[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: OCSP Algorithm Agility

To: Paul Hoffman <paul.hoffman@xxxxxxxx>
Subject: RE: OCSP Algorithm Agility
From: Stephen Kent <kent@xxxxxxx>
Date: Fri, 21 Sep 2007 17:49:32 -0400
Cc: <ietf-pkix@xxxxxxx>
In-reply-to: <>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <2788466ED3E31C418E9ACC5C3166155703DF57@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <> <> <>
Sender: owner-ietf-pkix@xxxxxxxxxxxx


At 1:38 PM -0700 9/21/07, Paul Hoffman wrote:

At 2:07 PM -0400 9/21/07, Stephen Kent wrote:
How about defining an extension to be included in the cert issuedto an OCSP responder by a CA. The extension would have an orderedlist of algorithms (hash and signature if we want to address morethan the hash agility issue) accepted by the OCSP responder. AnOCSP client can use this info to determine what is the "best"algorithm (or alg pair) that it and the responder share. Thecombination of this extension and an OCSP negotiation procedurewill allow the client to detect MITM downgrade attacks. In fact, ifthe client acquires the responder's cert prior to making a request,there would not even be a need for real negotiation, since theclient would know what alg to request in a response.
Imagine the list of algorithms is RSA-with-SHA1 first andDSA-with-SHA1 second. How does your negotiation work? The clientasks for this message to be signed with RSA-with-SHA1. But theserver knows that RSA-with-SHA1 has been compromised since it gotthat certificate from the CA. What does the server say to the clientto indicate that it only wants to sign with DSA-with-SHA1? Whatprevents Mallory from saying the same thing to the client?
--Paul Hoffman, Director
--VPN Consortium


Paul,

You are correct that to impose a total ordering on what may be moreappropriately described as a lattice implies a value judgement, andthe responder and client might have different perspective. However,the responder, by publishing the list has expressed its totalordering, and has defined the set of algs that it supports. Thatallows the client to:

- if the client wants to rely on the responder's totalordering value judgement, the extension offers a verifiable referencefor that.

- if the client wants to use his own total ordering, he knowswhat set he can chose from, and thus can avoid offering a subset ofhis capabilities that will not overlap with that of the responder.

Lookng at your example, the CA should revoke the OCSP responder'scert with the newly compromised, bad algs, and issue a new one. yes,this is imperfect because we an encounter a circular revocationstatus problem for a responder. but I think this can be managed in apractical way by establishing a reasonable re-issue frequency for theresponder's cert.


Steve

Follow-Ups:
- RE: OCSP Algorithm Agility
  - From: Paul Hoffman

References:
- RE: OCSP Algorithm Agility
  - From: Hallam-Baker, Phillip
- RE: OCSP Algorithm Agility
  - From: Paul Hoffman
- RE: OCSP Algorithm Agility
  - From: Stephen Kent
- RE: OCSP Algorithm Agility
  - From: Paul Hoffman

Prev by Date: RE: OCSP Algorithm Agility
Next by Date: RE: OCSP Algorithm Agility
Previous by thread: RE: OCSP Algorithm Agility
Next by thread: RE: OCSP Algorithm Agility
Index(es):
- Date
- Thread