
RE: OCSP response authentication question



Ambarish and Jonathan,

Jonathan asked how to determine the authoritativeness of a 
signature over an OCSP response if that response provides status 
information for a chain of certificates.  I agree with your reply 
to Jonathan, but I'd like to add just one thought.

You indicated that the OCSP responder could
"...provide you with a consolidated response signed with a 
key that you trust (using direct trust)."

This direct trust could be based on the following interpretation of
Rule 1 ("Matches a local configuration of OCSP signing authority 
for the certificate in question; "):

The OCSP client could be locally configured to accept that an OCSP
responder that is designated as authoritative for the status
of a CA certificate is also authoritative for the status of
all certificates subordinate to that CA certificate.  This 
would handle the common usage case of a chain of certificates.

- Regards,

  Carlin Covey
  Cylink Corp.

-----Original Message-----
From: Ambarish Malpani [mailto:ambarish@valicert.com]
Sent: Monday, December 11, 2000 9:30 AM
To: 'Jonathan.Tuliani@symbian.com'; ietf-pkix@imc.org
Subject: RE: OCSP response authentication question



Hi Jonathan,
    The usage that you desire is quite correct and being used by
others.

It is perfectly reasonable to trust a single server and to send it
queries for the status of multiple certificates. If the server is
appropriately configured, it can go out to find the statuses of all
the certificates you are interested in and provide you with a
consolidated response signed with a key that you trust (using direct
trust).

If multiple CAs are willing to trust a single responder to provide
responses on their behalf, it is also possible for a single
responder to have multiple OCSP signing certificates issued by
multiple CAs. In this case, it is possible for you to get a single
response, signed by a single responder, but with multiple
certificates, indicating that the responder is authorized by
multiple CAs.

There is also a third possibility, where the client just queries all
the OCSP responders directly.

Hope this helps,
Regards,
Ambarish

---------------------------------------------------------------------
Ambarish Malpani
Architect                                                650.567.5457
ValiCert, Inc.                                  ambarish@valicert.com
339 N. Bernardo Ave.                          http://www.valicert.com
Mountain View, CA 94043


> -----Original Message-----
> From: Jonathan.Tuliani@symbian.com [mailto:Jonathan.Tuliani@symbian.com]
> Sent: Monday, December 11, 2000 8:14 AM
> To: ietf-pkix@imc.org
> Subject: OCSP response authentication question
> 
> 
> Dear all,
> 
> We've been having a little trouble understanding how we should be
> planning to authenticate our OCSP responses in the case where there is
> more than one certificate from more than one issuer.  If anyone can
> help to shed some light on this issue, we should be most grateful.
> Details follow.
> 
> We're using the June 1999 edition of the OCSP spec, btw.
> 
> Suppose that a client wished to authenticate more than one
> certificate.  For example, suppose the client has a chain of
> certificates: to validate the chain requires each certificate to be
> revocation checked.  It is possible to bundle all of these
> certificates into a single OCSP request.  Similarly, the OCSP response
> should be able to give us the status for each certificate.
> 
> Our problem arises when trying to authenticate this response.  It is
> reasonable to suppose that the certificates in the request could have
> been issued by a variety of different bodies.  Indeed, this is likely
> to be so in the common usage scenario of validating a certificate
> chain.  However, notice that the OCSP response has only a single
> signature.  This being the case, there is no way we can employ rules 2
> or 3 under section 4.2.2.2 of the OCSP spec - these specify that the
> response be signed either directly by the certificate issuing CA, or
> contain an extendedKeyUsage extension issued directly by the issuing
> CA.  This leaves rule 1, that is that the response match a locally
> configured trusted responder.
> 
> Now suppose additionally that the OCSP server in question is operating
> in the mode described in section 4.4.6 of the spec.  That is,
> information is taken from AuthorityInfoAccess extensions in the
> certificates to form serviceLocator extensions, which are placed into
> the request as singleRequestExtensions.  The OCSP server uses these
> extensions to direct the request to other servers known to be
> authoritative for the certificate in question.  In our scenario, these
> serviceLocator extensions will be specifying several different
> authoritative servers.  We suppose then that the original OCSP server
> must collate and authenticate these responses, before compiling a
> single response valid for all certificates, which it then signs and
> sends to the client.
> 
> We would be grateful if someone more familiar with the OCSP spec could
> confirm that what I have described is indeed a valid intended usage
> scenario.  In particular, we are concerned about the authentication of
> the multiple responses that the OCSP server must perform before
> producing the collated response.  Is it correct for the client to
> trust the server with this task?
> 
> Best regards, and thanks in advance,
> 
> Jonathan
> -----------------------------
> Jonathan.Tuliani@Symbian.com
> www.symbian.com
>
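
The Rule 1 interpretation in the first message of this thread (a responder locally designated as authoritative for a CA certificate is also accepted for every certificate subordinate to it) can be sketched as a client-side authorization check. This is an added example, not code from any poster or from the OCSP specification. The key ids, certificate names and helper functions are constructed, certificates are modelled by subject and issuer name only, and the response signature and the chain itself are assumed to have been verified already.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # subject name of the issuing CA certificate

# Constructed sample store: one three-level chain plus an unrelated hierarchy.
STORE = {c.subject: c for c in [
    Cert("Example Root CA", "Example Root CA"),
    Cert("Example Issuing CA", "Example Root CA"),
    Cert("www.example.test", "Example Issuing CA"),
    Cert("Other Root CA", "Other Root CA"),
    Cert("mail.other.test", "Other Root CA"),
]}

# Local configuration (Rule 1): responder signing key -> CA certificates
# for which that responder is designated authoritative. Constructed values.
CONFIG = {
    "responder-key-A": {"Example Root CA"},
    "responder-key-B": {"Example Issuing CA"},
}

def is_subordinate_to(cert, ca_subject, store, max_depth=8):
    """True if cert is the designated CA certificate or chains up to it."""
    current = cert
    for _ in range(max_depth):          # bound the walk against issuer loops
        if current is None:
            return False                # issuer not in the store
        if current.subject == ca_subject:
            return True
        if current.issuer == current.subject:
            return False                # self-signed root, nothing above it
        current = store.get(current.issuer)
    return False

def authorize_response(signer_key_id, cert_subjects, store, config):
    """Per-certificate decision: may this signer speak for this status entry?"""
    designated = config.get(signer_key_id, set())
    decisions = {}
    for subject in cert_subjects:
        cert = store.get(subject)
        decisions[subject] = cert is not None and any(
            is_subordinate_to(cert, ca, store) for ca in designated)
    return decisions

def accept_consolidated(signer_key_id, cert_subjects, store, config):
    """Accept a consolidated response only if every entry is covered."""
    decisions = authorize_response(signer_key_id, cert_subjects, store, config)
    return bool(decisions) and all(decisions.values())
```

A responder designated only for the issuing CA is accepted for that CA certificate and the certificates below it, but not for the root above it, so a consolidated response covering the whole chain is accepted only from a responder designated at the top of that chain.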