Re: last call initiated
"Julien Stern" <julien.stern@cryptolog.com> Wed, 08 February 2006 11:51 UTC
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1F6nr1-0002Us-RR for pkix-archive@megatron.ietf.org; Wed, 08 Feb 2006 06:51:23 -0500
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA14792 for <pkix-archive@lists.ietf.org>; Wed, 8 Feb 2006 06:49:37 -0500 (EST)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id k18Av0Vu014349; Wed, 8 Feb 2006 02:57:00 -0800 (PST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id k18Av0XE014348; Wed, 8 Feb 2006 02:57:00 -0800 (PST)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from kraid.nerim.net (smtp-103-wednesday.nerim.net [62.4.16.103]) by above.proper.com (8.12.11/8.12.9) with ESMTP id k18AuxIR014341 for <ietf-pkix@imc.org>; Wed, 8 Feb 2006 02:56:59 -0800 (PST) (envelope-from julien.stern@cryptolog.com)
Received: from uranus.cry.pto (cryptolog.net4.nerim.net [62.212.120.81]) by kraid.nerim.net (Postfix) with ESMTP id 7C40340F7B for <ietf-pkix@imc.org>; Wed, 8 Feb 2006 11:56:55 +0100 (CET)
Received: from localhost (localhost [127.0.0.1]) by uranus.cry.pto (Postfix) with ESMTP id 3915D44104 for <ietf-pkix@imc.org>; Wed, 8 Feb 2006 11:57:47 +0100 (CET)
Received: from uranus.cry.pto ([127.0.0.1]) by localhost (uranus [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 32548-03 for <ietf-pkix@imc.org>; Wed, 8 Feb 2006 11:57:36 +0100 (CET)
Received: from callisto.cry.pto (callisto.cry.pto [10.0.1.4]) by uranus.cry.pto (Postfix) with SMTP id 8A37F440ED for <ietf-pkix@imc.org>; Wed, 8 Feb 2006 11:57:35 +0100 (CET)
Received: by callisto.cry.pto (sSMTP sendmail emulation); Wed, 8 Feb 2006 12:07:49 +0100
From: Julien Stern <julien.stern@cryptolog.com>
Date: Wed, 08 Feb 2006 12:07:49 +0100
To: ietf-pkix@imc.org
Subject: Re: last call initiated
Message-ID: <20060208110749.GB12941@cryptolog.com>
Mail-Followup-To: Julien Stern <julien.stern@cryptolog.com>, ietf-pkix@imc.org
References: <p0623090dc00ec6c778cb@[128.89.89.106]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <p0623090dc00ec6c778cb@[128.89.89.106]>
User-Agent: Mutt/1.5.6+20040907i
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at cryptolog.com
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Greetings, I have two comments on the draft (that I had already posted after the -02 draft was published): 1) Section 1.2.3 states that the OCSP responder should reply with an "unauthorized" reply code when it is not capable of replying authoritatively. I believe there are two problems with that: First, it overrides the semantic of the "unauthorized" error code, which originally means that the client is not, well, authorized :) to access to service. How would one know when he is actually not authorized ? Second, because OCSP replies are unsigned, it allows for an very easy man-in-the-middle attack. Because most client software assume by default that the certificate is valid when the revocation status is unknown, it is easy to turn an invalid certificate into a valid one is you control a proxy in the middle, by sending an unsigned "unauthorized" reply. I totally understand that sending signed replies for certificates of unknown status is not possible for "caching" server. However, the present draft just refers to the security considerations of RFC2560, whereas they have more impact in the present case. 2) Regarding Nonces This profile is obviously nonceless. No caching server in its sane mind would ever implement nonce. So why imply that a server could possibly send one ? If this is to cope with the case of a client that does not know whether the server supports nonce or not, the extensive discussions that occured on the list regarding this issue do not seem to be definitely solved. If this RFC is published as is, it will practically destroy all nonced implementations of OCSP, because the client has no way to know whether is it talking with a nonce-supporting server or not. Hence, nonced implementations becomes useless, because replay attacks always become possible, unless the client is pre-configured to know that the server is indeed using nonces. To make my point(s) clearer: I have nothing against this protocol and think it is important to have it because it's very efficient. However, I do not think that, security-wise, it is a _profile_ of OCSP. Lightweight OCSP is less secure than OCSP (the price to pay for efficiency), but because 1) a client cannot know whether it is talking to a standard OCSP or a lightweight OCSP server, and 2) the lightweight OCSP mandates that the client falls back to less secure mode it means that lightweight OCSP practically prevents a regular OCSP server to provide extra security to its clients. Note that, in my very humble opinion, this problem comes from RFC2560 and not from this draft. If RFC2560 was modified to include the following semantic behavior, we could have a bit-on-the-wire compatible protocol AND allow regular OCSP to cohabit with lightweight OCSP without sacrifying security: the changes would be: 1) A server (identified by a ResponderID) can serve "fresh" responses or "cached" responses, but MUST NOT serve both (else one MUST use different responderIDs). 2) For a "caching" server: - the nextUpdate field of all the SingleResponse elements MUST be present. It should indicate the expiration date of the (cached) information validity. - the nonce extension MUST be ignored 3) For a "live" server: - the nextUpdate field of all the SingleResponse elements MUST be absent, thus indicating the information is live - the nonce extension MUST be honored Sincerely, -- Julien Stern On Tue, Feb 07, 2006 at 04:53:25PM -0500, Stephen Kent wrote: > > Folks, > > I am initiating a WG last call for the lightweight OCSP profile: > > draft-ietf-pkix-lightweight-ocsp-profile-03.txt > > I have provided the authors with an initial set of comments. > > Please send your comments to the list by February 17th, 1.5 weeks from > today. > > Thanks, > > Steve >
- last call initiated Stephen Kent
- Re: last call initiated Julien Stern
- RE: last call initiated Dave Engberg
- RE: last call initiated Santosh Chokhani
- Re: last call initiated Julien Stern
- RE: last call initiated Ryan Hurst