Network Working Group M.Myers draft-ietf-pkix-ocspv2-ext-01.txt TraceRoute Security A. Malpani Malpani Consulting Services D.Pinkas Bull Target category: Standards Track December 2002 Expires in 6 months X.509 Internet Public Key Infrastructure Online Certificate Status Protocol, version 2 draft-ietf-pkix-ocspv2-ext-01.txt Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Copyright Notice Copyright (C) The Internet Society (1999-2002). All Rights Reserved. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document (in uppercase, as shown) are to be interpreted as described in [RFC2119]. 1. Abstract The Online Certificate Status Protocol (OCSP) enables applications to determine on line the revocation status of a certificate. This document specifies one extension for the OCSP protocol and defines a version v2 for that protocol which allows additional means to designate the certificate for which the revocation status is requested. It also allows to ask for the revocation status of either a public key certificate (PKC) or an attribute certificate (AC). Malpani & all [Page 1] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 2. General OCSP is a protocol useful in determining the current status of a digital certificate without requiring CRLs. Additional mechanisms addressing PKIX operational requirements are specified in separate documents. This document specifies one extensions that may be used with OCSP in a request. Currently the serviceLocator extension may be used in a request to route the request to the OCSP server which is known to be authoritative for the identified certificate. The client fills in that extension by copying the AuthorityInfoAccess (AIA) field from the certificate which specifies the address of the OCSP server. However, if the CA that has issued the certificate has chosen to only issue CRLs, and if the client wants to talk to a single OCSP server to get the revocation status of a certificate, that OCSP server may not know where the CRL is available. For that reason a new extension is being defined to allow the OCSP server to locate the CRL. That extension is called the crlLocator. The client may fill-in that extension by copying the CRLDistributionPoints (CDP) field from the certificate which specifies the address of the CRL repository. This document also specifies OCSPv2 which differs from OCSPv1 by the fact that more means are provided to specify the certificate for which the revocation status is provided. OCSPv2 also allows to get the revocation status of Attribute Certificates. RFC 2560bis allows to reference the certificate using the following structure: CertID ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier, issuerNameHash OCTET STRING, -- Hash of Issuer's DN issuerKeyHash OCTET STRING, -- Hash of Issuer's public key serialNumber CertificateSerialNumber } Since the hash of the issuer's public key is mandatory, the protocol can only be used when a certification path has been constructed before. A goal of OCSPv2 is to allow to use the protocol when the only information available is either the full certificate itself or an ambiguous reference of the certificate for which the query will be made. In many cases, it is more efficient to first make sure that the certificate is not revoked, before trying to build a certification path and making accesses to a repository (e.g. using LDAP). Malpani & all [Page 2] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 In addition, since only the hash of the issuer name is transmitted, it was not easy for the OCSP responder, when using OCSPv1, to identify the CA, unless working with an a priori list of CAs. The goal of that extension is also to allow to fulfill the service, even when the CAs are not a priori known to the OCSP responder. OCSPv2 still allows the use of CertID (for backward compatibility), but allows for two other options: a) to send the full certificate, b) to send the issuer name, the certificate serial number, a hash value computed over the ASN.1 DER encoded tbsCertificate field from the certificate, and the signature (value and algorithm identifier) of the certificate. The hash value is computed using the hash function designated in the algorithm identifier of the signature. While sending the whole certificate allows an OCSP server to pick up any information from the certificate, the certificate while being transmitted may be observed. A confidentiality service would certainly provide an adequate protection, but the protocol will not release private information, if only the issuer name, the certificate serial number, a hash value and the signature are disclosed. In this way the second option may be preferable. It is up to the client to decide which option suits its needs. The OCSP response has been extended to cover the same possibilities (the OCSP server simply copies what it received). In this document, the terms client and requestor are used interchangeably to indicate the entity making the OCSP request, while the terms server and responder are used to indicate the entity providing the response. 3. OCSPv2 3.1 Protocol Overview In lieu of or as a supplement to checking against a periodic CRL, it may be necessary to obtain timely information regarding the revocation status of a certificate (cf. [RFC3280], Section 3.3). Examples include high-value funds transfer or large stock trades. The Online Certificate Status Protocol (OCSP) enables applications to determine the (revocation) state of an identified certificate. OCSP may be used to satisfy some of the operational requirements of providing more timely revocation information than is possible with CRLs and may also be used to obtain additional status information. An OCSP client issues a status request to an OCSP responder and suspends acceptance of the certificate in question until the responder provides a response. Malpani & all [Page 3] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 This protocol specifies the data that needs to be exchanged between an application checking the status of a certificate and the server providing that status. 3.2 Request An OCSP request contains the following data: -- protocol version -- service request -- target certificate identifier -- optional extensions which MAY be processed by the OCSP Responder Upon receipt of a request, an OCSP Responder determines if: 1. the message is well formed 2. the responder is configured to provide the requested service and 3. the request contains the information needed by the responder. If any one of the prior conditions are not met, the OCSP responder produces an error message; otherwise, it returns a definitive response. 3.3 Response OCSP responses can be of various types. An OCSP response consists of a response type and the bytes of the actual response. There is one basic type of OCSP response that MUST be supported by all OCSP servers and clients. The rest of this section pertains only to this basic response type. All definitive response messages SHALL be digitally signed. The key used to sign the response MUST belong to one of the following: -- the CA who issued the certificate in question -- a Trusted Responder whose public key is trusted by the requestor -- a CA Designated Responder (Authorized Responder) who holds a specially marked certificate issued directly by the CA, indicating that the responder may issue OCSP responses for that CA A definitive response message is composed of: -- version of the response syntax -- name of the responder -- responses for each of the certificates in a request -- optional extensions -- signature algorithm OID -- signature computed across hash of the response Malpani & all [Page 4] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 The response for each of the certificates in a request consists of -- target certificate identifier -- certificate status value -- response validity interval -- optional extensions This specification defines the following definitive response indicators for use in the certificate status value: -- good -- revoked -- unknown The "good" state indicates that the certificate has not been revoked. It does not indicate that the certificate was ever issued, or is in its validity interval. The "revoked" state indicates that the certificate has been revoked (either permanently or temporarily (on hold)). The "unknown" state indicates that the responder does not know, or is unwilling to tell, the requestor the status of the certificate. A client may be able to get a definitive response later, or at another responder. Response extensions may be used to convey additional information on assertions made by the responder regarding the status of the certificate such as positive statement about issuance, expiry, etc. 3.4 Exception Cases In case of errors, the OCSP Responder may return an error message. These messages are not signed. Errors can be of the following types: -- malformedRequest -- internalError -- tryLater -- sigRequired -- unauthorized A server produces the "malformedRequest" response if the request received does not conform to the OCSP syntax. The response "internalError" indicates that the OCSP responder reached an inconsistent internal state. The query should be retried, potentially with another responder. In the event that the OCSP responder is operational, but unable to return a status for the requested certificate, the "tryLater" response can be used to indicate that the service exists, but is temporarily unable to respond. Malpani & all [Page 5] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 The response "sigRequired" is returned in cases where the server requires the client sign the request in order to construct a response. The response "unauthorized" is returned in cases where the client is not authorized to make this query to this server. 3.5 Semantics of thisUpdate, nextUpdate and producedAt Responses can contain three times in them - thisUpdate, nextUpdate and producedAt. The semantics of these fields are: - thisUpdate: The time at which the status being indicated is known to be correct - nextUpdate: The time at or before which newer information will be available about the status of the certificate - producedAt: The time at which the OCSP responder signed this response. If nextUpdate is not set, the responder is indicating that it is does not know when newer revocation information will be available (examples of why a responder might not know when new revocation information is likely to be available are that the CA hasn't told it, or because newer information is available all the time). 3.6 OCSP Signature Authority Delegation The key that signs a certificate's status information need not be the same key that signed the certificate. A certificate's issuer explicitly delegates OCSP signing authority by issuing a certificate containing a unique value for extendedKeyUsage in the OCSP signer's certificate. This certificate MUST be issued directly to the responder by the cognizant CA. 3.7 CA Key Compromise If an OCSP responder knows that a particular CA's private key has been compromised, it MAY return the revoked state for all certificates issued by that CA. 3.8 Transports for OCSP While OCSP can be used over many transports, for interoperability, all OCSP clients and responders MUST support the use of HTTP [HTTP] as the transport. 4. Functional Requirements 4.1 Certificate Content In order to convey to OCSP clients a well-known point of information access, CAs SHALL provide the capability to include the Malpani & all [Page 6] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 AuthorityInfoAccess extension (defined in [RFC3280], section 4.2.2.1) in certificates that can be checked using OCSP. Alternatively, the accessLocation for the OCSP provider may be configured locally at the OCSP client. CAs that support an OCSP service, either hosted locally or provided by an Authorized Responder, MUST provide for the inclusion of a value for a uniformResourceIndicator (URI) accessLocation and the OID value id-ad-ocsp for the accessMethod in the AccessDescription SEQUENCE. The value of the accessLocation field in the subject certificate defines the transport (e.g. HTTP) used to access the OCSP responder and may contain other transport dependent information (e.g. a URL). 4.2 Signed Response Acceptance Requirements Prior to accepting a signed response as valid, OCSP clients SHALL confirm that: 1. The certificate identified in a received response corresponds to that which was identified in the corresponding request; 2. The signature on the response is valid; 3. The identity of the signer matches the intended recipient of the request. 4. The signer is currently authorized to sign the response. 5. The time at which the status being indicated is known to be correct (thisUpdate) is sufficiently recent. 6. When nextUpdate is set in the response, it is greater than the current time. 7. The producedAt time in the response is sufficiently recent. 8. If the request contained a nonce, the response must contain the same nonce (see section 5.4.1). NOTE: The first criteria does not imply that a client should reject an OCSP response from a server that contains statuses of a superset or subset of the certificates whose statuses were requested i.e. it is all right for a server to, in an OCSP response provide the statuses of only some of the certificates requested, and some other certificates whose statues were not requested. For example, if a client requests the status of certificates with serial numbers 1 and 2 and gets a response which has the statuses of certificates with serial numbers 1 and 3, the client can accept that response for the status of the certificate with serial number 1, assuming the rest of the response acceptance criteria were met. Malpani & all [Page 7] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 5. Detailed Protocol The ASN.1 syntax imports terms defined in [RFC3280]. For signature calculation, the data to be signed is encoded using the ASN.1 distinguished encoding rules (DER) [X.690]. ASN.1 EXPLICIT tagging is used as a default unless specified otherwise. The terms imported from elsewhere are: Extensions, CertificateSerialNumber, SubjectPublicKeyInfo, Name, AlgorithmIdentifier, CRLReason, IssuerandSerialNumber. 5.1 Requests This section specifies the ASN.1 specification for a confirmation request. The actual formatting of the message could vary depending on the transport mechanism used (HTTP, SMTP, LDAP, etc.). 5.1.1 Request Syntax OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest, optionalSignature [0] EXPLICIT Signature OPTIONAL } TBSRequest ::= SEQUENCE { version [0] EXPLICIT Version DEFAULT v1, requestorName [1] EXPLICIT GeneralName OPTIONAL, requestList SEQUENCE OF Request, requestExtensions [2] EXPLICIT Extensions OPTIONAL } Signature ::= SEQUENCE { signatureAlgorithm AlgorithmIdentifier, signature BIT STRING, certs [0] EXPLICIT Certificates OPTIONAL} Version ::= INTEGER { v1(0), v2(1) } Request ::= SEQUENCE { reqCert ReqCert, singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL } Certificates ::= SEQUENCE SIZE(1..MAX) of Certificate ReqCert ::= CHOICE { certID CertID, fullCert [0] FullCertificate, certIdWithSignature [1] CertIdWithSignature } CertID ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier, issuerNameHash OCTET STRING, -- Hash of Issuer's DN issuerKeyHash OCTET STRING, -- Hash of Issuers public key serialNumber CertificateSerialNumber } Malpani & all [Page 8] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 Note: CertID is kept unchanged from OCSPv1. OCSPv1 interoperablity can be obtained through the use of the certID element of the ReqCert CHOICE. If certID is used in ReqCert, the value for version in the tbsRequest field of OCSPRequest SHALL be v1. If any other choice in ReqCert is used, the value for version SHALL be v2. issuerNameHash is the hash of the Issuer's distinguished name. The hash shall be calculated over the DER encoding of the issuer's name field in the certificate being checked. issuerKeyHash is the hash of the Issuer's public key. The hash shall be calculated over the value of the BIT STRING subjectPublicKey field (excluding the tag, length and number of unused bits) in the issuer's certificate. The hash algorithm used for both these hashes, is identified in hashAlgorithm. serialNumber is the serial number of the certificate for which status is being requested. fullCert may be either a public key certificate, as defined in RFC 3280, or an attribute certificate, as defined in RFC 3281. OCSP responder SHALL support public key certificates and MAY support Attribute Certificates. FullCertificate ::= CHOICE { certificate [0] Certificate, attributeCert [1] AttributeCertificate } certIdWithSignature is a more compact way to specify unambiguously a certificate. CertIdWithSignature ::= SEQUENCE { issuerandSerialNumber IssuerandSerialNumber, tbsCertificateHash BIT STRING, certSignature CertSignature } IssuerandSerialNumber is defined in [RFC3369] section 10.2.4. tbsCertificateHash contains a hash value computed over the ASN.1 DER encoded tbsCertificate field from the certificate using the hash function identified in the signature algorithm from the signature. certSignature contains the signature fields from the certificate. CertSignature ::= SEQUENCE { signatureAlgorithm AlgorithmIdentifier, signatureValue BIT STRING } Malpani & all [Page 9] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 5.1.2 Notes on the Request Syntax The primary reason to use the hash of the CA's public key in addition to the hash of the CA's name, to identify the issuer, when CertID is being used, is that it is possible that two CAs may choose to use the same Name (uniqueness in the Name is a recommendation that cannot be enforced). Two CAs will never, however, have the same public key unless the CAs either explicitly decided to share their private key, or the key of one of the CAs was compromised. Including the hash of the CA's public key allows an OCSP client to ensure that it and the responder are both referring to the same CA. Support for any specific extension is OPTIONAL. The critical flag SHOULD NOT be set for any of them. Section 6.4 suggests several useful extensions. Additional extensions MAY be defined in additional RFCs. Unrecognized extensions MUST be ignored (unless they have the critical flag set and are not understood). The requestor MAY choose to sign the OCSP request. In that case, the signature is computed over the DER encoding of the tbsRequest structure. If the request is signed, the requestor SHALL specify its name in the requestorName field. Also, for signed requests, the requestor MAY include certificates that help the OCSP responder verify the requestor's signature in the certs field of Signature. 5.1.3. Notes on the client behavior This standard mandates the client to verify that the key used to sign the response belongs to one of the following: 1) the CA who issued the certificate in question, 2) a Trusted Responder whose public key is trusted by the requestor, 3) a CA Designated Responder (Authorized Responder) who holds a specially marked certificate issued directly by the CA, indicating that the responder may issue OCSP responses for that CA. These three cases are then considered individually: 5.1.3.1. Responder whose public key is the same as the key from CA who issued the certificate In that case, the client MUST first verify the certification path of the certificate and then use the key that was used to verify the certificate to verify that the signature from the OCSP response is correct. Malpani & all [Page 10] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 5.1.3.2. Trusted Responder whose public key is trusted by the requestor In that case, the client must directly use the public key from the Trusted Responder. This means that the client may not know if that key is revoked or not (unless out-of-bands means are being used). There are three ways for the client to designate the issuer: a) using CertID. In that case, issuerNameHash and issuerKeyHash are provided by the client. Since the client needs to provide the issuerKeyHash, this means that it needs first to get the superior CA certificate (e.g. it may be sent in a signed message) and to verify that the issuer key was used to sign it. b) using the full certificate. The client does not need to verify first the certification path of the certificate. c) using CertIdWithSignature. The client does not need to verify first the certification path of the certificate. 5.1.3.3. CA designated Responder who holds a specially marked certificate issued directly by the CA In that case, the client MUST use the AIA extension present in the certificate to locate the Authorized Responder. The client does not need to verify first the certification path of the certificate. However, when it gets the OCSP response, it SHALL verify that the signature from the OCSP response is correct. For doing this, it MUST find a certificate which holds a special mark (i.e. which contains in the Extended Key Usage the extension id-kp-OCSPSigning) issued by the issuer of the certificate to be verified and then make sure that this certificate allows to verify the signature from the OCSP response. It MUST verify the whole certification path for that certificate and verify that none of the certificates is revoked. 5.2 Response Syntax This section specifies the ASN.1 specification for a confirmation response. The actual formatting of the message could vary depending on the transport mechanism used (HTTP, SMTP, LDAP, etc.). 5.2.1 ASN.1 Specification of the OCSP Response An OCSP response at a minimum consists of a responseStatus field indicating the processing status of the prior request. If the value of responseStatus is one of the error conditions, responseBytes are not set. OCSPResponse ::= SEQUENCE { responseStatus OCSPResponseStatus, responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } Malpani & all [Page 11] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 OCSPResponseStatus ::= ENUMERATED { successful (0), --Response has valid confirmations malformedRequest (1), --Illegal confirmation request internalError (2), --Internal error in issuer tryLater (3), --Try again later --(4) is not used sigRequired (5), --Must sign the request unauthorized (6), --Request unauthorized badCRL (8) --Error in CRL processing } The value for responseBytes consists of an OBJECT IDENTIFIER and a response syntax identified by that OID encoded as an OCTET STRING. ResponseBytes ::= SEQUENCE { responseType OBJECT IDENTIFIER, response OCTET STRING } For a basic OCSP responder, responseType will be id-pkix-ocsp-basic. id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp } id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 } OCSP responders SHALL be capable of producing responses of the id- pkix-ocsp-basic response type. Correspondingly, OCSP clients SHALL be capable of receiving and processing responses of the id-pkix-ocsp- basic response type. The value for response SHALL be the DER encoding of BasicOCSPResponse. BasicOCSPResponse ::= SEQUENCE { tbsResponseData ResponseData, signatureAlgorithm AlgorithmIdentifier, signature BIT STRING, certs [0] EXPLICIT Certificates OPTIONAL } The value for signature SHALL be computed on the DER encoding of tbsResponseData. The responder MAY include certificates that help the OCSP client verify the responder's signature in the certs field of BasicOCSPResponse. ResponseData ::= SEQUENCE { version [0] EXPLICIT Version DEFAULT v1, responderID ResponderID, producedAt GeneralizedTime, responses SEQUENCE OF SingleResponse, responseExtensions [1] EXPLICIT Extensions OPTIONAL } ResponderID ::= CHOICE { byName [1] Name, byKey [2] KeyHash } Malpani & all [Page 12] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key -- (i.e. the SHA-1 hash of the value of the BIT STRING -- subjectPublicKey [excluding the tag, length and number of unused -- bits] of the responder's certificate). SingleResponse ::= SEQUENCE { reqCert ReqCert, -- MUST be identical to the same field from the request certStatus CertStatus, thisUpdate GeneralizedTime, nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, singleExtensions [1] EXPLICIT Extensions OPTIONAL } CertStatus ::= CHOICE { good [0] IMPLICIT NULL, revoked [1] IMPLICIT RevokedInfo, unknown [2] IMPLICIT UnknownInfo } RevokedInfo ::= SEQUENCE { revocationTime GeneralizedTime, revocationReason [0] EXPLICIT CRLReason OPTIONAL } UnknownInfo ::= NULL -- this can be replaced with an enumeration 5.2.2 Notes on OCSP Responses 5.2.2.1 Time The thisUpdate and nextUpdate fields define a recommended validity interval. This interval corresponds to the {thisUpdate, nextUpdate} interval in CRLs. Responses whose nextUpdate value is earlier than the local system time value SHOULD be considered unreliable. Responses whose thisUpdate time is later than the local system time SHOULD be considered unreliable. Responses where the nextUpdate value is not set is explained in more detail in Section 2.4). The producedAt time is the time at which this response was signed. 5.2.2.2 Authorized Responders The key that signs a certificate's status information need not be the same key that signed the certificate. It is necessary however to ensure that the entity signing this information is authorized to do so. Therefore, a certificate's issuer MUST either sign the OCSP responses itself or it MUST explicitly designate this authority to another entity. OCSP signing delegation SHALL be designated by the inclusion of id-kp-OCSPSigning in an extendedKeyUsage certificate extension included in the OCSP response signer's certificate. This certificate MUST be issued directly by the CA that issued the certificate in question. id-kp-OCSPSigning OBJECT IDENTIFIER ::= {id-kp 9} Malpani & all [Page 13] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 Systems or applications that rely on OCSP responses MUST be capable of detecting and enforcing use of the id-kp-OCSPSigning value as described above. They MAY provide a means of locally configuring one or more OCSP signing authorities, and specifying the set of CAs for which each signing authority is trusted. They MUST reject the response if the certificate required to validate the signature on the response fails to meet at least one of the following criteria: 1. Matches a local configuration of OCSP signing authority for the certificate in question; or 2. Is the certificate of the CA that issued the certificate in question; or 3. Includes a value of id-kp-OCSPSigning in an ExtendedKeyUsage extension and is issued by the CA that issued the certificate in question. Additional acceptance or rejection criteria may apply to either the response itself or to the certificate used to validate the signature on the response. 5.2.2.3. Revocation Checking of an Authorized Responder Since an Authorized OCSP responder provides status information for one or more CAs, OCSP clients need to know how to check that an authorized responder's certificate has not been revoked. CAs may choose to deal with this problem in one of three ways: - A CA may specify that an OCSP client can trust a responder for the lifetime of the responder's certificate. The CA does so by including the extension id-pkix-ocsp-nocheck. This SHOULD be a non-critical extension. The value of the extension should be NULL. CAs issuing such a certificate should realize that a compromise of the responder's key, is as serious as the compromise of a CA key used to sign CRLs, at least for the validity period of this certificate. CA's may choose to issue this type of certificate with a very short lifetime and renew it frequently. id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 } - A CA may specify how the responder's certificate be checked for revocation. This can be done using CRL Distribution Points if the check should be done using CRLs or CRL Distribution Points, or Authority Information Access if the check should be done in some other way. Details for specifying either of these two mechanisms are available in [RFC3280]. - A CA may choose not to specify any method of revocation checking for the responder's certificate, in which case, it would be up to the OCSP client's local security policy to decide whether that certificate should be checked for revocation or not. Malpani & all [Page 14] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 5.2.2.4. Checks to be done by the responder The key used to sign the response belongs to one of the following: 1) the CA who issued the certificate in question, 2) a Trusted Responder whose public key is trusted by the requestor, 3) a CA Designated Responder (Authorized Responder) who holds a specially marked certificate issued directly by the CA, indicating that the responder may issue OCSP responses for that CA. 5.2.2.4.1. Responder whose public key is the same as the key from CA who issued the certificate In that case, the OCSP server may either use a direct access to the issuer database that contains the certificate or use CRLs that originate directly from the issuer (e.g. communicated through a trusted channel). In that case either an access to a single data base is supported or accesses to CRLs issued by one single issuer are supported. There cannot be any mistake about the name of the issuer. 5.2.2.4.2. Trusted Responder whose public key is trusted by the requestor There are three ways for the client to designate the issuer: a) using CertID. Since the issuer may be using CRLs or OCSP servers to provide the revocation status information, and since the keys for signing the CRLs may be the same or different from the keys used to sign the certificate, the OCSP server MUST make sure that either the CRL or the OCSP response that it is using is signed with the right key. This means that the OCSP responder MUST build a certification path up to one of its trust anchors and then get the public key of the issuer. At that time, it MUST verify that this key matches the issuerKeyHash. This key MUST match with the private key that has been used is used to sign the CRL or the OCSP response or the certificates issued to designate the CRL issuer or the OCSP responder. b) using the full certificate. When the OCSP responder has a direct access to the data base of the issuer for which it is providing revocation status information, then it SHALL make sure that it is the right certificate by verifying that the certificate that was sent matches the one in the data base. Malpani & all [Page 15] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 When the OCSP responder does not have access to the data base of the issuers, then it SHALL make sure that it is the right certificate by verifying the signature over that certificate. This MUST be done by verifying the signature over that certificate. For doing this, the OCSP responder first needs to build a certification path up to one of its trust anchors (without necessarily verifying the revocation status of the CAs from the path). The presumed issuer key is then used to verify the signature of the certificate. That issuer key MUST then be used to verify that this key is used to sign the CRL or the OCSP response, or the certificates issued to designate the CRL issuer or the OCSP responder. c) using CertIdWithSignature. When the OCSP responder has a direct access to the data base of the issuer for which it is providing revocation status information, then it SHALL make sure that it is the right certificate by verifying that the signature that was sent matches with the signature of the certificate contained in the data base. When the OCSP responder does not have access to the data base of the issuer, then it may use either CRLs or the OCSP responder designated by the CA that has issued the certificate. When the OCSP responder does not have access to the data base of the issuers, then it SHALL first make sure that it is the right certificate. This MUST be done by verifying the signature over that certificate. For doing this, the OCSP responder first needs to build a certification path up to one of its trust anchors (without necessarily verifying the revocation status of the CAs from the path). The presumed issuer key MUST then be used to verify the signature of the certificate using both the tbsCertificateHash and the signature value. That issuer key MUST then be used to verify that this key is used to sign the CRL or the OCSP response, or the certificates issued to designate the CRL issuer or the OCSP responder. 5.2.2.4.3. CA designated Responder who holds a specially marked certificate issued directly by the CA The OCSP server may either have a direct access to the data base from the issuer or use CRLs issued by that issuer or a designated CRL issuer. It is up to the OCSP responder to be fully aware when it is handling the revocation service for two CAs that would have the same name (certified under different certification branches). Malpani & all [Page 16] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 When all issuers that are handled have different names, there is no problem. Otherwise, when some issuers have the same name, then different cases apply depending on the ways the client designates the issuer: a) using CertID. In that case, the OCSP responder MUST use issuerKeyHash to make sure that it is getting information from the right issuer. For doing this, the OCSP responder once needs to build a certification path up to one of its trust anchors (without necessarily verifying the revocation status of the CAs from the path). The presumed issuer key MUST then be checked against the issuerKeyHash. T hat issuer key MUST then be used to verify that this key is used to sign the CRL, or the certificates issued to designate the CRL issuer or is associated with a given data base. b) using the full certificate. In that case, the OCSP responder MUST verify the signature over the certificate. For doing this, the OCSP responder once needs to build a certification path up to one of its trust anchors (without necessarily verifying the revocation status of the CAs from the path). The presumed issuer key MUST then be used to verify the signature of the certificate using both the tbsCertificateHash and the signature value. That issuer key MUST then be used to verify that this key is used to sign the CRL, or the certificates issued to designate the CRL issuer or is associated with a given data base. c) using CertIdWithSignature. In that case, the OCSP responder MUST verify the signature over the certificate. For doing this, the OCSP responder once needs to build a certification path up to one of its trust anchors (without necessarily verifying the revocation status of the CAs from the path). The presumed issuer key MUST then be used to verify the signature of the certificate. That issuer key MUST then be used to verify that this key is used to sign the CRL, or the certificates issued to designate the CRL issuer or is associated with a given data base. 5.3 Mandatory and Optional Cryptographic Algorithms OCSP clients and responders MUST support the RSA signature algorithm. This algorithm is defined in RFC 2437 [RFC2437]. OCSP clients and responders MAY support the DSA signature algorithm. This algorithm is defined in FIPS Pub 186 [DSS]. OCSP responders MUST support the SHA1 hashing algorithm. This algorithm is defined in FIPS Pub 180-1 [SHA1]. Malpani & all [Page 17] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 5.4 Extensions This section defines some standard extensions, based on the extension model employed in X.509 version 3 certificates see [RFC3280]. Support for all extensions is optional for both clients and responders. For each extension, the definition indicates its syntax, processing performed by the OCSP Responder, and any extensions which are included in the corresponding response. 5.4.1 Nonce The nonce cryptographically binds a response to a request to prevent replay attacks. In a request, a nonce (if present) is included as one of the requestExtensions in requests, while in responses (if present) it is included as one of the responseExtensions. In both the request and the response, the nonce is identified by the object identifier id-pkix-ocsp-nonce, while the extnValue is the value of the nonce. If a nonce is included in a request, then the response MUST contain the same nonce. Responses without the same nonce MUST NOT be trusted. id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 } extnValue ::= OCTET STRING 5.4.2 CRL References It may be desirable for the OCSP responder to indicate the CRL on which a revoked or onHold certificate is found. This can be useful where OCSP is used between repositories, and also as an auditing mechanism. The CRL may be specified by a URL (the URL at which the CRL is available), a number (CRL number) or a time (the time at which the relevant CRL was created). These extensions will be specified as singleExtensions. The identifier for this extension will be id-pkix-ocsp-crl, while the value will be CrlID. id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 } CrlID ::= SEQUENCE { crlUrl [0] EXPLICIT IA5String OPTIONAL, crlNum [1] EXPLICIT INTEGER OPTIONAL, crlTime [2] EXPLICIT GeneralizedTime OPTIONAL } For the choice crlUrl, the IA5String will specify the URL at which the CRL is available. For crlNum, the INTEGER will specify the value of the CRL number extension of the relevant CRL. For crlTime, the GeneralizedTime will indicate the time at which the relevant CRL was issued. Malpani & all [Page 18] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 5.4.3 Acceptable Response Types An OCSP client MAY wish to specify the kinds of response types it understands. To do so, it SHOULD use an extension with the OID id- pkix-ocsp-response, and the value AcceptableResponses. This extension is included as one of the requestExtensions in requests. The OIDs included in AcceptableResponses are the OIDs of the various response types this client can accept (e.g., id-pkix-ocsp-basic). id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 } AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER As noted in section 6.2.1, OCSP responders SHALL be capable of responding with responses of the id-pkix-ocsp-basic response type. Correspondingly, OCSP clients SHALL be capable of receiving and processing responses of the id-pkix-ocsp-basic response type. 5.4.4 Archive Cutoff An OCSP responder MAY choose to retain revocation information beyond a certificate's expiration. The date obtained by subtracting this retention interval value from the producedAt time in a response is defined as the certificate's "archive cutoff" date. OCSP-enabled applications would use an OCSP archive cutoff date to contribute to a proof that a digital signature was (or was not) reliable on the date it was produced even if the certificate needed to validate the signature has long since expired. OCSP servers that provide support for such historical reference SHOULD include an archive cutoff date extension in responses. If included, this value SHALL be provided as an OCSP singleExtensions extension identified by id-pkix-ocsp-archive-cutoff and of syntax GeneralizedTime. id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 } ArchiveCutoff ::= GeneralizedTime To illustrate, if a server is operated with a 7-year retention interval policy and status was produced at time t1 then the value for ArchiveCutoff in the response would be (t1 - 7 years). 5.4.5 CRL Entry Extensions All the extensions specified as CRL Entry Extensions - in Section 5.3 of [RFC3280] - are also supported as singleExtensions. Malpani & all [Page 19] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 5.4.6 Service Locator An OCSP server may be operated in a mode whereby the server receives a request and routes it to the OCSP server which is known to be authoritative for the identified certificate. The serviceLocator request extension is defined for this purpose. This extension is included as one of the singleRequestExtensions in requests. id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 } ServiceLocator ::= SEQUENCE { issuer Name, locator AuthorityInfoAccessSyntax OPTIONAL } Values for these fields are obtained from the corresponding fields in the subject certificate. When this field is present in the request and when a full certificate is sent, the server SHALL use the values contained in this field rather than the field from the subject certificate. 6. CRL Locator This extension can be supported either using OCSPv1 or using OCSPv2. An OCSP server may be operated in a mode whereby the server receives a request and fetches the CRL which authoritative for the identified certificate. The crlLocator request extension is defined for this purpose. This extension is included as one of the singleRequestExtensions in requests. id-pkix-ocsp-crl-locator OBJECT IDENTIFIER ::= {id-pkix-ocsp X} CrlLocator ::= CRLDistributionPoints The value for this field should be obtained by the client from the corresponding field in the subject certificate. When this field is present in the request and when a full certificate is sent, the server SHALL use the values contained in this field rather than the field from the subject certificate. Note: In this way, OCSP servers able to access CRLs may use that CRL information and transform it into an OCSP response. This may allow a client to support the OCSP protocol, even when CRLs are issued by CAs. 7. Security Considerations For this service to be effective, certificate using systems must connect to the certificate status service provider. In the event such a connection cannot be obtained, certificate-using systems could implement CRL processing logic as a fall-back position. Malpani & all [Page 20] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 A denial of service vulnerability is evident with respect to a flood of queries. The production of a cryptographic signature significantly affects response generation cycle time, thereby exacerbating the situation. Unsigned error responses open up the protocol to another denial of service attack, where the attacker sends false error responses. Nonces should be random. If the nonce is generated in a non-random way, replay attacks MAY be possible. Requests do not contain the responder they are directed to. This allows an attacker to replay a request to any number of OCSP responders. The reliance of HTTP caching in some deployment scenarios may result in unexpected results if intermediate servers are incorrectly configured or are known to possess cache management faults. Implementors are advised to take the reliability of HTTP cache mechanisms into account when deploying OCSP over HTTP. A "good" status for a certificate in OCSP does not imply that the certificate was ever issued or is in its validity period. Client applications need to check these facts for themselves. Two CAs around the world may perfectly pick the same DN, e.g. with a common name attribute like CN= Platinium CA. A *single* immediately ôsuperior CAö will never accept to issue two certificates for two CAs that have the same name but are indeed different, but two different ôsuperiorö CAs may perfectly do it. There are two possible ways to realize that these CAs, that have the same DN name, are indeed different: 1— to consider the chain of DNs names formed by a certification path starting from a root CA and finishing with ôPlatinium CAö. It is similar to identify two files with the same name, but placed in a different directory. 2— to consider the fact that the two ôPlatinium CAsö will necessarily get their certificates from two different superior CAs that have necessarily two different private keys. Hence the combination of the issuing key of superior CA and of the DN of the CA is unique. The second way is being used in OCSP (v1 and v2). In OCSP v1, issuerKeyHash from CertID is mandatory. issuerKeyHash is used in combination with issuerNameHash and serialNumber to uniquely identify a certificate. This mandates the client to first construct a certification path. In OCSP v2, both certificate and certIdWithSignature allow to uniquely identify a certificate. This does not mandate the client to first construct a certification path. Malpani & all [Page 21] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 The value of the issuing key whether it is provided by the client (in OCSP v 1 with issuerKeyHash) or looked for by the OCSP responder (in OCSP v2 with certificate or certIdWithSignature) is then used to verify that either the CRL from the right CRL Issuer is being read, the response from the right OCSP responder is being used or that the access is being done to the database from the right CA. The right CRL Issuer will have a certificate issued under that issuing key or will directly be signed by that issuing key. The right OCSP Responder will sign its responses under a key that has been issued under that issuing key or will directly sign its response under that issuing key. The identity of the owner of the right database must be verified using both the name of the CA and the value of that issuing key (or its hash). When using certificate or certIdWithSignature, in order to find out the right issuing key, the OCSP Responder must first build a certification path and then pick what may be the right issuing key for that CA name. Then it must verify the digital signature of the certificate either by using the full certificate or by using the hash value of it and the signature value (and algorithm identifier) which are provided in certIdWithSignature. If the right key was picked up, then the verification of the signature of the certificate will be successful. If the wrong key was picked up, then the verification of the signature of the certificate will fail, and the OCSP responder will either look for another key, or will say that it does not know. 8. References [RFC3280] Housley, R., Ford, W., Polk, W. and D. Solo, "Internet X.509 Public Key Infrastructure Certificate and CRL Profile", RFC 3280, April 2002. [RFC3281] Farrell, S., Housley, R., "An Internet Attribute Certificate Profile for Authorization" RFC 3281. April 2002. [RFC3369] Housley, R., "Cryptographic Message Syntax (CMS)". August 2002. [HTTP] Fielding, R., Gettys, J., Mogul, J., Frystyk, H. and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2068, January 1997. Malpani & all [Page 22] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [URL] Berners-Lee, T., Masinter, L. and M. McCahill, "Uniform Resource Locators (URL)", RFC 1738, December 1994. [X.690] ITU-T Recommendation X.690 (1994) | ISO/IEC 8825-1:1995, Information Technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER). [SHA1] National Institute of Standards and Technology. FIPS Pub 180-1: Secure Hash Standard. 17 April 1995. [RFC2437] Kaliski, B., "PKCS #1: RSA Encryption, Version 2.0", RFC 2437, October 1998. [DSS] National Institute of Standards and Technology. FIPS Pub 186: Digital Signature Standard. 19 May 1994. 9. Authors' Addresses Ambarish Malpani Malpani Consulting Services EMail: ambarish@malpani.biz Michael Myers TraceRoute Security, Inc. P.O. Box 3683 Half Moon Bay, CA 94019 EMail: myers@coastside.net Denis Pinkas Bull Services Rue Jean Jaures 78340 Les Clayes-sous-Bois France Email: Denis.Pinkas@bull.net Malpani & all [Page 23] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 Appendix A. A.1 OCSP over HTTP This section describes the formatting that will be done to the request and response to support HTTP. A.1.1 Request HTTP based OCSP requests MUST use the POST method to submit their requests. Where privacy is a requirement, OCSP transactions exchanged using HTTP MAY be protected using either TLS/SSL or some other lower layer protocol. An OCSP request using the POST method is constructed as follows: The Content-Type header has the value "application/ocsp-request" while the body of the message is the binary value of the DER encoding of the OCSPRequest. A.1.2 Response An HTTP-based OCSP response is composed of the appropriate HTTP headers, followed by the binary value of the DER encoding of the OCSPResponse. The Content-Type header has the value "application/ocsp-response". The Content-Length header SHOULD specify the length of the response. Other HTTP headers MAY be present and MAY be ignored if not understood by the requestor. Malpani & all [Page 24] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 Appendix B. OCSP in ASN.1 PKIXOCSP {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-ocspv2(X)} OCSP DEFINITIONS EXPLICIT TAGS::= BEGIN IMPORTS -- Directory Authentication Framework (X.509) Certificate, AlgorithmIdentifier, CRLReason FROM AuthenticationFramework { joint-iso-itu-t ds(5) module(1) authenticationFramework(7) 3 } -- PKIX Certificate Extensions AuthorityInfoAccessSyntax FROM PKIX1Implicit88 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit-88(2)} Name, GeneralName, CertificateSerialNumber, Extensions, id-kp, id-ad-ocsp FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit-88(1)} -- Cryptographic Message Syntax (CMS) IssuerAndSerialNumber FROM { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2001(14)} OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest, optionalSignature [0] EXPLICIT Signature OPTIONAL } TBSRequest ::= SEQUENCE { version [0] EXPLICIT Version DEFAULT v1, requestorName [1] EXPLICIT GeneralName OPTIONAL, requestList SEQUENCE OF Request, requestExtensions [2] EXPLICIT Extensions OPTIONAL } Signature ::= SEQUENCE { signatureAlgorithm AlgorithmIdentifier, signature BIT STRING, certs [0] EXPLICIT Certificates OPTIONAL } Version ::= INTEGER { v1(0), v2(1) } Request ::= SEQUENCE { reqCert ReqCert, singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL } Malpani & all [Page 25] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 Certificates ::= SEQUENCE SIZE(1..MAX) of Certificate ReqCert ::= CHOICE { certID CertID, fullCert [0] FullCertificate, certIdWithSignature [1] CertIdWithSignature } CertID ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier, issuerNameHash OCTET STRING, -- Hash of Issuer's DN issuerKeyHash OCTET STRING, -- Hash of Issuers public key serialNumber CertificateSerialNumber } FullCertificate ::= CHOICE { certificate [0] Certificate, attributeCert [1] AttributeCertificate } CertIdWithSignature ::= SEQUENCE { issuerandSerialNumber IssuerandSerialNumber, tbsCertificateHash BIT STRING, certsignature CertSignature } CertSignature ::= SEQUENCE { signatureAlgorithm AlgorithmIdentifier, signatureValue BIT STRING } OCSPResponse ::= SEQUENCE { responseStatus OCSPResponseStatus, responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } OCSPResponseStatus ::= ENUMERATED { successful (0), --Response has valid confirmations malformedRequest (1), --Illegal confirmation request internalError (2), --Internal error in issuer tryLater (3), --Try again later --(4) is not used sigRequired (5), --Must sign the request unauthorized (6), --Request unauthorized badCRL (8) --Error in CRL processing } ResponseBytes ::= SEQUENCE { responseType OBJECT IDENTIFIER, response OCTET STRING } BasicOCSPResponse ::= SEQUENCE { tbsResponseData ResponseData, signatureAlgorithm AlgorithmIdentifier, signature BIT STRING, certs [0] EXPLICIT Certificates OPTIONAL } Malpani & all [Page 26] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 ResponseData ::= SEQUENCE { version [0] EXPLICIT Version DEFAULT v1, responderID ResponderID, producedAt GeneralizedTime, responses SEQUENCE OF SingleResponse, responseExtensions [1] EXPLICIT Extensions OPTIONAL } ResponderID ::= CHOICE { byName [1] Name, byKey [2] KeyHash } KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key --(excluding the tag, length and number of unused -- bits fields) SingleResponse ::= SEQUENCE { reqCert ReqCert, -- MUST be identical to the same field from the request certStatus CertStatus, thisUpdate GeneralizedTime, nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, singleExtensions [1] EXPLICIT Extensions OPTIONAL } CertStatus ::= CHOICE { good [0] IMPLICIT NULL, revoked [1] IMPLICIT RevokedInfo, unknown [2] IMPLICIT UnknownInfo } RevokedInfo ::= SEQUENCE { revocationTime GeneralizedTime, revocationReason [0] EXPLICIT CRLReason OPTIONAL } UnknownInfo ::= NULL -- this can be replaced with an enumeration ArchiveCutoff ::= GeneralizedTime AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER ServiceLocator ::= SEQUENCE { issuer Name, locator AuthorityInfoAccessSyntax } CrlLocator ::= CRLDistributionPoints Malpani & all [Page 27] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 -- Object Identifiers id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp } id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 } id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 } id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 } id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 } id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 } id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 } id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 } id-pkix-ocsp-crl-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp X } END Malpani & all [Page 28] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 Appendix C. MIME registrations C.1 application/ocsp-request To: ietf-types@iana.org Subject: Registration of MIME media type application/ocsp-request MIME media type name: application MIME subtype name: ocsp-request Required parameters: None Optional parameters: None Encoding considerations: binary Security considerations: Carries a request for information. This request may optionally be cryptographically signed. Interoperability considerations: None Published specification: IETF PKIX Working Group Draft on Online Certificate Status Protocol - OCSP Applications which use this media type: OCSP clients Additional information: Magic number(s): None File extension(s): .ORQ Macintosh File Type Code(s): none Person & email address to contact for further information: Ambarish Malpani Intended usage: COMMON Author/Change controller: Ambarish Malpani C.2 application/ocsp-response To: ietf-types@iana.org Subject: Registration of MIME media type application/ocsp-response MIME media type name: application MIME subtype name: ocsp-response Required parameters: None Optional parameters: None Encoding considerations: binary Malpani & all [Page 29] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 Security considerations: Carries a cryptographically signed response Interoperability considerations: None Published specification: IETF PKIX Working Group Draft on Online Certificate Status Protocol - OCSP Applications which use this media type: OCSP servers Additional information: Magic number(s): None File extension(s): .ORS Macintosh File Type Code(s): none Person & email address to contact for further information: Ambarish Malpani Intended usage: COMMON Author/Change controller: Ambarish Malpani Malpani & all [Page 30] INTERNET DRAFT OCSP extension and OCSPv2 protocol December 2002 Appendix D. Changes [This section will contain the differences in this document from RFC 2560bis) Full Copyright Statement Copyright (C) The Internet Society (1999). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society. Malpani & all [Page 31]