Candidate for moving OCSP to a Draft Standard
Ambarish Malpani <ambarish@valicert.com> Thu, 31 January 2002 21:19 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA12869 for <pkix-archive@odin.ietf.org>; Thu, 31 Jan 2002 16:19:58 -0500 (EST)
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g0VKUeZ02066 for ietf-pkix-bks; Thu, 31 Jan 2002 12:30:40 -0800 (PST)
Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g0VKUc302062 for <ietf-pkix@imc.org>; Thu, 31 Jan 2002 12:30:38 -0800 (PST)
Received: from CONVERSION-DAEMON by ext-mail.valicert.com (PMDF V5.2-33 #46613) id <0GQT00701KZ4V1@ext-mail.valicert.com> for ietf-pkix@imc.org; Thu, 31 Jan 2002 12:30:40 -0800 (PST)
Received: from polaris.valicert.com ([192.168.2.34]) by ext-mail.valicert.com (PMDF V5.2-33 #46613) with ESMTP id <0GQT00790KZ3N1@ext-mail.valicert.com> for ietf-pkix@imc.org; Thu, 31 Jan 2002 12:30:40 -0800 (PST)
Received: by exchange.valicert.com with Internet Mail Service (5.5.2653.19) id <D6WG8A7B>; Thu, 31 Jan 2002 12:30:39 -0800
Content-return: allowed
Date: Thu, 31 Jan 2002 12:30:37 -0800
From: Ambarish Malpani <ambarish@valicert.com>
Subject: Candidate for moving OCSP to a Draft Standard
To: "'ietf-pkix@imc.org'" <ietf-pkix@imc.org>
Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E028E50A4@exchange.valicert.com>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-type: multipart/mixed; boundary="Boundary_(ID_Vw+J6SAKb3Us0Sw9tOar+w)"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Hi Guys, Here is a candidate for moving OCSP to a Draft Standard. There are no changes in the bytes that go across the wire - basically all clarifications. A list of all the changes between this document and RFC 2560 are in Appendix D (reproduced here). I hope we can get to the Draft Standard state before this IETF. Regards, Ambarish Appendix D. Changes This section contains the differences in this document from RFC 2560 - Mention Appendix D in Section 1 and added an appendix D. - Added a paragraph in Section 1 equating a client with a requestor and server with responder - Section 2.2 - clarified the explanation of good, revoked and unknown - Added Section 2.8 requiring clients and responders to support HTTP - Added a note at the end of section 3.2, which allows a client to accept a response that provides statuses for only some of the certificates requested. - Clarified the issuerKeyHash in Section 4.1.1 - Added "DER encoding of the" in the third paragraph Section 4.1.2 - Section 4.2.1 - clarified that the signature is on the DER encoding of tbsResponseData (and not its hash) - Section 4.2.1 - specified the use of the certs field in BasicOCSPResponse - Section 4.2.1 - clarified how you compute KeyHash when providing the ResponderID byKey. - Section 4.2.2.2 - removed an extra quote in point 3 - Section 4.3 - Made RSA mandatory. Also changed the references to point to the appropriate documents. Added the references to the References section - Section 4.4.1 - Clarified that a nonce in the request MUST be - included in the response for the response to be trusted. - Appendix A - A.1.1. - Got rid of support for GET - not sure that anybody does it. It is also unclear how a server would tell a client to ever use GET in the URL specified in the AIA - Add the module tag for the ASN.1 in OCSP - Made SEQUENCE OF Certificate OPTIONAL to SEQUENCE SIZE(1..MAX) of Certificate OPTIONAL in the ASN.1 defintions. The avoids the ambiguity of whether the optional sequence may be present, but with 0 elements. This was done by definining a new element called Certificates, which is used. Look at the defintion of both Signature and BasicOCSPResponse. - Clarified the meaning of nextUpdate being absent (Section 2.4) - Fixed typo where we referred to id-ad-ocspSigning, to reflect the correct OID - id-kp-OCSPSigning - Clarified criteria for response acceptance (Section 3.2) - Added a line in Section 5 indicating that nonces can be used to prevent prevent attacks using replays of precomputed responses - Added a paragraph in Section 5 requiring nonces to be unique for replay protection --------------------------------------------------------------------- Ambarish Malpani Architect 650.567.5457 ValiCert, Inc. ambarish@valicert.com 339 N. Bernardo Ave. http://www.valicert.com Mountain View, CA 94043
- Candidate for moving OCSP to a Draft Standard Ambarish Malpani
- Re: Candidate for moving OCSP to a Draft Standard Denis Pinkas
- RE: Candidate for moving OCSP to a Draft Standard Santosh Chokhani
- RE: Candidate for moving OCSP to a Draft Standard Olle Mulmo
- Re: Candidate for moving OCSP to a Draft Standard Denis Pinkas
- RE: Candidate for moving OCSP to a Draft Standard Florian Oelmaier
- FW: Candidate for moving OCSP to a Draft Standard Florian Oelmaier
- Re: Candidate for moving OCSP to a Draft Standard Denis Pinkas
- RE: Candidate for moving OCSP to a Draft Standard Ambarish Malpani
- Re: Candidate for moving OCSP to a Draft Standard Denis Pinkas
- Re: Candidate for moving OCSP to a Draft Standard Denis Pinkas
- Re: Candidate for moving OCSP to a Draft Standard Peter Gutmann
- RE: Candidate for moving OCSP to a Draft Standard Florian Oelmaier
- RE: Candidate for moving OCSP to a Draft Standard Khaja E. Ahmed
- RE: Candidate for moving OCSP to a Draft Standard Peter Gutmann
- RE: Candidate for moving OCSP to a Draft Standard Peter Gutmann
- RE: Candidate for moving OCSP to a Draft Standard Housley, Russ
- Re: Candidate for moving OCSP to a Draft Standard David P. Kemp
- RE: Candidate for moving OCSP to a Draft Standard Peter Gutmann
- Re: Candidate for moving OCSP to a Draft Standard Peter Gutmann
- RE: Candidate for moving OCSP to a Draft Standard Ambarish Malpani
- Re: Candidate for moving OCSP to a Draft Standard David P. Kemp
- RE: Candidate for moving OCSP to a Draft Standard Ambarish Malpani
- RE: Candidate for moving OCSP to a Draft Standard Khaja E. Ahmed
- RE: Candidate for moving OCSP to a Draft Standard Peter Gutmann
- Re: Candidate for moving OCSP to a Draft Standard Peter Gutmann
- RE: Candidate for moving OCSP to a Draft Standard Simon Tardell
- RE: Candidate for moving OCSP to a Draft Standard Khaja E. Ahmed
- RE: Candidate for moving OCSP to a Draft Standard Simon Tardell
- RE: Candidate for moving OCSP to a Draft Standard Michael McIntosh
- RE: Candidate for moving OCSP to a Draft Standard Peter Gutmann
- Re: Candidate for moving OCSP to a Draft Standard Al Arsenault
- Re: Candidate for moving OCSP to a Draft Standard Peter Gutmann
- RE: Candidate for moving OCSP to a Draft Standard Khaja E. Ahmed
- Compromised OCSP server Key: Was: RE: Candidate f… Khaja E. Ahmed
- Re: Candidate for moving OCSP to a Draft Standard Petra Barzin
- Re: Candidate for moving OCSP to a Draft Standard Michael Ströder
- Re: Candidate for moving OCSP to a Draft Standard Michael Ströder
- Re: Candidate for moving OCSP to a Draft Standard Juergen Brauckmann
- Re: Candidate for moving OCSP to a Draft Standard Peter Gutmann
- Re: Candidate for moving OCSP to a Draft Standard David P. Kemp
- RE: Candidate for moving OCSP to a Draft Standard Ambarish Malpani
- RE: Candidate for moving OCSP to a Draft Standard Michael Myers
- Re: Candidate for moving OCSP to a Draft Standard David P. Kemp
- WG Last Call: Roadmap wpolk
- Re: WG Last Call: Roadmap Denis Pinkas
- Re: WG Last Call: Roadmap Sean P. Turner