| draft-ietf-lamps-ocsp-nonce-00.txt | draft-ietf-lamps-ocsp-nonce-01.txt | |||
|---|---|---|---|---|
| LAMPS M. Sahni, Ed. | LAMPS M. Sahni, Ed. | |||
| Internet-Draft Palo Alto Networks | Internet-Draft Palo Alto Networks | |||
| Intended status: Standards Track April 23, 2020 | Intended status: Standards Track April 26, 2020 | |||
| Expires: October 25, 2020 | Expires: October 28, 2020 | |||
| OCSP Nonce Extension | OCSP Nonce Extension | |||
| draft-ietf-lamps-ocsp-nonce-00 | draft-ietf-lamps-ocsp-nonce-01 | |||
| Abstract | Abstract | |||
| This document specifies the updated format of the Nonce extension in | This document specifies the updated format of the Nonce extension in | |||
| Online Certificate Status Protocol (OCSP) request and response | Online Certificate Status Protocol (OCSP) request and response | |||
| messages. OCSP is used to check the status of a certificate and the | messages. OCSP is used to check the status of a certificate and the | |||
| Nonce extension is used in the OCSP request and response messages to | Nonce extension is used in the OCSP request and response messages to | |||
| avoid replay attacks. This document updates the RFC 6960 | avoid replay attacks. This document updates the RFC 6960 | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 34 ¶ | skipping to change at page 1, line 34 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on October 25, 2020. | This Internet-Draft will expire on October 28, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 11 ¶ | skipping to change at page 2, line 11 ¶ | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 2 | 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. OCSP Extensions . . . . . . . . . . . . . . . . . . . . . . . 2 | 2. OCSP Extensions . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2.1. Nonce Extension . . . . . . . . . . . . . . . . . . . . . 3 | 2.1. Nonce Extension . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Security Considerations . . . . . . . . . . . . . . . . . . . 4 | 3. Security Considerations . . . . . . . . . . . . . . . . . . . 3 | |||
| 3.1. Replay Attack . . . . . . . . . . . . . . . . . . . . . . 4 | 3.1. Replay Attack . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.2. Nonce Collision . . . . . . . . . . . . . . . . . . . . . 4 | 3.2. Nonce Collision . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 5. Changes to Appendix B. of RFC 6960 . . . . . . . . . . . . . 4 | 5. Changes to Appendix B. of RFC 6960 . . . . . . . . . . . . . 4 | |||
| 5.1. Changes to Appendix B.1. OCSP in ASN.1 - 1998 Syntax . . 4 | 5.1. Changes to Appendix B.1. OCSP in ASN.1 - 1998 Syntax . . 4 | |||
| 5.2. Changes to Appendix B.2 OCSP in ASN.1 - 2008 Syntax . . . 5 | 5.2. Changes to Appendix B.2 OCSP in ASN.1 - 2008 Syntax . . . 5 | |||
| 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 6.1. Normative References . . . . . . . . . . . . . . . . . . 5 | 6.1. Normative References . . . . . . . . . . . . . . . . . . 5 | |||
| 6.2. Informative References . . . . . . . . . . . . . . . . . 6 | 6.2. Informative References . . . . . . . . . . . . . . . . . 5 | |||
| 6.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 6.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 1. Introduction | 1. Introduction | |||
| This document updates the usage and format of the Nonce extension | This document updates the usage and format of the Nonce extension | |||
| used in OCSP request and response messages. This extension was | used in OCSP request and response messages. This extension was | |||
| previously defined in section 4.1.1 of [RFC6960]. The [RFC6960] does | previously defined in section 4.1.1 of [RFC6960]. The [RFC6960] does | |||
| not mention any minimum and maximum length of the nonce extension. | not mention any minimum and maximum length of the nonce extension. | |||
| Due to not having an upper or lower limit of the length of the Nonce | Due to not having an upper or lower limit of the length of the Nonce | |||
| skipping to change at page 3, line 44 ¶ | skipping to change at page 3, line 44 ¶ | |||
| A server MUST reject any OCSP request having a Nonce extension with | A server MUST reject any OCSP request having a Nonce extension with | |||
| length of more than 32 octets with the malformedRequest | length of more than 32 octets with the malformedRequest | |||
| OCSPResponseStatus as described in section 4.2.1 of [RFC6960] | OCSPResponseStatus as described in section 4.2.1 of [RFC6960] | |||
| The minimum nonce length of 1 octet is defined to provide the | The minimum nonce length of 1 octet is defined to provide the | |||
| backward compatibility with clients following [RFC6960]. However the | backward compatibility with clients following [RFC6960]. However the | |||
| newer OCSP clients MUST use length of at least 16 octets for Nonce | newer OCSP clients MUST use length of at least 16 octets for Nonce | |||
| extension and the value of the nonce MUST be generated using a | extension and the value of the nonce MUST be generated using a | |||
| cryptographically strong pseudorandom number generator. | cryptographically strong pseudorandom number generator. | |||
| id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp } | ||||
| id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 } | ||||
| Nonce ::= OCTET STRING(SIZE(1..32)) | Nonce ::= OCTET STRING(SIZE(1..32)) | |||
| 3. Security Considerations | 3. Security Considerations | |||
| The security considerations of OCSP, in general, are described in the | The security considerations of OCSP, in general, are described in the | |||
| [RFC6960]. The Nonce extension is used to avoid replay attacks | [RFC6960]. The Nonce extension is used to avoid replay attacks | |||
| during the interval in which the previous OCSP response for a | during the interval in which the previous OCSP response for a | |||
| certificate is not expired but the responder has a changed status for | certificate is not expired but the responder has a changed status for | |||
| that certificate. Including client's Nonce value in the OCSP | that certificate. Including client's Nonce value in the OCSP | |||
| response makes sure that the response is the latest response from the | response makes sure that the response is the latest response from the | |||
| End of changes. 6 change blocks. | ||||
| 10 lines changed or deleted | 6 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||