draft-ietf-krb-wg-ocsp-for-pkinit-00.txt   draft-ietf-krb-wg-ocsp-for-pkinit-01.txt
(text common to both versions is shown once; lines that differ are marked [-00] and [-01])

NETWORK WORKING GROUP                                               L. Zhu
Internet-Draft                                               K. Jaganathan
Expires: February 8, 2005                            Microsoft Corporation
                                                               N. Williams
                                                          Sun Microsystems
                                                           August 10, 2004

                          OCSP Support for PKINIT
[-00]               draft-ietf-krb-wg-ocsp-for-pkinit-00
[-01]               draft-ietf-krb-wg-ocsp-for-pkinit-01
Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of section 3 of RFC 3667.  By submitting this Internet-Draft, each
   author represents that any applicable patent or other IPR claims of
   which he or she is aware have been or will be disclosed, and any of
   which he or she become aware will be disclosed, in accordance with
   RFC 3668.
skipping to change at page 5, line 21
   The corresponding pre-authentication field contains OCSP data as
   follows:

      PA-PK-OCSP-DATA ::= SEQUENCE OF OcspResponse

      OcspResponse ::= OCTET STRING
         -- contains a complete OCSP response,
         -- defined in [RFC2560]
[-00] The client MAY send OCSP responses for certificates used in
[-00] PA-PK-AS-REQ via a PA-PK-OCSP-RESPONSE.
[-01] The client MAY send OCSP responses for certificates used in
[-01] PA-PK-AS-REQ [PKINIT] via a PA-PK-OCSP-RESPONSE.
   The KDC that receives a PA-PK-OCSP-RESPONSE SHOULD send a
   PA-PK-OCSP-RESPONSE in response.  The client can request a
   PA-PK-OCSP-RESPONSE by using an empty sequence in its request.
[-01] The KDC MAY send a PA-PK-OCSP-RESPONSE when it does not receive a
[-01] PA-PK-OCSP-RESPONSE from the client.

[-01] The PA-PK-OCSP-RESPONSE sent by the KDC contains OCSP responses for
[-01] certificates used in PA-PK-AS-REP [PKINIT].
   Note the lack of integrity protection for the empty or missing OCSP
   response; lack of an expected OCSP response from the KDC for the
   KDC's certificates SHOULD be treated as an error by the client,
   unless it is configured otherwise.
   When using OCSP, the response is signed by the OCSP server, which is
   trusted by the receiver.  Depending on local policy, further
   verification of the validity of the OCSP servers MAY need to be done.
   The client and the KDC SHOULD ignore invalid OCSP responses received
   via this mechanism, and they MAY implement CRL processing logic as a
   fall-back position, if the OCSP responses received via this mechanism
   alone are not sufficient for the verification of certificate
   validity.  The client and/or the KDC MAY ignore a valid OCSP response
   and perform their own revocation status verification independently.
[-00] The KDC MAY send a PA-PK-OCSP-RESPONSE when it does not receive a
[-00] PA-PK-OCSP-RESPONSE from the client.
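   The exchange and client-side policy described above (the
   PA-PK-OCSP-DATA container, the empty sequence used as a request,
   ignoring invalid responses, the CRL fall-back, and treating a missing
   KDC response as an error, which is also what Section 4 relies on
   against the downgrade), as an added example that is not code from the
   draft or from any PKINIT implementation.  It uses only the Python
   standard library; client_check_kdc_ocsp, require_ocsp, crl_fallback
   and the two sample responses are this example's own names and
   constructed data.  Checking responseStatus is the only per-response
   validation shown; verifying the responder's signature and that the
   response actually covers the KDC certificate is left to the caller's
   PKI library.

```python
# Added example (not from the draft): strict DER codec for PA-PK-OCSP-DATA and
# the client-side handling of the KDC's PA-PK-OCSP-RESPONSE that the text
# describes. Standard library only; the sample responses at the end are
# constructed byte strings carrying just an OCSPResponse.responseStatus.
#   PA-PK-OCSP-DATA ::= SEQUENCE OF OcspResponse
#   OcspResponse    ::= OCTET STRING   -- complete DER OCSPResponse [RFC2560]

TAG_SEQUENCE, TAG_OCTET_STRING, TAG_ENUMERATED = 0x30, 0x04, 0x0A
OCSP_SUCCESSFUL = 0  # OCSPResponseStatus successful(0)


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, else minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_tlv(buf: bytes, pos: int):
    """Parse one TLV at pos -> (tag, value, next_pos); rejects the
    indefinite and non-minimal lengths that DER forbids."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad length octets")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if buf[pos] == 0 or length < 0x80:
            raise ValueError("non-minimal length (not DER)")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def encode_pa_pk_ocsp_data(responses) -> bytes:
    inner = b"".join(bytes([TAG_OCTET_STRING]) + _der_len(len(r)) + r
                     for r in responses)
    return bytes([TAG_SEQUENCE]) + _der_len(len(inner)) + inner


def decode_pa_pk_ocsp_data(data: bytes) -> list:
    """Exactly one SEQUENCE, no trailing octets, only OCTET STRING elements."""
    tag, body, end = _read_tlv(data, 0)
    if tag != TAG_SEQUENCE or end != len(data):
        raise ValueError("not exactly one SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != TAG_OCTET_STRING:
            raise ValueError("element is not an OCTET STRING")
        out.append(value)
    return out


# An empty sequence is how the client asks the KDC for its OCSP responses.
EMPTY_REQUEST = encode_pa_pk_ocsp_data([])  # b"\x30\x00"


def ocsp_response_status(resp: bytes):
    """responseStatus of OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, ... };
    None if the octets are not even structurally an OCSPResponse."""
    try:
        tag, body, _ = _read_tlv(resp, 0)
        if tag != TAG_SEQUENCE:
            return None
        tag, value, _ = _read_tlv(body, 0)
        return value[0] if tag == TAG_ENUMERATED and len(value) == 1 else None
    except ValueError:
        return None


def client_check_kdc_ocsp(padata, require_ocsp=True, crl_fallback=None):
    """Client policy for the KDC's PA-PK-OCSP-RESPONSE (KDC certificates).
    padata: raw PA-PK-OCSP-DATA, or None if the KDC sent none.
    require_ocsp: local policy; absence/unusable responses are an error.
    crl_fallback: optional callable() -> bool implementing the CRL fall-back.
    'Usable' means structurally a successful OCSPResponse; responder signature
    and trust checks belong to the caller's PKI library, not this example."""
    responses = []
    if padata is not None:
        try:
            responses = decode_pa_pk_ocsp_data(padata)
        except ValueError:
            responses = []  # malformed container: treat as if nothing was sent
    usable = [r for r in responses if ocsp_response_status(r) == OCSP_SUCCESSFUL]
    if usable:
        return "ocsp", usable
    if crl_fallback is not None and crl_fallback():
        return "crl", []
    if require_ocsp:
        return "error", []  # do not let a stripped response downgrade the check
    return "unverified", []


# Constructed samples (hypothetical): an OCSPResponse with only responseStatus.
GOOD_RESPONSE = b"\x30\x03\x0a\x01\x00"  # successful(0)
BAD_RESPONSE = b"\x30\x03\x0a\x01\x02"   # internalError(2)
```

   The parser is deliberately strict: a stray trailing octet, a
   non-minimal length or a non-OCTET STRING element makes the whole
   container unusable, which then falls through to the same policy as a
   missing response, so a tampered or truncated PA-PK-OCSP-RESPONSE
   cannot be quietly accepted.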
4.  Security Considerations
   The pre-authentication data in this document do not actually
   authenticate any principals, and MUST be used in conjunction with
   PKINIT.
   There is a downgrade attack against clients which want OCSP responses
   from the KDC for the KDC's certificates.  The clients, however, can
   treat the absence of valid OCSP responses as an error, based on their
This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/