
Re: Explanation of the OCSP sign request

2012-02-21 13:56:21
Robert Hernady wrote:

I'm looking for a better understanding of
RFC 2560, Online Certificate Status Protocol - OCSP.

Section 4.1 defines the ASN.1 structure for the OCSP request.
The shortened structure follows.

OCSPRequest
   TBSRequest
   OPTIONAL Signature,

where the signature is marked as OPTIONAL. That leads to the
conclusion that signing of the OCSP request is not required and
the implementer of the OCSP client MAY digitally sign that request.

But the section 2.3  Exception Cases defines error types and one
of them is "-sigRequired"

   The response "sigRequired" is returned in cases where the server
   requires the client sign the request in order to construct a
   response.


Does it mean that in that case the signature of the request becomes
mandatory? Does it mean that OCSP clients that have not implemented
OCSP request signing are therefore breaking this RFC?


OCSP servers that require an OCSP request to be signed are not
"breaking" the protocol, but preclude interoperability with the vast
majority of potential peers, by using a standardized protocol option
to implement a very restrictive policy on whose OCSP requests they answer.

Whether such a policy is configured for an OCSP responder is a
deployment decision of the consumer of the technology.

Breaking interop is the logical result of requiring the use of
optional protocol features, so it has to be assumed that the operator
of an OCSP responder that requires signatures on OCSP requests explicitly
desires the non-interoperability outcome.  I don't see a standardized
indication of acceptable certification_authorities for the signature
on the OCSP request to accompany the "sigRequired" OCSPResponseStatus,
so this policy can be expected to work only for extremely small groups
of RPs, matching the following preconditions:

    - all RPs in the PKI have implemented the optional protocol feature
      "signed OCSP requests"
    - all RPs in the PKI have out-of-band knowledge of certificate issuers
      acceptable to that OCSP responder for signing OCSP requests.
    - all RPs in the PKI have signing PKI credentials issued by one of
      those certificate issuers acceptable to the OCSP responder.

-Martin
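The two structures the thread turns on, the OCSPRequest with its [0] EXPLICIT optionalSignature from section 4.1 and the OCSPResponseStatus enumeration (sigRequired = 5) from section 2.3, can be seen directly at the DER level. The following is an added example, not code from either poster or from any OCSP implementation: a minimal pure-Python DER encoder/decoder that builds an unsigned and a signed OCSPRequest, parses the response status, and runs the retry logic an RP would need against a constructed stand-in responder that enforces the restrictive policy Martin describes. The issuer hashes, serial number and the "signer" are placeholders (the signer returns a SHA-256 digest so the Signature structure is laid out correctly; a real RP would produce an actual signature over the DER tbsRequest with its PKI credential), and the stand-in responder returns status-only envelopes rather than a full BasicOCSPResponse.

```python
"""RFC 2560 OCSPRequest / OCSPResponse status handling at the DER level.

Added example (not from the thread or any OCSP library). Demonstrates:
  - optionalSignature is [0] EXPLICIT and simply absent in an unsigned request;
  - OCSPResponseStatus sigRequired (5) is an ENUMERATED in a response with no
    responseBytes;
  - a client that first sends an unsigned request and only retries signed if
    it has implemented the optional feature.
"""
import hashlib
from typing import Callable, Optional, Tuple

SEQUENCE, BIT_STRING, OCTET_STRING, NULL, OID, ENUMERATED = 0x30, 0x03, 0x04, 0x05, 0x06, 0x0A
CTX0_EXPLICIT = 0xA0                                   # [0] EXPLICIT, constructed
OID_SHA1 = bytes.fromhex("2b0e03021a")                 # 1.3.14.3.2.26 (CertID hashAlgorithm)
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11

RESPONSE_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
                   3: "tryLater", 5: "sigRequired", 6: "unauthorized"}  # RFC 2560 4.2.1


def der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def der_integer(value: int) -> bytes:
    """Minimal two's-complement encoding of a non-negative INTEGER."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, position after this TLV) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def algorithm_identifier(oid: bytes) -> bytes:
    return der(SEQUENCE, der(OID, oid) + der(NULL, b""))


def build_tbs_request(issuer_name_hash: bytes, issuer_key_hash: bytes, serial: int) -> bytes:
    """TBSRequest with one Request; version omitted (DEFAULT v1), no extensions."""
    cert_id = der(SEQUENCE, algorithm_identifier(OID_SHA1)
                  + der(OCTET_STRING, issuer_name_hash)
                  + der(OCTET_STRING, issuer_key_hash)
                  + der_integer(serial))
    request_list = der(SEQUENCE, der(SEQUENCE, cert_id))   # SEQUENCE OF Request
    return der(SEQUENCE, request_list)


def build_ocsp_request(tbs: bytes, signature: Optional[bytes] = None) -> bytes:
    """OCSPRequest ::= SEQUENCE { tbsRequest, optionalSignature [0] EXPLICIT Signature OPTIONAL }"""
    body = tbs
    if signature is not None:
        sig = der(SEQUENCE, algorithm_identifier(OID_SHA256_RSA)
                  + der(BIT_STRING, b"\x00" + signature))   # leading 0x00 = no unused bits
        body += der(CTX0_EXPLICIT, sig)                       # certs [0] omitted
    return der(SEQUENCE, body)


def request_is_signed(ocsp_request: bytes) -> bool:
    """True iff the [0] EXPLICIT optionalSignature follows tbsRequest."""
    tag, body, _ = read_tlv(ocsp_request)
    assert tag == SEQUENCE
    _, _, after_tbs = read_tlv(body)
    return after_tbs < len(body) and body[after_tbs] == CTX0_EXPLICIT


def build_status_response(status: int) -> bytes:
    """OCSPResponse carrying only responseStatus (responseBytes omitted; a real
    'successful' response would carry a BasicOCSPResponse in [0])."""
    return der(SEQUENCE, der(ENUMERATED, bytes([status])))


def parse_response_status(ocsp_response: bytes) -> str:
    tag, body, _ = read_tlv(ocsp_response)
    assert tag == SEQUENCE
    etag, evalue, _ = read_tlv(body)
    assert etag == ENUMERATED
    return RESPONSE_STATUS.get(int.from_bytes(evalue, "big"), "unknown")


def placeholder_signer(tbs: bytes) -> bytes:
    """Constructed stand-in for signing tbsRequest with the RP's credential."""
    return hashlib.sha256(tbs).digest()


def make_responder(require_signature: bool) -> Callable[[bytes], bytes]:
    """Constructed stand-in responder implementing the 'sigRequired' policy."""
    def responder(req: bytes) -> bytes:
        if require_signature and not request_is_signed(req):
            return build_status_response(5)
        return build_status_response(0)
    return responder


def query_with_retry(tbs: bytes, responder: Callable[[bytes], bytes],
                     signer: Optional[Callable[[bytes], bytes]] = None) -> Tuple[str, bool]:
    """Send unsigned first; on sigRequired, retry signed only if the client
    implemented the optional feature. Returns (final status, final request signed?)."""
    status = parse_response_status(responder(build_ocsp_request(tbs)))
    if status != "sigRequired" or signer is None:
        return status, False
    return parse_response_status(responder(build_ocsp_request(tbs, signer(tbs)))), True


if __name__ == "__main__":
    tbs = build_tbs_request(b"\x11" * 20, b"\x22" * 20, 0x1234)   # constructed values
    strict = make_responder(require_signature=True)
    print(query_with_retry(tbs, strict))                      # ('sigRequired', False)
    print(query_with_retry(tbs, strict, placeholder_signer))  # ('successful', True)
```

The third precondition in Martin's list shows up as the `signer` argument: an RP without signing credentials acceptable to the responder has nothing to put in the [0] element and ends at `sigRequired`, which is exactly the non-interoperability outcome he describes.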
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
