Network Working Group                                            M. Pala
Internet-Draft                                                 CableLabs
Intended status: Experimental                           February 5, 2019
Expires: August 9, 2019


          Online Certificate Status Protocol - Version 2 (OCSPv2)
                           draft-pala-ocspv2-00

Abstract

   With the increasing number of protocols and applications that rely
   on digital certificates to authenticate either the communication
   channel (TLS) or the data itself (PKIX), the need for an efficient
   revocation system is paramount.  Although the Online Certificate
   Status Protocol (OCSP) allows for efficient lookup of the revocation
   status of a certificate, the distribution of this information via
   HTTP (or, very rarely, HTTPS) is not particularly efficient for
   high-volume websites without incurring high distribution costs
   (e.g., CDN).

   In particular, this specification defines a new set of messages
   (i.e., OCSPv2 Request and OCSPv2 Response) that address the
   inefficiencies of OCSPv1 by (a) providing range-based responses to
   reduce the number of pre-computed responses required by a CA, and
   (b) allowing the inclusion of other (certificate chain) responses in
   the same response for round-trip and caching optimization.

   The deployment of OCSPv2 to validate the status of a certificate is
   meant to lower the cost of providing revocation services and
   increase the efficiency of the service, thus allowing for
   short-lived responses (i.e., hours instead of days).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.
   It is inappropriate to use Internet-Drafts as reference material or
   to cite them other than as "work in progress."

   This Internet-Draft will expire on August 9, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Requirements notation
   2.  Introduction
   3.  Limitations of OCSPv1
   4.  Protocol Overview
   5.  The OCSPv2 Request
   6.  The OCSPv2 Response
   7.  IANA Considerations
   8.  Security Considerations
   9.  Acknowledgments
   10. Normative References
   Author's Address

1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Introduction

   Introduction

3.  Limitations of OCSPv1

   Explains the limitations of OCSPv1 when it comes to efficiency.

4.  Protocol Overview

   Provides a description of the protocol with particular emphasis on
   the different approach (range-based vs. one-by-one).

5.  The OCSPv2 Request

   The OCSPv2 Request.

6.  The OCSPv2 Response

   The OCSPv2 Response.

7.  IANA Considerations

   No special considerations for IANA.

8.  Security Considerations

   Several security considerations need to be explicitly addressed so
   that system administrators and application developers understand
   the weaknesses of the overall architecture.

9.  Acknowledgments

   The authors would like to thank everybody who provided insightful
   comments and helped in the definition of the deployment
   considerations.  Last but not least, the authors would like to thank
   all the people who expressed interest in implementing support for
   this proposal.

10.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, DOI 10.17487/RFC3986, January 2005.

   [RFC4501]  Josefsson, S., "Domain Name System Uniform Resource
              Identifiers", RFC 4501, DOI 10.17487/RFC4501, May 2006.

   [RFC5019]  Deacon, A. and R. Hurst, "The Lightweight Online
              Certificate Status Protocol (OCSP) Profile for High-Volume
              Environments", RFC 5019, DOI 10.17487/RFC5019, September
              2007.

   [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234,
              DOI 10.17487/RFC5234, January 2008.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008.

   [RFC6960]  Santesson, S., Myers, M., Ankney, R., Malpani, A.,
              Galperin, S., and C. Adams, "X.509 Internet Public Key
              Infrastructure Online Certificate Status Protocol - OCSP",
              RFC 6960, DOI 10.17487/RFC6960, June 2013.

Author's Address

   Massimiliano Pala
   CableLabs
   858 Coal Creek Cir
   Louisville, CO 80027
   USA

   Email: director@openca.org
   URI:   http://www.linkedin.com/in/mpala
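The Abstract and Section 4 argue that range-based responses reduce the number of pre-computed responses a CA must sign, compared with the one-response-per-certificate approach of OCSPv1. The Python model below is an added illustration of that claim; it is not code from this draft or from its author, and it does not implement the OCSPv2 Request or Response format, which this revision does not yet specify. The StatusRange type, the "good"/"revoked" status strings, the function names and the sample serial numbers are all constructed for the example. It also carries the one check a responder implementer would want from such a scheme: a range must never assert a status for a serial the CA did not issue, so gaps in the serial space end a range and a lookup outside the covered space returns None rather than "good".

```python
"""Illustration of range-based pre-computed revocation responses.

Added, hypothetical model (not the draft's wire format): it shows why
grouping consecutive serial numbers that share a status into ranges
needs far fewer pre-computed responses than one response per
certificate.  All names, types and sample serials are constructed.
"""
from bisect import bisect_right
from dataclasses import dataclass
from typing import Iterable, List, Optional

GOOD = "good"        # status vocabulary borrowed from OCSPv1 (RFC 6960)
REVOKED = "revoked"


@dataclass(frozen=True)
class StatusRange:
    """Closed interval [low, high] of serial numbers sharing one status."""
    low: int
    high: int
    status: str


def per_certificate_responses(issued: Iterable[int]) -> int:
    """OCSPv1-style pre-computation: one signed response per issued serial."""
    return len(set(issued))


def build_ranges(issued: Iterable[int], revoked: Iterable[int]) -> List[StatusRange]:
    """Collapse the sorted serial space into maximal runs of equal status.

    Only serials the CA actually issued are covered: a gap in the serial
    space breaks the current run, so no range ever asserts a status for a
    serial that was never issued.
    """
    revoked_set = set(revoked)
    ranges: List[StatusRange] = []
    for s in sorted(set(issued)):
        status = REVOKED if s in revoked_set else GOOD
        if ranges and ranges[-1].status == status and ranges[-1].high == s - 1:
            last = ranges[-1]                      # extend the current run
            ranges[-1] = StatusRange(last.low, s, status)
        else:
            ranges.append(StatusRange(s, s, status))  # start a new run
    return ranges


def lookup(ranges: List[StatusRange], serial: int) -> Optional[str]:
    """Return the status covering `serial` via binary search on range lows.

    Returns None when no range covers the serial (the CA never issued it),
    so a relying party cannot mistake an unissued serial for a good one.
    """
    lows = [r.low for r in ranges]
    i = bisect_right(lows, serial) - 1
    if i >= 0 and ranges[i].low <= serial <= ranges[i].high:
        return ranges[i].status
    return None


# Constructed sample: a CA that issued serials 1..1000 and revoked three.
SAMPLE_ISSUED = range(1, 1001)
SAMPLE_REVOKED = [17, 18, 500]


def compare(issued=SAMPLE_ISSUED, revoked=SAMPLE_REVOKED) -> dict:
    """Number of pre-computed responses under both strategies, plus the ranges."""
    ranges = build_ranges(issued, revoked)
    return {
        "per_certificate": per_certificate_responses(issued),
        "range_based": len(ranges),
        "ranges": ranges,
    }


if __name__ == "__main__":
    result = compare()
    print(f"per-certificate responses: {result['per_certificate']}")
    print(f"range-based responses:     {result['range_based']}")
    for r in result["ranges"]:
        print(f"  [{r.low}, {r.high}] -> {r.status}")
```

With the constructed sample the per-certificate strategy needs 1000 signed responses, while the range-based one needs 5 (three "good" runs and two "revoked" runs). The count of ranges grows with the number of status transitions rather than with the number of certificates, which is the efficiency the Abstract describes; the trade-off, visible in `build_ranges`, is that every revocation splits a run and so adds to the set of responses that must be re-signed.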