[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: OCSP Algorithm Agility

To: <ietf-pkix@xxxxxxx>
Subject: RE: OCSP Algorithm Agility
From: Stephen Kent <kent@xxxxxxx>
Date: Fri, 21 Sep 2007 14:07:44 -0400
In-reply-to: <>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <2788466ED3E31C418E9ACC5C3166155703DF57@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <>
Sender: owner-ietf-pkix@xxxxxxxxxxxx


Folks,

How about defining an extension to be included in the cert issued toan OCSP responder by a CA. The extension would have an ordered listof algorithms (hash and signature if we want to address more than thehash agility issue) accepted by the OCSP responder. An OCSP clientcan use this info to determine what is the "best" algorithm (or algpair) that it and the responder share. The combination of thisextension and an OCSP negotiation procedure will allow the client todetect MITM downgrade attacks. In fact, if the client acquires theresponder's cert prior to making a request, there would not even be aneed for real negotiation, since the client would know what alg torequest in a response.


Steve

Follow-Ups:
- RE: OCSP Algorithm Agility
  - From: Santosh Chokhani
- RE: OCSP Algorithm Agility
  - From: Paul Hoffman
- RE: OCSP Algorithm Agility
  - From: Santosh Chokhani

References:
- RE: OCSP Algorithm Agility
  - From: Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility
  - From: Paul Hoffman

Prev by Date: RE: OCSP Algorithm Agility
Next by Date: RE: OCSP Algorithm Agility
Previous by thread: RE: OCSP Algorithm Agility
Next by thread: RE: OCSP Algorithm Agility
Index(es):
- Date
- Thread