Updating OCSP. David Cooper

Similar documents
X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP. Status of this Memo

Internet Engineering Task Force (IETF) Obsoletes: 2560, 6277

MTAT Applied Cryptography

Validation Policy r tra is g e R ANF AC MALTA, LTD

Security Protocols and Infrastructures. Winter Term 2015/2016

Internet Engineering Task Force (IETF) Category: Standards Track October 2015 ISSN:

PKCS #10 v1.7: Certification Request Syntax Standard (Final draft)

OCSP Client Tool V2.2 User Guide

Expires in 6 months September Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP <draft-ietf-pkix-ocsp-00.

Internet Engineering Task Force (IETF) Request for Comments: 6961 June 2013 Category: Standards Track ISSN:

Online Certificate Status Protocol (OCSP) Extensions

Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile draft-ietf-pkix-rfc3280bis-04.

draft-ietf-smime-cert-06.txt December 14, 1998 Expires in six months S/MIME Version 3 Certificate Handling Status of this memo

Internet Engineering Task Force (IETF) Request for Comments: 5917 Category: Informational June 2010 ISSN:

Expires October 2005 Updates RFC 3280 April 2005

Information technology Open Systems Interconnection The Directory Part 8: Public-key and attribute certificate frameworks

MISPC Minimum Interoperability Specification for PKI Components, Version 1

Internet Engineering Task Force (IETF) Obsoletes: 6485 Category: Standards Track August 2016 ISSN:

ISO/IEC INTERNATIONAL STANDARD

Security Protocols and Infrastructures

Internet Engineering Task Force (IETF) Category: Informational July 2012 ISSN: S/MIME Capabilities for Public Key Definitions

SSL Certificates Certificate Policy (CP)

RSA Validation Solution

Internet Engineering Task Force (IETF) Request for Comments: 5754 Updates: 3370 January 2010 Category: Standards Track ISSN:

Security Protocols and Infrastructures. Winter Term 2015/2016

Online Certificate Status Protocol Mobile Profile

Intended Category: Standards Track Expires July 2006 January 2006

ETSI TS V1.2.2 ( )

CORRIGENDA ISIS-MTT SPECIFICATION 1.1 COMMON ISIS-MTT SPECIFICATIONS VERSION JANUARY 2008 FOR INTEROPERABLE PKI APPLICATIONS

1) Revision history Revision 0 (Oct 29, 2008) First revision (r0)

Network Working Group. Updates: 2634 August 2007 Category: Standards Track

TO: FROM: DATE: SUBJECT: Revisions General 2.1 The Mismatch does

PKI Interoperability Test Tool v1.2 (PITT) Usage Guide

ETSI ES V1.1.3 ( )

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006

LDAP Items.

ETSI TS V1.3.1 ( )

PKCS #15: Conformance Profile Specification

Intended Category: Standards Track Expires March 2006 September 2005

Internet Engineering Task Force (IETF) Request for Comments: 6032 Category: Standards Track. December 2010

Intended status: Standards Track Expires: September 14, 2017 March 13, 2017

Network Working Group Request for Comments: 5019 Category: Standards Track Microsoft September 2007

D. Crocker, Ed. Updates: RFC4871 June 10, 2009 (if approved) Intended status: Standards Track Expires: December 12, 2009

November 1998 Expires May Storing Certificates in the Domain Name System (DNS)

Category: Informational January 2010 ISSN:

CI Plus ECP Specification v1.0 ( )

Internet Engineering Task Force (IETF) Request for Comments: Category: Standards Track. BBN September 2017

ETSI TS V1.5.1 ( )

Using OCSP to Secure Certificate-Using Transactions in M-commerce

DRAFT ISDCF Doc5 - Guideline for SMPTE KDMs and Certificates Behaviors Last revised

Server-based Certificate Validation Protocol

Internet Engineering Task Force (IETF) Symantec Corp. L. Rosenthol Adobe May Internet X.509 Public Key Infrastructure -- Certificate Image

Bugzilla ID: Bugzilla Summary:

ETSI TS V1.2.1 ( ) Technical Specification

D. Crocker, Ed. Intended status: Standards Track January 25, 2009 Expires: July 29, 2009

Internet Engineering Task Force (IETF) Request for Comments: 6490 Category: Standards Track. G. Michaelson APNIC. S. Kent BBN February 2012

Specification document for OCSP

Internet Engineering Task Force (IETF) Category: Experimental Helsinki Institute for Information Technology ISSN: May 2011

Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure

SSH Communications Tectia SSH

Public Key Infrastructures

Public Key Infrastructures. Using PKC to solve network security problems

Internet Engineering Task Force (IETF) Request for Comments: 6403 Category: Informational ISSN: M. Peck November 2011

Internet Engineering Task Force (IETF) Category: Standards Track Queensland University of Technology March 2011

Internet Engineering Task Force (IETF) Category: Standards Track ISSN: January 2010

Obsoletes: 2632 July 2004 Category: Standards Track. Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Certificate Handling

Digital Certificates Demystified

Signtrust. ISIS-MTT Assessment Report

Category: Standards Track W. Ford VeriSign D. Solo Citigroup April 2002

September 1997 Expires March Storing Certificates in the Domain Name System

PKCS #7: Cryptographic Message Syntax Standard

APNIC Trial of Certification of IP Addresses and ASes

Request for Comments: TIS Labs March Storing Certificates in the Domain Name System (DNS)

A PKI For IDR Public Key Infrastructure and Number Resource Certification

Autokey Version 2 Specification

E-Passport Validation: A practical experience

Smart Meters Programme Schedule 2.1

Technical Specification Electronic Signatures and Infrastructures (ESI); CMS Advanced Electronic Signatures (CAdES)

APNIC Trial of Certification of IP Addresses and ASes

Network Working Group. Siemens Networks GmbH & Co KG February Online Certificate Status Protocol (OCSP) Extensions to IKEv2

Trust Anchor Constraint Tool (TACT) v1.2.6 User Guide

IBM Education Assistance for z/os V2R2

This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026.

Understanding HTTPS CRL and OCSP

Request for Comments: 2459 Category: Standards Track VeriSign W. Polk NIST D. Solo Citicorp January 1999

Machine Readable Travel Documents

W. Polk (NIST) D. Solo (Citigroup) expires in six months October Internet X.509 Public Key Infrastructure. Certificate and CRL Profile

ETSI TS V1.1.1 ( )

Managing Certificates

API Gateway Version September Validation Authority Interoperability Guide

ETSI TS V1.8.3 ( ) Technical Specification. Electronic Signatures and Infrastructures (ESI); CMS Advanced Electronic Signatures (CAdES)

stir-certs-02 IETF 93 (Prague) STIR WG Jon

Public Key Infrastructures. Andreas Hülsing

SECURITY TARGET FOR ALACRIS OCSP Client Professional Version (EAL 2)

Category: Standards Track July Use of the RSAES-OAEP Key Transport Algorithm in the Cryptographic Message Syntax (CMS)

Electronic Seal Administrator Guide Published:December 27, 2017

IHE Change Proposal. Tracking information: Change Proposal Status: Date of last update: Sep 13, 2018 Charles Parisot, Vassil Peytchev, John Moehrke

Internet Engineering Task Force (IETF) Category: Standards Track. June 2016

ISO/IEC INTERNATIONAL STANDARD

INTERNATIONAL STANDARD

Transcription:

Updating OCSP David Cooper

Background Concerns raised about text in RFC 2560 being misinterpreted, particularly Section 4.2.2.2 on Authorized Responders Working group agreed to develop an update to RFC 2560 Scope of update effort limited to clarifying the protocol. This means the update will not make any changes to the protocol described in RFC 2560, except

Changes in RFC 5019 1 Section 2.2.1 states that while an RFC 5019- compliant request MUST request status for only one certificate, a response MAY include status information for more than one certificate. Section 2.2.3 extends the definition of the unauthorized error code from: The response "unauthorized" is returned in cases where the client is not authorized to make this query to this server or the server is not capable of responding authoritatively. 1 The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments

Changes in draft-ietf-pkix-ocspagility Updates set of mandatory and optional cryptographic algorithms. Defines a new request extension, PreferredSignatureAlgorithms. Specifies rules for responder signature algorithm selection.

Clarifying Authorized Responders RFC 2560 states the key used to sign the response must belong to one of the following: [Integrated OCSP Responder] the CA who issued the certificate in question [Locally Trusted OCSP Responder] a Trusted Responder whose public key is trusted by the requester [Designated OCSP Responder] a CA Designated Responder (Authorized Responder) who holds a specially marked certificate issued directly by the CA.

Integrated OCSP Responder Update clarifies meaning of the CA who issued the certificate in question : OCSP response does not need to be signed with same key as target certificate Subject DN in OCSP responder's certificate must be the same as issuer DN in target certificate Appendix D includes four examples that involve integrated OCSP responders.

Designated OCSP Responder Update clarifies requirement for OCSP responder's certificate to be issued by the CA that issued the certificate in question : CA may use different keys to sign OCSP responder's certificate and target certificate. Issuer DN in OCSP responder's certificate must be the same as issuer DN in target certificate. Appendix D includes six examples that involve designated OCSP responders.

Locally Trusted OCSP Responder Reinforces that local configuration is client's local configuration, not CA's local configuration. Emphasizes that locally trusted OCSP responders are usually created by an organization for use by its own clients, not by a CA for use by all clients validating certificates issued by that CA. Appendix D includes one example involving a locally trusted OCSP responder.

Editor's Notes Draft -00 contains 10 editor's notes Some highlight change made in protocol, providing rationale for change. Some request additional information (e.g., syntax of nonce extension). Some propose consideration of changes in future drafts.

Next Steps Working groups needs to decide whether to: Use draft-cooper-pkix-rfc2560bis as the starting point for development of OCSP update; or Start over with a new approach to developing an update to OCSP. If draft-cooper-pkix-rfc2560bis is accepted, David Cooper and Stefan Santesson (and possibly others) will update the draft and submit a revised version as a working group document.

Questions

New Issues Handling unrecognized critical extensions: requestextension: Return an "unauthorized" error response? singlerequestextension: return a certstatus of "unknown" (or "unauthorized" error response if responder can only provide pre-generated responses)?

New Issues Problem: OCSP responder basis responses on CRL Returns "unknown" certstatus if certificate was not issued at time CRL was generated Returned certstatus for recently issued certificate continues to be "unknown" until responder obtains new CRL. Should definition of "unknown" be reworded to encourage responders to return status of "good" rather than "unknown" under these circumstances?

Editor's Notes Syntax of nonce extension RFC 2560 specifies an OID for the nonce extension, but not an ASN.1 structure for the extension value. How do current implementations populate extnvalue for the nonce extension? Is it always populated with the DER encoding of some ASN.1 syntax? Responder processing of nonce extension: Next draft will be changed to state that response may include a nonce even if request did not include one. Text will be added to explain why this is permitted.

Editor's Notes (continued) Preferred signature Algorithms Use of parameters in sigidentifier for RSA signature algorithms? Are parameters included or omitted? Service Locator extension RFC 2560 does not specify the processing performed by the OCSP Responder. Which OCSP responder signs response that is received by client? Responder that received request from client? Authoritative responder to which request was routed? Either? Should update clarify this?

Editor's Notes (continued) Syntax of id-pkix-ocsp-nocheck extension. RFC 2560 says extnvalue SHOULD be NULL. Do any certificates include a nocheck extension where extnvalue is not NULL? Can update say that extnvalue SHALL be NULL? CRL entry extensions as singleextensions in responses: RFC 2560 states that all CRL entry extensions from RFC 2459 are supported as singleextensions Update only mentions invaliditydate.

Editor's Notes (continued) Response verification requires clients to confirm that the identity of the signer matches the intended recipient of the request. Should this requirement be removed or modified? Under what circumstances does the client know the identity of the intended recipient of the request? When following a URL in an AIA extension, identity of recipient isn't known. When using a locally configured OCSP responder, could local OCSP responder relay request to a CA designated responder and return the response signed by that responder (especially if request included a service locator extension)?

Editor's notes (continued) What are the requirements for including an AIA extension in target certificates: Integrated or designated responder that provides status for the certificate? [SHOULD or MUST] Responder that provides status for the certificate that is neither integrated nor designated (i.e., can only be used as a locally trusted OCSP responder)? [SHOULD NOT or MUST NOT] Is the only requirement that CA products be capable of including an AIA extension in certificates?

Editor's Notes (continued) 1998 ASN.1 from RFC 2560: Module did not have an OID Added OID, copied from draft-ietf-pkix-ocspagility-08 Module imports Certificate, AlgorithmIdentifier, and CRLReason from AuthenticationFramework rather than PKIX1Explicit88 and PKIX1Implicit88 Is there a reason for this? Should it be changed? No changes were made in draft-cooper-pkix-rfc2560bis.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback