Specify allowed usage of "unknown" OCSP response #189
Comments
|
Dear Wayne, According to section 2.2 of RFC 6960, an OCSP responder may respond "revoked" for a "non-issued" Certificate. It even allows this response for "unknown" Certificates in order to support backwards compatibility with implementations of RFC 2560. In addition to that, section 4.4.8 labeled "Extended Revoked Definition" says: "This extension MUST be included in the OCSP response when that response contains a "revoked" status for a non-issued certificate". Also, from section 2.2
By reading the BRs (section 6.9.13), it is clear that TLS Certificates are not allowed to be "suspended". However, if an RFC 6960 compliant OCSP responder responds with "revoked" for an unknown serial number and then issues a certificate with the same requested serial number, it will later return a response "good". This seems to be an allowed practice therefore it should be OK for a responder to change a "revoked" status to "good". In addition to that, 6960 demands that for non-issued Certificates, the responder must use the revocationReason "certificateHold". To summarize:
Using the following practice as described in RFC 6960 should not be a violation of the BRs. That is, answering revoked where a pre-certificate has been issued but not the final certificate should be OK as long as the response contains the Extended Revoked extension and the revocationReason is |
|
Dimitris: All of this is being discussed on the list. Could I ask you to
continue the discussion there so it doesn’t fragment?
|
|
I wasn't sure which thread I should post this. One is discussion about Digicert's incident and the other is discussing about Apple's :) Anyway, I think I will respond to the thread with the most recent response. |
|
Looking at the emails, it appears that CABF Ballot SC23v3 subsequently passed and BR 4.9.10 was amended to address OCSP for precertificates. However, I don't believe that we have fully addressed whether / to what extent "unknown" and other similar types of OCSP responses are allowed. I'm not sure where the email thread on m.d.s.p. picks this back up. |
RFC 6960 section 2.2 describes a limited situation in which the "unknown" response is expected to be returned for a certificate, but it is a SHOULD. There appear to be no hard and fast rules on when this response is forbidden, but multiple discussions [1][2][3] have resulted in the understanding that it is not generally acceptable. My understanding (to be confirmed) is that Firefox treats this response as a soft failure, which makes its use a risk. Consider banning the use of the "unknown" OCSP response.
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1551390
[2] https://groups.google.com/d/msg/mozilla.dev.security.policy/LC_y8yPDI9Q/NbOmVB77AQAJ
[3] https://groups.google.com/d/msg/mozilla.dev.security.policy/hJGY5U-0bYI/K-emAMXVAQAJ
The text was updated successfully, but these errors were encountered: