.84,927,1355115600"; d="scan'208,217";a="8414991" Received: from unknown (HELO scygexch7.cygnacom.com) ([10.4.60.22]) by ipedge1.cygnacom.com with ESMTP; 28 Mar 2013 12:24:23 -0400 Received: from scygexch7.cygnacom.com ([::1]) by scygexch7.cygnacom.com ([::1]) with mapi; Thu, 28 Mar 2013 12:24:22 -0400 From: Santosh Chokhani To: Stefan Santesson , Piyush Jain , 'pkix' Date: Thu, 28 Mar 2013 12:24:21 -0400 Thread-Topic: [pkix] URI Name Constraint and URN Thread-Index: Ac4r0FRjiBrAhf9KRVqIhQr02Fey3gAACduA Message-ID: References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: multipart/alternative; boundary="_000_B83745DA469B7847811819C5005244AFF3DC9CABscygexch7cygnac_" MIME-Version: 1.0 Subject: Re: [pkix] URI Name Constraint and URN X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Mar 2013 16:24:32 -0000 --_000_B83745DA469B7847811819C5005244AFF3DC9CABscygexch7cygnac_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Stefan, URN by definition do not have "authority" component are not hierarchical. You are simply parroting what 5280 says and not explaining what the use of = meaning of doing this is. May be you should explain how an upstream CA will permit URN and still cons= train URL. From: Stefan Santesson [mailto:stefan@aaa-sec.com] Sent: Thursday, March 28, 2013 12:22 PM To: Santosh Chokhani; Piyush Jain; 'pkix' Subject: Re: [pkix] URI Name Constraint and URN Not all URN certificates. Only certificates with a URN where a CA certificate in the current path has= provided a constraints for URI:s according to the standard as a permittedS= ubtree constraint. RFC 5280 states: The name constraints extension, which MUST be used only in a CA certificate, indicates a name space within which all subject names in subsequent certificates in a certification path MUST be located. I simply can't see how "urn:com:contoso:whatever" can be claimed to fit wi= thin the permitted subtree constraint ".example.com" If ".example.com" is an excluded subtree, then I have no problem accepting = the cert, because the URN is not excluded. /Stefan From: Santosh Chokhani > Date: Thursday, March 28, 2013 5:11 PM To: Stefan Santesson >, Piyus= h Jain >, 'pkix' > Subject: Re: [pkix] URI Name Constraint and URN Stefan, So, even though constraining URN is meaningless, all URN certificates shoul= d be rejected. Did I get you right? Make no sense at all to me. May be you can explain why this is useful or r= ight aside from 5280 having missed the scenario. From: Stefan Santesson [mailto:stefan@aaa-sec.com] Sent: Thursday, March 28, 2013 12:08 PM To: Santosh Chokhani; Piyush Jain; 'pkix' Subject: Re: [pkix] URI Name Constraint and URN Santosh, Clearly URN can't be expressed as a constraint. If there is a constraint expressing .example.com and the SAN holds a URN va= lue, I'd say that this is a violation of that constraint. /Stefan From: Santosh Chokhani > Date: Wednesday, March 27, 2013 11:04 PM To: Piyush Jain >, 'pkix' <= pkix@ietf.org> Subject: Re: [pkix] URI Name Constraint and URN David and Piyush, Thanks. I agree with you for the most part. But, the first sentence in that paragr= aph can be used to think otherwise: "For URIs, the constraint applies to th= e host part of the name". Anyway, that is not my primary point. I think the URI schemes that cannot = have host name component should be exempt from name constraint since there = is nothing to constrain. Today, we have actual certificates that have URN in them and rejecting them= on the basis of upstream URI constraints (which typically apply to URL) do= es not make sense to me. My question is was that simply an oversight or is there a reason URN should= be rejected. One could also argue when using URN scheme, the name is not = hierarchical and there is no point in constraining it. From: Piyush Jain [mailto:piyush@ditenity.com] Sent: Tuesday, March 26, 2013 6:07 PM To: Santosh Chokhani; 'pkix' Subject: RE: [pkix] URI Name Constraint and URN >From 5280 (e.g., if the URI either does not include an authority component or includes an authority component in which the host name is specified as an IP address), then the application MUST reject the certificate. It clearly says that if authority component is missing, certificate must be= rejected. From: pkix-bounces@ietf.org [mailto:pkix-boun= ces@ietf.org] On Behalf Of Santosh Chokhani Sent: Tuesday, March 26, 2013 2:47 PM To: 'pkix' Subject: [pkix] URI Name Constraint and URN I have been wrestling with what one should with a certificate if the SAN in= the certificate contains URN and when you get to the certificate, the name= constraint state variable indicates permitted and/or excluded values for t= he URI name form. I think name constraint is not applicable to URN since it does not have an = "authority" and thus "host" component by definition. Thus, regardless of t= he name constraint state variable, presence of URN should not cause name co= nstraint violation. But, when I read 5280, I find the text implying otherwise or ambiguous. Santosh Chokhani CygnaCom Solutions, Inc. _______________________________________________ pkix mailing list pkix@ietf= .org https://www.ietf.org/mailman/listinfo/pkix _______________________________________________ pkix mailing list pkix@ietf= .org https://www.ietf.org/mailman/listinfo/pkix --_000_B83745DA469B7847811819C5005244AFF3DC9CABscygexch7cygnac_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Stefan,

 

URN by definition do not have “authority”= ; component are not hierarchical.

 

You are simply parroting what 5280 says = and not explaining what the use of meaning of doing this is.

 =

May be you sh= ould explain how an upstream CA will permit URN and still constrain URL.

=  

From: Stefan Santes= son [mailto:stefan@aaa-sec.com]
Sent: Thursday, March 28, 2013 1= 2:22 PM
To: Santosh Chokhani; Piyush Jain; 'pkix'
Subject:<= /b> Re: [pkix] URI Name Constraint and URN

 

Not all URN certificates.=

 

Only certificates with a URN whe= re a CA certificate in the current path has provided a constraints for URI:= s according to the standard as a permittedSubtree constraint.

 

RFC 5280 states:<= /p>

   The name constraints extension, which =
MUST be used only in a CA
   cer=
tificate, indicates a name space within which all subject names in<=
/o:p>
   subsequent certificates in =
a certification path MUST be located.

<= span style=3D'font-size:10.5pt;color:black'> 

I= simply can't see how "urn:com:contoso:whatever"  can be cla= imed to fit within the permitted subtree constraint ".example.com"= ;

 

If ".example.co= m" is an excluded subtree, then I have no problem accepting the cert, = because the URN is not excluded.

 =

/Stefan

<= span style=3D'font-size:10.5pt;color:black'> 

<= o:p> 

Stefan,

 

So, even though c= onstraining URN is meaningless, all URN certificates should be rejected.&nb= sp;  Did I get you right?

 

Make no sense at all to me.  May be you can= explain why this is useful or right aside from 5280 having missed the scen= ario.

 

From: Stefan Santesson [mailt= o:stefan@aaa-sec.com]
Sent: Thursday, March 28, 2013 12:08 P= M
To: Santosh Chokhani; Piyush Jain; 'pkix'
Subject: Re= : [pkix] URI Name Constraint and URN

 

Santosh,

 

Clearly URN can't be expressed as a constraint.

If there is a constraint expressin= g .example.com and the SAN holds a URN value, I'd say that this is a violat= ion of that constraint.

 

/St= efan

 

From: Santosh Chokhani <SChokhani@cygnacom.com>
Date: Wednesday, March 27, 2013 = 11:04 PM
To: Piyush Jain <piyush@ditenity.com>, 'pkix' <pkix@ietf.org>
Subject: Re: [pkix] URI Name Constraint an= d URN

 =

David and= Piyush,

 

Thanks.

 

I agree with you for the most part.  But, the first sentenc= e in that paragraph can be used to think otherwise: “For URIs, the constraint applies to the host part of the= name”.

 

Anyway, that is not my primary point.  I think the URI sc= hemes that cannot have host name component should be exempt from name const= raint since there is nothing to constrain.

=  

Today, we have actual certificates t= hat have URN in them and rejecting them on the basis of upstream URI constr= aints (which typically apply to URL) does not make sense to me.

 <= /span>

My question is= was that simply an oversight or is there a reason URN should be rejected.&= nbsp; One could also argue when using URN scheme, the name is not hierarchi= cal and there is no point in constraining it.

 

From: Piyush Jain [mailto:piyush@ditenity.com]
Sent= : Tuesday, March 26, 2013 6:07 PM
To: Santosh Chokhani; 'pkix= '
Subject: RE: [pkix] URI Name Constraint and URN

<= span style=3D'color:black'> 

From 5280=

(e.g., if the URI either

   = does not include an authority component or includes an authority

  = component in which the host name is specified as an IP address), then

 =   the application MUST reject the certificate.

 

It clearly says that if aut= hority component is missing, certificate must be rejected.

 =

From: <= /span>= pkix-bou= nces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Santosh Chokhani
Sent: Tuesday, March = 26, 2013 2:47 PM
To: 'pkix'
Subject: [pkix] URI Name Co= nstraint and URN

 

I have been wr= estling with what one should with a certificate if the SAN in the certifica= te contains URN and when you get to the certificate, the name constraint st= ate variable indicates permitted and/or excluded values for the URI name fo= rm.

&= nbsp;

I think name constraint is not applicable to URN since it does not have an= “authority” and thus “host” component by definitio= n.  Thus, regardless of the name constraint state variable, presence o= f URN should not cause name constraint violation.

 

But, when I read 5280, I fin= d the text implying otherwise or ambiguous.

 

 

Santosh Chokhani

CygnaCom Solutions= , Inc.

 

____________________________________= ___________ pkix mailing list pkix@ietf.or= g https://www.ie= tf.org/mailman/listinfo/pkix

____________________________________________= ___ pkix mailing list pkix@ietf.org https://www.ietf.org/m= ailman/listinfo/pkix

= --_000_B83745DA469B7847811819C5005244AFF3DC9CABscygexch7cygnac_-- From internet-drafts@ietf.org Thu Mar 28 09:32:24 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E5D021F8FC6; Thu, 28 Mar 2013 09:32:24 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.583 X-Spam-Level: X-Spam-Status: No, score=-102.583 tagged_above=-999 required=5 tests=[AWL=0.017, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oL-iXmDuRLDm; Thu, 28 Mar 2013 09:32:24 -0700 (PDT) Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CEB821F8967; Thu, 28 Mar 2013 09:32:24 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable From: internet-drafts@ietf.org To: i-d-announce@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 4.43 Message-ID: <20130328163224.15375.34321.idtracker@ietfa.amsl.com> Date: Thu, 28 Mar 2013 09:32:24 -0700 Cc: pkix@ietf.org Subject: [pkix] I-D Action: draft-ietf-pkix-rfc2560bis-16.txt X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Mar 2013 16:32:24 -0000 A New Internet-Draft is available from the on-line Internet-Drafts director= ies. This draft is a work item of the Public-Key Infrastructure (X.509) Working= Group of the IETF. Title : X.509 Internet Public Key Infrastructure Online Certific= ate Status Protocol - OCSP Author(s) : Stefan Santesson Michael Myers Rich Ankney Ambarish Malpani Slava Galperin Carlisle Adams Filename : draft-ietf-pkix-rfc2560bis-16.txt Pages : 43 Date : 2013-03-28 Abstract: This document specifies a protocol useful in determining the current status of a digital certificate without requiring CRLs. Additional mechanisms addressing PKIX operational requirements are specified in separate documents. This document obsoletes RFC 2560 and RFC 6277, and updates RFC 5912. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-pkix-rfc2560bis There's also a htmlized version available at: http://tools.ietf.org/html/draft-ietf-pkix-rfc2560bis-16 A diff from the previous version is available at: http://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-pkix-rfc2560bis-16 Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ From piyush@ditenity.com Thu Mar 28 10:38:03 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DA3221F903B for ; Thu, 28 Mar 2013 10:38:03 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.298 X-Spam-Level: X-Spam-Status: No, score=-3.298 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_31=0.6, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gh9jV-CHW5Q8 for ; Thu, 28 Mar 2013 10:37:59 -0700 (PDT) Received: from mail-qa0-f51.google.com (mail-qa0-f51.google.com [209.85.216.51]) by ietfa.amsl.com (Postfix) with ESMTP id 3E50921F9039 for ; Thu, 28 Mar 2013 10:37:59 -0700 (PDT) Received: by mail-qa0-f51.google.com with SMTP id hg5so18470qab.3 for ; Thu, 28 Mar 2013 10:37:58 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:from:to:references:in-reply-to:subject:date:message-id :mime-version:content-type:x-mailer:thread-index:content-language :x-gm-message-state; bh=d2gcpPhTfLPlIxX/kfd43z0ve7lh8sQvPyfYuZp+5MY=; b=cs9SLSgdT8MN7P3JvltkwYADNzVP1sCFTkudowD3cZY0cYzOhJVKsjxnZaOTbR3Np7 q4EHcW7ms4syTB4uMrvYrniPB118uE0bGLnaOmAYB58bWbpOvhZof+N1vRr/dggexgYU wQb50PvXI9q97LR4cRpdsHk87Vwyzi4epYk/6LuXO2VS56ImLzzj52TgKJ+ILMfj1kz4 8XEP8GUulD3aqNLvTHwe0WU9APwmS1UMBKFJr7kCaqEzg8W7j7ZAMXMoWdkMTlKPjTHB Z4L02OAgj/q92y+kFxATvQKWPG2baPTwkfDMgr+4N+EA5JI8xorPDsDRBbp0/iUM6gLE csqQ== X-Received: by 10.229.69.133 with SMTP id z5mr2185429qci.137.1364492278633; Thu, 28 Mar 2013 10:37:58 -0700 (PDT) Received: from hp13 (75-25-128-241.lightspeed.sjcpca.sbcglobal.net. [75.25.128.241]) by mx.google.com with ESMTPS id dr7sm124548qab.5.2013.03.28.10.37.56 (version=TLSv1 cipher=RC4-SHA bits=128/128); Thu, 28 Mar 2013 10:37:58 -0700 (PDT) From: "Piyush Jain" To: "'Santosh Chokhani'" , "'Stefan Santesson'" , "'pkix'" References: In-Reply-To: Date: Thu, 28 Mar 2013 10:37:52 -0700 Message-ID: <000c01ce2bda$fadd38f0$f097aad0$@ditenity.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_000D_01CE2BA0.4E82CDC0" X-Mailer: Microsoft Outlook 14.0 Thread-Index: AQEfSBbLKi5YrJaPE2aBNlVzD/FdbgGEwBTGAk7R4vCZ+oL7cA== Content-Language: en-us X-Gm-Message-State: ALoCoQmjnS6NIr4La/kS5iHhfFmixVEZiLsoyReGE9NO+erHdtlEKfkhcFHWEnpp0Bb6/C9JcJx6 Subject: Re: [pkix] URI Name Constraint and URN X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Mar 2013 17:38:03 -0000 This is a multipart message in MIME format. ------=_NextPart_000_000D_01CE2BA0.4E82CDC0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Santosh, I think I agree with you that constraining URN based on authority does not make sense. The text - "For URIs, the constraint applies to the host part of the name." from 5280 indicates that the author assumed that URIs will always have the authority component, which is a wrong assumption. There may be some value in applying the constraint after using a resolver to map the URN to a location, or constraining the namespace of the URN itself. So here are the possible scenarios 1) Constraint is a URL, name is URN. This is what you came across. It does not make sense to apply authority constraints unless URN is resolved to a URL 2) Constraint is URN, name is URL. Not sure if this is useful at all. 5280 is silent on this. 3) Constraint is URN, name is URN. It might be useful to define matching rules for this scenario. 4) Constraint is URL, name is URL. This is the only case 5280 handles today. -Piyush From: Santosh Chokhani [mailto:SChokhani@cygnacom.com] Sent: Thursday, March 28, 2013 9:24 AM To: Stefan Santesson; Piyush Jain; 'pkix' Subject: RE: [pkix] URI Name Constraint and URN Stefan, URN by definition do not have "authority" component are not hierarchical. You are simply parroting what 5280 says and not explaining what the use of meaning of doing this is. May be you should explain how an upstream CA will permit URN and still constrain URL. From: Stefan Santesson [mailto:stefan@aaa-sec.com] Sent: Thursday, March 28, 2013 12:22 PM To: Santosh Chokhani; Piyush Jain; 'pkix' Subject: Re: [pkix] URI Name Constraint and URN Not all URN certificates. Only certificates with a URN where a CA certificate in the current path has provided a constraints for URI:s according to the standard as a permittedSubtree constraint. RFC 5280 states: The name constraints extension, which MUST be used only in a CA certificate, indicates a name space within which all subject names in subsequent certificates in a certification path MUST be located. I simply can't see how "urn:com:contoso:whatever" can be claimed to fit within the permitted subtree constraint ".example.com" If ".example.com" is an excluded subtree, then I have no problem accepting the cert, because the URN is not excluded. /Stefan From: Santosh Chokhani Date: Thursday, March 28, 2013 5:11 PM To: Stefan Santesson , Piyush Jain , 'pkix' Subject: Re: [pkix] URI Name Constraint and URN Stefan, So, even though constraining URN is meaningless, all URN certificates should be rejected. Did I get you right? Make no sense at all to me. May be you can explain why this is useful or right aside from 5280 having missed the scenario. From: Stefan Santesson [mailto:stefan@aaa-sec.com] Sent: Thursday, March 28, 2013 12:08 PM To: Santosh Chokhani; Piyush Jain; 'pkix' Subject: Re: [pkix] URI Name Constraint and URN Santosh, Clearly URN can't be expressed as a constraint. If there is a constraint expressing .example.com and the SAN holds a URN value, I'd say that this is a violation of that constraint. /Stefan From: Santosh Chokhani Date: Wednesday, March 27, 2013 11:04 PM To: Piyush Jain , 'pkix' Subject: Re: [pkix] URI Name Constraint and URN David and Piyush, Thanks. I agree with you for the most part. But, the first sentence in that paragraph can be used to think otherwise: "For URIs, the constraint applies to the host part of the name". Anyway, that is not my primary point. I think the URI schemes that cannot have host name component should be exempt from name constraint since there is nothing to constrain. Today, we have actual certificates that have URN in them and rejecting them on the basis of upstream URI constraints (which typically apply to URL) does not make sense to me. My question is was that simply an oversight or is there a reason URN should be rejected. One could also argue when using URN scheme, the name is not hierarchical and there is no point in constraining it. From: Piyush Jain [mailto:piyush@ditenity.com] Sent: Tuesday, March 26, 2013 6:07 PM To: Santosh Chokhani; 'pkix' Subject: RE: [pkix] URI Name Constraint and URN >From 5280 (e.g., if the URI either does not include an authority component or includes an authority component in which the host name is specified as an IP address), then the application MUST reject the certificate. It clearly says that if authority component is missing, certificate must be rejected. From: pkix-bounces@ietf.org [ mailto:pkix-bounces@ietf.org] On Behalf Of Santosh Chokhani Sent: Tuesday, March 26, 2013 2:47 PM To: 'pkix' Subject: [pkix] URI Name Constraint and URN I have been wrestling with what one should with a certificate if the SAN in the certificate contains URN and when you get to the certificate, the name constraint state variable indicates permitted and/or excluded values for the URI name form. I think name constraint is not applicable to URN since it does not have an "authority" and thus "host" component by definition. Thus, regardless of the name constraint state variable, presence of URN should not cause name constraint violation. But, when I read 5280, I find the text implying otherwise or ambiguous. Santosh Chokhani CygnaCom Solutions, Inc. _______________________________________________ pkix mailing list pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix _______________________________________________ pkix mailing list pkix@ietf.org https://www.ietf.org/mailman/listinfo/pkix ------=_NextPart_000_000D_01CE2BA0.4E82CDC0 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Santosh,

 

I think I agree with you = that constraining URN based on authority does not make = sense.

 

The text – =
“For URIs, the constraint =
applies to the host part of the name.” from 5280 indicates that the author assumed that URIs will always =
have the authority component, which is a wrong assumption.
 

There may be some value = in applying the constraint after using a resolver to map the URN to a = location, or constraining the namespace of the URN itself.  =

 

So here are the possible = scenarios

1)      = Constraint = is a URL, name is URN. This is what you came across. It does not make = sense to apply authority constraints unless URN is resolved to a = URL

2)      = Constraint = is URN, name is URL. Not sure if this is useful at all. 5280 is silent = on this.

3)      = Constraint = is URN, name is URN. It might be useful to define matching rules for = this scenario.

4)      = Constraint = is URL, name is URL. This is the only case 5280 handles = today.

 

-Piyush

 

From:= = Santosh Chokhani [mailto:SChokhani@cygnacom.com]
Sent: = Thursday, March 28, 2013 9:24 AM
To: Stefan Santesson; Piyush = Jain; 'pkix'
Subject: RE: [pkix] URI Name Constraint and = URN

 

Stefan,

 

URN by definition do not = have “authority” component are not = hierarchical.

 

You are simply parroting = what 5280 says and not explaining what the use of meaning of doing this = is.

 

May be you should = explain how an upstream CA will permit URN and still constrain = URL.

 

 

=

Only certificates with a URN = where a CA certificate in the current path has provided a constraints = for URI:s according to the standard as a permittedSubtree = constraint.

 

=

RFC 5280 = states:

   The name constraints =
extension, which MUST be used only in a CA
   certificate, =
indicates a name space within which all subject names =
in
   subsequent =
certificates in a certification path MUST be located.

 

=

I = simply can't see how "urn:com:contoso:whatever"  can be = claimed to fit within the permitted subtree constraint = ".example.com"

 

=

If ".example.com" is an = excluded subtree, then I have no problem accepting the cert, because the = URN is not excluded.

 

=

/Stefan

 

=

 

=

From: = Santosh Chokhani <SChokhani@cygnacom.com>
= Date: Thursday, March 28, 2013 5:11 PM
To: Stefan = Santesson <stefan@aaa-sec.com>, Piyush = Jain <piyush@ditenity.com>, 'pkix' = <pkix@ietf.org>
Subject: = Re: [pkix] URI Name Constraint and = URN

 

=

Stefan,

 

So, even though constraining URN is meaningless, = all URN certificates should be rejected.   Did I get you = right?

 

Make no sense at all to me.  May be you can = explain why this is useful or right aside from 5280 having missed the = scenario.

 

= From:= Stefan Santesson [mailto:stefan@aaa-sec.com] =
Sent: Thursday, March 28, 2013 12:08 PM
To: Santosh = Chokhani; Piyush Jain; 'pkix'
Subject: Re: [pkix] URI Name = Constraint and URN

 

Santosh,

 

Clearly = URN can't be expressed as a constraint.

If there = is a constraint expressing .example.com and the SAN holds a URN value, = I'd say that this is a violation of that constraint.

 

/Stefan

 

From: = Santosh Chokhani <SChokhani@cygnacom.com>
= Date: Wednesday, March 27, 2013 11:04 PM
To: Piyush = Jain <piyush@ditenity.com>, 'pkix' = <pkix@ietf.org>
Subject: = Re: [pkix] URI Name Constraint and = URN

 

David and = Piyush,

 

Thanks.

 

I agree with you for the most part.  But, = the first sentence in that paragraph can be used to think otherwise: = “For URIs, the constraint = applies to the host part of the name”.

 

Anyway, that is not my = primary point.  I think the URI schemes that cannot have host name = component should be exempt from name constraint since there is nothing = to constrain.

 

Today, we have actual certificates that have URN = in them and rejecting them on the basis of upstream URI constraints = (which typically apply to URL) does not make sense to me.

 

My question is was that simply an oversight or = is there a reason URN should be rejected.  One could also argue = when using URN scheme, the name is not hierarchical and there is no = point in constraining it.

 

= From:= Piyush Jain [mailto:piyush@ditenity.com] =
Sent: Tuesday, March 26, 2013 6:07 PM
To: Santosh = Chokhani; 'pkix'
Subject: RE: [pkix] URI Name Constraint and = URN

 

From 5280

(e.g., = if the URI either

   does not include an authority component = or includes an authority

   component in which the host name is = specified as an IP address), then

   the application MUST reject the = certificate.

 

It clearly says that if authority component is = missing, certificate must be rejected.

 

= From:= pkix-bounces= @ietf.org= [mailto:pkix-= bounces@ietf.org= ] On Behalf Of Santosh Chokhani
Sent: Tuesday, March = 26, 2013 2:47 PM
To: 'pkix'
Subject: [pkix] URI Name = Constraint and URN

 

I have been wrestling with = what one should with a certificate if the SAN in the certificate = contains URN and when you get to the certificate, the name constraint = state variable indicates permitted and/or excluded values for the URI = name form.

 

I think name constraint is = not applicable to URN since it does not have an “authority” = and thus “host” component by definition.  Thus, = regardless of the name constraint state variable, presence of URN should = not cause name constraint violation.

 

But, when I read 5280, I = find the text implying otherwise or ambiguous.

 

 

Santosh = Chokhani

CygnaCom Solutions, Inc.

 

__________________________________= _____________ pkix mailing list pkix@ietf.org https://www.ietf.org/= mailman/listinfo/pkix

__________________________________= _____________ pkix mailing list pkix@ietf.org https://www.ietf.org/= mailman/listinfo/pkix =

------=_NextPart_000_000D_01CE2BA0.4E82CDC0-- From david.cooper@nist.gov Thu Mar 28 11:03:58 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90FE621F905B for ; Thu, 28 Mar 2013 11:03:58 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.141 X-Spam-Level: X-Spam-Status: No, score=-5.141 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ow0Z5sKZUajR for ; Thu, 28 Mar 2013 11:03:58 -0700 (PDT) Received: from wsget2.nist.gov (wsget2.nist.gov [129.6.13.151]) by ietfa.amsl.com (Postfix) with ESMTP id DEC0B21F9027 for ; Thu, 28 Mar 2013 11:03:57 -0700 (PDT) Received: from WSXGHUB1.xchange.nist.gov (129.6.18.96) by wsget2.nist.gov (129.6.13.151) with Microsoft SMTP Server (TLS) id 14.3.123.3; Thu, 28 Mar 2013 14:03:37 -0400 Received: from smtp.nist.gov (129.6.16.226) by WSXGHUB1.xchange.nist.gov (129.6.18.96) with Microsoft SMTP Server id 8.3.298.1; Thu, 28 Mar 2013 14:03:56 -0400 Received: from st26.ncsl.nist.gov (st26.ncsl.nist.gov [129.6.54.72]) by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id r2SI3tZd000726; Thu, 28 Mar 2013 14:03:56 -0400 Message-ID: <5154860B.7050900@nist.gov> Date: Thu, 28 Mar 2013 14:03:55 -0400 From: "David A. Cooper" User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130308 Thunderbird/17.0.4 MIME-Version: 1.0 To: Piyush Jain References: <000c01ce2bda$fadd38f0$f097aad0$@ditenity.com> In-Reply-To: <000c01ce2bda$fadd38f0$f097aad0$@ditenity.com> Content-Type: text/html; charset="windows-1252" Content-Transfer-Encoding: 8bit Cc: 'pkix' Subject: Re: [pkix] URI Name Constraint and URN X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Mar 2013 18:03:58 -0000
On 03/28/2013 01:37 PM, Piyush Jain wrote:

Santosh,

 

I think I agree with you that constraining URN based on authority does not make sense.

 

The text – “For URIs, the constraint applies to the host part of the name.” from 5280 indicates that the author assumed that URIs will always have the authority component, which is a wrong assumption.

RFC 5280 says:
If a constraint is applied to the uniformResourceIdentifier name form and a subsequent certificate includes a subjectAltName extension with a uniformResourceIdentifier that does not include an authority component with a host name specified as a fully qualified domain name (e.g., if the URI either does not include an authority component or includes an authority component in which the host name is specified as an IP address), then the application MUST reject the certificate.

This indicates quite clearly that the author did not assume that URIs will always have the authority component.

See also http://www.ietf.org/mail-archive/web/pkix/current/msg02179.html ("RFC 3280bis and URI schemes without hostname").

From piyush@ditenity.com Thu Mar 28 11:49:30 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CC3D21F9092 for ; Thu, 28 Mar 2013 11:49:30 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.101 X-Spam-Level: X-Spam-Status: No, score=-1.101 tagged_above=-999 required=5 tests=[AWL=-2.197, BAYES_00=-2.599, DOS_OUTLOOK_TO_MX=1, DYN_RDNS_SHORT_HELO_HTML=0.499, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_EQ_LT4=0.442, HTML_MESSAGE=0.001, RDNS_DYNAMIC=0.1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gF6T7rE4dJYt for ; Thu, 28 Mar 2013 11:49:29 -0700 (PDT) Received: from mail-qc0-x233.google.com (mail-qc0-x233.google.com [IPv6:2607:f8b0:400d:c01::233]) by ietfa.amsl.com (Postfix) with ESMTP id DB55C21F9080 for ; Thu, 28 Mar 2013 11:49:28 -0700 (PDT) Received: by mail-qc0-f179.google.com with SMTP id b40so4387662qcq.10 for ; Thu, 28 Mar 2013 11:49:28 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-type:x-mailer:thread-index :content-language:x-gm-message-state; bh=eOE9rQkeCbxk0F/joNtkObHy09G4Fk0GX31IWKYfj74=; b=ZqE535kg6f9N7z3Lti6bUIzXKlrFptN9BgkwqRGI/eYCMkMjOqcz48nQwQTo3Ssmy8 Alp+1glKzLkf/Vvz5AC9bbmsezULtliUfr2Fp/IXxY8gmEL77hM7BBDSw4TpuQbh894a sRl0UbRsqXrL+pmrfE30b/7lCI9cSzHAdhdWuwVtJQJQudxG7gD7vUSQG1xo4LtW7sA9 vk+xpypO/oXUdxCU0P1f2EBcOmnWTZHuPyniVCAZnz6P9y4pryK6piEMiyeWr/+WJwIP 9BuUuiyaoGDPeByt7RKlotKXuLITGAacviEtK7sfnoMXEVYvLfeeDnpgJO0u9Fzz38BR QAtA== X-Received: by 10.224.209.193 with SMTP id gh1mr252236qab.86.1364496568241; Thu, 28 Mar 2013 11:49:28 -0700 (PDT) Received: from hp13 (75-25-128-241.lightspeed.sjcpca.sbcglobal.net. [75.25.128.241]) by mx.google.com with ESMTPS id gm5sm617068qab.2.2013.03.28.11.49.26 (version=TLSv1 cipher=RC4-SHA bits=128/128); Thu, 28 Mar 2013 11:49:27 -0700 (PDT) From: "Piyush Jain" To: "'David A. Cooper'" , "Santosh Chokhani" References: <000c01ce2bda$fadd38f0$f097aad0$@ditenity.com> <5154860B.7050900@nist.gov> In-Reply-To: <5154860B.7050900@nist.gov> Date: Thu, 28 Mar 2013 11:49:23 -0700 Message-ID: <004f01ce2be4$f7eb64a0$e7c22de0$@ditenity.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0050_01CE2BAA.4B8DC520" X-Mailer: Microsoft Outlook 14.0 Thread-Index: AQEfSBbLKi5YrJaPE2aBNlVzD/FdbgGEwBTGAk7R4vAC51KXIgICL8F1mdNM27A= Content-Language: en-us X-Gm-Message-State: ALoCoQlC+3MYiulCwC53p7z1VisPYHKWxmsAmRl4dLF7hxa5njJ4K0HgUjHIINNJDFRoUbFDdR5X Cc: 'pkix' Subject: Re: [pkix] URI Name Constraint and URN X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Mar 2013 18:49:30 -0000 This is a multipart message in MIME format. ------=_NextPart_000_0050_01CE2BAA.4B8DC520 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit My apologies to the author(s) for being presumptuous and thank David for pointing to the discussion thread. So it seems that WG consciously refrained from defining matching rules for URNs. This implies if a CA has a permitted subtree constraint, any descendent certificate cannot have a URN name. Seems like a limitation which cannot be addressed without defining matching rules for URNs. From: David A. Cooper [mailto:david.cooper@nist.gov] Sent: Thursday, March 28, 2013 11:04 AM To: Piyush Jain Cc: 'pkix' Subject: Re: [pkix] URI Name Constraint and URN On 03/28/2013 01:37 PM, Piyush Jain wrote: Santosh, I think I agree with you that constraining URN based on authority does not make sense. The text - "For URIs, the constraint applies to the host part of the name." from 5280 indicates that the author assumed that URIs will always have the authority component, which is a wrong assumption. RFC 5280 says: If a constraint is applied to the uniformResourceIdentifier name form and a subsequent certificate includes a subjectAltName extension with a uniformResourceIdentifier that does not include an authority component with a host name specified as a fully qualified domain name (e.g., if the URI either does not include an authority component or includes an authority component in which the host name is specified as an IP address), then the application MUST reject the certificate. This indicates quite clearly that the author did not assume that URIs will always have the authority component. See also http://www.ietf.org/mail-archive/web/pkix/current/msg02179.html ("RFC 3280bis and URI schemes without hostname"). ------=_NextPart_000_0050_01CE2BAA.4B8DC520 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

My apologies to the = author(s) for being presumptuous and thank David for pointing to the = discussion thread.

 

So it seems that WG = consciously refrained from defining matching rules for URNs. =

This implies if a CA has a permitted subtree = constraint, any descendent certificate cannot have a URN name. Seems = like a limitation which cannot be addressed without defining matching = rules for URNs.

 

From: David A. Cooper [mailto:david.cooper@nist.gov]
Sent: = Thursday, March 28, 2013 11:04 AM
To: Piyush = Jain
Cc: 'pkix'
Subject: Re: [pkix] URI Name = Constraint and URN

 

On = 03/28/2013 01:37 PM, Piyush Jain wrote:

Santosh,

 

I think I agree with you = that constraining URN based on authority does not make = sense.

 

The text – =
“For URIs, the constraint applies to the host part of the =
name.” from 5280 indicates that the author assumed that URIs will always =
have the authority component, which is a wrong assumption.<=
/o:p>


RFC = 5280 says:

If a = constraint is applied to the uniformResourceIdentifier name form and a = subsequent certificate includes a subjectAltName extension with a = uniformResourceIdentifier that does not include an authority component = with a host name specified as a fully qualified domain name (e.g., if = the URI either does not include an authority = component or includes an authority component in which the host = name is specified as an IP address), then the application MUST reject = the certificate.


This indicates quite clearly that the author did = not assume that URIs will always have the authority = component.

See also = http://www.ietf.org/mail-archive/web/pkix/current/msg02179.html = ("RFC 3280bis and URI schemes without = hostname").

------=_NextPart_000_0050_01CE2BAA.4B8DC520-- From tmiller@mitre.org Fri Mar 29 06:26:58 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 586D521F9405 for ; Fri, 29 Mar 2013 06:26:58 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.599 X-Spam-Level: X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TG6gLpShTRyV for ; Fri, 29 Mar 2013 06:26:57 -0700 (PDT) Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 6CF0D21F926F for ; Fri, 29 Mar 2013 06:26:57 -0700 (PDT) Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id EB63F1F0328; Fri, 29 Mar 2013 09:26:56 -0400 (EDT) Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id D7DA11F0835; Fri, 29 Mar 2013 09:26:56 -0400 (EDT) Received: from IMCMBX01.MITRE.ORG ([169.254.1.87]) by IMCCAS03.MITRE.ORG ([129.83.29.80]) with mapi id 14.02.0342.003; Fri, 29 Mar 2013 09:26:37 -0400 From: "Miller, Timothy J." To: Piyush Jain , "'David A. Cooper'" , Santosh Chokhani Thread-Topic: [pkix] URI Name Constraint and URN Thread-Index: AQHOK9BO9dgaluVHQ+eSP3hIs2otNpi7jNWAgAAUigCAAAdHgIAADLSAgADkZwA= Date: Fri, 29 Mar 2013 13:26:36 +0000 Message-ID: In-Reply-To: <004f01ce2be4$f7eb64a0$e7c22de0$@ditenity.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/14.3.2.130206 x-originating-ip: [172.31.38.91] Content-Type: text/plain; charset="iso-8859-1" Content-ID: <90564892A7FFEB458A65E87F14037895@imc.mitre.org> Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Cc: 'pkix' Subject: Re: [pkix] URI Name Constraint and URN X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Mar 2013 13:26:58 -0000 So perhaps the problem is there's no way to apply a single NC rule to URIs since the sub-types of URIs conflict in how names are constructed. I.e., the right fix is to discard the URI type and treat the sub-type of URLs and URNs separately. This would permit separate NC processing for each, which seems to be what Santosh is asking for. -- T On 3/28/13 1:49 PM, "Piyush Jain" wrote: >My apologies to the author(s) for being presumptuous and thank David for >pointing to the discussion thread. >=20 >So it seems that WG consciously refrained from defining matching rules >for URNs. > >This implies if a CA has a permitted subtree constraint, any descendent >certificate cannot have a URN name. Seems like a limitation which cannot >be addressed without defining matching rules for URNs. >=20 >From: David A. Cooper [mailto:david.cooper@nist.gov] > >Sent: Thursday, March 28, 2013 11:04 AM >To: Piyush Jain >Cc: 'pkix' >Subject: Re: [pkix] URI Name Constraint and URN > > >=20 >On 03/28/2013 01:37 PM, Piyush Jain wrote: > > >Santosh, >=20 >I think I agree with you that constraining URN based on authority does >not make sense. >=20 >The text =AD =B3For URIs, the constraint applies to the host part of the >name.=B2 from 5280 indicates that the author assumed that URIs will always >have the authority component, which is a wrong assumption. > > >RFC 5280 says: >If a constraint is applied to the uniformResourceIdentifier name form and >a subsequent certificate includes a subjectAltName extension with a >uniformResourceIdentifier > that does not include an authority component with a host name specified >as a fully qualified domain name (e.g., if the >URI either does not include an authority component or includes an >authority component in which > the host name is specified as an IP address), then the application MUST >reject the certificate. > >This indicates quite clearly that the author did not assume that URIs >will always have the authority component. > >See also=20 >http://www.ietf.org/mail-archive/web/pkix/current/msg02179.html > ("RFC >3280bis and URI schemes without hostname"). > > From piyush@ditenity.com Fri Mar 29 09:21:53 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B84D21F8E57 for ; Fri, 29 Mar 2013 09:21:52 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.972 X-Spam-Level: X-Spam-Status: No, score=-0.972 tagged_above=-999 required=5 tests=[AWL=-1.568, BAYES_00=-2.599, DOS_OUTLOOK_TO_MX=1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_EQ_LT4=0.442, RDNS_DYNAMIC=0.1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9yoOvu5Ccavl for ; Fri, 29 Mar 2013 09:21:51 -0700 (PDT) Received: from mail-gg0-x234.google.com (mail-gg0-x234.google.com [IPv6:2607:f8b0:4002:c02::234]) by ietfa.amsl.com (Postfix) with ESMTP id F3A5F21F8C9A for ; Fri, 29 Mar 2013 09:21:50 -0700 (PDT) Received: by mail-gg0-f180.google.com with SMTP id e5so44632ggk.11 for ; Fri, 29 Mar 2013 09:21:38 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-type:content-transfer-encoding :x-mailer:thread-index:content-language:x-gm-message-state; bh=PfXPjQmKQao6e7/IssgguZspiMNJoixLqcUDqJx+Pos=; b=aB6aKM0u6h4vQf/tybschTPD8FCHegbHtDPvKb2eVY6hUjEAGEnCJM7TXMreQz9cCj lqQobK3UCOUnbd1KYl8LZ/mlrfBLIt1NdaVSSYPB9NqY0iHLzqlldPTAeX7/DBVYtWn8 bXJLsY4S3d4NbceO6PPioQaa91v1667THNyb4Nkuxot5moUXHJPD7JW2y6CsVBgxY3aJ hUy6LPNJ2L5g6Teo8vagf6SFipNwHc02FWw28GfAoJXY/seVMWXwKIBrI8RxJ83K9DOM 2Bb6pjeIKCzkM3EbR/6dg3I6nkV6ce080JqDpdLUfyW+97Je01W8smX0g+o6W9OI6LEN 0Swg== X-Received: by 10.236.174.230 with SMTP id x66mr726975yhl.195.1364574098396; Fri, 29 Mar 2013 09:21:38 -0700 (PDT) Received: from hp13 (75-25-128-241.lightspeed.sjcpca.sbcglobal.net. [75.25.128.241]) by mx.google.com with ESMTPS id s45sm1761788yhk.22.2013.03.29.09.21.36 (version=TLSv1 cipher=RC4-SHA bits=128/128); Fri, 29 Mar 2013 09:21:37 -0700 (PDT) From: "Piyush Jain" To: "'Miller, Timothy J.'" , "'David A. Cooper'" , "'Santosh Chokhani'" References: <004f01ce2be4$f7eb64a0$e7c22de0$@ditenity.com> In-Reply-To: Date: Fri, 29 Mar 2013 09:21:32 -0700 Message-ID: <00fe01ce2c99$7b408f10$71c1ad30$@ditenity.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Mailer: Microsoft Outlook 14.0 thread-index: AQJicp73yS/HxS1VlbQRjP0SzB2R8JeUTMGw Content-Language: en-us X-Gm-Message-State: ALoCoQn5UIMNpwHD6O+rV7YMb/je9ynk/Ojxsm9QdWydR5YZAR+HodJ+cYBn+wOSwBZyZeg/qwM6 Cc: 'pkix' Subject: Re: [pkix] URI Name Constraint and URN X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Mar 2013 16:21:53 -0000 Yes. Applying location constraints to URNs is the problem which must be fixed. Defining processing rules for URN constrains is probably nice to have. > -----Original Message----- > From: Miller, Timothy J. [mailto:tmiller@mitre.org] > Sent: Friday, March 29, 2013 6:27 AM > To: Piyush Jain; 'David A. Cooper'; Santosh Chokhani > Cc: 'pkix' > Subject: Re: [pkix] URI Name Constraint and URN >=20 > So perhaps the problem is there's no way to apply a single NC rule to = URIs > since the sub-types of URIs conflict in how names are constructed. = I.e., the > right fix is to discard the URI type and treat the sub-type of URLs = and URNs > separately. This would permit separate NC processing for each, which seems > to be what Santosh is asking for. >=20 > -- T >=20 > On 3/28/13 1:49 PM, "Piyush Jain" wrote: >=20 > >My apologies to the author(s) for being presumptuous and thank David > >for pointing to the discussion thread. > > > >So it seems that WG consciously refrained from defining matching = rules > >for URNs. > > > >This implies if a CA has a permitted subtree constraint, any = descendent > >certificate cannot have a URN name. Seems like a limitation which > >cannot be addressed without defining matching rules for URNs. > > > >From: David A. Cooper [mailto:david.cooper@nist.gov] > > > >Sent: Thursday, March 28, 2013 11:04 AM > >To: Piyush Jain > >Cc: 'pkix' > >Subject: Re: [pkix] URI Name Constraint and URN > > > > > > > >On 03/28/2013 01:37 PM, Piyush Jain wrote: > > > > > >Santosh, > > > >I think I agree with you that constraining URN based on authority = does > >not make sense. > > > >The text =AD =B3For URIs, the constraint applies to the host part of = the > >name.=B2 from 5280 indicates that the author assumed that URIs will > >always have the authority component, which is a wrong assumption. > > > > > >RFC 5280 says: > >If a constraint is applied to the uniformResourceIdentifier name form > >and a subsequent certificate includes a subjectAltName extension with = a > >uniformResourceIdentifier that does not include an authority = component > >with a host name specified as a fully qualified domain name (e.g., if > >the URI either does not include an authority component or includes an > >authority component in which the host name is specified as an IP > >address), then the application MUST reject the certificate. > > > >This indicates quite clearly that the author did not assume that URIs > >will always have the authority component. > > > >See also > >http://www.ietf.org/mail-archive/web/pkix/current/msg02179.html > > > ("RFC > >3280bis and URI schemes without hostname"). > > > > From SChokhani@cygnacom.com Fri Mar 29 09:28:29 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7596E21F907C for ; Fri, 29 Mar 2013 09:28:29 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.523 X-Spam-Level: X-Spam-Status: No, score=-2.523 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2liczzI5Hsuk for ; Fri, 29 Mar 2013 09:28:27 -0700 (PDT) Received: from ipedge1.cygnacom.com (ipedge1.cygnacom.com [216.191.252.12]) by ietfa.amsl.com (Postfix) with ESMTP id 46A2621F92CE for ; Fri, 29 Mar 2013 09:28:27 -0700 (PDT) X-IronPort-AV: E=Sophos;i="4.87,373,1363147200"; d="scan'208,217";a="8427075" Received: from unknown (HELO scygexch7.cygnacom.com) ([10.4.60.22]) by ipedge1.cygnacom.com with ESMTP; 29 Mar 2013 12:28:26 -0400 Received: from scygexch7.cygnacom.com ([::1]) by scygexch7.cygnacom.com ([::1]) with mapi; Fri, 29 Mar 2013 12:28:26 -0400 From: Santosh Chokhani To: "David A. Cooper" , Piyush Jain Date: Fri, 29 Mar 2013 12:28:25 -0400 Thread-Topic: [pkix] URI Name Constraint and URN Thread-Index: Ac4r3qIKYKeyQRgyQBCcD68hTRol1wAupDXw Message-ID: References: <000c01ce2bda$fadd38f0$f097aad0$@ditenity.com> <5154860B.7050900@nist.gov> In-Reply-To: <5154860B.7050900@nist.gov> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: multipart/alternative; boundary="_000_B83745DA469B7847811819C5005244AFF3DC9D2Escygexch7cygnac_" MIME-Version: 1.0 Cc: 'pkix' Subject: Re: [pkix] URI Name Constraint and URN X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Mar 2013 16:28:29 -0000 --_000_B83745DA469B7847811819C5005244AFF3DC9D2Escygexch7cygnac_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable David, 1. Can you explain what harm is does to accept a certificate if the u= pstream CA has URL constrained? 2. Can you explain how a CA that wishes to constrain URL, but permit = URN would do so. Note that this is a real scenario as you know? 3. Note that SAN description in 5280 already require FQDN for the hos= t for URI that require authority. So, why are you hung up on the text in 5= 280 which most likely did not consider URN scenario. If it did, please exp= lain why a name constraint is meaningful to URN which not a hierarchical na= me in the first place. 4. I read the post you sent below and I read it as supporting what I = am saying. Do not constrain the URI that cannot have authority component t= o it. "* Decide that this name type is not appropriate for URI schemes that tend = not to use authorities. * Relax the rules. I strongly urge the WG not to take on the task of name = constraints for URIs without authority in this document." From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Dav= id A. Cooper Sent: Thursday, March 28, 2013 2:04 PM To: Piyush Jain Cc: 'pkix' Subject: Re: [pkix] URI Name Constraint and URN On 03/28/2013 01:37 PM, Piyush Jain wrote: Santosh, I think I agree with you that constraining URN based on authority does not = make sense. The text - "For URIs, the constraint applies to the host part of the name."= from 5280 indicates that the author assumed that URIs will always have the= authority component, which is a wrong assumption. RFC 5280 says: If a constraint is applied to the uniformResourceIdentifier name form and a= subsequent certificate includes a subjectAltName extension with a uniformR= esourceIdentifier that does not include an authority component with a host = name specified as a fully qualified domain name (e.g., if the URI either do= es not include an authority component or includes an authority component in= which the host name is specified as an IP address), then the application M= UST reject the certificate. This indicates quite clearly that the author did not assume that URIs will = always have the authority component. See also http://www.ietf.org/mail-archive/web/pkix/current/msg02179.html ("= RFC 3280bis and URI schemes without hostname"). --_000_B83745DA469B7847811819C5005244AFF3DC9D2Escygexch7cygnac_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

= David,

 

1.    &nb= sp;  Can = you explain what harm is does to accept a certificate if the upstream CA ha= s URL constrained?

 

2.       <= /span>Can you explain how a = CA that wishes to constrain URL, but permit URN would do so.  Note tha= t this is a real scenario as you know?

 

3.   =     Note that SAN description in 5280 already require FQDN for the host fo= r URI that require authority.  So, why are you hung up on the text in = 5280 which most likely did not consider URN scenario.  If it did, plea= se explain why a name constraint is meaningful to URN which not a hierarchi= cal name in the first place.

 

= 4.    &nbs= p;  I rea= d the post you sent below and I read it as supporting what I am saying.&nbs= p; Do not constrain the URI that cannot have authority component to it.

&= nbsp;

“* Decide that this name = type is not appropriate for URI schemes that tend not to use authorities.&n= bsp;

 

* Relax the rules.  I strongly urge the WG not= to take on the task of name constraints for URIs without authority in this= document.”

 

 = ;

&= nbsp;

From:<= /span> pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of David A. Cooper
Sent: Thursday, March 28, 2013 = 2:04 PM
To: Piyush Jain
Cc: 'pkix'
Subject: R= e: [pkix] URI Name Constraint and URN

 

On 03/28/20= 13 01:37 PM, Piyush Jain wrote:

Santosh,

 

I think I agree with you that constraining URN based= on authority does not make sense.

 

The=
 text – “For URIs, the constraint applies to the host part =
of the name.” from 5280 indicates that the author assumed that=
 URIs will always have the authority component, which is a wrong assumption=
.


RFC 5280 says:=

If a constraint is applied to the uniform= ResourceIdentifier name form and a subsequent certificate includes a subjec= tAltName extension with a uniformResourceIdentifier that does not include a= n authority component with a host name specified as a fully qualified domai= n name (e.g., if the URI either does not include an author= ity component or includes an authority component in which the host name = is specified as an IP address), then the application MUST reject the certif= icate.


This indicates quite clearly that the author did not assume tha= t URIs will always have the authority component.

See also http://ww= w.ietf.org/mail-archive/web/pkix/current/msg02179.html ("RFC 3280b= is and URI schemes without hostname").

= --_000_B83745DA469B7847811819C5005244AFF3DC9D2Escygexch7cygnac_-- From SChokhani@cygnacom.com Fri Mar 29 09:29:34 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7EA721F9339 for ; Fri, 29 Mar 2013 09:29:34 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.538 X-Spam-Level: X-Spam-Status: No, score=-2.538 tagged_above=-999 required=5 tests=[AWL=0.060, BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nHH6+pzWWpjo for ; Fri, 29 Mar 2013 09:29:34 -0700 (PDT) Received: from ipedge1.cygnacom.com (ipedge1.cygnacom.com [216.191.252.12]) by ietfa.amsl.com (Postfix) with ESMTP id 26D1A21F907C for ; Fri, 29 Mar 2013 09:29:34 -0700 (PDT) X-IronPort-AV: E=Sophos;i="4.87,373,1363147200"; d="scan'208";a="8427081" Received: from unknown (HELO scygexch7.cygnacom.com) ([10.4.60.22]) by ipedge1.cygnacom.com with ESMTP; 29 Mar 2013 12:29:27 -0400 Received: from scygexch7.cygnacom.com ([::1]) by scygexch7.cygnacom.com ([::1]) with mapi; Fri, 29 Mar 2013 12:29:27 -0400 From: Santosh Chokhani To: Piyush Jain , "'Miller, Timothy J.'" , "'David A. Cooper'" Date: Fri, 29 Mar 2013 12:29:26 -0400 Thread-Topic: [pkix] URI Name Constraint and URN Thread-Index: AQJicp73yS/HxS1VlbQRjP0SzB2R8JeUTMGwgAADCAA= Message-ID: References: <004f01ce2be4$f7eb64a0$e7c22de0$@ditenity.com> <00fe01ce2c99$7b408f10$71c1ad30$@ditenity.com> In-Reply-To: <00fe01ce2c99$7b408f10$71c1ad30$@ditenity.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Cc: 'pkix' Subject: Re: [pkix] URI Name Constraint and URN X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Mar 2013 16:29:35 -0000 There is nothing to constrain when URN is UUID. -----Original Message----- From: Piyush Jain [mailto:piyush@ditenity.com]=20 Sent: Friday, March 29, 2013 12:22 PM To: 'Miller, Timothy J.'; 'David A. Cooper'; Santosh Chokhani Cc: 'pkix' Subject: RE: [pkix] URI Name Constraint and URN Yes. Applying location constraints to URNs is the problem which must be fix= ed. Defining processing rules for URN constrains is probably nice to have. > -----Original Message----- > From: Miller, Timothy J. [mailto:tmiller@mitre.org] > Sent: Friday, March 29, 2013 6:27 AM > To: Piyush Jain; 'David A. Cooper'; Santosh Chokhani > Cc: 'pkix' > Subject: Re: [pkix] URI Name Constraint and URN >=20 > So perhaps the problem is there's no way to apply a single NC rule to=20 > URIs since the sub-types of URIs conflict in how names are=20 > constructed. I.e., the > right fix is to discard the URI type and treat the sub-type of URLs=20 > and URNs > separately. This would permit separate NC processing for each, which seems > to be what Santosh is asking for. >=20 > -- T >=20 > On 3/28/13 1:49 PM, "Piyush Jain" wrote: >=20 > >My apologies to the author(s) for being presumptuous and thank David=20 > >for pointing to the discussion thread. > > > >So it seems that WG consciously refrained from defining matching=20 > >rules for URNs. > > > >This implies if a CA has a permitted subtree constraint, any=20 > >descendent certificate cannot have a URN name. Seems like a=20 > >limitation which cannot be addressed without defining matching rules for= URNs. > > > >From: David A. Cooper [mailto:david.cooper@nist.gov] > > > >Sent: Thursday, March 28, 2013 11:04 AM > >To: Piyush Jain > >Cc: 'pkix' > >Subject: Re: [pkix] URI Name Constraint and URN > > > > > > > >On 03/28/2013 01:37 PM, Piyush Jain wrote: > > > > > >Santosh, > > > >I think I agree with you that constraining URN based on authority=20 > >does not make sense. > > > >The text =AD =B3For URIs, the constraint applies to the host part of the= =20 > >name.=B2 from 5280 indicates that the author assumed that URIs will=20 > >always have the authority component, which is a wrong assumption. > > > > > >RFC 5280 says: > >If a constraint is applied to the uniformResourceIdentifier name form=20 > >and a subsequent certificate includes a subjectAltName extension with=20 > >a uniformResourceIdentifier that does not include an authority=20 > >component with a host name specified as a fully qualified domain name=20 > >(e.g., if the URI either does not include an authority component or=20 > >includes an authority component in which the host name is specified=20 > >as an IP address), then the application MUST reject the certificate. > > > >This indicates quite clearly that the author did not assume that URIs=20 > >will always have the authority component. > > > >See also > >http://www.ietf.org/mail-archive/web/pkix/current/msg02179.html > > > ("RFC > >3280bis and URI schemes without hostname"). > > > > From stefan@aaa-sec.com Fri Mar 29 09:30:14 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0A7021F942A for ; Fri, 29 Mar 2013 09:30:13 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -101.55 X-Spam-Level: X-Spam-Status: No, score=-101.55 tagged_above=-999 required=5 tests=[AWL=-0.699, BAYES_00=-2.599, HELO_EQ_SE=0.35, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gk+jd+zV90yn for ; Fri, 29 Mar 2013 09:30:13 -0700 (PDT) Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id A54B521F93EB for ; Fri, 29 Mar 2013 09:30:12 -0700 (PDT) Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id BD5D51F07A49 for ; Fri, 29 Mar 2013 17:30:10 +0100 (CET) X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id Utkhzn06ibkP for ; Fri, 29 Mar 2013 17:30:10 +0100 (CET) Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id E43721F07AC5 for ; Fri, 29 Mar 2013 17:30:09 +0100 (CET) Received: (qmail 33286 invoked from network); 29 Mar 2013 16:30:09 -0000 Received: from 81-232-51-61-no39.business.telia.com (HELO [192.168.0.104]) (stefan@fiddler.nu@[81.232.51.61]) (envelope-sender ) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 29 Mar 2013 16:30:09 -0000 User-Agent: Microsoft-MacOutlook/14.3.2.130206 Date: Fri, 29 Mar 2013 17:30:09 +0100 From: Stefan Santesson To: Santosh Chokhani , Piyush Jain , 'pkix' Message-ID: Thread-Topic: [pkix] URI Name Constraint and URN In-Reply-To: Mime-version: 1.0 Content-type: multipart/alternative; boundary="B_3447423012_2324243" Subject: Re: [pkix] URI Name Constraint and URN X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Mar 2013 16:30:14 -0000 > This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. --B_3447423012_2324243 Content-type: text/plain; charset="ISO-8859-1" Content-transfer-encoding: quoted-printable From: Santosh Chokhani Date: Thursday, March 28, 2013 5:24 PM To: Stefan Santesson , Piyush Jain , 'pkix' Subject: Re: [pkix] URI Name Constraint and URN >=20 > Stefan, > =20 > URN by definition do not have =B3authority=B2 component are not hierarchical. > =20 > You are simply parroting what 5280 says and not explaining what the use o= f > meaning of doing this is. > =20 > May be you should explain how an upstream CA will permit URN and still > constrain URL. I wish I could but I can't. Not given the current definition of name constraints. If you contrain URL in permitted subtree, I can't see given the current standard, how you could allow a URN as matching that constraint. Other than of course stick it into a new otherName instead of the SAN URI. Maybe that would be your best bet as you in any case can't rely on standard client behaviour to handle this. /Stefan --B_3447423012_2324243 Content-type: text/html; charset="ISO-8859-1" Content-transfer-encoding: quoted-printable
From: = San= tosh Chokhani <SChokhani@cygnacom.co= m>
Date: Thursday, March = 28, 2013 5:24 PM
To: Stefan Santes= son <stefan@aaa-sec.com>, Piyu= sh Jain <piyush@ditenity.com>= , 'pkix' <pkix@ietf.org>
Subject: Re: [pkix] URI Name Constraint and = URN

<= p class=3D"MsoNormal" style=3D"margin: 0in 0in 0.0001pt; font-size: 11pt; font-f= amily: Calibri, sans-serif; color: rgb(0, 0, 0); font-style: normal; font-va= riant: normal; font-weight: normal; letter-spacing: normal; line-height: nor= mal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform:= none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-= adjust: auto; -webkit-text-stroke-width: 0px; ">Stefan,

 

URN by definition do not have “authority” com= ponent are not hierarchical.

 

You are simply parroting what 5280 says and not = explaining what the use of meaning of doing this is.

 

May be you should explai= n how an upstream CA will permit URN and still constrain URL.


I wish I could but I can't. Not given th= e current definition of name constraints.

If you co= ntrain URL in permitted subtree, I can't see given the current standard, how= you could allow a URN as matching that constraint.
Other than of = course stick it into a new otherName instead of the SAN URI.

<= /div>
Maybe that would be your best bet as you in any case can't rely on= standard client behaviour to handle this.

/Stefan<= /div> --B_3447423012_2324243-- From david.black@emc.com Thu Mar 28 16:16:42 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7C2B21F8F0F; Thu, 28 Mar 2013 16:16:42 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.599 X-Spam-Level: X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Iy5vg6NTvyJD; Thu, 28 Mar 2013 16:16:42 -0700 (PDT) Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id C13A721F8F1F; Thu, 28 Mar 2013 16:16:34 -0700 (PDT) Received: from hop04-l1d11-si01.isus.emc.com (HOP04-L1D11-SI01.isus.emc.com [10.254.111.54]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r2SNG7g1031849 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 28 Mar 2013 19:16:07 -0400 Received: from mailhub.lss.emc.com (mailhubhoprd05.lss.emc.com [10.254.222.129]) by hop04-l1d11-si01.isus.emc.com (RSA Interceptor); Thu, 28 Mar 2013 19:15:55 -0400 Received: from mxhub05.corp.emc.com (mxhub05.corp.emc.com [128.222.70.202]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r2SNFsj9030538; Thu, 28 Mar 2013 19:15:55 -0400 Received: from mx15a.corp.emc.com ([169.254.1.81]) by mxhub05.corp.emc.com ([128.222.70.202]) with mapi; Thu, 28 Mar 2013 19:15:54 -0400 From: "Black, David" To: "Black, David" , "sts@aaa-sec.com" , "mmyers@fastq.com" , "ambarish@gmail.com" , "slava.galperin@gmail.com" , "cadams@eecs.uottawa.ca" , "gen-art@ietf.org" Date: Thu, 28 Mar 2013 19:15:53 -0400 Thread-Topic: Gen-ART review of draft-ietf-pkix-rfc2560bis-16 Thread-Index: Ac4puHxAH7Fxh7AxT6S6tCMO9vgxrgCUWZuQ Message-ID: <8D3D17ACE214DC429325B2B98F3AE71293D36A70@MX15A.corp.emc.com> References: <8D3D17ACE214DC429325B2B98F3AE71293AEEDBC@MX15A.corp.emc.com> In-Reply-To: <8D3D17ACE214DC429325B2B98F3AE71293AEEDBC@MX15A.corp.emc.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-EMM-MHVC: 1 X-Mailman-Approved-At: Fri, 29 Mar 2013 09:41:07 -0700 Cc: "pkix@ietf.org" , "ietf@ietf.org" , "Black, David" Subject: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-16 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Mar 2013 23:16:43 -0000 The -16 version of this draft resolves all of the concerns raised by the Gen-ART review of the -15 version. Thanks, --David > -----Original Message----- > From: Black, David > Sent: Monday, March 25, 2013 8:26 PM > To: sts@aaa-sec.com; mmyers@fastq.com; ambarish@gmail.com; > slava.galperin@gmail.com; cadams@eecs.uottawa.ca; gen-art@ietf.org > Cc: Black, David; pkix@ietf.org; Sean Turner; ietf@ietf.org > Subject: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 >=20 > Authors, >=20 > I am the assigned Gen-ART reviewer for this draft. For background on Gen-= ART, > please > see the FAQ at . >=20 > Please resolve these comments along with any other Last Call comments you= may > receive. >=20 > Document: draft-ietf-pkix-rfc2560bis-15 > Reviewer: David L. Black > Review Date: March 25, 2013 > IETF LC End Date: March 27, 2013 >=20 > Summary: > This draft is on the right track but has open issues, described in the re= view. >=20 > This draft updates the OCSP protocol for obtaining certificate status > with some minor extensions. >=20 > Because this is a "bis" draft, I reviewed the diffs against RFC 2560. >=20 > I did not check the ASN.1. I also did not see a writeup for this draft > in the data tracker, and so will rely on the document shepherd to > ensure that the ASN.1 has been checked when the writeup is prepared. >=20 > I found five open issues, all of which are minor, plus one idnits item > that is probably ok, but should be double-checked. >=20 > Minor issues: >=20 > [1] Section 2.2: >=20 > NOTE: The "revoked" state for known non-issued certificate serial > numbers is allowed in order to reduce the risk of relying > parties using CRLs as a fall back mechanism, which would be > considerably higher if an "unknown" response was returned. >=20 > Given this explanation, I'm surprised that the use of "revoked" instead o= f > "unknown" for a known non-issued certificate is a "MAY" requirement and > not a "SHOULD" requirement. Why is that the case? >=20 > It appears that the reason is that the use of "revoked" in this situation > may be dangerous when serial numbers can be predicted for certificates th= at > will be issued in the future. If that's what's going on, this concern is > already explained in the security considerations section, but it should > also be mentioned here for completeness. >=20 > [2] Section 4.2.2.2: >=20 > The key that signs a certificate's status information need not be the > same key that signed the certificate. It is necessary however to > ensure that the entity signing this information is authorized to do > so. Therefore, a certificate's issuer MAY either sign the OCSP > responses itself or it MAY explicitly designate this authority to > another entity. >=20 > The two instances of "MAY" in the above text were both "MUST" in RFC 2560= . >=20 > The RFC 2560 text construction of "MUST" or "MUST" is a bit odd, but the = two > "MAY"s in this draft are even worse, as they allow "MAY do something else > entirely", despite being enclosed in an either-or construct. I strongly > suspect that the latter was not intended, so the following would be clear= er: >=20 > The key that signs a certificate's status information need not be the > same key that signed the certificate. It is necessary however to > ensure that the entity signing this information is authorized to do > so. Therefore, a certificate's issuer MUST do one of the following: > - sign the OCSP responses itself, or > - explicitly designate this authority to another entity. >=20 > [3] Section 4.3: >=20 > Is the "SHOULD" requirement still appropriate for the DSA with SHA-1 comb= o > (vs. a "MAY" requirement)? This requirement was a "MUST" in RFC 2560, bu= t > I wonder about actual usage of DSA in practice. >=20 > [4] Section 5, last paragraph: >=20 > Responding a "revoked" state to certificate that has never been > issued may enable someone to obtain a revocation response for a > certificate that is not yet issued, but soon will be issued, if the > CA issues certificates using sequential certificate serial number > assignment. >=20 > The above text after starting with the "if" is too narrow - it should say= : >=20 > if the certificate serial number of the certificate that > will be issued can be predicted or guessed by the requester. > Such prediction is easy for a CA that issues certificates > using sequential certificate serial number assignment. >=20 > There's also a nit in original text - its first line should be: >=20 > Responding with a "revoked" state for a certificate that has never been >=20 > [5] Section 5.1.1: >=20 > In archival applications it is quite possible that an OCSP responder > might be asked to report the validity of a certificate on a date in > the distant past. Such a certificate might employ a signing method > that is no longer considered acceptably secure. In such > circumstances the responder MUST NOT generate a signature using a > signing mechanism that is not considered acceptably secure. >=20 > This could use an additional warning that certificate archival should > not rely solely on signatures in archived certificates for ensuring the > validity and integrity of the archived certificates because the signature > algorithm(s) may transition to no longer being considered acceptably > secure at some point after the certificates are archived. >=20 > Nits: >=20 > idnits 2.12.15 said: >=20 > -- The document seems to lack a disclaimer for pre-RFC5378 work, but ma= y > have content which was first submitted before 10 November 2008. If = you > have contacted all the original authors and they are all willing to = grant > the BCP78 rights to the IETF Trust, then this is fine, and you can i= gnore > this comment. If not, you may need to add the pre-RFC5378 disclaime= r. > (See the Legal Provisions document at > http://trustee.ietf.org/license-info for more information.) >=20 > This looks like it's ok because all the authors of RFC 2560 are also auth= ors > of > this draft, but it should be double-checked. >=20 > Thanks, > --David > ---------------------------------------------------- > David L. Black, Distinguished Engineer > EMC Corporation, 176 South St., Hopkinton, MA=A0 01748 > +1 (508) 293-7953=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 FAX: +1 (508) 293-7= 786 > david.black@emc.com=A0=A0=A0=A0=A0=A0=A0 Mobile: +1 (978) 394-7754 > ---------------------------------------------------- >=20 From piyush@ditenity.com Fri Mar 29 09:17:16 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFF8821F94F0 for ; Fri, 29 Mar 2013 09:17:16 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.937 X-Spam-Level: X-Spam-Status: No, score=-2.937 tagged_above=-999 required=5 tests=[AWL=0.662, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FIxFBiS07LoO for ; Fri, 29 Mar 2013 09:17:15 -0700 (PDT) Received: from mail-ye0-f171.google.com (mail-ye0-f171.google.com [209.85.213.171]) by ietfa.amsl.com (Postfix) with ESMTP id 9807F21F94F1 for ; Fri, 29 Mar 2013 09:17:14 -0700 (PDT) Received: by mail-ye0-f171.google.com with SMTP id r10so46594yen.16 for ; Fri, 29 Mar 2013 09:17:14 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-type:content-transfer-encoding :x-mailer:thread-index:content-language:x-gm-message-state; bh=+5PVVpAaAZ2cB0uKcFCPuLcPGzfXbN/K61uOX/TlPvs=; b=YIOT56MHUKPo6Vc8RhvXDxhVGyyU9NeOhEianpVK2ofgU0KfYdzhZ/yb8IORnR4sOl 8zuZdUBdW9p8M4xH6wpHHfJ6DFeqhmUeMhS1LeQPQSWHKUNn38KMDygcjtyIN+9Amd3F V9ko3Ww/JOvROwVBncKmy+E/egPQaOxswnR73a/eYbnkKNoluZggUsftUU8XZu9VaWOh 3z3dt59yUEwHHL5aJvIcZpwwM90P/rPTe6C7VzuDqIe8n7VXXhcGiOkZsWyLA7BI4kjc vuU6d8cmDpu+ZprE/7TvUTSufdiiKsMsucjzvzrmCB3FUOe/56TrjJUJFwcx0l9aVfnR e1kQ== X-Received: by 10.236.222.69 with SMTP id s65mr749951yhp.59.1364573833856; Fri, 29 Mar 2013 09:17:13 -0700 (PDT) Received: from hp13 (75-25-128-241.lightspeed.sjcpca.sbcglobal.net. [75.25.128.241]) by mx.google.com with ESMTPS id f70sm1732504yhi.12.2013.03.29.09.17.11 (version=TLSv1 cipher=RC4-SHA bits=128/128); Fri, 29 Mar 2013 09:17:13 -0700 (PDT) From: "Piyush Jain" To: "'Stefan Santesson'" , "'Black, David'" , , , , , , References: <8D3D17ACE214DC429325B2B98F3AE71293D366B6@MX15A.corp.emc.com> In-Reply-To: Date: Fri, 29 Mar 2013 09:17:08 -0700 Message-ID: <00fc01ce2c98$ddc41770$994c4650$@ditenity.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Outlook 14.0 thread-index: AQGpRT9g4u5Gd5W5MBiHHaGDqUWdEpkGo+sQ Content-Language: en-us X-Gm-Message-State: ALoCoQkfT376y1Iy5usxWjyubioSyYB/A6Om3qD4sJXZfT342rkhPvyVZVD8O6QSjq8S7AVp1sfJ X-Mailman-Approved-At: Fri, 29 Mar 2013 09:41:07 -0700 Cc: pkix@ietf.org, ietf@ietf.org Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Mar 2013 16:17:17 -0000 ' "revoked" status is still optional in this context in order to maintain backwards compatibility with deployments of RFC 2560.' I fail to understand this statement about backward compatibility. How does "revoked" being "optional/required breaks backward compatibility? The only reason cited in the WG discussions to use revoked for "not-issued" was that any other approach would break backward compatibility with legacy clients. And now the draft says that revoked is optional because making it required won't be backward compatible. And it gives the impression that best course of action for 2560bis responders is to start issuing revoked for "not-issued", which is far from the originally stated goal to provide a way for CAs to be able to return revoked for such serial numbers. -Piyush > -----Original Message----- > From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of > Stefan Santesson > Sent: Thursday, March 28, 2013 3:34 AM > To: Black, David; sts@aaa-sec.com; mmyers@fastq.com; > ambarish@gmail.com; slava.galperin@gmail.com; cadams@eecs.uottawa.ca; > gen-art@ietf.org > Cc: pkix@ietf.org; ietf@ietf.org > Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 > > I have given this a go by expanding the note as follows: > > NOTE: The "revoked" state for known non-issued certificate serial > numbers is allowed in order to reduce the risk of relying > parties using CRLs as a fall back mechanism, which would be > considerably higher if an "unknown" response was returned. The > "revoked" status is still optional in this context in order to > maintain backwards compatibility with deployments of RFC 2560. > For example, the responder may not have any knowledge about > whether a requested serial number has been assigned to any > issued certificate, or the responder may provide pre produced > responses in accordance with RFC 5019 and, for that reason, is > not capable of providing a signed response for all non-issued > certificate serial numbers. > > > Does this solve you issue. > I think this is as far as dare to go without risking a heated debate. > > /Stefan > > > On 3/27/13 5:08 PM, "Black, David" wrote: > > >Stefan, > > > >> Is this important enough to do that? > > > >IMHO, yes - the "running code" aspects of existing responder > >behavior/limitations are definitely important enough for an RFC like > >this that revises a protocol spec, and the alternatives to "revoked" > >feel like an important complement to those aspects (discussion what to > >do instead when responder behavior/limitations are encountered). > > > >I appreciate the level of work that may be involved in capturing this, > >as I've had my share of contentious discussions in WGs that I chair - > >FWIW, I'm currently chairing my 4th and 5th WGs. OTOH, when a WG has > >put that much time/effort into reaching a (compromise) decision, it > >really is valuable to record why the decision was reached to avoid > >recovering that ground in the future and (specific to this situation) > >to give implementers some more context/information on how the protocol > >is likely to work in practice. > > > >Thanks, > >--David > > > >> -----Original Message----- > >> From: Stefan Santesson [mailto:stefan@aaa-sec.com] > >> Sent: Wednesday, March 27, 2013 11:38 AM > >> To: Black, David; sts@aaa-sec.com; mmyers@fastq.com; > >> ambarish@gmail.com; slava.galperin@gmail.com; > cadams@eecs.uottawa.ca; > >> gen-art@ietf.org > >> Cc: pkix@ietf.org; Sean Turner; ietf@ietf.org > >> Subject: Re: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 > >> > >> I could. > >> > >> My worry is just that this is such a contentious subject and it took > >>us x hundreds of emails to reach this state, that if I add more > >>explanations, people will start disagreeing with it and that we end > >>up in a long debate on how to correctly express this. > >> > >> Is this important enough to do that? > >> > >> /Stefan > >> > >> > >> On 3/27/13 3:30 PM, "Black, David" wrote: > >> > >> >Hi Stefan, > >> > > >> >> Does this answer your question? > >> > > >> >Yes, please add some of that explanation to the next version of the > >>draft > >> >;-). > >> >Coverage of existing responder behavior/limitations (important > >> >"running code" > >> >concerns, IMHO) and alternatives to using "revoked" ("have a number > >> >of tools to prevent the client from accepting a bad certificate") > >> >seem > >>particularly > >> >relevant. > >> > > >> >Thanks, > >> >--David > >> > > >> >> -----Original Message----- > >> >> From: Stefan Santesson [mailto:stefan@aaa-sec.com] > >> >> Sent: Wednesday, March 27, 2013 7:44 AM > >> >> To: Black, David; sts@aaa-sec.com; mmyers@fastq.com; > >>ambarish@gmail.com; > >> >> slava.galperin@gmail.com; cadams@eecs.uottawa.ca; gen- > art@ietf.org > >> >> Cc: pkix@ietf.org; Sean Turner; ietf@ietf.org > >> >> Subject: Re: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 > >> >> > >> >> Hi David, > >> >> > >> >> Yes I missed to respond to that aspect. > >> >> > >> >> This is a bit complicated, but we have a large legacy to take into > >> >>account where some responders implements just RFC 2560, while > some > >> >>deliver pre-generated responses according to RFC 5019 > >> >>(Light-weight OCSP). LW responders are not capable of producing a > >> >>signed response at the > >>time of > >> >> responding and in case such responder finds a request for a > >>certificate > >> >> where no pre-produced response exists, it will reply with an > >> >>unsigned error response "unauthorized", which also is a legitimate > >> >>way to respond. > >> >> So the actual OCSP responder may actually know that the > >> >>certificate > >>was > >> >> never issued, but since it delivers pre-produced responder through > >> >>a CDN, it can not provide a revoked response in real time. > >> >> > >> >> So the major aim with the current writing is to declare that the > >>revoked > >> >> response is a MAY because there are other valid alternatives. > >> >> > >> >> We also want to avoid putting down a SHOULD respond revoked if a > >> >> certificate is known to be not-issued, because that would require > >> >> us > >>to > >> >> define what "known to be non-issued" actually means. And that > >> >> could > >>be > >> >> quite tricky as OCSP responders by no means are required to have > >> >> this knowledge. > >> >> > >> >> The OCSP responder simply have a number of tools to prevent the > >>client > >> >> from accepting a bad certificate. > >> >> This update of OCSP simply allows responders to use the "revoked" > >> >>response > >> >> as a preventive measure, without mandating it. > >> >> > >> >> This is also related to activities in the CA Browser Forum where > >> >>they put down requirements on responders complying with CAB rules > >> >>to not > >>respond > >> >> "good" to certificates that were never issued. > >> >> With this update in OCSP, they can now mandate in their policies > >> >>both the fact that their responders MUST know if a certificate was > >> >>never > >>issued > >> >>and > >> >> MUST respond "revoked". > >> >> > >> >> So we allow other communities to raise the bar even if the base > >>standard > >> >> defines the response as optional. > >> >> > >> >> In theory we could possibly say that responding revoked is > >> >> optional, > >>but > >> >> if you choose between revoked and unknown then you SHOULD > favour > >>revoked > >> >> over unknown. But such nested requirements just feels bad and > >>impossible > >> >> to test compliance against. I'd much rather just leave it > >> >> optional. I think the Note gives a clear recommendation on this > >> >> and the rationale without spelling it out as a requirement. > >> >> > >> >> Does this answer your question? > >> >> > >> >> > >> >> On 3/27/13 12:51 AM, "Black, David" wrote: > >> >> > >> >> >Hi Stefan, > >> >> > > >> >> >This looks good - thank you for the prompt response. > >> >> > > >> >> >It looks like my speculation on item [1] was wrong, so could you > >> >>respond > >> >> >to the question below, please?: > >> >> > > >> >> >> >[1] Section 2.2: > >> >> >> > > >> >> >> > NOTE: The "revoked" state for known non-issued > >>certificate serial > >> >> >> > numbers is allowed in order to reduce the risk > >> >> >> > of > >>relying > >> >> >> > parties using CRLs as a fall back mechanism, > >>which would be > >> >> >> > considerably higher if an "unknown" response > >> >> >> > was > >>returned. > >> >> >> > > >> >> >> >Given this explanation, I'm surprised that the use of "revoked" > >> >> >>instead of > >> >> >> >"unknown" for a known non-issued certificate is a "MAY" > >>requirement > >> >>and > >> >> >> >not a "SHOULD" requirement. Why is that the case? > >> >> > > >> >> >-------------- > >> >> > > >> >> >Beyond that, the proposed actions (or proposed non-actions) on > >> >> >items [2]-[5] are fine with me, Sean's taken care of the author > >> >> >permissions item > >>from > >> >> >idnits, and I assume someone has or will check the ASN.1 . > >> >> > > >> >> >Thanks, > >> >> >--David > >> >> > > >> >> >> -----Original Message----- > >> >> >> From: Stefan Santesson [mailto:stefan@aaa-sec.com] > >> >> >> Sent: Monday, March 25, 2013 10:21 PM > >> >> >> To: Black, David; sts@aaa-sec.com; mmyers@fastq.com; > >> >>ambarish@gmail.com; > >> >> >> slava.galperin@gmail.com; cadams@eecs.uottawa.ca; > >> >> >> gen-art@ietf.org > >> >> >> Cc: pkix@ietf.org; Sean Turner; ietf@ietf.org > >> >> >> Subject: Re: Gen-ART review of draft-ietf-pkix-rfc2560bis-15 > >> >> >> > >> >> >> Hi David, > >> >> >> > >> >> >> Thanks for the review. > >> >> >> My reply in line. > >> >> >> > >> >> >> On 3/26/13 1:25 AM, "Black, David" wrote: > >> >> >> > >> >> >> >Authors, > >> >> >> > > >> >> >> >I am the assigned Gen-ART reviewer for this draft. For > >>background on > >> >> >> >Gen-ART, please > >> >> >> >see the FAQ at > >> >> >>. > >> >> >> > > >> >> >> >Please resolve these comments along with any other Last Call > >> >>comments > >> >> >>you > >> >> >> >may receive. > >> >> >> > > >> >> >> >Document: draft-ietf-pkix-rfc2560bis-15 > >> >> >> >Reviewer: David L. Black > >> >> >> >Review Date: March 25, 2013 > >> >> >> >IETF LC End Date: March 27, 2013 > >> >> >> > > >> >> >> >Summary: > >> >> >> >This draft is on the right track but has open issues, > >> >> >> >described > >>in > >> >>the > >> >> >> >review. > >> >> >> > > >> >> >> >This draft updates the OCSP protocol for obtaining certificate > >> >>status > >> >> >> >with some minor extensions. > >> >> >> > > >> >> >> >Because this is a "bis" draft, I reviewed the diffs against > >> >> >> >RFC > >> >>2560. > >> >> >> > > >> >> >> >I did not check the ASN.1. I also did not see a writeup for > >> >> >> >this > >> >>draft > >> >> >> >in the data tracker, and so will rely on the document shepherd > >> >> >> >to ensure that the ASN.1 has been checked when the writeup is > >>prepared. > >> >> >> > > >> >> >> >I found five open issues, all of which are minor, plus one > >> >> >> >idnits > >> >>item > >> >> >> >that is probably ok, but should be double-checked. > >> >> >> > > >> >> >> >Minor issues: > >> >> >> > > >> >> >> >[1] Section 2.2: > >> >> >> > > >> >> >> > NOTE: The "revoked" state for known non-issued > >>certificate serial > >> >> >> > numbers is allowed in order to reduce the risk > >> >> >> > of > >>relying > >> >> >> > parties using CRLs as a fall back mechanism, > >>which would be > >> >> >> > considerably higher if an "unknown" response > >> >> >> > was > >>returned. > >> >> >> > > >> >> >> >Given this explanation, I'm surprised that the use of "revoked" > >> >> >>instead of > >> >> >> >"unknown" for a known non-issued certificate is a "MAY" > >>requirement > >> >>and > >> >> >> >not a "SHOULD" requirement. Why is that the case? > >> >> >> > > >> >> >> >It appears that the reason is that the use of "revoked" in > >> >> >> >this > >> >> >>situation > >> >> >> >may be dangerous when serial numbers can be predicted for > >> >>certificates > >> >> >> >that > >> >> >> >will be issued in the future. If that's what's going on, this > >> >>concern > >> >> >>is > >> >> >> >already explained in the security considerations section, but > >> >> >> >it > >> >>should > >> >> >> >also be mentioned here for completeness. > >> >> >> > >> >> >> No, this is not the main reason. The main reason is the one > >> >> >> stated > >> >>as a > >> >> >> Note: in this section: > >> >> >> > >> >> >> NOTE: The "revoked" state for known non-issued certificate > >> >> >>serial numbers is allowed in order to reduce the risk of > >> >> >>relying parties using > >>CRLs > >> >>as > >> >> >>a > >> >> >> fall back mechanism, which would be considerably higher if an > >> >>"unknown" > >> >> >> response was returned. > >> >> >> > >> >> >> > >> >> >> > > >> >> >> >[2] Section 4.2.2.2: > >> >> >> > > >> >> >> > The key that signs a certificate's status information > >>need not be > >> >>the > >> >> >> > same key that signed the certificate. It is necessary > >>however to > >> >> >> > ensure that the entity signing this information is > >>authorized to > >> do > >> >> >> > so. Therefore, a certificate's issuer MAY either sign > >>the OCSP > >> >> >> > responses itself or it MAY explicitly designate this > >>authority to > >> >> >> > another entity. > >> >> >> > > >> >> >> >The two instances of "MAY" in the above text were both "MUST" > >> >> >> >in > >>RFC > >> >> >>2560. > >> >> >> > > >> >> >> >The RFC 2560 text construction of "MUST" or "MUST" is a bit > >> >> >> >odd, > >>but > >> >> >>the two > >> >> >> >"MAY"s in this draft are even worse, as they allow "MAY do > >>something > >> >> >>else > >> >> >> >entirely", despite being enclosed in an either-or construct. > >> >> >> >I > >> >> >>strongly > >> >> >> >suspect that the latter was not intended, so the following > >> >> >> >would > >>be > >> >> >> >clearer: > >> >> >> > > >> >> >> > The key that signs a certificate's status information > >>need not be > >> >>the > >> >> >> > same key that signed the certificate. It is necessary > >>however to > >> >> >> > ensure that the entity signing this information is > >>authorized to > >> do > >> >> >> > so. Therefore, a certificate's issuer MUST do one of > >> >> >> > the > >> >>following: > >> >> >> > - sign the OCSP responses itself, or > >> >> >> > - explicitly designate this authority to > >> >> >> > another > >>entity. > >> >> >> > >> >> >> > >> >> >> I Agree. I will adopt your text. > >> >> >> > >> >> >> > > >> >> >> >[3] Section 4.3: > >> >> >> > > >> >> >> >Is the "SHOULD" requirement still appropriate for the DSA with > >>SHA-1 > >> >> >>combo > >> >> >> >(vs. a "MAY" requirement)? This requirement was a "MUST" in > >> >> >> >RFC > >> >>2560, > >> >> >>but > >> >> >> >I wonder about actual usage of DSA in practice. > >> >> >> > >> >> >> The change in algorithm requirements was provided by RFC 6277, > >> >> >>and further refined in this draft in accordance with requests > >> >> >>from Sean > >>Turner. > >> >> >> > >> >> >> > > >> >> >> >[4] Section 5, last paragraph: > >> >> >> > > >> >> >> > Responding a "revoked" state to certificate that has > >>never been > >> >> >> > issued may enable someone to obtain a revocation > >> >> >> > response > >>for a > >> >> >> > certificate that is not yet issued, but soon will be > >>issued, if > >> the > >> >> >> > CA issues certificates using sequential certificate > >>serial number > >> >> >> > assignment. > >> >> >> > > >> >> >> >The above text after starting with the "if" is too narrow - it > >> >>should > >> >> >>say: > >> >> >> > > >> >> >> > if the certificate serial number of the certificate that > >> >> >> > will be issued can be predicted or guessed by the > >>requester. > >> >> >> > Such prediction is easy for a CA that issues certificates > >> >> >> > using sequential certificate serial number assignment. > >> >> >> > > >> >> >> >There's also a nit in original text - its first line should be: > >> >> >> > > >> >> >> > Responding with a "revoked" state for a certificate > >> >> >> > that > >>has never > >> >> >>been > >> >> >> > >> >> >> Good suggestions. I will update accordingly. > >> >> >> > >> >> >> > > >> >> >> >[5] Section 5.1.1: > >> >> >> > > >> >> >> > In archival applications it is quite possible that an > >> >> >> > OCSP > >> >>responder > >> >> >> > might be asked to report the validity of a certificate > >> >> >> > on > >>a date > >> in > >> >> >> > the distant past. Such a certificate might employ a > >>signing method > >> >> >> > that is no longer considered acceptably secure. In such > >> >> >> > circumstances the responder MUST NOT generate a > >> >> >> > signature > >>using a > >> >> >> > signing mechanism that is not considered acceptably > >>secure. > >> >> >> > > >> >> >> >This could use an additional warning that certificate archival > >> >>should > >> >> >> >not rely solely on signatures in archived certificates for > >>ensuring > >> >>the > >> >> >> >validity and integrity of the archived certificates because > >> >> >> >the > >> >> >>signature > >> >> >> >algorithm(s) may transition to no longer being considered > >>acceptably > >> >> >> >secure at some point after the certificates are archived. > >> >> >> > >> >> >> This note if I remember correctly is imported from RFC 6277, > >>which is > >> >> >> incorporated into this document. The reason behind the text is > >>only > >> >>to > >> >> >> avoid usages of insecure algorithms. > >> >> >> Historical validation is a real can of worms that I really > >> >> >> would > >> >>like to > >> >> >> keep a tight lid on. I really want to avoid doing > >> >> >> recommendations > >>in > >> >> >>this > >> >> >> space as it may trigger a whole flood of things that could be > >>equally > >> >> >> important to say about this subject. > >> >> >> > >> >> >> > > >> >> >> >Nits: > >> >> >> > > >> >> >> >idnits 2.12.15 said: > >> >> >> > > >> >> >> > -- The document seems to lack a disclaimer for pre-RFC5378 > >>work, > >> >>but > >> >> >>may > >> >> >> > have content which was first submitted before 10 November > >>2008. > >> >> >>If > >> >> >> >you > >> >> >> > have contacted all the original authors and they are all > >> >>willing > >> >> >>to > >> >> >> >grant > >> >> >> > the BCP78 rights to the IETF Trust, then this is fine, > >> >> >> >and > >>you > >> >>can > >> >> >> >ignore > >> >> >> > this comment. If not, you may need to add the > >> >> >> >pre-RFC5378 disclaimer. > >> >> >> > (See the Legal Provisions document at > >> >> >> > http://trustee.ietf.org/license-info for more > >> >> >> >information.) > >> >> >> > > >> >> >> >This looks like it's ok because all the authors of RFC 2560 > >> >> >> >are > >>also > >> >> >> >authors of > >> >> >> >this draft, but it should be double-checked. > >> >> >> > >> >> >> > >> >> >> I defer this one to Sean. I think he has this one under control. > >> >> >> > >> >> >> > >> >> >> Thanks again for the review. > >> >> >> > >> >> >> /Stefan > >> >> >> > >> >> >> > >> >> >> > > >> >> >> >Thanks, > >> >> >> >--David > >> >> >> >---------------------------------------------------- > >> >> >> >David L. Black, Distinguished Engineer EMC Corporation, 176 > >> >> >> >South St., Hopkinton, MA 01748 > >> >> >> >+1 (508) 293-7953 FAX: +1 (508) 293-7786 > >> >> >> >david.black@emc.com Mobile: +1 (978) 394-7754 > >> >> >> >---------------------------------------------------- > >> >> >> > > >> >> >> > > >> >> >> > >> >> >> > >> >> > > >> >> > >> >> > >> > > >> > >> > > > > > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix From stefan@aaa-sec.com Fri Mar 29 09:37:14 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB4BC21F93C9 for ; Fri, 29 Mar 2013 09:37:14 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.179 X-Spam-Level: X-Spam-Status: No, score=-102.179 tagged_above=-999 required=5 tests=[AWL=0.070, BAYES_00=-2.599, HELO_EQ_SE=0.35, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2mCpxKQooe4q for ; Fri, 29 Mar 2013 09:37:14 -0700 (PDT) Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id 440EF21F93A0 for ; Fri, 29 Mar 2013 09:37:14 -0700 (PDT) Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id 5273B1F07DC9 for ; Fri, 29 Mar 2013 17:37:13 +0100 (CET) X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id BABtAnrQ4k8W for ; Fri, 29 Mar 2013 17:37:13 +0100 (CET) Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id B73A81F07DC0 for ; Fri, 29 Mar 2013 17:37:12 +0100 (CET) Received: (qmail 51098 invoked from network); 29 Mar 2013 16:37:12 -0000 Received: from 81-232-51-61-no39.business.telia.com (HELO [192.168.0.104]) (stefan@fiddler.nu@[81.232.51.61]) (envelope-sender ) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 29 Mar 2013 16:37:12 -0000 User-Agent: Microsoft-MacOutlook/14.3.2.130206 Date: Fri, 29 Mar 2013 17:37:10 +0100 From: Stefan Santesson To: Piyush Jain , "'Black, David'" , , , , , , Message-ID: Thread-Topic: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 In-Reply-To: <00fc01ce2c98$ddc41770$994c4650$@ditenity.com> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit X-Mailman-Approved-At: Fri, 29 Mar 2013 09:41:07 -0700 Cc: pkix@ietf.org, ietf@ietf.org Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Mar 2013 16:37:15 -0000 On 3/29/13 5:17 PM, "Piyush Jain" wrote: >' "revoked" status is still optional in this context in order to maintain >backwards compatibility with deployments of RFC 2560.' > >I fail to understand this statement about backward compatibility. >How does "revoked" being "optional/required breaks backward compatibility? >The only reason cited in the WG discussions to use revoked for >"not-issued" >was that any other approach would break backward compatibility with legacy >clients. And now the draft says that revoked is optional because making it >required won't be backward compatible. Yes. Making it required would prohibit other valid ways to respond to this situation that is allowed by RFC 2560 and RFC 5019. Such as responding "good" or responding with "unauthorized" error. > >And it gives the impression that best course of action for 2560bis >responders is to start issuing revoked for "not-issued", which is far from >the originally stated goal to provide a way for CAs to be able to return >revoked for such serial numbers. The latter is what optional means. /Stefan From piyush@ditenity.com Fri Mar 29 09:44:54 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3A2621F9406 for ; Fri, 29 Mar 2013 09:44:54 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.808 X-Spam-Level: X-Spam-Status: No, score=-2.808 tagged_above=-999 required=5 tests=[AWL=0.791, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vr+971YSYqK4 for ; Fri, 29 Mar 2013 09:44:54 -0700 (PDT) Received: from mail-ye0-f179.google.com (mail-ye0-f179.google.com [209.85.213.179]) by ietfa.amsl.com (Postfix) with ESMTP id D702621F9403 for ; Fri, 29 Mar 2013 09:44:53 -0700 (PDT) Received: by mail-ye0-f179.google.com with SMTP id q7so49534yen.10 for ; Fri, 29 Mar 2013 09:44:53 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-type:content-transfer-encoding :x-mailer:thread-index:content-language:x-gm-message-state; bh=o+DP7cDna2ivc6yobD143vwfySme8xGtJzNw2x9hOkc=; b=jNYci3u3WfOZaqm8QbNDfb0GVnm9NJ8wxzM8edFRbo08rV2d27bcCLCl5iP2kAQTmR hSKnJXJlr5vSDHpccS3fjtzwnUlEW9jDSwIyflpZuyUA6OuR0LKQMHV/PsAyegLhKaPD ynbXvdF1lnBVEdey1PxeADj96h0FP69/KR7RcdjwH1jDV7k9Y2ek6FkMPt44AEyhq++6 PDdOr0xe574DjMslH4pc8ZMXunSnf3cIxyYT7HMRE5sjaKcPl+H2zk4cvnvaFGKXRtkY QW+wGSJEIK0ews6X+LVo9YSjkOHE30eqNJMpggBKOVMI1MhdE3ygcO570ukeDbyo0Jzj SkGQ== X-Received: by 10.236.131.1 with SMTP id l1mr795386yhi.21.1364575493409; Fri, 29 Mar 2013 09:44:53 -0700 (PDT) Received: from hp13 (75-25-128-241.lightspeed.sjcpca.sbcglobal.net. [75.25.128.241]) by mx.google.com with ESMTPS id w69sm1901418yhe.4.2013.03.29.09.44.52 (version=TLSv1 cipher=RC4-SHA bits=128/128); Fri, 29 Mar 2013 09:44:52 -0700 (PDT) From: "Piyush Jain" To: "'Santosh Chokhani'" , "'Miller, Timothy J.'" , "'David A. Cooper'" References: <004f01ce2be4$f7eb64a0$e7c22de0$@ditenity.com> <00fe01ce2c99$7b408f10$71c1ad30$@ditenity.com> In-Reply-To: Date: Fri, 29 Mar 2013 09:44:48 -0700 Message-ID: <012401ce2c9c$bb2b9900$3182cb00$@ditenity.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Mailer: Microsoft Outlook 14.0 thread-index: AQMFsea5hqjZEtxS3TkpUO68LOHg5AJicp73AnC4cigDGlqhwJYOZ1Wg Content-Language: en-us X-Gm-Message-State: ALoCoQm2jRM3n/JdYagcEbmCb2vES2DU2i/2/9EpoRECEv4fqTK2lfnlv9gn+tWp/h+iA/qGai1z Cc: 'pkix' Subject: Re: [pkix] URI Name Constraint and URN X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Mar 2013 16:44:54 -0000 That is true. In this case there will be no NC constraining the URNs. A URN NC would only make sense for hierarchical URNs. > -----Original Message----- > From: Santosh Chokhani [mailto:SChokhani@cygnacom.com] > Sent: Friday, March 29, 2013 9:29 AM > To: Piyush Jain; 'Miller, Timothy J.'; 'David A. Cooper' > Cc: 'pkix' > Subject: RE: [pkix] URI Name Constraint and URN >=20 > There is nothing to constrain when URN is UUID. >=20 > -----Original Message----- > From: Piyush Jain [mailto:piyush@ditenity.com] > Sent: Friday, March 29, 2013 12:22 PM > To: 'Miller, Timothy J.'; 'David A. Cooper'; Santosh Chokhani > Cc: 'pkix' > Subject: RE: [pkix] URI Name Constraint and URN >=20 > Yes. Applying location constraints to URNs is the problem which must = be > fixed. > Defining processing rules for URN constrains is probably nice to have. >=20 > > -----Original Message----- > > From: Miller, Timothy J. [mailto:tmiller@mitre.org] > > Sent: Friday, March 29, 2013 6:27 AM > > To: Piyush Jain; 'David A. Cooper'; Santosh Chokhani > > Cc: 'pkix' > > Subject: Re: [pkix] URI Name Constraint and URN > > > > So perhaps the problem is there's no way to apply a single NC rule = to > > URIs since the sub-types of URIs conflict in how names are > > constructed. I.e., > the > > right fix is to discard the URI type and treat the sub-type of URLs > > and > URNs > > separately. This would permit separate NC processing for each, = which > seems > > to be what Santosh is asking for. > > > > -- T > > > > On 3/28/13 1:49 PM, "Piyush Jain" wrote: > > > > >My apologies to the author(s) for being presumptuous and thank = David > > >for pointing to the discussion thread. > > > > > >So it seems that WG consciously refrained from defining matching > > >rules for URNs. > > > > > >This implies if a CA has a permitted subtree constraint, any > > >descendent certificate cannot have a URN name. Seems like a > > >limitation which cannot be addressed without defining matching = rules for > URNs. > > > > > >From: David A. Cooper [mailto:david.cooper@nist.gov] > > > > > >Sent: Thursday, March 28, 2013 11:04 AM > > >To: Piyush Jain > > >Cc: 'pkix' > > >Subject: Re: [pkix] URI Name Constraint and URN > > > > > > > > > > > >On 03/28/2013 01:37 PM, Piyush Jain wrote: > > > > > > > > >Santosh, > > > > > >I think I agree with you that constraining URN based on authority > > >does not make sense. > > > > > >The text =AD =B3For URIs, the constraint applies to the host part = of the > > >name.=B2 from 5280 indicates that the author assumed that URIs will > > >always have the authority component, which is a wrong assumption. > > > > > > > > >RFC 5280 says: > > >If a constraint is applied to the uniformResourceIdentifier name = form > > >and a subsequent certificate includes a subjectAltName extension = with > > >a uniformResourceIdentifier that does not include an authority > > >component with a host name specified as a fully qualified domain = name > > >(e.g., if the URI either does not include an authority component or > > >includes an authority component in which the host name is = specified > > >as an IP address), then the application MUST reject the = certificate. > > > > > >This indicates quite clearly that the author did not assume that = URIs > > >will always have the authority component. > > > > > >See also > > >http://www.ietf.org/mail-archive/web/pkix/current/msg02179.html > > > > > ("RFC > > >3280bis and URI schemes without hostname"). > > > > > > >=20 From piyush@ditenity.com Fri Mar 29 10:12:45 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BEB221F9405 for ; Fri, 29 Mar 2013 10:12:45 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.921 X-Spam-Level: X-Spam-Status: No, score=-2.921 tagged_above=-999 required=5 tests=[AWL=0.678, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pNWKlsOlfQPq for ; Fri, 29 Mar 2013 10:12:44 -0700 (PDT) Received: from mail-gh0-f179.google.com (mail-gh0-f179.google.com [209.85.160.179]) by ietfa.amsl.com (Postfix) with ESMTP id 6C23821F91F0 for ; Fri, 29 Mar 2013 10:12:44 -0700 (PDT) Received: by mail-gh0-f179.google.com with SMTP id z12so51160ghb.38 for ; Fri, 29 Mar 2013 10:12:44 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-type:content-transfer-encoding :x-mailer:thread-index:content-language:x-gm-message-state; bh=ts9tp7NQ67JmzP+2dGIhLZzPy4Igv1d5U3wroC96kBM=; b=YGu7CQ7eRwR5LzvXkBnCWUDD024LOxbvV2FMwwvvxdVe9f0T0PrqImgXmbV3sDfOIH ULQRcpqli2pWIuMCj+hoETtqtgCoH9VOl9CukaoLFqCpWrVeByg2K8XI7QeI1SWvWUfQ wr+wg8z/MTdJpIfXHecBzqs2rvbpuUB0bi14LBgA8WziLrcJKPLybcp0wmfy5/wZx8JB Xsm5JUE0YZFnkwKD62UqM8Ut19l2U3he2mlyKgJlAv7o4/SLHb1YwTk2v02vHL+HzNlc rtBI6tW4cyTsldG8HiqaAo1OMJUW0XEAAv8ZQ2YYDqUV3XNhFxV5PFHuhrfJbIGHKZyH QOlw== X-Received: by 10.236.135.231 with SMTP id u67mr896266yhi.135.1364577163772; Fri, 29 Mar 2013 10:12:43 -0700 (PDT) Received: from hp13 (75-25-128-241.lightspeed.sjcpca.sbcglobal.net. [75.25.128.241]) by mx.google.com with ESMTPS id x71sm2079717yhg.17.2013.03.29.10.12.41 (version=TLSv1 cipher=RC4-SHA bits=128/128); Fri, 29 Mar 2013 10:12:43 -0700 (PDT) From: "Piyush Jain" To: "'Stefan Santesson'" , "'Black, David'" , , , , , , References: <00fc01ce2c98$ddc41770$994c4650$@ditenity.com> In-Reply-To: Date: Fri, 29 Mar 2013 10:12:38 -0700 Message-ID: <012f01ce2ca0$9eaf4840$dc0dd8c0$@ditenity.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Outlook 14.0 thread-index: AQFaQn1rWGWmOJQLB6oJfMxBH8dluJmktKLg Content-Language: en-us X-Gm-Message-State: ALoCoQmGbWIBCD5pZ8mFg+cK7f1DbbbyoysiJHEi8GvzO7LQ2iSDV7xuN2hqlBlPwbp8dVgoM3gs Cc: pkix@ietf.org Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Mar 2013 17:12:45 -0000 Not arguing that it should be required. I'm with you on keeping it optional. It is your statement about backward compatibility to justify it that is incorrect. Backward compatibility "with deployments of RFC2560" is not affected in either case. Legacy clients will continue to work whether you make it required or optional. You probably meant "maintain compliance with RFC 2560 and RFC 5019." -Piyush > -----Original Message----- > From: Stefan Santesson [mailto:stefan@aaa-sec.com] > Sent: Friday, March 29, 2013 9:37 AM > To: Piyush Jain; 'Black, David'; sts@aaa-sec.com; mmyers@fastq.com; > ambarish@gmail.com; slava.galperin@gmail.com; cadams@eecs.uottawa.ca; > gen-art@ietf.org > Cc: pkix@ietf.org; ietf@ietf.org > Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 > > On 3/29/13 5:17 PM, "Piyush Jain" wrote: > > >' "revoked" status is still optional in this context in order to > >maintain backwards compatibility with deployments of RFC 2560.' > > > >I fail to understand this statement about backward compatibility. > >How does "revoked" being "optional/required breaks backward > compatibility? > >The only reason cited in the WG discussions to use revoked for > >"not-issued" > >was that any other approach would break backward compatibility with > >legacy clients. And now the draft says that revoked is optional because > >making it required won't be backward compatible. > > Yes. Making it required would prohibit other valid ways to respond to this > situation that is allowed by RFC 2560 and RFC 5019. > Such as responding "good" or responding with "unauthorized" error. > > > > >And it gives the impression that best course of action for 2560bis > >responders is to start issuing revoked for "not-issued", which is far > >from the originally stated goal to provide a way for CAs to be able to > >return revoked for such serial numbers. > > The latter is what optional means. > > /Stefan > From david.cooper@nist.gov Fri Mar 29 10:39:20 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 587C721F9409 for ; Fri, 29 Mar 2013 10:39:20 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.141 X-Spam-Level: X-Spam-Status: No, score=-5.141 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y5FbDYZYEmj3 for ; Fri, 29 Mar 2013 10:39:19 -0700 (PDT) Received: from wsget2.nist.gov (wsget2.nist.gov [129.6.13.151]) by ietfa.amsl.com (Postfix) with ESMTP id 0CFB121F939B for ; Fri, 29 Mar 2013 10:39:18 -0700 (PDT) Received: from WSXGHUB1.xchange.nist.gov (129.6.18.96) by wsget2.nist.gov (129.6.13.151) with Microsoft SMTP Server (TLS) id 14.3.123.3; Fri, 29 Mar 2013 13:38:57 -0400 Received: from smtp.nist.gov (129.6.16.226) by WSXGHUB1.xchange.nist.gov (129.6.18.96) with Microsoft SMTP Server id 8.3.298.1; Fri, 29 Mar 2013 13:39:17 -0400 Received: from st26.ncsl.nist.gov (st26.ncsl.nist.gov [129.6.54.72]) by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id r2THdHP9007750; Fri, 29 Mar 2013 13:39:17 -0400 Message-ID: <5155D1C5.7070301@nist.gov> Date: Fri, 29 Mar 2013 13:39:17 -0400 From: "David A. Cooper" User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130308 Thunderbird/17.0.4 MIME-Version: 1.0 To: Santosh Chokhani References: <000c01ce2bda$fadd38f0$f097aad0$@ditenity.com> <5154860B.7050900@nist.gov> In-Reply-To: Content-Type: text/html; charset="windows-1252" Content-Transfer-Encoding: 8bit Cc: 'pkix' Subject: Re: [pkix] URI Name Constraint and URN X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Mar 2013 17:39:20 -0000
Santosh,

On 03/29/2013 12:28 PM, Santosh Chokhani wrote:
So, why are you hung up on the text in 5280 which most likely did not consider URN scenario.  If it did, please explain why a name constraint is meaningful to URN which not a hierarchical name in the first place.

The text in 5280 most definitely did consider the URN scenario.  That is why 5280 includes a sentence that says "if the URI either does not include an authority component...."

I also pointed to an thread on the PKIX mail list with the subject "RFC 3280bis and URI schemes without hostname" (http://www.ietf.org/mail-archive/web/pkix/current/msg02179.html), and in one of the messages in that thread (http://www.ietf.org/mail-archive/web/pkix/current/msg02171.html), I referred to a thread from early 2007 with the subject "URN in subjectAltName" (http://www.imc.org/ietf-pkix/mail-archive/msg02513.html).  I did a quick look at the "URN in subjectAltName" thread and saw that there was at least one message in that thread (http://www.imc.org/ietf-pkix/mail-archive/msg02641.html) that specifically mentioned URNs and name constraints.

I even checked my interoperability testing spreadsheet (from about 4 years ago) and see that I tested this scenario and found two path validation implementations that implemented this aspect of name constraints:
Issued end entity certificate (ValidNoAuthorityURI.cer) under SampleRoot.cer and verified that both clients would accept a URI without an authority component in the absence of a name constraint.  Created a subordinate (URInameConstraintsIntermediateCA.cer) that specifies a permitted subtree for URIs and three end entities, one with a URI that satisfies the constraint (ValidURInameConstraints.cer), one with a URI with no authority component [urn:uuid:...] (NoAuthorityURInameConstraints.cer), and one with a URI that uses an IP address to specify the host (InvalidURIIPaddress.cer).  Both clients accepted the certificate with the valid URI and rejected the other two certificates.

Can you explain to me how all of those things happened if 5280 did not consider URN scenario?

As to your other questions, I will simply point you to http://www.ietf.org/mail-archive/web/pkix/current/msg02132.html, where I said:
I am inclined to think that URIs that do not include an authority should be ignored. That is, they should be treated just as if they had been included in a different name form for which name constraints have not been defined.

So, unless I changed my mind later, I didn't even agree with the requirements that were put into 5280.  However, as editor it would have been my responsibility to reflect working group consensus in the document, not my own personal opinion.  So, I will not attempt to respond to your other questions, which seem to be asking me to defend the current text in 5280.  I am simply rebutting suggestions that URNs were never considered when the name constraints rules in 5280 were written.  I have no interest in either supporting or arguing against the current rules.

Dave

On 03/29/2013 12:28 PM, Santosh Chokhani wrote:

David,

 

1.       Can you explain what harm is does to accept a certificate if the upstream CA has URL constrained?

 

2.       Can you explain how a CA that wishes to constrain URL, but permit URN would do so.  Note that this is a real scenario as you know?

 

3.       Note that SAN description in 5280 already require FQDN for the host for URI that require authority.  So, why are you hung up on the text in 5280 which most likely did not consider URN scenario.  If it did, please explain why a name constraint is meaningful to URN which not a hierarchical name in the first place.

 

4.       I read the post you sent below and I read it as supporting what I am saying.  Do not constrain the URI that cannot have authority component to it.

 

“* Decide that this name type is not appropriate for URI schemes that tend not to use authorities. 

 

* Relax the rules.  I strongly urge the WG not to take on the task of name constraints for URIs without authority in this document.”

 

 

 

From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of David A. Cooper
Sent: Thursday, March 28, 2013 2:04 PM
To: Piyush Jain
Cc: 'pkix'
Subject: Re: [pkix] URI Name Constraint and URN

 

On 03/28/2013 01:37 PM, Piyush Jain wrote:

Santosh,

 

I think I agree with you that constraining URN based on authority does not make sense.

 

The text – “For URIs, the constraint applies to the host part of the name.” from 5280 indicates that the author assumed that URIs will always have the authority component, which is a wrong assumption.


RFC 5280 says:

If a constraint is applied to the uniformResourceIdentifier name form and a subsequent certificate includes a subjectAltName extension with a uniformResourceIdentifier that does not include an authority component with a host name specified as a fully qualified domain name (e.g., if the URI either does not include an authority component or includes an authority component in which the host name is specified as an IP address), then the application MUST reject the certificate.


This indicates quite clearly that the author did not assume that URIs will always have the authority component.

See also http://www.ietf.org/mail-archive/web/pkix/current/msg02179.html ("RFC 3280bis and URI schemes without hostname").


From SChokhani@cygnacom.com Fri Mar 29 10:45:21 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8173521F90BD for ; Fri, 29 Mar 2013 10:45:21 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.548 X-Spam-Level: X-Spam-Status: No, score=-2.548 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xEXvjJWpBSDE for ; Fri, 29 Mar 2013 10:45:17 -0700 (PDT) Received: from ipedge1.cygnacom.com (ipedge1.cygnacom.com [216.191.252.12]) by ietfa.amsl.com (Postfix) with ESMTP id 526BC21F86D9 for ; Fri, 29 Mar 2013 10:45:17 -0700 (PDT) X-IronPort-AV: E=Sophos;i="4.87,374,1363147200"; d="scan'208,217";a="8427655" Received: from unknown (HELO scygexch7.cygnacom.com) ([10.4.60.22]) by ipedge1.cygnacom.com with ESMTP; 29 Mar 2013 13:45:16 -0400 Received: from scygexch7.cygnacom.com ([::1]) by scygexch7.cygnacom.com ([::1]) with mapi; Fri, 29 Mar 2013 13:45:16 -0400 From: Santosh Chokhani To: "David A. Cooper" Date: Fri, 29 Mar 2013 13:45:15 -0400 Thread-Topic: [pkix] URI Name Constraint and URN Thread-Index: Ac4spFfgZzR8lPFDT3KRcqA74y9CcgAAKGlw Message-ID: References: <000c01ce2bda$fadd38f0$f097aad0$@ditenity.com> <5154860B.7050900@nist.gov> <5155D1C5.7070301@nist.gov> In-Reply-To: <5155D1C5.7070301@nist.gov> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: multipart/alternative; boundary="_000_B83745DA469B7847811819C5005244AFF3DC9D3Dscygexch7cygnac_" MIME-Version: 1.0 Cc: 'pkix' Subject: Re: [pkix] URI Name Constraint and URN X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Mar 2013 17:45:21 -0000 --_000_B83745DA469B7847811819C5005244AFF3DC9D3Dscygexch7cygnac_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable David, Thank you very much. From: David A. Cooper [mailto:david.cooper@nist.gov] Sent: Friday, March 29, 2013 1:39 PM To: Santosh Chokhani Cc: 'pkix' Subject: Re: [pkix] URI Name Constraint and URN Santosh, On 03/29/2013 12:28 PM, Santosh Chokhani wrote: So, why are you hung up on the text in 5280 which most likely did not consi= der URN scenario. If it did, please explain why a name constraint is meani= ngful to URN which not a hierarchical name in the first place. The text in 5280 most definitely did consider the URN scenario. That is wh= y 5280 includes a sentence that says "if the URI either does not include an= authority component...." I also pointed to an thread on the PKIX mail list with the subject "RFC 328= 0bis and URI schemes without hostname" (http://www.ietf.org/mail-archive/we= b/pkix/current/msg02179.html), and in one of the messages in that thread (h= ttp://www.ietf.org/mail-archive/web/pkix/current/msg02171.html), I referred= to a thread from early 2007 with the subject "URN in subjectAltName" (http= ://www.imc.org/ietf-pkix/mail-archive/msg02513.html). I did a quick look a= t the "URN in subjectAltName" thread and saw that there was at least one me= ssage in that thread (http://www.imc.org/ietf-pkix/mail-archive/msg02641.ht= ml) that specifically mentioned URNs and name constraints. I even checked my interoperability testing spreadsheet (from about 4 years = ago) and see that I tested this scenario and found two path validation impl= ementations that implemented this aspect of name constraints: Issued end entity certificate (ValidNoAuthorityURI.cer) under SampleRoot.ce= r and verified that both clients would accept a URI without an authority co= mponent in the absence of a name constraint. Created a subordinate (URInam= eConstraintsIntermediateCA.cer) that specifies a permitted subtree for URIs= and three end entities, one with a URI that satisfies the constraint (Vali= dURInameConstraints.cer), one with a URI with no authority component [urn:u= uid:...] (NoAuthorityURInameConstraints.cer), and one with a URI that uses = an IP address to specify the host (InvalidURIIPaddress.cer). Both clients = accepted the certificate with the valid URI and rejected the other two cert= ificates. Can you explain to me how all of those things happened if 5280 did not cons= ider URN scenario? As to your other questions, I will simply point you to http://www.ietf.org/= mail-archive/web/pkix/current/msg02132.html, where I said: I am inclined to think that URIs that do not include an authority should be= ignored. That is, they should be treated just as if they had been included= in a different name form for which name constraints have not been defined. So, unless I changed my mind later, I didn't even agree with the requiremen= ts that were put into 5280. However, as editor it would have been my respo= nsibility to reflect working group consensus in the document, not my own pe= rsonal opinion. So, I will not attempt to respond to your other questions,= which seem to be asking me to defend the current text in 5280. I am simpl= y rebutting suggestions that URNs were never considered when the name const= raints rules in 5280 were written. I have no interest in either supporting= or arguing against the current rules. Dave On 03/29/2013 12:28 PM, Santosh Chokhani wrote: David, 1. Can you explain what harm is does to accept a certificate if the u= pstream CA has URL constrained? 2. Can you explain how a CA that wishes to constrain URL, but permit = URN would do so. Note that this is a real scenario as you know? 3. Note that SAN description in 5280 already require FQDN for the hos= t for URI that require authority. So, why are you hung up on the text in 5= 280 which most likely did not consider URN scenario. If it did, please exp= lain why a name constraint is meaningful to URN which not a hierarchical na= me in the first place. 4. I read the post you sent below and I read it as supporting what I = am saying. Do not constrain the URI that cannot have authority component t= o it. "* Decide that this name type is not appropriate for URI schemes that tend = not to use authorities. * Relax the rules. I strongly urge the WG not to take on the task of name = constraints for URIs without authority in this document." From: pkix-bounces@ietf.org [mailto:pkix-boun= ces@ietf.org] On Behalf Of David A. Cooper Sent: Thursday, March 28, 2013 2:04 PM To: Piyush Jain Cc: 'pkix' Subject: Re: [pkix] URI Name Constraint and URN On 03/28/2013 01:37 PM, Piyush Jain wrote: Santosh, I think I agree with you that constraining URN based on authority does not = make sense. The text - "For URIs, the constraint applies to the host part of the name."= from 5280 indicates that the author assumed that URIs will always have the= authority component, which is a wrong assumption. RFC 5280 says: If a constraint is applied to the uniformResourceIdentifier name form and a= subsequent certificate includes a subjectAltName extension with a uniformR= esourceIdentifier that does not include an authority component with a host = name specified as a fully qualified domain name (e.g., if the URI either do= es not include an authority component or includes an authority component in= which the host name is specified as an IP address), then the application M= UST reject the certificate. This indicates quite clearly that the author did not assume that URIs will = always have the authority component. See also http://www.ietf.org/mail-archive/web/pkix/current/msg02179.html ("= RFC 3280bis and URI schemes without hostname"). --_000_B83745DA469B7847811819C5005244AFF3DC9D3Dscygexch7cygnac_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

= David,

 

Thank you very much.

 

From: David A. Cooper [mailto:david.cooper@nist.gov]
Sent: Frid= ay, March 29, 2013 1:39 PM
To: Santosh Chokhani
Cc: 'pk= ix'
Subject: Re: [pkix] URI Name Constraint and URN

 

Santosh,

On 03/29/2013 12:28 PM, Santosh Chokhani wrote= :

= So, why are you hung up on the text in 5280 which most likely did not consi= der URN scenario.  If it did, please explain why a name constraint is = meaningful to URN which not a hierarchical name in the first place.<= o:p>


The text in 5280 most definitely did= consider the URN scenario.  That is why 5280 includes a sentence that= says "if the URI either does not include an authority component....&q= uot;

I also pointed to an thread on the PKIX mail list with the subj= ect "RFC 3280bis and URI schemes without hostname" (http://www.i= etf.org/mail-archive/web/pkix/current/msg02179.html), and in one of the= messages in that thread (http://www.ietf.org/mail-archive/web/pkix/curren= t/msg02171.html), I referred to a thread from early 2007 with the subje= ct "URN in subjectAltName" (http://www.imc.org/ietf-pkix/mail-archive/ms= g02513.html).  I did a quick look at the "URN in subjectAltNa= me" thread and saw that there was at least one message in that thread = (http:/= /www.imc.org/ietf-pkix/mail-archive/msg02641.html) that specifically me= ntioned URNs and name constraints.

I even checked my interoperabilit= y testing spreadsheet (from about 4 years ago) and see that I tested this s= cenario and found two path validation implementations that implemented this= aspect of name constraints:

Issued end entity certificate (ValidNoAuthorityURI.cer) = under SampleRoot.cer and verified that both clients would accept a URI with= out an authority component in the absence of a name constraint.  Creat= ed a subordinate (URInameConstraintsIntermediateCA.cer) that specifies a pe= rmitted subtree for URIs and three end entities, one with a URI that satisf= ies the constraint (ValidURInameConstraints.cer), one with a URI with no au= thority component [urn:uuid:...] (NoAuthorityURInameConstraints.cer), and o= ne with a URI that uses an IP address to specify the host (InvalidURIIPaddr= ess.cer).  Both clients accepted the certificate with the valid URI an= d rejected the other two certificates.


Can you explain to me how all of those things happened if 5280 di= d not consider URN scenario?

As to your other questions, I will simp= ly point you to http://www.ietf.org/mail-archive/web/pkix/current/msg02132= .html, where I said:

I am inclined to think that URIs that do not include= an authority should be ignored. That is, they should be treated just as if= they had been included in a different name form for which name constraints= have not been defined.


So, = unless I changed my mind later, I didn't even agree with the requirements t= hat were put into 5280.  However, as editor it would have been my resp= onsibility to reflect working group consensus in the document, not my own p= ersonal opinion.  So, I will not attempt to respond to your other ques= tions, which seem to be asking me to defend the current text in 5280. = I am simply rebutting suggestions that URNs were never considered when the= name constraints rules in 5280 were written.  I have no interest in e= ither supporting or arguing against the current rules.

Dave

O= n 03/29/2013 12:28 PM, Santosh Chokhani wrote:

David,

 

1.       Can you explain what harm is does to accept = a certificate if the upstream CA has URL constrained?

=

 =

2.       Can you explain how a CA= that wishes to constrain URL, but permit URN would do so.  Note that = this is a real scenario as you know?

 

= 3.       Note that SAN description in 5280 = already require FQDN for the host for URI that require authority.  So,= why are you hung up on the text in 5280 which most likely did not consider= URN scenario.  If it did, please explain why a name constraint is mea= ningful to URN which not a hierarchical name in the first place.

 =

4.   &nbs= p;   I read= the post you sent below and I read it as supporting what I am saying. = ; Do not constrain the URI that cannot have authority component to it.

 <= /span>

“* Decide that th= is name type is not appropriate for URI schemes that tend not to use author= ities. 

 

* Relax the rules.  = I strongly urge the WG not to take on the task of name constraints for URIs= without authority in this document.”

 

 

 

<= p class=3DMsoNormal>From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of Davi= d A. Cooper
Sent: Thursday, March 28, 2013 2:04 PM
To: = Piyush Jain
Cc: 'pkix'
Subject: Re: [pkix] URI Name Con= straint and URN

 = ;

On 03/28/2013 01:37 PM, Piyush Ja= in wrote:

Santosh,

&nbs= p;

= I think I agree with you that constraining URN based on authority does not = make sense.

 

The text – “For URIs, the constraint applies to the host part of the name.” from 5280 indicates that the author assumed that URIs will always have =
the authority component, which is a wrong assumption.
<= /blockquote>


RFC 5280 says:

If a constraint is applied to the uniformResourc= eIdentifier name form and a subsequent certificate includes a subjectAltNam= e extension with a uniformResourceIdentifier that does not include an autho= rity component with a host name specified as a fully qualified domain name = (e.g., if the URI either does not i= nclude an authority component or includes an authority component= in which the host name is specified as an IP address), then the applicatio= n MUST reject the certificate.


This indicates quite clearly that the = author did not assume that URIs will always have the authority compo= nent.

See also http://www.ietf.org/mail-archive/web/pkix/current/ms= g02179.html ("RFC 3280bis and URI schemes without hostname").=

 

= --_000_B83745DA469B7847811819C5005244AFF3DC9D3Dscygexch7cygnac_-- From piyush@ditenity.com Fri Mar 29 12:27:47 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8241621F8EC9 for ; Fri, 29 Mar 2013 12:27:47 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.974 X-Spam-Level: X-Spam-Status: No, score=-0.974 tagged_above=-999 required=5 tests=[AWL=-1.570, BAYES_00=-2.599, DOS_OUTLOOK_TO_MX=1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_EQ_LT4=0.442, RDNS_DYNAMIC=0.1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2iMPABnhvDMX for ; Fri, 29 Mar 2013 12:27:46 -0700 (PDT) Received: from mail-gg0-x232.google.com (mail-gg0-x232.google.com [IPv6:2607:f8b0:4002:c02::232]) by ietfa.amsl.com (Postfix) with ESMTP id 3732F21F8ED3 for ; Fri, 29 Mar 2013 12:27:46 -0700 (PDT) Received: by mail-gg0-f178.google.com with SMTP id e5so66163ggh.23 for ; Fri, 29 Mar 2013 12:27:45 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-type:content-transfer-encoding :x-mailer:thread-index:content-language:x-gm-message-state; bh=o8FpgSuY6P+4bpsz0DjVU5JcgCo4w97r71fi1wecLAk=; b=jSufkgrU6l/GRvp260Dc4sBIrLGjznA3vl6PaGRzigzTycqAlJYF3WRVZcTvFXCH2k pdyFb91O6OJ66i7T+ZZtFQWzA2xDaZdA+6Lesq0kP9SWxhCVvJvrX+D75RfY6JxyoqJt PtIff9pe8erSHhZemgjVayYhSUKLJ0vpG7at8jvaGgX+SwKhO7orGvq6Sq2yOCKSSE8L 7b6LrD3nMR5CZD1EP4BgzwMNH1Iy9oFrNN9QvPFzsPCP8WKkEVGRosTToUGW9DK/4hlY iQZtBFnQ3hmWGvrVpr9wP05IucTnvWV2OFq/w6wAAvbQAhlEno4cvk6kFlmmLUHIPPxW vlSw== X-Received: by 10.236.115.97 with SMTP id d61mr1222469yhh.136.1364585265603; Fri, 29 Mar 2013 12:27:45 -0700 (PDT) Received: from hp13 (75-25-128-241.lightspeed.sjcpca.sbcglobal.net. [75.25.128.241]) by mx.google.com with ESMTPS id x71sm2927779yhg.17.2013.03.29.12.27.43 (version=TLSv1 cipher=RC4-SHA bits=128/128); Fri, 29 Mar 2013 12:27:45 -0700 (PDT) From: "Piyush Jain" To: "'Black, David'" , "'Stefan Santesson'" , , , , , , References: <00fc01ce2c98$ddc41770$994c4650$@ditenity.com> <012f01ce2ca0$9eaf4840$dc0dd8c0$@ditenity.com> <8D3D17ACE214DC429325B2B98F3AE71293D36BC5@MX15A.corp.emc.com> In-Reply-To: <8D3D17ACE214DC429325B2B98F3AE71293D36BC5@MX15A.corp.emc.com> Date: Fri, 29 Mar 2013 12:27:40 -0700 Message-ID: <017c01ce2cb3$7be35ff0$73aa1fd0$@ditenity.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Outlook 14.0 thread-index: AQEn+8mlhU8+Jh1sNTWP+EAwhHU2PQFaQn1rAjldMbICSr83JZnad9xw Content-Language: en-us X-Gm-Message-State: ALoCoQmhHnJVFJwf2kp49tcZWh2KemhoLWOKie3XH/gyrn4Gh3Iimt5NLighU9KANRUo+5EUiw7g Cc: pkix@ietf.org Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Mar 2013 19:27:47 -0000 Hi David, Your interpretation of the text is right on target. How, based on the past discussions in this WG, that is not the intent. The sole reason cited for overloading the meaning of revoked status with non-issued was that it allows new servers to interoperate with legacy clients. The WG agreed that there are many better alternatives but they all break compatibility with older clients. In fact, a more secure and complete proposal by Denis was not adopted because of the same reason. I believe that Stefan is trying to convey that requiring servers to return revoked in this context will make them non-compliant with 2560 and 5019 as opposed to breaking interoperability with legacy clients. Cheers -Piyush > -----Original Message----- > From: Black, David [mailto:david.black@emc.com] > Sent: Friday, March 29, 2013 11:18 AM > To: Piyush Jain; 'Stefan Santesson'; sts@aaa-sec.com; mmyers@fastq.com; > ambarish@gmail.com; slava.galperin@gmail.com; cadams@eecs.uottawa.ca; > gen-art@ietf.org > Cc: pkix@ietf.org; Black, David > Subject: RE: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 > > Hi Piyush, > > The usual backwards compatibility concern is mixed new/legacy > deployments. > In this case, the specifics appear to be: > > New clients with legacy servers cannot expect to see "revoked" in this case. > This matters because a hypothetical client coded to depend on a "revoked" > response in this case won't work correctly with legacy servers (even though > it'd be rather questionable to code that dependency into a new client - never > underestimate the creativity and cleverness of implementers). > > New servers with legacy clients risk breaking clients that can't cope with > "revoked" in this case, as you noted: > > >>> any other approach would break backward compatibility with legacy > >>> clients. > > Both of these are justifications for "optional", as these RFCs apply to both > clients and servers. > > Thanks, > --David > > > -----Original Message----- > > From: Piyush Jain [mailto:piyush@ditenity.com] > > Sent: Friday, March 29, 2013 1:13 PM > > To: 'Stefan Santesson'; Black, David; sts@aaa-sec.com; > > mmyers@fastq.com; ambarish@gmail.com; slava.galperin@gmail.com; > > cadams@eecs.uottawa.ca; gen- art@ietf.org > > Cc: pkix@ietf.org > > Subject: RE: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 > > > > Not arguing that it should be required. I'm with you on keeping it optional. > > > > It is your statement about backward compatibility to justify it that > > is incorrect. > > Backward compatibility "with deployments of RFC2560" is not affected > > in either case. Legacy clients will continue to work whether you make > > it required or optional. > > > > You probably meant "maintain compliance with RFC 2560 and RFC 5019." > > > > -Piyush > > > > > -----Original Message----- > > > From: Stefan Santesson [mailto:stefan@aaa-sec.com] > > > Sent: Friday, March 29, 2013 9:37 AM > > > To: Piyush Jain; 'Black, David'; sts@aaa-sec.com; mmyers@fastq.com; > > > ambarish@gmail.com; slava.galperin@gmail.com; > > > cadams@eecs.uottawa.ca; gen-art@ietf.org > > > Cc: pkix@ietf.org; ietf@ietf.org > > > Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 > > > > > > On 3/29/13 5:17 PM, "Piyush Jain" wrote: > > > > > > >' "revoked" status is still optional in this context in order to > > > >maintain backwards compatibility with deployments of RFC 2560.' > > > > > > > >I fail to understand this statement about backward compatibility. > > > >How does "revoked" being "optional/required breaks backward > > > compatibility? > > > >The only reason cited in the WG discussions to use revoked for > > > >"not-issued" > > > >was that any other approach would break backward compatibility with > > > >legacy clients. And now the draft says that revoked is optional > > > >because making it required won't be backward compatible. > > > > > > Yes. Making it required would prohibit other valid ways to respond > > > to this situation that is allowed by RFC 2560 and RFC 5019. > > > Such as responding "good" or responding with "unauthorized" error. > > > > > > > > > > >And it gives the impression that best course of action for 2560bis > > > >responders is to start issuing revoked for "not-issued", which is > > > >far from the originally stated goal to provide a way for CAs to be > > > >able to return revoked for such serial numbers. > > > > > > The latter is what optional means. > > > > > > /Stefan > > > > > > > From stefan@aaa-sec.com Fri Mar 29 12:56:31 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B769F21F8900 for ; Fri, 29 Mar 2013 12:56:31 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.249 X-Spam-Level: X-Spam-Status: No, score=-102.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vJYc1XduFEf4 for ; Fri, 29 Mar 2013 12:56:31 -0700 (PDT) Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id 5A76721F86A8 for ; Fri, 29 Mar 2013 12:56:30 -0700 (PDT) Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id 7A17A1F0CCBA for ; Fri, 29 Mar 2013 20:56:28 +0100 (CET) X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id Dvx7US9pHNCf for ; Fri, 29 Mar 2013 20:56:28 +0100 (CET) Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 036551F0CCBD for ; Fri, 29 Mar 2013 20:56:28 +0100 (CET) Received: (qmail 16644 invoked from network); 29 Mar 2013 19:56:27 -0000 Received: from 81-236-19-140-no39.tbcn.telia.com (HELO [192.168.1.69]) (stefan@fiddler.nu@[81.236.19.140]) (envelope-sender ) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 29 Mar 2013 19:56:27 -0000 User-Agent: Microsoft-MacOutlook/14.3.2.130206 Date: Fri, 29 Mar 2013 20:56:22 +0100 From: Stefan Santesson To: Piyush Jain , "'Black, David'" , , , , , , Message-ID: Thread-Topic: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 In-Reply-To: <012f01ce2ca0$9eaf4840$dc0dd8c0$@ditenity.com> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Cc: pkix@ietf.org Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Mar 2013 19:56:31 -0000 On 3/29/13 6:12 PM, "Piyush Jain" wrote: >It is your statement about backward compatibility to justify it that is >incorrect. >Backward compatibility "with deployments of RFC2560" is not affected in >either case. Legacy clients will continue to work whether you make it >required or optional. Legacy servers won't /Stefan From tmiller@mitre.org Fri Mar 29 13:19:14 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3523321F8C11 for ; Fri, 29 Mar 2013 13:19:14 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.599 X-Spam-Level: X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Iu8bvHJ-VR4n for ; Fri, 29 Mar 2013 13:19:12 -0700 (PDT) Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 7EC7B21F8C10 for ; Fri, 29 Mar 2013 13:19:12 -0700 (PDT) Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id BFB691F0925; Fri, 29 Mar 2013 16:19:11 -0400 (EDT) Received: from IMCCAS02.MITRE.ORG (imccas02.mitre.org [129.83.29.79]) by smtpksrv1.mitre.org (Postfix) with ESMTP id B016F1F023D; Fri, 29 Mar 2013 16:19:11 -0400 (EDT) Received: from IMCMBX01.MITRE.ORG ([169.254.1.87]) by IMCCAS02.MITRE.ORG ([129.83.29.69]) with mapi id 14.02.0342.003; Fri, 29 Mar 2013 16:18:52 -0400 From: "Miller, Timothy J." To: Stefan Santesson , Santosh Chokhani , Piyush Jain , 'pkix' Thread-Topic: [pkix] URI Name Constraint and URN Thread-Index: AQHOK9BO9dgaluVHQ+eSP3hIs2otNpi7jNWAgAGT84D///lyiA== Date: Fri, 29 Mar 2013 20:18:52 +0000 Message-ID: <195DB2510AAA004391F58E28FCE2120008DBFC63@IMCMBX01.MITRE.ORG> References: , In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [129.83.31.52] Content-Type: multipart/alternative; boundary="_000_195DB2510AAA004391F58E28FCE2120008DBFC63IMCMBX01MITREOR_" MIME-Version: 1.0 Subject: Re: [pkix] URI Name Constraint and URN X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Mar 2013 20:19:14 -0000 --_000_195DB2510AAA004391F58E28FCE2120008DBFC63IMCMBX01MITREOR_ Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable If the NC for URIs included the scheme-part, then a NC could apply to a URL= (or other URI with a host-part in the hierarchical-part) without impacting= a URN (which lacks a hierarchical-part entirely). Unfortunately I don't s= ee a way to do this in a backward compatible way. Alternatively an exclusion clause for the URN scheme in 4.2.1.10 would have= a similar effect, but that seems ugly to me. -- T ________________________________ From: pkix-bounces@ietf.org [pkix-bounces@ietf.org] on behalf of Stefan San= tesson [stefan@aaa-sec.com] Sent: Friday, March 29, 2013 11:30 To: Santosh Chokhani; Piyush Jain; 'pkix' Subject: Re: [pkix] URI Name Constraint and URN From: Santosh Chokhani > Date: Thursday, March 28, 2013 5:24 PM To: Stefan Santesson >, Piyus= h Jain >, 'pkix' > Subject: Re: [pkix] URI Name Constraint and URN Stefan, URN by definition do not have =93authority=94 component are not hierarchica= l. You are simply parroting what 5280 says and not explaining what the use of = meaning of doing this is. May be you should explain how an upstream CA will permit URN and still cons= train URL. I wish I could but I can't. Not given the current definition of name constr= aints. If you contrain URL in permitted subtree, I can't see given the current sta= ndard, how you could allow a URN as matching that constraint. Other than of course stick it into a new otherName instead of the SAN URI. Maybe that would be your best bet as you in any case can't rely on standard= client behaviour to handle this. /Stefan --_000_195DB2510AAA004391F58E28FCE2120008DBFC63IMCMBX01MITREOR_ Content-Type: text/html; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable

If the NC for URIs included the scheme-part, then a NC could apply to a = URL (or other URI with a host-part in the hierarchical-part) without impact= ing a URN (which lacks a hierarchical-part entirely).  Unfortunat= ely I don't see a way to do this in a backward compatible way. 

 

Alternatively an exclusion clause for the URN scheme in 4.2.1.10 would h= ave a similar effect, but that seems ugly to me.

 

-- T 

 

 

From: pkix-bounces@ietf.org [pkix-bounces@= ietf.org] on behalf of Stefan Santesson [stefan@aaa-sec.com]
Sent: Friday, March 29, 2013 11:30
To: Santosh Chokhani; Piyush Jain; 'pkix'
Subject: Re: [pkix] URI Name Constraint and URN

From: Santosh Chokhani <SChokhani@cygnacom.com>
Date: Thursday, March 28, 2013 5:2= 4 PM
To: Stefan Santesson <stefan@aaa-sec.com>= , Piyush Jain <= piyush@ditenity.com>, 'pkix' <pkix@ietf.org>
Subject: Re: [pkix] URI Name Const= raint and URN

Stefan,

 

URN by definition do not have =93auth= ority=94 component are not hierarchical.

 

You are simply parroting what 5280 sa= ys and not explaining what the use of meaning of doing this is.

 

May be you should explain how an upst= ream CA will permit URN and still constrain URL.

I wish I could but I can't. Not given the current definition of name c= onstraints.

If you contrain URL in permitted subtree, I can't see given the curren= t standard, how you could allow a URN as matching that constraint.
Other than of course stick it into a new otherName instead of the SAN = URI.

Maybe that would be your best bet as you in any case can't rely on sta= ndard client behaviour to handle this.

/Stefan
--_000_195DB2510AAA004391F58E28FCE2120008DBFC63IMCMBX01MITREOR_-- From SChokhani@cygnacom.com Fri Mar 29 13:25:17 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 984FD21F8B15 for ; Fri, 29 Mar 2013 13:25:17 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.555 X-Spam-Level: X-Spam-Status: No, score=-2.555 tagged_above=-999 required=5 tests=[AWL=0.043, BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vm9X0sPnxTa7 for ; Fri, 29 Mar 2013 13:25:16 -0700 (PDT) Received: from ipedge1.cygnacom.com (ipedge1.cygnacom.com [216.191.252.12]) by ietfa.amsl.com (Postfix) with ESMTP id B1B4921F89E2 for ; Fri, 29 Mar 2013 13:25:15 -0700 (PDT) X-IronPort-AV: E=Sophos;i="4.87,374,1363147200"; d="scan'208,217";a="8428885" Received: from unknown (HELO scygexch7.cygnacom.com) ([10.4.60.22]) by ipedge1.cygnacom.com with ESMTP; 29 Mar 2013 16:25:13 -0400 Received: from scygexch7.cygnacom.com ([::1]) by scygexch7.cygnacom.com ([::1]) with mapi; Fri, 29 Mar 2013 16:25:13 -0400 From: Santosh Chokhani To: "Miller, Timothy J." , Stefan Santesson , Piyush Jain , 'pkix' Date: Fri, 29 Mar 2013 16:25:12 -0400 Thread-Topic: [pkix] URI Name Constraint and URN Thread-Index: AQHOK9BO9dgaluVHQ+eSP3hIs2otNpi7jNWAgAGT84D///lyiIAABM+w Message-ID: References: , <195DB2510AAA004391F58E28FCE2120008DBFC63@IMCMBX01.MITRE.ORG> In-Reply-To: <195DB2510AAA004391F58E28FCE2120008DBFC63@IMCMBX01.MITRE.ORG> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: multipart/alternative; boundary="_000_B83745DA469B7847811819C5005244AFF3DC9D48scygexch7cygnac_" MIME-Version: 1.0 Subject: Re: [pkix] URI Name Constraint and URN X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Mar 2013 20:25:17 -0000 --_000_B83745DA469B7847811819C5005244AFF3DC9D48scygexch7cygnac_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Tim, I think using URN is risky. May be the profile owners can be convinced to = put these name in other names as Stefan suggested and transition over time = to newer profiles. From: Miller, Timothy J. [mailto:tmiller@mitre.org] Sent: Friday, March 29, 2013 4:19 PM To: Stefan Santesson; Santosh Chokhani; Piyush Jain; 'pkix' Subject: RE: [pkix] URI Name Constraint and URN If the NC for URIs included the scheme-part, then a NC could apply to a URL= (or other URI with a host-part in the hierarchical-part) without impacting= a URN (which lacks a hierarchical-part entirely). Unfortunately I don't s= ee a way to do this in a backward compatible way. Alternatively an exclusion clause for the URN scheme in 4.2.1.10 would have= a similar effect, but that seems ugly to me. -- T ________________________________ From: pkix-bounces@ietf.org [pkix-bounces@iet= f.org] on behalf of Stefan Santesson [stefan@aaa-sec.com] Sent: Friday, March 29, 2013 11:30 To: Santosh Chokhani; Piyush Jain; 'pkix' Subject: Re: [pkix] URI Name Constraint and URN From: Santosh Chokhani > Date: Thursday, March 28, 2013 5:24 PM To: Stefan Santesson >, Piyus= h Jain >, 'pkix' > Subject: Re: [pkix] URI Name Constraint and URN Stefan, URN by definition do not have "authority" component are not hierarchical. You are simply parroting what 5280 says and not explaining what the use of = meaning of doing this is. May be you should explain how an upstream CA will permit URN and still cons= train URL. I wish I could but I can't. Not given the current definition of name constr= aints. If you contrain URL in permitted subtree, I can't see given the current sta= ndard, how you could allow a URN as matching that constraint. Other than of course stick it into a new otherName instead of the SAN URI. Maybe that would be your best bet as you in any case can't rely on standard= client behaviour to handle this. /Stefan --_000_B83745DA469B7847811819C5005244AFF3DC9D48scygexch7cygnac_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Tim,=

 

I think using URN is risky.  May be the prof= ile owners can be convinced to put these name in other names as Stefan sugg= ested and transition over time to newer profiles.

 

From: Miller, Timothy J. [mailto:tmiller@mitre.org]
Sent:= Friday, March 29, 2013 4:19 PM
To: Stefan Santesson; Santosh= Chokhani; Piyush Jain; 'pkix'
Subject: RE: [pkix] URI Name Const= raint and URN

&n= bsp;

If the NC for URIs included the scheme-part, then= a NC could apply to a URL (or other URI with a host-part in the hierarchic= al-part) without impacting a URN (which lacks a hierarchical-part entirely)= .  Unfortunately I don't see a way to do this in a backward = compatible way. 

 =

Alternatively an exclusion clause for the URN scheme in 4.2.1.10= would have a similar effect, but that seems ugly to me.<= /p>

 

-- T 

 

 

From: pkix= -bounces@ietf.org [pkix-bounces@ietf.org] on behalf of Stefan Santesson= [stefan@aaa-sec.com]
Sent: Friday, March 29, 2013 11:30
To= : Santosh Chokhani; Piyush Jain; 'pkix'
Subject: Re: [pkix] U= RI Name Constraint and URN

From: = Santosh Chokhani <SChokhani@cygnacom.com<= span style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";color:bla= ck'>>

Date: Thursday, March 28,= 2013 5:24 PM
To: Stefan Santesson <stefan@aaa-sec.com>, Piyush Jain <<= a href=3D"mailto:piyush@ditenity.com" target=3D"_blank">piyush@ditenity.com= >, 'pkix' <pki= x@ietf.org>
Subject: Re: [pkix] URI Name Constraint and UR= N

 

Stefan,

 

URN by definition = do not have “authority” component are not hierarchical.<= span style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";color:bla= ck'>

 

You are simply parrot= ing what 5280 says and not explaining what the use of meaning of doing this= is.

 

May be = you should explain how an upstream CA will permit URN and still constrain U= RL.

 

I wish I could but I can't. Not g= iven the current definition of name constraints.

 

If you = contrain URL in permitted subtree, I can't see given the current standard, = how you could allow a URN as matching that constraint.

Other than of = course stick it into a new otherName instead of the SAN URI.

&nb= sp;

Maybe that would be your best bet as you in any case can't rely on sta= ndard client behaviour to handle this.

 

/Stefan

= --_000_B83745DA469B7847811819C5005244AFF3DC9D48scygexch7cygnac_-- From internet-drafts@ietf.org Fri Mar 29 13:34:22 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6D8921F8EDF; Fri, 29 Mar 2013 13:34:22 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.516 X-Spam-Level: X-Spam-Status: No, score=-102.516 tagged_above=-999 required=5 tests=[AWL=0.084, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QIQBAZxH3FoD; Fri, 29 Mar 2013 13:34:22 -0700 (PDT) Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AAEA21F8D11; Fri, 29 Mar 2013 13:34:22 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable From: internet-drafts@ietf.org To: i-d-announce@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 4.43 Message-ID: <20130329203422.30472.94494.idtracker@ietfa.amsl.com> Date: Fri, 29 Mar 2013 13:34:22 -0700 Cc: pkix@ietf.org Subject: [pkix] I-D Action: draft-ietf-pkix-est-06.txt X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Mar 2013 20:34:23 -0000 A New Internet-Draft is available from the on-line Internet-Drafts director= ies. This draft is a work item of the Public-Key Infrastructure (X.509) Working= Group of the IETF. Title : Enrollment over Secure Transport Author(s) : Max Pritikin Peter E. Yee Dan Harkins Filename : draft-ietf-pkix-est-06.txt Pages : 49 Date : 2013-03-29 Abstract: This document profiles certificate enrollment for clients using Certificate Management over CMS (CMC) messages over a secure transport. This profile, called Enrollment over Secure Transport (EST), describes a simple yet functional certificate management protocol targeting Public Key Infrastructure (PKI) clients that need to acquire client certificates and associated Certification Authority (CA) certificate(s). It also supports client-generated public/ private key pairs as well as key pairs generated by the CA. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-pkix-est There's also a htmlized version available at: http://tools.ietf.org/html/draft-ietf-pkix-est-06 A diff from the previous version is available at: http://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-pkix-est-06 Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ From piyush@ditenity.com Fri Mar 29 14:06:48 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B405021F95DF for ; Fri, 29 Mar 2013 14:06:48 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.854 X-Spam-Level: X-Spam-Status: No, score=-2.854 tagged_above=-999 required=5 tests=[AWL=0.745, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JxiDuppwswnn for ; Fri, 29 Mar 2013 14:06:47 -0700 (PDT) Received: from mail-gh0-f181.google.com (mail-gh0-f181.google.com [209.85.160.181]) by ietfa.amsl.com (Postfix) with ESMTP id 8353421F95E1 for ; Fri, 29 Mar 2013 14:06:44 -0700 (PDT) Received: by mail-gh0-f181.google.com with SMTP id 3so77788ghz.26 for ; Fri, 29 Mar 2013 14:06:44 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-type:content-transfer-encoding :x-mailer:thread-index:content-language:x-gm-message-state; bh=O8aVT+jGyoO8hV9o0JyKr5lYJzFt2VizUjM8F53BOF4=; b=iDpL8EwGV4scebHWhdHQaR9dI53OUUjq5UdiRvxBIhut1HwmNOPddpYgQmbojUBBCi ik7aKw2MiKaG8rO+FIODeJyt+yft52uKaIpnuwu26By9tS2Ohw+WW3ddeLZTG3Z6RJjL ykETpoSaRMDy7Aghe4hAmJFTUyydq5tNoVqr620DbtoEhz6FTm6B9Hg8j1akVwyNXttM 5RGLABi7H0J0v1szZ9u5RJ9R+IIM7NWH1thw5IdZsVVrXTP4enSWXs8J7MCZwvO4aCPg auAIgWP2KWrF0RpqwP64smUPX0I5Ocn4Me1tF5Fc1Of8jEDeOg47jAK8XGBUB+w0IheX W4+w== X-Received: by 10.236.112.232 with SMTP id y68mr1399006yhg.15.1364591204067; Fri, 29 Mar 2013 14:06:44 -0700 (PDT) Received: from hp13 (75-25-128-241.lightspeed.sjcpca.sbcglobal.net. [75.25.128.241]) by mx.google.com with ESMTPS id x33sm3558480yhn.18.2013.03.29.14.06.42 (version=TLSv1 cipher=RC4-SHA bits=128/128); Fri, 29 Mar 2013 14:06:43 -0700 (PDT) From: "Piyush Jain" To: "'Stefan Santesson'" , "'Black, David'" , , , , , , References: <012f01ce2ca0$9eaf4840$dc0dd8c0$@ditenity.com> In-Reply-To: Date: Fri, 29 Mar 2013 14:06:38 -0700 Message-ID: <01bc01ce2cc1$4f80e280$ee82a780$@ditenity.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Outlook 14.0 thread-index: AQKoO57n93xm6dsdTwwJv/h02J257JcJCl3Q Content-Language: en-us X-Gm-Message-State: ALoCoQmoIrRHhlKP2LBtJl1RhONK0zeb4vjHYqmj7VwxkkBcuInmx+M7o4sBEwI4Q6Cl3Hf+xHfz Cc: pkix@ietf.org Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Mar 2013 21:06:48 -0000 Not sure if I understand. Are you saying legacy servers won't work with 2560bis clients? > On 3/29/13 6:12 PM, "Piyush Jain" wrote: > > >It is your statement about backward compatibility to justify it that is > >incorrect. > >Backward compatibility "with deployments of RFC2560" is not affected in > >either case. Legacy clients will continue to work whether you make it > >required or optional. > > Legacy servers won't > > /Stefan > From piyush@ditenity.com Fri Mar 29 16:42:52 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDD1B21F8B6E for ; Fri, 29 Mar 2013 16:42:52 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.911 X-Spam-Level: X-Spam-Status: No, score=-2.911 tagged_above=-999 required=5 tests=[AWL=0.688, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JraWz-L5ld-a for ; Fri, 29 Mar 2013 16:42:52 -0700 (PDT) Received: from mail-qa0-f44.google.com (mail-qa0-f44.google.com [209.85.216.44]) by ietfa.amsl.com (Postfix) with ESMTP id 59D8121F8B64 for ; Fri, 29 Mar 2013 16:42:52 -0700 (PDT) Received: by mail-qa0-f44.google.com with SMTP id o13so137770qaj.10 for ; Fri, 29 Mar 2013 16:42:51 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:from:to:subject:date:message-id:mime-version :content-type:content-transfer-encoding:x-mailer:thread-index :content-language:x-gm-message-state; bh=mPKWo7XyjDOmanHhZXuCeqfO1XNWhT152dpYaqYi5MI=; b=S6C/DBVvOeu+Qp1TUn0x7HWtDGGXMMocF2iDVqKJJYRLr2VV9iHkRO30jPbEIryELE ZtKrn+27RJsfQvOS2gQReQXoCvapc957iaeY6Hj4NppHQZn6Tyknkva3PtIKQh0gcMXS M7c0XtHYYmOz1s1MPSopYbssU/hlsYpJj+iEiFBdeuQsBZ3IZNC1vnUSDGT72BO96w8v PeJeGCZg+T5rmi3jL6QE9I+dAEt/w78AS4j9TNE369mddixGwWJmc//deS2dIFN+fy0j 48OvKUoiupG9ttsMkY9ltntcaZmjFvTONnz41zJuWR6l/pmnsaSaueMjDKC7YPcmt7EL Pa2Q== X-Received: by 10.229.157.200 with SMTP id c8mr1897925qcx.103.1364600571792; Fri, 29 Mar 2013 16:42:51 -0700 (PDT) Received: from hp13 (75-25-128-241.lightspeed.sjcpca.sbcglobal.net. [75.25.128.241]) by mx.google.com with ESMTPS id dr7sm10084320qab.5.2013.03.29.16.42.50 (version=TLSv1 cipher=RC4-SHA bits=128/128); Fri, 29 Mar 2013 16:42:51 -0700 (PDT) From: "Piyush Jain" To: Date: Fri, 29 Mar 2013 16:42:47 -0700 Message-ID: <020d01ce2cd7$1f100f20$5d302d60$@ditenity.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Outlook 14.0 thread-index: Ac4s1gkQPK+zSsOLRROvKoU9ruasaQ== Content-Language: en-us X-Gm-Message-State: ALoCoQlAoWYUnnEjL5O/kMCiLDYBgv6aQhheqnawYHX6UG96cMuwyfnsFNpOlAo5TM//RMxWfrZf Subject: [pkix] Extended Validation Certificate OIDs X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Mar 2013 23:42:53 -0000 Hi list, It seems that every CA that issues an EV certificate today uses a different certificate policy OID to indicate extended validation. Is there a reason why EV OID is not standardized? Thanks -Piyush From stefan@aaa-sec.com Fri Mar 29 17:21:03 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A95151F0D0B for ; Fri, 29 Mar 2013 17:21:03 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.186 X-Spam-Level: X-Spam-Status: No, score=-102.186 tagged_above=-999 required=5 tests=[AWL=0.064, BAYES_00=-2.599, HELO_EQ_SE=0.35, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id edyZl9awgiPp for ; Fri, 29 Mar 2013 17:21:03 -0700 (PDT) Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id 1E35F1F0D07 for ; Fri, 29 Mar 2013 17:21:02 -0700 (PDT) Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id 8DB941F148A7 for ; Sat, 30 Mar 2013 01:21:00 +0100 (CET) X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id DBT9iWxIH5CK for ; Sat, 30 Mar 2013 01:21:00 +0100 (CET) Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 4BAA41F148A3 for ; Sat, 30 Mar 2013 01:21:00 +0100 (CET) Received: (qmail 38793 invoked from network); 30 Mar 2013 00:20:59 -0000 Received: from 81-232-51-61-no39.business.telia.com (HELO [192.168.0.104]) (stefan@fiddler.nu@[81.232.51.61]) (envelope-sender ) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 30 Mar 2013 00:20:59 -0000 User-Agent: Microsoft-MacOutlook/14.3.2.130206 Date: Sat, 30 Mar 2013 01:20:34 +0100 From: Stefan Santesson To: Piyush Jain , "'Black, David'" , , , , , , Message-ID: Thread-Topic: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 In-Reply-To: <01bc01ce2cc1$4f80e280$ee82a780$@ditenity.com> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Cc: pkix@ietf.org Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 30 Mar 2013 00:21:03 -0000 Legacy servers would not comply with RFC2560bis IF revoked response for non issued certs would be required. /Stefan On 3/29/13 10:06 PM, "Piyush Jain" wrote: >Not sure if I understand. >Are you saying legacy servers won't work with 2560bis clients? > >> On 3/29/13 6:12 PM, "Piyush Jain" wrote: >> >> >It is your statement about backward compatibility to justify it that is >> >incorrect. >> >Backward compatibility "with deployments of RFC2560" is not affected in >> >either case. Legacy clients will continue to work whether you make it >> >required or optional. >> >> Legacy servers won't >> >> /Stefan >> > > From yngve@spec-work.net Fri Mar 29 17:39:35 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C083C21F8EC8 for ; Fri, 29 Mar 2013 17:39:34 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0K527FMwWms2 for ; Fri, 29 Mar 2013 17:39:34 -0700 (PDT) Received: from smtp.domeneshop.no (smtp.domeneshop.no [194.63.252.54]) by ietfa.amsl.com (Postfix) with ESMTP id 05DC821F8EC2 for ; Fri, 29 Mar 2013 17:39:34 -0700 (PDT) Received: from 239.171.251.212.customer.cdi.no ([212.251.171.239]:64526 helo=killashandra.invalid.invalid) by smtp.domeneshop.no with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from ) id 1ULjpU-0003Vd-CJ for pkix@ietf.org; Sat, 30 Mar 2013 01:39:32 +0100 Content-Type: text/plain; charset=iso-8859-15; format=flowed; delsp=yes To: pkix@ietf.org References: <020d01ce2cd7$1f100f20$5d302d60$@ditenity.com> Date: Sat, 30 Mar 2013 01:39:22 +0100 MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: "Yngve N. Pettersen" Message-ID: In-Reply-To: <020d01ce2cd7$1f100f20$5d302d60$@ditenity.com> User-Agent: Opera Mail/12.14 (Win32) Subject: Re: [pkix] Extended Validation Certificate OIDs X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 30 Mar 2013 00:39:35 -0000 On Sat, 30 Mar 2013 00:42:47 +0100, Piyush Jain wrote: > Hi list, > > It seems that every CA that issues an EV certificate today uses a > different > certificate policy OID to indicate extended validation. > Is there a reason why EV OID is not standardized? Each browser able to recognize EV certificates enable each Root *individually* as being able to issue EV certificates, this is based on evaluation of audits for the Root CA and agreements between the Root CA and the browser vendor. For that reason it does not really matter which OID is used, so each CA can obtain their own OID. It is also not desirable that any CA can insert an OID and be automatically considered to have issued an EV certificate. In addition, theoretically, every subordinate CA under an EV-enabled Root can be provided with a distinct EV-OID different from the EV-OID(s) used by any other subordinate CA under that root, with the EV-OID being filtered in the certificate of the subordinate CA. This system (which is not actually in use) would allow a CA to ask the browsers to turn off EV for a specific subordinate CA that is (for whatever reason) no longer qualified to issue EV certificates, without affecting the other subordinate CAs or revoking that subordinate CA's certificate. At present I am aware of one case where a CA is using two EV-OIDs, one for general sites, and one for a special class of certificates issued to government sites in that country. -- Sincerely, Yngve N. Pettersen Using Opera's mail client: http://www.opera.com/mail/ From piyush@ditenity.com Fri Mar 29 17:55:30 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 399C721F8733 for ; Fri, 29 Mar 2013 17:55:30 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.003 X-Spam-Level: X-Spam-Status: No, score=-3.003 tagged_above=-999 required=5 tests=[AWL=0.596, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oqeE4AyFze58 for ; Fri, 29 Mar 2013 17:55:29 -0700 (PDT) Received: from mail-qe0-f52.google.com (mail-qe0-f52.google.com [209.85.128.52]) by ietfa.amsl.com (Postfix) with ESMTP id 8E6A921F872E for ; Fri, 29 Mar 2013 17:55:29 -0700 (PDT) Received: by mail-qe0-f52.google.com with SMTP id jy17so480443qeb.39 for ; Fri, 29 Mar 2013 17:55:29 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-type:content-transfer-encoding :x-mailer:thread-index:content-language:x-gm-message-state; bh=XncH86Qa+MF2FQYtXKhAn7ydFvwff1QJguITGGGw4OI=; b=TA9pjbkLC1temdC78VY8t1f4iAPbVzgCl6NUsa8QDTDlXONZX4CFlATl5yIU0LWJEr p1Bog2U1QmG147zannzOXnmndKXpjXkPgetABsvnhyWn5YkX4ZrhsF8OG8h0TtMUEywd zqHYuX1JI0HLoTOf+b6oDUhsN966cCaGNcEU1afyPCktVxd6BoRqdoDKJN11kd5gfRgY qkkLozAZS6h7IhHwYTVObfob4tmTy9q4hen5QH+vFyAM54PCZwNtVKF3kSYFGbSA2FeR whoFvHCVu3vbuFPalN1gSM65F5NyfUcPWUBa8FA0WAl6S3XuUhJAbKmoxDuRgkW/zzyh ipVw== X-Received: by 10.229.72.195 with SMTP id n3mr1880673qcj.136.1364604928981; Fri, 29 Mar 2013 17:55:28 -0700 (PDT) Received: from hp13 (75-25-128-241.lightspeed.sjcpca.sbcglobal.net. [75.25.128.241]) by mx.google.com with ESMTPS id gw9sm10385303qab.10.2013.03.29.17.55.27 (version=TLSv1 cipher=RC4-SHA bits=128/128); Fri, 29 Mar 2013 17:55:28 -0700 (PDT) From: "Piyush Jain" To: "'Stefan Santesson'" , "'Black, David'" , , , , , , References: <01bc01ce2cc1$4f80e280$ee82a780$@ditenity.com> In-Reply-To: Date: Fri, 29 Mar 2013 17:55:24 -0700 Message-ID: <023401ce2ce1$44448cd0$cccda670$@ditenity.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Outlook 14.0 thread-index: AQIQHut5P1ALIp35y89UiDxtCrrCl5g5gxKg Content-Language: en-us X-Gm-Message-State: ALoCoQl+nb4AVX2Tmr4LFYnKfYMBXJ8dYL6ocOf9WCg2F9CkrLB4pElXqoTZ7Y8RRYnXYMWXyOG+ Cc: pkix@ietf.org Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 30 Mar 2013 00:55:30 -0000 Agreed. The text, however incorrectly states "revoked" status is still optional in this context in order to maintain backwards compatibility with deployments of RFC 2560.' Please note the subtle difference between being backward compatible with deployments and being compliant with standards. > -----Original Message----- > From: Stefan Santesson [mailto:stefan@aaa-sec.com] > Sent: Friday, March 29, 2013 5:21 PM > To: Piyush Jain; 'Black, David'; sts@aaa-sec.com; mmyers@fastq.com; > ambarish@gmail.com; slava.galperin@gmail.com; cadams@eecs.uottawa.ca; > gen-art@ietf.org > Cc: pkix@ietf.org > Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 > > Legacy servers would not comply with RFC2560bis IF revoked response for > non issued certs would be required. > > /Stefan > > On 3/29/13 10:06 PM, "Piyush Jain" wrote: > > >Not sure if I understand. > >Are you saying legacy servers won't work with 2560bis clients? > > > >> On 3/29/13 6:12 PM, "Piyush Jain" wrote: > >> > >> >It is your statement about backward compatibility to justify it that > >> >is incorrect. > >> >Backward compatibility "with deployments of RFC2560" is not affected > >> >in either case. Legacy clients will continue to work whether you > >> >make it required or optional. > >> > >> Legacy servers won't > >> > >> /Stefan > >> > > > > > From piyush@ditenity.com Fri Mar 29 18:08:50 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38B5421F8E9A for ; Fri, 29 Mar 2013 18:08:50 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.04 X-Spam-Level: X-Spam-Status: No, score=-3.04 tagged_above=-999 required=5 tests=[AWL=0.559, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TKO35DRVE8V4 for ; Fri, 29 Mar 2013 18:08:48 -0700 (PDT) Received: from mail-qa0-f48.google.com (mail-qa0-f48.google.com [209.85.216.48]) by ietfa.amsl.com (Postfix) with ESMTP id 5C0B921F8E94 for ; Fri, 29 Mar 2013 18:08:48 -0700 (PDT) Received: by mail-qa0-f48.google.com with SMTP id hu16so153811qab.7 for ; Fri, 29 Mar 2013 18:08:44 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:from:to:references:in-reply-to:subject:date:message-id :mime-version:content-type:content-transfer-encoding:x-mailer :thread-index:content-language:x-gm-message-state; bh=0GGt7lKZA2Wcvu6BiD7RFj7sxKkDDrKATDwgJeQ/UAs=; b=Ccc3GqXe2ScuZ7E27vd1xOV3S89TNWj3fuaP14uh+vy/rTtUIAX7p3IJ2ErQiNHmJZ 5dQzLwmw0+n36W7nuNKVQWAIqPf2Kva08u+DGdX0W6HHE2hNtTcO/+hI18BnBq08uTEW r5R2Wy7MzWyf+4MhuRKryBYXa5VTSQMQmoImln1UcEadrpxXnfkqQB0vJR9747EE9XWm brVrmEYPbxw2bpN3mEcTD9U+H9hKEmkr4n+uP7zf9/LW+1Oi0wO3XIOyP7GAqCFGxjz+ icbp4JwsYz0x3cuRF0cpE6YlfVOtY/SaLj96k9A6AE4CkWj85tTjBPNyhMqucMcL1md7 NaXA== X-Received: by 10.229.136.69 with SMTP id q5mr1981929qct.108.1364605724361; Fri, 29 Mar 2013 18:08:44 -0700 (PDT) Received: from hp13 (75-25-128-241.lightspeed.sjcpca.sbcglobal.net. [75.25.128.241]) by mx.google.com with ESMTPS id gw9sm10450269qab.10.2013.03.29.18.08.43 (version=TLSv1 cipher=RC4-SHA bits=128/128); Fri, 29 Mar 2013 18:08:43 -0700 (PDT) From: "Piyush Jain" To: "'Yngve N. Pettersen'" , References: <020d01ce2cd7$1f100f20$5d302d60$@ditenity.com> In-Reply-To: Date: Fri, 29 Mar 2013 18:08:40 -0700 Message-ID: <025501ce2ce3$1e3d1140$5ab733c0$@ditenity.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Outlook 14.0 thread-index: AQKHCCXI88YM8aSrS8ddm0ymz9gtoQGKwKttlz9dJtA= Content-Language: en-us X-Gm-Message-State: ALoCoQlFB/tpTW89GLPoNXV5ZqyshYAjAFbnhoA7IuvrNwh1VshWrrQi+/k+YgcdRCdfXa8uLde1 Subject: Re: [pkix] Extended Validation Certificate OIDs X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 30 Mar 2013 01:08:50 -0000 Thank Yngve. Am I correct to assume that the EV certificates are only issued to servers and browsers are the only known clients that make use of such certificates? I'm investigating the possibility of making use of EV status in closed environments where trust in the CA is established through a bridge and direct mapping of CA root to EV OID is not available to the RP. I guess the correct approach in this case would be to define yet another EV OID and propagate the EV information through policy mapping extensions in certs issued by the bridge. -Piyush > -----Original Message----- > From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of > Yngve N. Pettersen > Sent: Friday, March 29, 2013 5:39 PM > To: pkix@ietf.org > Subject: Re: [pkix] Extended Validation Certificate OIDs > > On Sat, 30 Mar 2013 00:42:47 +0100, Piyush Jain > wrote: > > > Hi list, > > > > It seems that every CA that issues an EV certificate today uses a > > different certificate policy OID to indicate extended validation. > > Is there a reason why EV OID is not standardized? > > Each browser able to recognize EV certificates enable each Root > *individually* as being able to issue EV certificates, this is based on > evaluation of audits for the Root CA and agreements between the Root CA > and the browser vendor. For that reason it does not really matter which OID > is used, so each CA can obtain their own OID. It is also not desirable that any > CA can insert an OID and be automatically considered to have issued an EV > certificate. > > In addition, theoretically, every subordinate CA under an EV-enabled Root > can be provided with a distinct EV-OID different from the EV-OID(s) used by > any other subordinate CA under that root, with the EV-OID being filtered in > the certificate of the subordinate CA. This system (which is not actually in > use) would allow a CA to ask the browsers to turn off EV for a specific > subordinate CA that is (for whatever reason) no longer qualified to issue EV > certificates, without affecting the other subordinate CAs or revoking that > subordinate CA's certificate. > > At present I am aware of one case where a CA is using two EV-OIDs, one for > general sites, and one for a special class of certificates issued to government > sites in that country. > > > -- > Sincerely, > Yngve N. Pettersen > > Using Opera's mail client: http://www.opera.com/mail/ > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix From yngve@spec-work.net Fri Mar 29 19:01:51 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69F6A21F8ED6 for ; Fri, 29 Mar 2013 19:01:51 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uhLicHbktGQG for ; Fri, 29 Mar 2013 19:01:50 -0700 (PDT) Received: from smtp.domeneshop.no (smtp.domeneshop.no [194.63.252.54]) by ietfa.amsl.com (Postfix) with ESMTP id 4D37121F8ED4 for ; Fri, 29 Mar 2013 19:01:49 -0700 (PDT) Received: from 239.171.251.212.customer.cdi.no ([212.251.171.239]:49611 helo=killashandra.invalid.invalid) by smtp.domeneshop.no with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from ) id 1ULl75-0004rj-Nr for pkix@ietf.org; Sat, 30 Mar 2013 03:01:47 +0100 Content-Type: text/plain; charset=iso-8859-15; format=flowed; delsp=yes To: "pkix@ietf.org" References: <020d01ce2cd7$1f100f20$5d302d60$@ditenity.com> <025501ce2ce3$1e3d1140$5ab733c0$@ditenity.com> Date: Sat, 30 Mar 2013 03:01:37 +0100 MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: "Yngve N. Pettersen" Message-ID: In-Reply-To: <025501ce2ce3$1e3d1140$5ab733c0$@ditenity.com> User-Agent: Opera Mail/12.14 (Win32) Subject: Re: [pkix] Extended Validation Certificate OIDs X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 30 Mar 2013 02:01:51 -0000 On Sat, 30 Mar 2013 02:08:40 +0100, Piyush Jain wrote: > Thank Yngve. > > Am I correct to assume that the EV certificates are only issued to > servers > and browsers are the only known clients that make use of such > certificates? There is also an EV spec for Object signing, and it is AFAIK used by security features in Windows 8. > I'm investigating the possibility of making use of EV status in closed > environments where trust in the CA is established through a bridge and > direct mapping of CA root to EV OID is not available to the RP. It is generally not possible to create your own private EV Root CA and get it accepted by browsers, unless you go through the route of getting your Root embedded in the client Rootstores, which require annual audits under WebTrust or ETSI for both Normal CA and Extended Validation. The only client that I am aware of that allow local control of the EV OID information is Windows Vista (MSIE) and newer, through special enterprise configuration mechanisms. In all other cases I believe the information is hardcoded in the executable, or as in the case of Opera, distributed in a digitally signed format. These restrictions exist because of the strict requirements for being allowed to issue EV certificates and to enable the EV indication. As for the most realistic options for acceptance in all browsers, you probably need to either establish an EV-enabled enterprise account with one of the recognized CAs or buy a Subordinate CA certificate from one that is allowed to issue EV certificates (which would require the full audit regime) > I guess the correct approach in this case would be to define yet another > EV > OID and propagate the EV information through policy mapping extensions in > certs issued by the bridge. > > -Piyush > >> -----Original Message----- >> From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of >> Yngve N. Pettersen >> Sent: Friday, March 29, 2013 5:39 PM >> To: pkix@ietf.org >> Subject: Re: [pkix] Extended Validation Certificate OIDs >> >> On Sat, 30 Mar 2013 00:42:47 +0100, Piyush Jain >> wrote: >> >> > Hi list, >> > >> > It seems that every CA that issues an EV certificate today uses a >> > different certificate policy OID to indicate extended validation. >> > Is there a reason why EV OID is not standardized? >> >> Each browser able to recognize EV certificates enable each Root >> *individually* as being able to issue EV certificates, this is based on >> evaluation of audits for the Root CA and agreements between the Root CA >> and the browser vendor. For that reason it does not really matter which > OID >> is used, so each CA can obtain their own OID. It is also not desirable > that any >> CA can insert an OID and be automatically considered to have issued an >> EV >> certificate. >> >> In addition, theoretically, every subordinate CA under an EV-enabled >> Root >> can be provided with a distinct EV-OID different from the EV-OID(s) used > by >> any other subordinate CA under that root, with the EV-OID being filtered > in >> the certificate of the subordinate CA. This system (which is not >> actually > in >> use) would allow a CA to ask the browsers to turn off EV for a specific >> subordinate CA that is (for whatever reason) no longer qualified to >> issue > EV >> certificates, without affecting the other subordinate CAs or revoking >> that >> subordinate CA's certificate. >> >> At present I am aware of one case where a CA is using two EV-OIDs, one >> for >> general sites, and one for a special class of certificates issued to > government >> sites in that country. >> >> >> -- >> Sincerely, >> Yngve N. Pettersen >> >> Using Opera's mail client: http://www.opera.com/mail/ >> _______________________________________________ >> pkix mailing list >> pkix@ietf.org >> https://www.ietf.org/mailman/listinfo/pkix > -- Sincerely, Yngve N. Pettersen Using Opera's mail client: http://www.opera.com/mail/ From stefan@aaa-sec.com Sat Mar 30 16:58:23 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 347AA21F88ED for ; Sat, 30 Mar 2013 16:58:23 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.195 X-Spam-Level: X-Spam-Status: No, score=-102.195 tagged_above=-999 required=5 tests=[AWL=0.054, BAYES_00=-2.599, HELO_EQ_SE=0.35, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xB3yQl-7C96M for ; Sat, 30 Mar 2013 16:58:22 -0700 (PDT) Received: from s87.loopia.se (s87.loopia.se [194.9.95.113]) by ietfa.amsl.com (Postfix) with ESMTP id 96E9121F8749 for ; Sat, 30 Mar 2013 16:58:21 -0700 (PDT) Received: from s87.loopia.se (localhost [127.0.0.1]) by s87.loopia.se (Postfix) with ESMTP id D861B1F2F708 for ; Sun, 31 Mar 2013 00:58:19 +0100 (CET) X-Virus-Scanned: amavisd-new at outgoing-smtp.loopia.se Received: from s87.loopia.se ([127.0.0.1]) by s87.loopia.se (s87.loopia.se [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 3141uzDtAYLC for ; Sun, 31 Mar 2013 00:58:19 +0100 (CET) Received: from s327.loopia.se (s34.loopia.se [194.9.94.70]) by s87.loopia.se (Postfix) with ESMTP id 97FC21F2F700 for ; Sun, 31 Mar 2013 00:58:19 +0100 (CET) Received: (qmail 564 invoked from network); 30 Mar 2013 23:58:19 -0000 Received: from 81-232-51-61-no39.business.telia.com (HELO [192.168.0.104]) (stefan@fiddler.nu@[81.232.51.61]) (envelope-sender ) by s327.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 30 Mar 2013 23:58:19 -0000 User-Agent: Microsoft-MacOutlook/14.3.2.130206 Date: Sun, 31 Mar 2013 00:58:13 +0100 From: Stefan Santesson To: Piyush Jain , "'Black, David'" , , , , , Message-ID: Thread-Topic: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 In-Reply-To: <023401ce2ce1$44448cd0$cccda670$@ditenity.com> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Cc: pkix@ietf.org Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 30 Mar 2013 23:58:23 -0000 On 3/30/13 1:55 AM, "Piyush Jain" wrote: >Agreed. > >The text, however incorrectly states >"revoked" status is still optional in this context in order to maintain >backwards compatibility with deployments of RFC 2560.' > >Please note the subtle difference between being backward compatible with >deployments and being compliant with standards. No I don't get it. And I'm really trying. This is what backward compatibility of a standard is. A standard is backwards compatible if any valid implementation of the old standard is also a valid implementation of the revised standard. /Stefan From piyush@ditenity.com Sat Mar 30 17:53:30 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5A2321F8749 for ; Sat, 30 Mar 2013 17:53:30 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.976 X-Spam-Level: X-Spam-Status: No, score=-0.976 tagged_above=-999 required=5 tests=[AWL=-1.572, BAYES_00=-2.599, DOS_OUTLOOK_TO_MX=1, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_EQ_LT4=0.442, RDNS_DYNAMIC=0.1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 24zdqwtE1-2v for ; Sat, 30 Mar 2013 17:53:30 -0700 (PDT) Received: from mail-qc0-x231.google.com (mail-qc0-x231.google.com [IPv6:2607:f8b0:400d:c01::231]) by ietfa.amsl.com (Postfix) with ESMTP id 379FF21F8726 for ; Sat, 30 Mar 2013 17:53:29 -0700 (PDT) Received: by mail-qc0-f177.google.com with SMTP id u28so643089qcs.22 for ; Sat, 30 Mar 2013 17:53:29 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-type:content-transfer-encoding :x-mailer:thread-index:content-language:x-gm-message-state; bh=TXtTjwDHOZFr+pgv0Xz5diIkh1iJ5owAk3sjEjEuFTY=; b=ISrGGWlAeQ17g5O4ldr6JkKzzNkHXjitNOuxEv9r5UINd/kQpLIsw3IYVHUgsiE9zg 81stmpN/XOviGpl/T3SfjbedLAwiTfKZwiVAgY+Oc8lnIoLI9ebaP1m2jWkobPWY7IXJ zihVQBGdt3doROEieYU3VjpbLjvfKJFLORWgMJpl/85s1OR9loYasqGjb2A0T6IpiAIN PsaREeJaVnYZgUnAe9ead9r4peo5znmLZV4YAsWXSKgrFBGOOUPp0rKAqbtqdb1Bc2wv 8Pc9UNxnO/qiwJWKHPFadA3hu8w+ntC/rZsqK3/GNc9sN3GNPDt0W+tywTt4jPrBDU5v aXOQ== X-Received: by 10.224.149.193 with SMTP id u1mr8530365qav.97.1364691209386; Sat, 30 Mar 2013 17:53:29 -0700 (PDT) Received: from hp13 (75-25-128-241.lightspeed.sjcpca.sbcglobal.net. [75.25.128.241]) by mx.google.com with ESMTPS id ku2sm13735600qeb.4.2013.03.30.17.53.27 (version=TLSv1 cipher=RC4-SHA bits=128/128); Sat, 30 Mar 2013 17:53:28 -0700 (PDT) From: "Piyush Jain" To: "'Stefan Santesson'" , "'Black, David'" , , , , , References: <023401ce2ce1$44448cd0$cccda670$@ditenity.com> In-Reply-To: Date: Sat, 30 Mar 2013 17:53:25 -0700 Message-ID: <033001ce2daa$2826e150$7874a3f0$@ditenity.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Outlook 14.0 thread-index: AQH+nYEO0mMdaySTI1Wq5Cz3Zlq4EZheELgg Content-Language: en-us X-Gm-Message-State: ALoCoQnRiNps2HnEJgLq2Hl2kRklcpte62CMr3lKZ9C8yjKhnEULDJR5vJxFBv5ZNNz8aONnJC86 Cc: pkix@ietf.org Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 31 Mar 2013 00:53:30 -0000 > This is what backward compatibility of a standard is. > A standard is backwards compatible if any valid implementation of the old > standard is also a valid implementation of the revised standard. And I always thought that compatibility applies to implementations. Anyway, I'm pasting David's interpretation of the text that he sent in one of the messages in this thread. I would appreciate it if you can share you thoughts on this interpretation. If this is how most people see it, they would conclude that both clients and server would need to be updated together if servers start returning revoked for non-issued. I know that this is not what you trying to convey. Pasted from David's message ~~~~~~~~~~~~~~~~~~~~~~ "The usual backwards compatibility concern is mixed new/legacy deployments. In this case, the specifics appear to be: New clients with legacy servers cannot expect to see "revoked" in this case. This matters because a hypothetical client coded to depend on a "revoked" response in this case won't work correctly with legacy servers (even though it'd be rather questionable to code that dependency into a new client - never underestimate the creativity and cleverness of implementers). New servers with legacy clients risk breaking clients that can't cope with "revoked" in this case, as you noted:" End ~~~ From david.black@emc.com Sat Mar 30 19:04:29 2013 Return-Path: X-Original-To: pkix@ietfa.amsl.com Delivered-To: pkix@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C75C21F8935 for ; Sat, 30 Mar 2013 19:04:29 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.599 X-Spam-Level: X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4GPLn9LKbJ0N for ; Sat, 30 Mar 2013 19:04:26 -0700 (PDT) Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 7ECF621F8934 for ; Sat, 30 Mar 2013 19:04:26 -0700 (PDT) Received: from hop04-l1d11-si01.isus.emc.com (HOP04-L1D11-SI01.isus.emc.com [10.254.111.54]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r2V241jj015643 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 30 Mar 2013 22:04:01 -0400 Received: from mailhub.lss.emc.com (mailhubhoprd01.lss.emc.com [10.254.221.251]) by hop04-l1d11-si01.isus.emc.com (RSA Interceptor); Sat, 30 Mar 2013 22:03:46 -0400 Received: from mxhub27.corp.emc.com (mxhub27.corp.emc.com [10.254.110.183]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id r2V23j3Z018791; Sat, 30 Mar 2013 22:03:45 -0400 Received: from mx15a.corp.emc.com ([169.254.1.81]) by mxhub27.corp.emc.com ([10.254.110.183]) with mapi; Sat, 30 Mar 2013 22:03:44 -0400 From: "Black, David" To: Piyush Jain , "'Stefan Santesson'" , "sts@aaa-sec.com" , "mmyers@fastq.com" , "ambarish@gmail.com" , "slava.galperin@gmail.com" , "cadams@eecs.uottawa.ca" Content-Class: urn:content-classes:message Date: Sat, 30 Mar 2013 22:03:11 -0400 Thread-Topic: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 Thread-Index: AQH+nYEO0mMdaySTI1Wq5Cz3Zlq4EZheELgggAALf7OAABCRHg== Message-ID: <985590FA-5A27-4787-B2EB-D44F909B7B3E@mimectl> References: <023401ce2ce1$44448cd0$cccda670$@ditenity.com> , <033001ce2daa$2826e150$7874a3f0$@ditenity.com> In-Reply-To: <033001ce2daa$2826e150$7874a3f0$@ditenity.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US x-mimectl: Produced By Microsoft Exchange V8.3.105.0 Content-Type: multipart/alternative; boundary="_000_985590FA5A274787B2EBD44F909B7B3Emimectl_" MIME-Version: 1.0 X-EMM-MHVC: 1 Cc: "pkix@ietf.org" , "Black, David" Subject: Re: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 X-BeenThere: pkix@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: PKIX Working Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 31 Mar 2013 02:04:29 -0000 --_000_985590FA5A274787B2EBD44F909B7B3Emimectl_ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable > Anyway, I'm pasting David's interpretation of the text that he sent in on= e > of the messages in this thread. I would appreciate it if you can share yo= u > thoughts on this interpretation. > If this is how most people see it, they would conclude that both clients = and > server would need to be updated together if servers start returning revok= ed > for non-issued. I know that this is not what you trying to convey. I don't think that's a good inference ... but this is getting confusing, so let's go back to the beginning. An important consideration is that "revoked" is defined in RFC 2560, so all existing clients have to be able to cope with that response, independent of whether they comply with 2560 or 2560bis. They apparently do cope just fin= e, as Piyush wrote: > Legacy clients will continue to work whether you make it required or opti= onal. What's new is that there's an additional case, non-issued certificate serial number, where a 2560bis server could return "revoked" but a 2560 server will never return "revoked". OTOH, use of "revoked" can't be required in this case for the reasons described in Stefan's new text in 2560bis. That would appear to lead to the following: - Server (responder) use of "revoked" for non-issued certificate serial numbers is optional for the reasons that Stefan described, but suggested when possible because it reduces the likelihood of relying parties falling back to CRLs by comparison to use of "unknown". I'm carefully avoiding use of "SHOULD" here. - Clients (requesters) MUST NOT depend on receiving "revoked" for non-issued certificate numbers because servers that comply with RFC 2560 won't do that. According to Piyush, all existing deployed clients already meet this "MUST NOT" requirement, so nothing else is needed. Stefan's text in -16 covers the first point. The second point could be added for additional explanation, but it would need to go outside the "NOTE:" due to its use of "MUST NOT." Thanks, --David ________________________________ From: Piyush Jain [piyush@ditenity.com] Sent: Saturday, March 30, 2013 8:53 PM To: 'Stefan Santesson'; Black, David; sts@aaa-sec.com; mmyers@fastq.com; am= barish@gmail.com; slava.galperin@gmail.com; cadams@eecs.uottawa.ca Cc: pkix@ietf.org Subject: RE: [pkix] Gen-ART review of draft-ietf-pkix-rfc2560bis-15 > This is what backward compatibility of a standard is. > A standard is backwards compatible if any valid implementation of the old > standard is also a valid implementation of the revised standard. And I always thought that compatibility applies to implementations. Anyway, I'm pasting David's interpretation of the text that he sent in one of the messages in this thread. I would appreciate it if you can share you thoughts on this interpretation. If this is how most people see it, they would conclude that both clients an= d server would need to be updated together if servers start returning revoked for non-issued. I know that this is not what you trying to convey. Pasted from David's message ~~~~~~~~~~~~~~~~~~~~~~ "The usual backwards compatibility concern is mixed new/legacy deployments. In this case, the specifics appear to be: New clients with legacy servers cannot expect to see "revoked" in this case= . This matters because a hypothetical client coded to depend on a "revoked" response in this case won't work correctly with legacy servers (even though it'd be rather questionable to code that dependency into a new client - never underestimate the creativity and cleverness of implementers). New servers with legacy clients risk breaking clients that can't cope with "revoked" in this case, as you noted:" End ~~~ --_000_985590FA5A274787B2EBD44F909B7B3Emimectl_ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
> Anyway, I'm pasting= David's interpretation of the text that he sent in one
> of the mess= ages in this thread. I would appreciate it if you can share you
> tho= ughts on this interpretation.
> If this is how most people see it, th= ey would conclude that both clients and
> server would need to be upd= ated together if servers start returning revoked
> for non-issued. I = know that this is not what you trying to convey.
I don't think that's a good inference ... but this is getting confusing,= so
let's go back to the <= FONT face=3D"courier new">beginning.
 
An important consideration is that "revoked" is defined in= RFC 2560, so all
existing clients have to be able to cope with that response, independent of
whether they comply with 2560 or 2560bis.  They apparently do cope just fine,
as Piyush wrote:
 
> Legacy clients will continue to work whether you make i= t required or optional.
What's new is that there= 's an additional case, non-issued certificate
serial number, where a 2560bis server could return "revoked" but<= /FONT>
a 2560 server will never return "revoked".  OTOH, use of "revoked"
can't be required in this cas= e for the reasons described in Stefan's
new text in 2560bis.
 
That would appear to lea= d to the following:
 
- Server (responder)&nbs= p;use of "revoked" for non-issued certificate
    serial numbers is optional for the reasons that Stefan described,
    but suggested when possible because it reduces the likelihood
    of relying parties falling back to CRLs by comparison to use of
    "unknown".  I'm carefully avoiding = use of "SHOULD" here.
- Clients (requesters) M= UST NOT depend on receiving "revoked" for
    non-issued certificate numbers because servers that comply
    with RFC 2560 won't do that.  According to Piyush, all existing
    deployed clients already meet this "MUST NOT" requirement, so
    nothing else is needed.
 
Stefan's text in -16 cov= ers the first point.  The second point could
be added for additional = explanation, but it would need to go outside
the "NOTE:" due to its use of "MUST NOT."
 
Thanks,
--David
 
From: Piyush Jain [piyu= sh@ditenity.com]
Sent: Saturday, March 30, 2013 8:53 PM
To:= 'Stefan Santesson'; Black, David; sts@aaa-sec.com; mmyers@fastq.com; a= mbarish@gmail.com; slava.galperin@gmail.com; cadams@eecs.uottawa.ca
C= c: pkix@ietf.org
Subject: RE: [pkix] Gen-ART review of draft-= ietf-pkix-rfc2560bis-15

> This is what backward compatibility of a standa= rd is.
> A standard is backwards compatible if any valid implementati= on of the old
> standard is also a valid implementation of the revise= d standard.

And I always thought that compatibility applies to imple= mentations.

Anyway, I'm pasting David's interpretation of the text t= hat he sent in one
of the messages in this thread. I would appreciate it= if you can share you
thoughts on this interpretation.
If this is how= most people see it, they would conclude that both clients and
server wo= uld need to be updated together if servers start returning revoked
for n= on-issued. I know that this is not what you trying to convey.
 
=
Pasted from David's message
~~~~~~~~~~~~~~~~~~~~~~
"The usual bac= kwards compatibility concern is mixed new/legacy deployments.
In this ca= se, the specifics appear to be:
New clients with legacy servers cannot e= xpect to see "revoked" in this case.
This matters because a hypothetical= client coded to depend on a "revoked"
response in this case won't work = correctly with legacy servers (even though
it'd be rather questionable t= o code that dependency into a new client -
never underestimate the creat= ivity and cleverness of implementers).
New servers with legacy clients r= isk breaking clients that can't cope with
"revoked" in this case, as you= noted:"
End
~~~





 --_000_985590FA5A274787B2EBD44F909B7B3Emimectl_--