Draft profile of OCSP Responders and Responses #2
There are no files selected for viewing
| Original file line number | Original file line | Diff line number | Diff line change |
|---|---|---|---|
|
|
@@ -813,7 +813,8 @@ The Issuing CA SHALL revoke a Subordinate CA Certificate within seven (7) days i | ||
| 7. The Issuing CA or Subordinate CA ceases operations for any reason and has not made arrangements for another CA to provide revocation support for the Certificate; | 7. The Issuing CA or Subordinate CA ceases operations for any reason and has not made arrangements for another CA to provide revocation support for the Certificate; | ||
| 8. The Issuing CA's or Subordinate CA's right to issue Certificates under these Requirements expires or is revoked or terminated, unless the Issuing CA has made arrangements to continue maintaining the CRL/OCSP Repository; | 8. The Issuing CA's or Subordinate CA's right to issue Certificates under these Requirements expires or is revoked or terminated, unless the Issuing CA has made arrangements to continue maintaining the CRL/OCSP Repository; | ||
| 9. Revocation is required by the Issuing CA's Certificate Policy and/or Certification Practice Statement; or | 9. Revocation is required by the Issuing CA's Certificate Policy and/or Certification Practice Statement; or | ||
| 10. The technical content or format of the Certificate presents an unacceptable risk to Application Software Suppliers or Relying Parties (e.g. the CA/Browser Forum might determine that a deprecated cryptographic/signature algorithm or key size presents an unacceptable risk and that such Certificates should be revoked and replaced by CAs within a given period of time); or | |||
| 11. The Subordinate CA has issued one or more Delegated OCSP Responder Certificates with a validity period greater than 31 days and the Issuing CA obtains evidence that the Delegated OCSP Responder Certificate's Private Key has been misused, suffered a Key Compromise, or no longer complies with the requirements of Section 6.1.5 and 6.1.6. | |||
|
|
|
||
| ### 4.9.2 Who can request revocation | ### 4.9.2 Who can request revocation | ||
| The Subscriber, RA, or Issuing CA can initiate revocation. Additionally, Subscribers, Relying Parties, Application Software Suppliers, and other third parties may submit Certificate Problem Reports informing the issuing CA of reasonable cause to revoke the certificate. | The Subscriber, RA, or Issuing CA can initiate revocation. Additionally, Subscribers, Relying Parties, Application Software Suppliers, and other third parties may submit Certificate Problem Reports informing the issuing CA of reasonable cause to revoke the certificate. | ||
|
|
@@ -853,30 +854,33 @@ The CA SHALL update and reissue CRLs at least (i) once every twelve months and ( | ||
| No stipulation. | No stipulation. | ||
|
|
|
||
| ### 4.9.9 On-line revocation/status checking availability | ### 4.9.9 On-line revocation/status checking availability | ||
| The CA SHALL provide an OCSP responder that conforms to the profile specified by RFC5019 for all Certificates issued, including the transport profile. | |||
|
There was a problem hiding this comment. This is a refinement on the requirement from 866/867, whose goal is to make it efficient for Relying Parties and Servers to efficiently obtain fresh OCSP information. It is more restrictive than the current language, which permits RFC 6960 A.1 style GETs, but matches what Clients and Servers are already expecting (notably, IIS). There was a problem hiding this comment. The other thing this profile requires is that the CA MUST include a nextUpdate field. This is effectively already part of Microsoft's program requirements, as part of https://social.technet.microsoft.com/wiki/contents/articles/31633.microsoft-trusted-root-program-requirements.aspx#C_Revocation_Requirements There was a problem hiding this comment. Compulsory nextUpdate is also part of the Mozilla requirements. There was a problem hiding this comment. Please note that RFC5019 and RFC6960 are not consistent about the presence of nextupdae field in the OCSP response. RFC5019 says: "Clients MUST check for the existence of the nextUpdate field and MUST ensure the current time, expressed in GMT time as described in Section 2.2.4, falls between the thisUpdate and nextUpdate times. If the nextUpdate field is absent, the client MUST reject the response”. However, RFC6960 says “If nextUpdate is not set, the responder is indicating that newer revocation information is available all the time.” This means that client can accept the OCSP response but they cannot cache it. There was a problem hiding this comment. @SamerW That's not a correct analysis. RFC 5019 is a profile of RFC 6960 - so of course 5019 is more restrictive than 6960 (or, alternatively, 6960 is more liberal). You're arguing that because it's possible to be more liberal, it's at conflict with 5019 - but not, the entire purpose of referencing 5019 is to indicate the MUST requirement nature of the nextUpdate, and then to further constrain the profile of 5019 in the Baseline Requirements. There was a problem hiding this comment.
What does 866/867 refer to here?
By my reading, the only way in which RFC5019 GETs are more restrictive than RFC 6960 GETs is that they specify some response headers. Is that accurate? There was a problem hiding this comment. Ah, reading down I see that 866/867 refers to line numbers, and the comment on line 867 explains about the caching headers. |
|||
|
There was a problem hiding this comment. This is intended to be addressed by line 1596. |
|||
|
There was a problem hiding this comment. This is intended to be addressed by line 1597. |
|||
|
There was a problem hiding this comment. As this is not about availability, but requirements, it's moved to line 871. |
|||
|
|
|
||
| ### 4.9.10 On-line revocation checking requirements | ### 4.9.10 On-line revocation checking requirements | ||
| All OCSP responses MUST conform to the profile specified in Section 7.3 | |||
|
There was a problem hiding this comment. All other aspects about what the response looks like are now moved to Section 7.3, which is consistent with RFC 3647. |
|||
|
There was a problem hiding this comment. As we're past the effective date, this is removed. The requirement on line 856 is slightly more restrictive in this, but only in that it normatively specifies the use of HTTP caching directives, so that Relying Parties (and Servers) can efficiently obtain the information. |
|||
|
|
|
||
| For newly issued Subscriber Certificates, OCSP responses SHOULD be published prior to the delivery of the Certificate to the Subscriber. OCSP responses MUST be published no later than 10 minutes after the Subscriber Certificate has been issued. | |||
|
There was a problem hiding this comment. This is to try to provide an upper bound for Relying Parties, particularly servers, as to when they can expect to obtain a fresh OCSP response. Ideally, this would be a MUST be published prior, but some bound of latency is expected. 10 minutes seemed a reasonable upper-bound for distribution to CDNs, but to allow efficient deployment of stapling, particularly mustStaple, this number would likely need to come down to something like 1 minute. This is just a starting point for discussion. There was a problem hiding this comment. Does submitting a certificate to one or more CT logs count as "delivery of the Certificate to the Subscriber"? (The Subscriber may be operating a log monitor that detects the newly submitted certificate quickly, especially if one or more of the logs has a very short STH issuance frequency). If so, CAs that want to embed SCTs in OCSP responses would need to take special care here. Specifically, a cert's first OCSP response would need to be generated without embedded SCTs and before the cert is submitted to the CT logs. But...that would mean that the cert wouldn't be CT-compliant (to begin with), and so future CT-requiring browsers would reject it until the next OCSP response (with embedded SCTs) is provided. I realize that a "SHOULD" is not a "MUST", but I'd like to be able to embed SCTs in a cert's first OCSP response without that action being frowned upon. There was a problem hiding this comment. @robstradling Yup, that's the thorny part which I wanted to be careful with. I wanted to describe an upper bound for that, because there's a need to reasonably accommodate both logging a certificate and publishing to a CDN. I was trying to find a different phrase here - my goal was say if something was API delivered, then the API shouldn't return success until it met these criteria (ideally). This fits with something like ACME nicely, which supports the async return case. So my intent was to set the lower bound as "before success is indicated to the customer" (whether it be API or otherwise), with the upper bound as "within 10 minutes of issuance". Do you have any suggestions here how to clarify? There was a problem hiding this comment. Perhaps "OCSP responses SHOULD be published prior to delivering the Certificate directly to the Subscriber"? (i.e., delivering by publishing to CT would be "indirectly" delivering). There was a problem hiding this comment. I feel like saying "directly" opens up rules-lawyering. Better to take the position that "delivering the Certificate to the Subscriber" should be interpreted as being made available through the interface used to request a certificate.
|
|||
|
|
|
||
| The CA SHALL publish an updated OCSP response for Subscriber Certificates by the earlier of: | |||
| 1. 8 hours prior to the nextUpdate field of the previously published OCSP response; or | |||
| 2. If the OCSP response has a validity period, as defined by the difference in time between the thisUpdate and nextUpdate fields, of greater than 16 hours, then the value of the thisUpdate field plus one half of the validity period of the OCSP response. | |||
|
|
|
||
| The CA SHALL publish an updated OCSP response for Subordinate CA Certificates by the earlier of: | |||
| 1. 24 hours after revoking a Subordinate CA Certificate; or | |||
| 2. 3 months; or | |||
| 3. 92 days. | |||
|
|
|||
| If a Delegated OCSP Responder Certificate is used: | |||
| 1. The Delegated OCSP Responder Certificate MUST be directly signed and issued by the Issuer CA of the Subscriber Certificate it provides status information for, using the same issuer name and key; and | |||
| 2. The Delegated OCSP Responder Certificate MUST contain the id-pkix-ocsp-nocheck extension as defined in RFC6960; and | |||
| 3. All certificates issued by the CA for the Delegated OCSP Responder's public key MUST contain an extended key usage certificate extension whose only value is id-kp-OCSPSigning, as specified in RFC6960; and | |||
| 4. The Delegated OCSP Responder Certificate MUST have a validity period no greater than one year, and SHOULD have a validity period no greater than 31 days. If a Delegated OCSP Responder Certificate with a validity period greater than 31 days is issued, the Issuing CA MUST be subject to the revocation requirements of Section 4.9.1.2. | |||
|
|
|
||
| If a Delegated OCSP Responder Certificate is not used, or if the validity period of the Delegated OCSP Responder Certificate is greater than 31 days, the OCSP response MUST be pre-produced as specified in RFC5019. | |||
|
|
|
||
| If the OCSP responder receives a request for status of a certificate that has not been issued, then the responder SHOULD NOT respond with a "good" status. The CA SHOULD monitor the responder for such requests as part of its security response procedures. | If the OCSP responder receives a request for status of a certificate that has not been issued, then the responder SHOULD NOT respond with a "good" status. The CA SHOULD monitor the responder for such requests as part of its security response procedures. | ||
|
|
|
||
| OCSP responders for CAs which are not Technically Constrained in line with Section 7.1.5 MUST NOT respond with a "good" status for such certificates. | |||
|
There was a problem hiding this comment. Just cleaning up effective dates There was a problem hiding this comment. I think more editing should be done than just removing the dates. This exception should be phased out over time. |
|||
|
|
|
||
| ### 4.9.11 Other forms of revocation advertisements available | ### 4.9.11 Other forms of revocation advertisements available | ||
| If the Subscriber Certificate is for a high-traffic FQDN, the CA MAY rely on stapling, in accordance with [RFC4366], to distribute its OCSP responses. In this case, the CA SHALL ensure that the Subscriber "staples" the OCSP response for the Certificate in its TLS handshake. The CA SHALL enforce this requirement on the Subscriber either contractually, through the Subscriber Agreement or Terms of Use, or by technical review measures implemented by the CA. | If the Subscriber Certificate is for a high-traffic FQDN, the CA MAY rely on stapling, in accordance with [RFC4366], to distribute its OCSP responses. In this case, the CA SHALL ensure that the Subscriber "staples" the OCSP response for the Certificate in its TLS handshake. The CA SHALL enforce this requirement on the Subscriber either contractually, through the Subscriber Agreement or Terms of Use, or by technical review measures implemented by the CA. | ||
|
|
@@ -1357,9 +1361,7 @@ b. cRLDistributionPoints | ||
|
|
|
||
| c. authorityInformationAccess | c. authorityInformationAccess | ||
|
|
|
||
| This extension MUST be present. It MUST NOT be marked critical, and it MUST contain the HTTP URL of the Issuing CA's OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1). It SHOULD also contain the HTTP URL of the Issuing CA's certificate (accessMethod = 1.3.6.1.5.5.7.48.2). | |||
|
There was a problem hiding this comment. The problem with this section is that it applies to subordinate CAs, but the method it describes cannot be used to provide revocation status information for subordinate CAs. That's provided by RFC 6961, from Yngve Pettersen, but for which few (no?) browser members support. Because of that, it's possible to meet this requirement using the language written, so it's removed. Support for status_request_v2 isn't high on most folks TLS1.2 agenda. In TLS1.3, the whole mechanism is changed (and implicitly includes this, although that may not be desirable). I suspect that this is probably a broader discussion for Browser Members as to whether to support this case in the future, but given that it cannot and is not supported now, it seemed OK to remove. |
|||
|
|
|
||
| d. basicConstraints | d. basicConstraints | ||
|
|
|
||
|
|
@@ -1595,10 +1597,21 @@ The issuing CA SHALL document in its Certificate Policy or Certification Practic | ||
|
|
|
||
| ## 7.3 OCSP profile | ## 7.3 OCSP profile | ||
|
|
|
||
| 1. All OCSP responses MUST conform with RFC6960 and be the profile specified in RFC5019. | |||
| 2. Responses MUST have the same value for the producedAt and thisUpdate times. | |||
| 3. Except for responses indicating a Revoked status, the difference in time between the thisUpdate and nextUpdate fields MUST be greater than or equal to 8 hours and MUST NOT be greater than or equal to 192 hours (7 days). | |||
| 4. For OCSP responses directly signed by the issuing CA, the response MUST NOT include any certificates within the BasicOCSPResponse's certs field. | |||
| 5. For OCSP responses signed by a Delegated OCSP Responder Certificate, the response MUST only include the Delegated OCSP Responder Certificate within the BasicOCSPResponse's certs field and MUST NOT include any additional certificates. | |||
|
|
|||
| ### 7.3.1 Version number(s) | ### 7.3.1 Version number(s) | ||
|
|
|
||
| OCSP responders MUST support v1 requests, as specified in RFC6960. OCSP responders MUST produce v1 responses, as specified in RFC6960. | |||
|
|
|||
| ### 7.3.2 OCSP extensions | ### 7.3.2 OCSP extensions | ||
|
|
|
||
| 1. As specified in RFC5019 for pre-produced responses, responses MUST NOT include the id-pkix-ocsp-nonce extension. | |||
|
There was a problem hiding this comment. As discussed during the SHA-1 discussions, CAs supporting id-pkix-ocsp-nonce can be induced to sign material used to produce collisions. It also is actively detrimental to stapling. If there's a use case for CAs to support this, I think we need to specify an upper-bound, and would want to revisit the profile for OCSP Responder Certificates to minimize risk. There's no good answers here. |
|||
| 2. Responses MAY include an OCSP extension with the OID 1.3.6.1.4.1.11129.2.4.5. If such an extension is included, it MUST conform to RFC6962. | |||
|
There was a problem hiding this comment. This is just the CT extension, and making it a requirement that you can't put random stuff in here. |
|||
|
|
|||
|
There was a problem hiding this comment. Are there other extensions CAs are using? I'd love to explicitly forbid all other extensions for consistency, but don't know enough about the space to do this definitively. |
|||
| # 8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS | # 8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS | ||
| The CA SHALL at all times: | The CA SHALL at all times: | ||
|
|
|
||
|
|
|||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is replaced with line 856, restricting it to JUST RFC 5019.