[cabfpub] Fwd: [pkix] Straw-poll on OCSP responses for non-revoked certificates.

Ben Wilson ben at digicert.com
Wed Oct 31 11:28:35 MST 2012


OCSP and CRLs are two different methodologies.  The more they are de-coupled, the more each can evolve and improve.  That is not to say that they have to be divorced, and implementations could still tie the two together.  Take RFC 2560 bis, for example, “1” for CertStatus could simply mean “bad” and then if revocationReason is populated with CRLReason, then the assumption should be that the CRL has been updated and is the source of the OCSP Response.  If it is not populated, then it should not be assumed that the CRL will match.  


For legacy applications, people should not use an RFC 2560 CertStatus response of “1” to mean that the serial number has to be placed on a CRL.  “Revoked” for OCSP is different than “revoked” for CRL, yet both should have the same meaning for communicating to the client that the certificate is unreliable and a client should hard fail in that case – “upon transmission or receipt of a fatal alert message, both parties immediately close the connection”.  Revocation is just a matter that depends on the technology being used.   


Finally, the straw poll is not about making a signed response of revoked mandatory, because existing options of “Unknown” and “Unauthorized” exist, as Eddy notes. I don’t think clients should cache an OCSP response forever. If the client thinks that the OCSP response of revoked was incorrect, it should query again, and if the OCSP response says “good” then this is not an issue. As noted in the straw poll, current conventional wisdom is that allowing such behavior does no harm.


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: Tuesday, October 30, 2012 5:06 PM
To: public at cabforum.org
Subject: Re: [cabfpub] Fwd: [pkix] Straw-poll on OCSP responses for non-revoked certificates.



On 10/30/2012 11:47 PM, From Eddy Nigg (StartCom Ltd.): 

Neither - an OCSP responder should respond with "Unknown" or "Unauthorized" in case the certificate is unknown. Or either "Good" or "Revoked" for known ones.

Rationale - responding "Revoked" for a certificate that might be good is incorrect, either due to migration and update time or other reasons (out-of-sync or whatever). Clients may cache revoked responses forever; revoked certificates are never unrevoked.


I hope the folks from the PKIX forum follow the CAB Forum public list - it wasn't obvious to me that this mail was forwarded. Well, well... :-)




Regards

Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
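The two messages above argue about what an OCSP responder should say and what a client should do with it: "Unknown" or "Unauthorized" when the responder does not know the certificate, "Good" or "Revoked" when it does, a hard fail on a signed "revoked", no permanent caching of a "revoked" answer, and (Ben's reading of 2560bis) treating a populated revocationReason as the signal that the CRL is the source of the answer. The following Python model, added here and not code from either poster or from CAB Forum or PKIX, encodes those client-side rules. The status enumerations follow RFC 2560; the `OcspAnswer` class, the `Verdict` names, the `DEFAULT_TTL` of one hour and the cache layout are assumptions made for the example, and all sample values in the usage are constructed.

```python
"""Client-side handling of OCSP answers as argued in the cabfpub thread (model, not a parser)."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Tuple


class ResponseStatus(Enum):
    # OCSPResponseStatus values from RFC 2560, section 4.2.1
    SUCCESSFUL = 0
    MALFORMED_REQUEST = 1
    INTERNAL_ERROR = 2
    TRY_LATER = 3
    SIG_REQUIRED = 5
    UNAUTHORIZED = 6


class CertStatus(Enum):
    # CertStatus CHOICE tags from RFC 2560: good [0], revoked [1], unknown [2]
    GOOD = 0
    REVOKED = 1
    UNKNOWN = 2


class Verdict(Enum):
    ACCEPT = "accept"              # "good": proceed with the connection
    HARD_FAIL = "hard-fail"        # "revoked": the certificate is unreliable, close the connection
    UNDETERMINED = "undetermined"  # "unknown" / "unauthorized" / error: the responder gave no answer


@dataclass(frozen=True)
class OcspAnswer:
    """Hypothetical flattened view of one SingleResponse (assumption for this example)."""
    response_status: ResponseStatus
    cert_status: Optional[CertStatus] = None   # only meaningful when response_status is SUCCESSFUL
    this_update: int = 0                       # seconds since the epoch (constructed values below)
    next_update: Optional[int] = None
    revocation_reason: Optional[int] = None    # CRLReason code, if the responder populated it


def evaluate(answer: OcspAnswer) -> Verdict:
    """Map one OCSP answer to the client action the thread argues for."""
    if answer.response_status is not ResponseStatus.SUCCESSFUL:
        # "Unauthorized", "tryLater" and friends carry no CertStatus at all:
        # the responder did not vouch for the certificate either way.
        return Verdict.UNDETERMINED
    if answer.cert_status is CertStatus.GOOD:
        return Verdict.ACCEPT
    if answer.cert_status is CertStatus.REVOKED:
        return Verdict.HARD_FAIL
    # CertStatus "unknown": the responder knows nothing about this serial number.
    return Verdict.UNDETERMINED


def crl_expected_to_match(answer: OcspAnswer) -> bool:
    """A populated revocationReason signals that the CRL has been updated and is the
    source of the answer; without it the client must not assume the CRL agrees."""
    return (answer.response_status is ResponseStatus.SUCCESSFUL
            and answer.cert_status is CertStatus.REVOKED
            and answer.revocation_reason is not None)


DEFAULT_TTL = 3600  # assumption: lifetime used when the responder omits nextUpdate


class OcspCache:
    """Keeps answers only until nextUpdate, so a "revoked" answer is never pinned forever
    and a later re-query can replace it with "good" if the earlier answer was wrong."""

    def __init__(self) -> None:
        self._entries: Dict[int, Tuple[OcspAnswer, int]] = {}

    def store(self, serial: int, answer: OcspAnswer, now: int) -> bool:
        if answer.response_status is not ResponseStatus.SUCCESSFUL:
            return False  # error responses are not cacheable
        expires = answer.next_update if answer.next_update is not None else now + DEFAULT_TTL
        self._entries[serial] = (answer, expires)
        return True

    def lookup(self, serial: int, now: int) -> Optional[OcspAnswer]:
        entry = self._entries.get(serial)
        if entry is None:
            return None
        answer, expires = entry
        if now >= expires:
            del self._entries[serial]  # stale: the caller must ask the responder again
            return None
        return answer


def check_certificate(serial: int, cache: OcspCache,
                      fetch: Callable[[int], OcspAnswer], now: int) -> Verdict:
    """Use the cache while it is fresh, otherwise query the responder (fetch) again."""
    answer = cache.lookup(serial, now)
    if answer is None:
        answer = fetch(serial)
        cache.store(serial, answer, now)
    return evaluate(answer)


if __name__ == "__main__":
    # Constructed walk-through: a "revoked" answer expires at nextUpdate, after which a
    # fresh "good" answer from the responder wins.
    cache = OcspCache()
    revoked = OcspAnswer(ResponseStatus.SUCCESSFUL, CertStatus.REVOKED, 1000, 2000, revocation_reason=1)
    cache.store(7, revoked, 1000)
    print(check_certificate(7, cache, lambda s: revoked, 1500), crl_expected_to_match(revoked))
    good = OcspAnswer(ResponseStatus.SUCCESSFUL, CertStatus.GOOD, 2000, 3000)
    print(check_certificate(7, cache, lambda s: good, 2100))
```

The split between `ResponseStatus` and `CertStatus` is the point Eddy makes: "Unauthorized" is a response-level status with no certificate status inside it, while "Unknown" is a certificate status inside a successful response, and neither is a "revoked".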


