| rfc9654.original.xml | rfc9654.xml | |||
|---|---|---|---|---|
| <?xml version="1.0" encoding="utf-8"?> | <?xml version="1.0" encoding="UTF-8"?> | |||
| <?xml-model href="rfc7991bis.rnc"?> <!-- Required for schema validation and sch | ||||
| ema-aware editing --> | ||||
| <!-- <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> --> | ||||
| <!-- This third-party XSLT can be enabled for direct transformations in XML proc | ||||
| essors, including most browsers --> | ||||
| <!DOCTYPE rfc [ | <!DOCTYPE rfc [ | |||
| <!ENTITY nbsp " "> | <!ENTITY nbsp " "> | |||
| <!ENTITY zwsp "​"> | <!ENTITY zwsp "​"> | |||
| <!ENTITY nbhy "‑"> | <!ENTITY nbhy "‑"> | |||
| <!ENTITY wj "⁠"> | <!ENTITY wj "⁠"> | |||
| ]> | ]> | |||
| <!-- If further character entities are required then they should be added to the | ||||
| DOCTYPE above. | ||||
| Use of an external entity file is not recommended. --> | ||||
| <rfc | <rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="std" consensus="true | |||
| xmlns:xi="http://www.w3.org/2001/XInclude" | " docName="draft-ietf-lamps-ocsp-nonce-update-11" number="9654" tocInclude="tru | |||
| category="std" | e" sortRefs="true" symRefs="true" ipr="trust200902" obsoletes="8954" updates=" | |||
| consensus="true" | 6960" submissionType="IETF" xml:lang="en" version="3"> | |||
| docName="draft-ietf-lamps-ocsp-nonce-update-11" | ||||
| ipr="trust200902" | ||||
| obsoletes="8954" | ||||
| updates="6960" | ||||
| submissionType="IETF" | ||||
| xml:lang="en" | ||||
| version="3"> | ||||
| <front> | <front> | |||
| <title abbrev="draft-ietf-lamps-ocsp-nonce-update-11">Online Certificate Sta | <title abbrev="OCSP Nonce Extension">Online Certificate Status Protocol (OCS | |||
| tus Protocol (OCSP) Nonce Extension</title> | P) Nonce Extension</title> | |||
| <!-- [REPLACE/DELETE] abbrev. The abbreviated title is required if the full | <seriesInfo name="RFC" value="9654"/> | |||
| title is longer than 39 characters --> | ||||
| <seriesInfo name="Internet-Draft" value="draft-ietf-lamps-ocsp-nonce-update- | ||||
| 11"/> | ||||
| <author fullname="Himanshu Sharma" initials="H" role="editor" surname="Sharm a"> | <author fullname="Himanshu Sharma" initials="H" role="editor" surname="Sharm a"> | |||
| <!-- [CHECK] | ||||
| * initials should not include an initial for the surname | ||||
| * role="editor" is optional --> | ||||
| <!-- Can have more than one author --> | ||||
| <!-- all of the following elements are optional --> | ||||
| <organization>Netskope Inc</organization> | <organization>Netskope Inc</organization> | |||
| <address> | <address> | |||
| <postal> | <postal> | |||
| <!-- Reorder these if your country does things differently --> | ||||
| <street>2445 Augustine Dr 3rd floor</street> | <street>2445 Augustine Dr 3rd floor</street> | |||
| <city>Santa Clara</city> | <city>Santa Clara</city> | |||
| <region>California</region> | <region>California</region> | |||
| <code>95054</code> | <code>95054</code> | |||
| <country>USA</country> | <country>United States of America</country> | |||
| <!-- Uses two letter country code --> | ||||
| </postal> | </postal> | |||
| <email>himanshu@netskope.com</email> | <email>himanshu@netskope.com</email> | |||
| <uri>www.netskope.com</uri> | <uri>www.netskope.com</uri> | |||
| </address> | </address> | |||
| </author> | </author> | |||
| <date year="2024"/> | <date month="August" year="2024"/> | |||
| <!-- On draft subbmission: | ||||
| * If only the current year is specified, the current day and month will | ||||
| be used. | ||||
| * If the month and year are both specified and are the current ones, th | ||||
| e current day will | ||||
| be used | ||||
| * If the year is not the current one, it is necessary to specify at lea | ||||
| st a month and day="1" will be used. | ||||
| --> | ||||
| <area>General</area> | <area>SEC</area> | |||
| <workgroup>Internet Engineering Task Force</workgroup> | <workgroup>lamps</workgroup> | |||
| <!-- "Internet Engineering Task Force" is fine for individual submissions. | ||||
| If this element is | ||||
| not present, the default is "Network Working Group", which is used by | ||||
| the RFC Editor as | ||||
| a nod to the history of the RFC Series. --> | ||||
| <keyword>Online Certificate Status Protocol (OCSP) Nonce Extension</keyword> | <keyword>OCSP</keyword> | |||
| <!-- [REPLACE/DELETE]. Multiple allowed. Keywords are incorporated into HTM | <keyword>Nonce</keyword> | |||
| L output files for | <keyword>backward compatibility</keyword> | |||
| use by search engines. --> | ||||
| <abstract> | <abstract> | |||
| <t> | <t> | |||
| RFC 8954 imposed the size constraints on the | RFC 8954 imposed size constraints on the | |||
| optional Nonce extension for the Online Certificate Status Protocol (OCSP). | optional Nonce extension for the Online Certificate Status Protocol (OCSP). | |||
| OCSP is used for checking the status of a certificate, and the Nonce extension | OCSP is used to check the status of a certificate, and the Nonce ext ension | |||
| is used to cryptographically bind an OCSP response message to a part icular | is used to cryptographically bind an OCSP response message to a part icular | |||
| OCSP request message. | OCSP request message. | |||
| </t> | </t> | |||
| <t> | <t> | |||
| Some environments use cryptographic algorithms that generate a Nonce | Some environments use cryptographic algorithms that generate a Nonce | |||
| value that is longer than 32 octets. | value that is longer than 32 octets. This document also | |||
| This document updates the maximum allowed length of Nonce to 128 oct | modifies the "Nonce" section of RFC 6960 to clearly define and differentiate | |||
| ets. This document also modifies Nonce section to clearly define the encoding fo | the encoding format and values for easier implementation and understanding. | |||
| rmat | This document obsoletes RFC 8954, which includes updated ASN.1 modules | |||
| and values distinctively for an easier implementation and understand | for OCSP, and updates RFC 6960. | |||
| ing. | ||||
| This document obsoletes RFC 8954 and provides updated ASN.1 modules | ||||
| for OCSP, updates RFC 6960. | ||||
| </t> | </t> | |||
| </abstract> | </abstract> | |||
| </front> | </front> | |||
| <middle> | <middle> | |||
| <section> | <section> | |||
| <name>Introduction</name> | <name>Introduction</name> | |||
| <t> | <t> | |||
| Nonce extension was previously defined in Section 4.4.1 of <xref tar | The Nonce extension was previously defined in <xref target="RFC6960" | |||
| get="RFC6960"/>. | sectionFormat="of" section="4.4.1"/>. | |||
| The Nonce cryptographically binds an OCSP request and a respons | The Nonce cryptographically binds an OCSP request and a response | |||
| e. It guarantees the freshness of an OCSP response and to avoid replay attacks. | . It guarantees the freshness of an OCSP response and avoids replay attacks. | |||
| This extension was updated in <xref target="RFC8954"/>. <xref targe t="RFC8954"/> limits the maximum Nonce | This extension was updated in <xref target="RFC8954"/>. <xref targe t="RFC8954"/> limits the maximum Nonce | |||
| length to 32 octets. To support cryptographic algorithms that generate | length to 32 octets. To support cryptographic algorithms that generate | |||
| a Nonce that is longer than 32 octets, this document updates the | a Nonce that is longer than 32 octets, this document updates the | |||
| maximum allowed size of the Nonce to 128 octets. In addition, this | maximum allowed size of the Nonce to 128 octets. In addition, this | |||
| document recommends that the OCSP requester and responder use a | document recommends that the OCSP requester and responder use a | |||
| Nonce with a minimum length of 32 octets. | Nonce with a minimum length of 32 octets. | |||
| </t> | </t> | |||
| <section> | <section> | |||
| <name>Requirements Language</name> | <name>Requirements Language</name> | |||
| <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", | <t> | |||
| "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT | The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", | |||
| RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be | "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14> | |||
| interpreted as described in BCP 14 <xref target="RFC2119"/> | ", | |||
| <xref target="RFC8174"/> when, and only when, they appear in | "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", | |||
| all capitals, as shown here.</t> | "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", | |||
| "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to | ||||
| be | ||||
| interpreted as described in BCP 14 <xref target="RFC2119"/> <xref | ||||
| target="RFC8174"/> when, and only when, they appear in all capitals, as | ||||
| shown here. | ||||
| </t> | ||||
| </section> | </section> | |||
| </section> | </section> | |||
| <section> | <section> | |||
| <name>OCSP Extensions</name> | <name>OCSP Extensions</name> | |||
| <t> | <t> | |||
| The message formats for OCSP requests and responses are defined in | The message formats for OCSP requests and responses are defined in | |||
| <xref target="RFC6960"/> and Nonce extension was updated in <xref target="RFC 8954"/>. <xref target="RFC6960"/> | <xref target="RFC6960"/> and the Nonce extension was updated in <xref target= "RFC8954"/>. <xref target="RFC6960"/> | |||
| also defines the standard extensions for OCSP messages based on the | also defines the standard extensions for OCSP messages based on the | |||
| extension model employed in X.509 version 3 certificates (see | extension model employed in X.509 version 3 certificates (see | |||
| <xref target="RFC5280"/>). <xref target="RFC8954"/> replaces this section to limit the minimum | <xref target="RFC5280"/>). <xref target="RFC8954"/> replaces <xref target="R FC6960" sectionFormat="of" section="4.4.1"/> to limit the minimum | |||
| and maximum length for the Nonce value. | and maximum length for the Nonce value. | |||
| This document extends the maximum allowed nonce length to 128 octets and does not change the specifications | This document extends the maximum allowed nonce length to 128 octets and does not change the specifications | |||
| of any of the other standard extensions defined in <xref target="RFC6960"/>. | of any of the other extensions defined in <xref target="RFC6960"/>. | |||
| </t> | </t> | |||
| <section> | <section> | |||
| <name>Nonce Extension</name> | <name>Nonce Extension</name> | |||
| <t> | <t> | |||
| The Nonce cryptographically binds a request and a response to prevent | The Nonce cryptographically binds a request and a response to prevent | |||
| replay attacks. The Nonce is included as one of the | replay attacks. The Nonce is included as one of the | |||
| requestExtensions in requests; in responses, it would be included as | requestExtensions in requests; in responses, it is included as | |||
| one of the responseExtensions. In both the request and the response, | one of the responseExtensions. In both the request and the response, | |||
| the Nonce will be identified by the object identifier id-pkix-ocsp- | the Nonce is identified by the object identifier id-pkix-ocsp-nonce, whil | |||
| nonce, while the extnValue is the encoded value of Nonce. If the | e the extnValue is the encoded value of Nonce. If the | |||
| Nonce extension is present, then the length of the Nonce MUST be at | Nonce extension is present, then the length of the Nonce <bcp14>MUST</bcp | |||
| least 1 octet and can be up to 128 octets. [RFC8954] compliant | 14> be at | |||
| implementations will be unable to process nonces | least 1 octet and can be up to 128 octets. Implementations compliant with | |||
| generated per the new specification with sizes in excess of the limit | <xref target="RFC8954"/> | |||
| of 32 octets that was specified in [RFC8954]. | will not be able to process nonces | |||
| generated per the new specification with sizes in excess of the limit (32 | ||||
| octets) specified in <xref target="RFC8954"/>. | ||||
| </t> | </t> | |||
| <t> | <t> | |||
| An OCSP requester that implements this document MUST use a minimum | An OCSP requester that implements the extension in this document <bcp14> MUST</bcp14> use a minimum | |||
| length of 32 octets for Nonce in the Nonce extension. | length of 32 octets for Nonce in the Nonce extension. | |||
| </t> | </t> | |||
| <t> | <t> | |||
| An OCSP responder , supporting the Nonce extension, MUST accept Nonce len | An OCSP responder that supports the Nonce extension <bcp14>MUST</bcp14> a | |||
| gths | ccept Nonce lengths | |||
| of at least 16 octets and up to and including 32 octets. Responder MAY choose | of at least 16 octets and up to and including 32 octets. A responder <bcp14>M | |||
| to respond without the Nonce extension | AY</bcp14> choose to respond without the Nonce extension | |||
| for requests where the length of the Nonce is in between 1 octet and | for requests in which the length of the Nonce is in between 1 octet and | |||
| 15 octets or 33 octets and 128 octets. | 15 octets or 33 octets and 128 octets. | |||
| </t> | </t> | |||
| <t> | <t> | |||
| Responders, that implements this document MUST reject any OCSP | Responders that implement the extension in this document <bcp14>MUST</bcp | |||
| request that has a Nonce with a length of either 0 octets or more | 14> reject any OCSP | |||
| request that has a Nonce with a length of either 0 octets or greater | ||||
| than 128 octets, with the malformedRequest OCSPResponseStatus as | than 128 octets, with the malformedRequest OCSPResponseStatus as | |||
| described in Section 4.2.1 of [RFC6960]. | described in <xref target="RFC6960" sectionFormat="of" section="4.2.1"/>. | |||
| </t> | </t> | |||
| <t> | <t> | |||
| The value of the Nonce MUST be generated using a cryptographically | The value of the Nonce <bcp14>MUST</bcp14> be generated using a cryptogra phically | |||
| strong pseudorandom number generator (see <xref target="RFC4086"/>). The minimum | strong pseudorandom number generator (see <xref target="RFC4086"/>). The minimum | |||
| Nonce length of 1 octet is defined to provide backward compatibility | Nonce length of 1 octet is defined to provide backward compatibility | |||
| with older OCSP requester that follow <xref target="RFC6960"/>. | with older OCSP requesters that follow <xref target="RFC6960"/>. | |||
| </t> | </t> | |||
| <artwork><![CDATA[ | <sourcecode type="asn.1"><![CDATA[ | |||
| id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp } | id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp } | |||
| id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 } | id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 } | |||
| Nonce ::= OCTET STRING(SIZE(1..128)) | Nonce ::= OCTET STRING(SIZE(1..128)) | |||
| ]]></artwork> | ]]></sourcecode> | |||
| <artwork><![CDATA[ | ||||
| Example of an encoded OCSP Nonce extension with 32 octet Nonce in | <t>The following is an example of an encoded OCSP Nonce extension with a 32-octe | |||
| hexadecimal format. | t Nonce in | |||
| hexadecimal format.</t> | ||||
| <artwork><![CDATA[ | ||||
| 30 2f 06 09 2b 06 01 05 05 07 30 01 02 04 22 04 | 30 2f 06 09 2b 06 01 05 05 07 30 01 02 04 22 04 | |||
| 20 dd 49 d4 07 2c 44 9d a1 c3 17 bd 1c 1b df fe | 20 dd 49 d4 07 2c 44 9d a1 c3 17 bd 1c 1b df fe | |||
| db e1 50 31 2e c4 cd 0a dd 18 e5 bd 6f 84 bf 14 | db e1 50 31 2e c4 cd 0a dd 18 e5 bd 6f 84 bf 14 | |||
| c8 | c8 | |||
| ]]></artwork> | ||||
| <t> | ||||
| Here is the decoded version of the above example. | Here is the decoded version of the above example. | |||
| Offset, Length and Object Identifier are in decimal. | Offset, Length, and Object Identifier are in decimal. | |||
| </t> | ||||
| <artwork><![CDATA[ | ||||
| Offset Length | Offset Length | |||
| 0 47 : SEQUENCE { | 0 47 : SEQUENCE { | |||
| 2 9 : OBJECT IDENTIFIER ocspNonce (1 3 6 1 5 5 7 48 1 2) | 2 9 : OBJECT IDENTIFIER ocspNonce | |||
| 13 34 : OCTET STRING, encapsulates { | : (1 3 6 1 5 5 7 48 1 2) | |||
| 15 32 : OCTET STRING | 13 34 : OCTET STRING, encapsulates { | |||
| : DD 49 D4 07 2C 44 9D A1 C3 17 BD 1C 1B DF FE DB | 15 32 : OCTET STRING | |||
| : E1 50 31 2E C4 CD 0A DD 18 E5 BD 6F 84 BF 14 C8 | : DD 49 D4 07 2C 44 9D A1 C3 17 BD 1C 1B DF FE DB | |||
| : } | : E1 50 31 2E C4 CD 0A DD 18 E5 BD 6F 84 BF 14 C8 | |||
| : } | : } | |||
| : } | ||||
| ]]></artwork> | ]]></artwork> | |||
| </section> | </section> | |||
| </section> | </section> | |||
| <section> | <section> | |||
| <name>Security Considerations</name> | <name>Security Considerations</name> | |||
| <t>The security considerations of OCSP, in general, are described in | <t>The security considerations of OCSP, in general, are described in | |||
| <xref target="RFC6960"/>. During the interval in which the previous OCSP res ponse | <xref target="RFC6960"/>. During the interval in which the previous OCSP res ponse | |||
| for a certificate is not expired but the responder has a changed | for a certificate is not expired but the responder has a changed | |||
| status for that certificate, a copy of that OCSP response can be used | status for that certificate, a copy of that OCSP response can be used | |||
| to indicate that the status of the certificate is still valid. | to indicate that the status of the certificate is still valid. | |||
| Including a requester's nonce value in the OCSP response makes sure that | Including a requester's nonce value in the OCSP response ensures that | |||
| the response is the latest response from the server and not an old | the response is the most recent response from the server and not an old | |||
| copy.</t> | copy.</t> | |||
| <section> | <section> | |||
| <name>Replay Attack</name> | <name>Replay Attack</name> | |||
| <t>The Nonce extension is used to avoid replay attacks. Since the O CSP | <t>The Nonce extension is used to avoid replay attacks. Since the O CSP | |||
| responder may choose not to send the Nonce extension in the OCSP | responder may choose not to send the Nonce extension in the OCSP | |||
| response even if the requester has sent the Nonce extension in the | response even if the requester has sent the Nonce extension in the | |||
| request <xref target="RFC5019"/>, an on-path attacker can intercept the OCSP request | request <xref target="RFC5019"/>, an on-path attacker can intercept the OCSP request | |||
| and respond with an earlier response from the server without the | and respond with an earlier response from the server without the | |||
| Nonce extension. This can be mitigated by configuring the server to | Nonce extension. This can be mitigated by configuring the server to | |||
| use a short time interval between the thisUpdate and nextUpdate | use a short time interval between the thisUpdate and nextUpdate | |||
| fields in the OCSP response.</t> | fields in the OCSP response.</t> | |||
| </section> | </section> | |||
| </section> | </section> | |||
| <section anchor="IANA"> | <section anchor="IANA"> | |||
| <name>IANA Considerations</name> | <name>IANA Considerations</name> | |||
| <t> | <t> | |||
| For the ASN.1 Module in Appendix A.1, IANA is requested to assign an | For the ASN.1 modules in Appendixes <xref target="asn-1998" format="co | |||
| object identifier (OID) for the module identifier to replace TBD1. The | unter"/> and | |||
| OID for the module should be allocated in the "SMI Security for PKIX | <xref target="asn-2008" format="counter"/>, IANA has assigned the following | |||
| Module Identifier" registry (1.3.6.1.5.5.7.0), and the Description | object identifiers (OIDs) in the "SMI Security for PKIX | |||
| for the new OID should be set to "id-mod-ocsp-2024-88". | Module Identifier" registry (1.3.6.1.5.5.7.0): </t> | |||
| </t> | ||||
| <t> | ||||
| For the ASN.1 Module in Appendix A.2, IANA is requested to assign an | ||||
| object identifier (OID) for the module identifier to replace TBD2. The | ||||
| OID for the module should be allocated in the "SMI Security for PKIX | ||||
| Module Identifier" registry (1.3.6.1.5.5.7.0), and the Description | ||||
| for the new OID should be set to "id-mod-ocsp-2024-08". | ||||
| </t> | ||||
| </section> | ||||
| <section anchor="Acknowledgements" numbered="false"> | ||||
| <name>Acknowledgements</name> | ||||
| <t> | ||||
| The authors of this document wish to thank Mohit Sahni for his work to | ||||
| produce <xref target="RFC8954"/>. | ||||
| </t> | ||||
| <t> | ||||
| The authors wish to thank Russ Housley, Corey Bonnell, | ||||
| Michael StJohns and Carl Wallace for the feedback and suggestions. | ||||
| </t> | <table anchor="iana-tab"> | |||
| <name></name> | ||||
| <thead> | ||||
| <tr> | ||||
| <th>Value</th> | ||||
| <th>Description</th> | ||||
| </tr> | ||||
| </thead> | ||||
| <tbody> | ||||
| <tr> | ||||
| <td>111</td> | ||||
| <td>id-mod-ocsp-2024-88</td> | ||||
| </tr> | ||||
| <tr> | ||||
| <td>112</td> | ||||
| <td>id-mod-ocsp-2024-08</td> | ||||
| </tr> | ||||
| </tbody> | ||||
| </table> | ||||
| </section> | </section> | |||
| <!-- NOTE: The Acknowledgements and Contributors sections are at the end of this template --> | ||||
| </middle> | </middle> | |||
| <back> | <back> | |||
| <references> | <references> | |||
| <name>References</name> | <name>References</name> | |||
| <references> | <references> | |||
| <name>Normative References</name> | <name>Normative References</name> | |||
| <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2 119.xml"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2 119.xml"/> | |||
| <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4 086.xml"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4 086.xml"/> | |||
| <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5 019.xml"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5 019.xml"/> | |||
| <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5 280.xml"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5 280.xml"/> | |||
| <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6 960.xml"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6 960.xml"/> | |||
| <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8 174.xml"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8 174.xml"/> | |||
| <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8 954.xml"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8 954.xml"/> | |||
| <!-- The recommended and simplest way to include a well known reference --> | ||||
| </references> | </references> | |||
| <references> | <references> | |||
| <name>Informative References</name> | <name>Informative References</name> | |||
| <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5 912.xml"/> | <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5 912.xml"/> | |||
| <reference anchor="Errata5891" target="https://www.rfc-editor.org/errata | ||||
| /eid5891" quoteTitle="false"> | <reference anchor="Err5891" quote-title="false" target="https://www.rfc-editor.o | |||
| <front> | rg/errata/eid5891"> | |||
| <title>Erratum ID 5891</title> | <front> | |||
| <author> | <title>Erratum ID 5891</title> | |||
| <organization showOnFrontPage="true">RFC Errata</organization> | <author> | |||
| </author> | <organization>RFC Errata</organization> | |||
| </front> | </author> | |||
| <refcontent>RFC 6960</refcontent> | </front> | |||
| </reference> | <refcontent>RFC 6960</refcontent> | |||
| </reference> | ||||
| </references> | </references> | |||
| </references> | </references> | |||
| <section anchor="asn-modules" title="ASN.1 Modules"> | <section anchor="asn-modules" title="ASN.1 Modules"> | |||
| <t> | <t> | |||
| This section includes the ASN.1 modules for OCSP and replaces the entiri | This section includes the ASN.1 modules for OCSP and replaces the entire | |||
| ty of Section 5 of <xref target="RFC8954"/>. | ty of <xref target="RFC8954" sectionFormat="of" section="5"/>. | |||
| It addresses Errata id 5891 <xref target="Errata5891"/> as well. | It addresses Errata ID 5891 <xref target="Err5891"/> as well. | |||
| </t> | </t> | |||
| <t> | <t> | |||
| Appendix A.1 includes an ASN.1 module that conforms to the 1998 | <xref target="asn-1998"/> includes an ASN.1 module that conforms to the 1998 | |||
| version of ASN.1 for all syntax elements of OCSP. | version of ASN.1 for all syntax elements of OCSP. | |||
| This module replaces the modules Appendix B.1 of <xref target="RFC6960"/ >. | This module replaces the module in <xref target="RFC6960" sectionFormat= "of" section="B.1"/>. | |||
| </t> | </t> | |||
| <t> | <t> | |||
| Appendix A.2 includes an ASN.1 module, corresponding to the module | <xref target="asn-2008"/> includes an ASN.1 module, corresponding to the | |||
| present in A.1, that conforms to the 2008 version of ASN.1. This module | module | |||
| replaces the modules in Section 4 of <xref target="RFC5912"/> and Append | present in <xref target="asn-1998"/>, that conforms to the 2008 version | |||
| ix B.2 of | of ASN.1. This module | |||
| <xref target="RFC6960"/>. Although a 2008 ASN.1 module is provided, the | replaces the modules in <xref target="RFC5912" sectionFormat="of" sectio | |||
| module in | n="4"/> and | |||
| Appendix A.1 remains the normative module as per the policy of the PKIX | <xref target="RFC6960" sectionFormat="of" section="B.2"/>. Although a 20 | |||
| working group. | 08 ASN.1 module is provided, the module in | |||
| <xref target="asn-1998"/> remains the normative module per the policy of | ||||
| the PKIX Working Group. | ||||
| </t> | </t> | |||
| <section anchor="asn-1998" title="OCSP in ASN.1 - 1998 Syntax"> | <section anchor="asn-1998" title="OCSP in ASN.1 - 1998 Syntax"> | |||
| <artwork><![CDATA[ | <sourcecode type="asn.1" markers="true"><![CDATA[ | |||
| OCSP-2024-88 | OCSP-2024-88 | |||
| {iso(1) identified-organization(3) dod(6) internet(1) | { iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) pkix(7) id-mod(0) | security(5) mechanisms(5) pkix(7) id-mod(0) | |||
| id-mod-ocsp-2024-88(TBD1)} | id-mod-ocsp-2024-88(111) } | |||
| DEFINITIONS EXPLICIT TAGS ::= | DEFINITIONS EXPLICIT TAGS ::= | |||
| BEGIN | BEGIN | |||
| IMPORTS | IMPORTS | |||
| AuthorityInfoAccessSyntax, CRLReason, GeneralName | ||||
| FROM PKIX1Implicit88 -- From [RFC5280] | ||||
| { iso(1) identified-organization(3) dod(6) | ||||
| internet(1) security(5) mechanisms(5) pkix(7) | ||||
| id-mod(0) id-pkix1-implicit(19) } | ||||
| -- PKIX Certificate Extensions | Name, CertificateSerialNumber, Extensions, | |||
| AuthorityInfoAccessSyntax, CRLReason, GeneralName | id-kp, id-ad-ocsp, Certificate, AlgorithmIdentifier | |||
| FROM PKIX1Implicit88 { iso(1) identified-organization(3) | FROM PKIX1Explicit88 -- From [RFC5280] | |||
| dod(6) internet(1) security(5) mechanisms(5) pkix(7) | { iso(1) identified-organization(3) dod(6) | |||
| id-mod(0) id-pkix1-implicit(19) } | internet(1) security(5) mechanisms(5) pkix(7) | |||
| id-mod(0) id-pkix1-explicit(18) } ; | ||||
| Name, CertificateSerialNumber, Extensions, | ||||
| id-kp, id-ad-ocsp, Certificate, AlgorithmIdentifier | ||||
| FROM PKIX1Explicit88 { iso(1) identified-organization(3) | ||||
| dod(6) internet(1) security(5) mechanisms(5) pkix(7) | ||||
| id-mod(0) id-pkix1-explicit(18) }; | ||||
| OCSPRequest ::= SEQUENCE { | OCSPRequest ::= SEQUENCE { | |||
| tbsRequest TBSRequest, | tbsRequest TBSRequest, | |||
| optionalSignature [0] EXPLICIT Signature OPTIONAL } | optionalSignature [0] EXPLICIT Signature OPTIONAL } | |||
| TBSRequest ::= SEQUENCE { | TBSRequest ::= SEQUENCE { | |||
| version [0] EXPLICIT Version DEFAULT v1, | version [0] EXPLICIT Version DEFAULT v1, | |||
| requestorName [1] EXPLICIT GeneralName OPTIONAL, | requestorName [1] EXPLICIT GeneralName OPTIONAL, | |||
| requestList SEQUENCE OF Request, | requestList SEQUENCE OF Request, | |||
| requestExtensions [2] EXPLICIT Extensions OPTIONAL } | requestExtensions [2] EXPLICIT Extensions OPTIONAL } | |||
| Signature ::= SEQUENCE { | Signature ::= SEQUENCE { | |||
| signatureAlgorithm AlgorithmIdentifier, | signatureAlgorithm AlgorithmIdentifier, | |||
| signature BIT STRING, | signature BIT STRING, | |||
| certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } | certs [0] EXPLICIT SEQUENCE OF | |||
| Certificate OPTIONAL } | ||||
| Version ::= INTEGER { v1(0) } | Version ::= INTEGER { v1(0) } | |||
| Nonce ::= OCTET STRING(SIZE(1..128)) | Nonce ::= OCTET STRING (SIZE(1..128)) | |||
| Request ::= SEQUENCE { | Request ::= SEQUENCE { | |||
| reqCert CertID, | reqCert CertID, | |||
| singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL } | singleRequestExtensions [0] EXPLICIT | |||
| Extensions OPTIONAL } | ||||
| CertID ::= SEQUENCE { | CertID ::= SEQUENCE { | |||
| hashAlgorithm AlgorithmIdentifier, | hashAlgorithm AlgorithmIdentifier, | |||
| issuerNameHash OCTET STRING, -- Hash of issuer's DN | issuerNameHash OCTET STRING, -- Hash of issuer's DN | |||
| issuerKeyHash OCTET STRING, -- Hash of issuer's public key | issuerKeyHash OCTET STRING, -- Hash of issuer's public key | |||
| serialNumber CertificateSerialNumber } | serialNumber CertificateSerialNumber } | |||
| OCSPResponse ::= SEQUENCE { | OCSPResponse ::= SEQUENCE { | |||
| responseStatus OCSPResponseStatus, | responseStatus OCSPResponseStatus, | |||
| responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } | responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } | |||
| OCSPResponseStatus ::= ENUMERATED { | OCSPResponseStatus ::= ENUMERATED { | |||
| successful (0), -- Response has valid confirmations | successful (0), -- Response has valid confirmations | |||
| malformedRequest (1), -- Illegal confirmation request | malformedRequest (1), -- Illegal confirmation request | |||
| internalError (2), -- Internal error in issuer | internalError (2), -- Internal error in issuer | |||
| tryLater (3), -- Try again later | tryLater (3), -- Try again later | |||
| -- (4) is not used | -- (4) is not used | |||
| sigRequired (5), -- Must sign the request | sigRequired (5), -- Must sign the request | |||
| unauthorized (6) -- Request unauthorized | unauthorized (6) -- Request unauthorized | |||
| } | } | |||
| ResponseBytes ::= SEQUENCE { | ResponseBytes ::= SEQUENCE { | |||
| responseType OBJECT IDENTIFIER, | responseType OBJECT IDENTIFIER, | |||
| response OCTET STRING } | response OCTET STRING } | |||
| BasicOCSPResponse ::= SEQUENCE { | BasicOCSPResponse ::= SEQUENCE { | |||
| tbsResponseData ResponseData, | tbsResponseData ResponseData, | |||
| signatureAlgorithm AlgorithmIdentifier, | signatureAlgorithm AlgorithmIdentifier, | |||
| signature BIT STRING, | signature BIT STRING, | |||
| certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } | certs [0] EXPLICIT SEQUENCE OF | |||
| Certificate OPTIONAL } | ||||
| ResponseData ::= SEQUENCE { | ResponseData ::= SEQUENCE { | |||
| version [0] EXPLICIT Version DEFAULT v1, | version [0] EXPLICIT Version DEFAULT v1, | |||
| responderID ResponderID, | responderID ResponderID, | |||
| producedAt GeneralizedTime, -- The format for | producedAt GeneralizedTime, | |||
| -- GeneralizedTime is as | -- The format for GeneralizedTime is | |||
| -- specified in Section | -- as specified in Section 4.1.2.5.2 | |||
| -- 4.1.2.5.2 of [RFC5280] | -- [RFC5280] | |||
| responses SEQUENCE OF SingleResponse, | responses SEQUENCE OF SingleResponse, | |||
| responseExtensions [1] EXPLICIT Extensions OPTIONAL } | responseExtensions [1] EXPLICIT Extensions OPTIONAL } | |||
| ResponderID ::= CHOICE { | ResponderID ::= CHOICE { | |||
| byName [1] Name, | byName [1] Name, | |||
| byKey [2] KeyHash } | byKey [2] KeyHash } | |||
| KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key | KeyHash ::= OCTET STRING | |||
| -- (i.e., the SHA-1 hash of the value of the | -- SHA-1 hash of responder's public key (i.e., the | |||
| -- BIT STRING subjectPublicKey [excluding | -- SHA-1 hash of the value of the BIT STRING | |||
| -- the tag, length, and number of unused | -- subjectPublicKey [excluding the tag, length, and | |||
| -- bits] in the responder's certificate) | -- number of unused bits] in the responder's | |||
| -- certificate) | ||||
| SingleResponse ::= SEQUENCE { | SingleResponse ::= SEQUENCE { | |||
| certID CertID, | certID CertID, | |||
| certStatus CertStatus, | certStatus CertStatus, | |||
| thisUpdate GeneralizedTime, | thisUpdate GeneralizedTime, | |||
| nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, | nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, | |||
| singleExtensions [1] EXPLICIT Extensions OPTIONAL } | singleExtensions [1] EXPLICIT Extensions OPTIONAL } | |||
| CertStatus ::= CHOICE { | CertStatus ::= CHOICE { | |||
| good [0] IMPLICIT NULL, | good [0] IMPLICIT NULL, | |||
| revoked [1] IMPLICIT RevokedInfo, | revoked [1] IMPLICIT RevokedInfo, | |||
| unknown [2] IMPLICIT UnknownInfo } | unknown [2] IMPLICIT UnknownInfo } | |||
| RevokedInfo ::= SEQUENCE { | RevokedInfo ::= SEQUENCE { | |||
| revocationTime GeneralizedTime, | revocationTime GeneralizedTime, | |||
| revocationReason [0] EXPLICIT CRLReason OPTIONAL } | revocationReason [0] EXPLICIT CRLReason OPTIONAL } | |||
| UnknownInfo ::= NULL | UnknownInfo ::= NULL | |||
| ArchiveCutoff ::= GeneralizedTime | ArchiveCutoff ::= GeneralizedTime | |||
| AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER | AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER | |||
| ServiceLocator ::= SEQUENCE { | ServiceLocator ::= SEQUENCE { | |||
| issuer Name, | issuer Name, | |||
| locator AuthorityInfoAccessSyntax } | locator AuthorityInfoAccessSyntax } | |||
| CrlID ::= SEQUENCE { | CrlID ::= SEQUENCE { | |||
| crlUrl [0] EXPLICIT IA5String OPTIONAL, | crlUrl [0] EXPLICIT IA5String OPTIONAL, | |||
| crlNum [1] EXPLICIT INTEGER OPTIONAL, | crlNum [1] EXPLICIT INTEGER OPTIONAL, | |||
| crlTime [2] EXPLICIT GeneralizedTime OPTIONAL } | crlTime [2] EXPLICIT GeneralizedTime OPTIONAL } | |||
| PreferredSignatureAlgorithms ::= SEQUENCE OF PreferredSignatureAlgorithm | PreferredSignatureAlgorithms ::= SEQUENCE OF | |||
| PreferredSignatureAlgorithm | ||||
| PreferredSignatureAlgorithm ::= SEQUENCE { | PreferredSignatureAlgorithm ::= SEQUENCE { | |||
| sigIdentifier AlgorithmIdentifier, | sigIdentifier AlgorithmIdentifier, | |||
| certIdentifier AlgorithmIdentifier OPTIONAL } | certIdentifier AlgorithmIdentifier OPTIONAL } | |||
| -- Object Identifiers | -- Object Identifiers | |||
| id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } | id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } | |||
| id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp } | id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp } | |||
| id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 } | id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 } | |||
| skipping to change at line 446 ¶ | skipping to change at line 424 ¶ | |||
| id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 } | id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 } | |||
| id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 } | id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 } | |||
| id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 } | id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 } | |||
| id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 } | id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 } | |||
| id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 } | id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 } | |||
| id-pkix-ocsp-pref-sig-algs OBJECT IDENTIFIER ::= { id-pkix-ocsp 8 } | id-pkix-ocsp-pref-sig-algs OBJECT IDENTIFIER ::= { id-pkix-ocsp 8 } | |||
| id-pkix-ocsp-extended-revoke OBJECT IDENTIFIER ::= { id-pkix-ocsp 9 } | id-pkix-ocsp-extended-revoke OBJECT IDENTIFIER ::= { id-pkix-ocsp 9 } | |||
| END | END | |||
| ]]> | ]]> | |||
| </artwork> | </sourcecode> | |||
| </section> | </section> | |||
| <section anchor="asn-2008" title="OCSP in ASN.1 - 2008 Syntax"> | <section anchor="asn-2008" title="OCSP in ASN.1 - 2008 Syntax"> | |||
| <artwork><![CDATA[ | <sourcecode type="asn.1" markers="true"><![CDATA[ | |||
| OCSP-2024-08 | OCSP-2024-08 | |||
| {iso(1) identified-organization(3) dod(6) internet(1) | { iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) pkix(7) id-mod(0) | security(5) mechanisms(5) pkix(7) id-mod(0) | |||
| id-mod-ocsp-2024-08(TBD2)} | id-mod-ocsp-2024-08(112) } | |||
| DEFINITIONS EXPLICIT TAGS ::= | DEFINITIONS EXPLICIT TAGS ::= | |||
| BEGIN | BEGIN | |||
| IMPORTS | IMPORTS | |||
| Extensions{}, EXTENSION | ||||
| FROM PKIX-CommonTypes-2009 -- From [RFC5912] | ||||
| { iso(1) identified-organization(3) dod(6) | ||||
| internet(1) security(5) mechanisms(5) pkix(7) | ||||
| id-mod(0) id-mod-pkixCommon-02(57) } | ||||
| Extensions{}, EXTENSION | AlgorithmIdentifier{}, DIGEST-ALGORITHM, | |||
| FROM PKIX-CommonTypes-2009 -- From [RFC5912] | SIGNATURE-ALGORITHM, PUBLIC-KEY | |||
| {iso(1) identified-organization(3) dod(6) internet(1) security(5) | FROM AlgorithmInformation-2009 -- From [RFC5912] | |||
| mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)} | { iso(1) identified-organization(3) dod(6) | |||
| internet(1) security(5) mechanisms(5) pkix(7) | ||||
| AlgorithmIdentifier{}, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM, PUBLIC-KEY | id-mod(0) id-mod-algorithmInformation-02(58) } | |||
| FROM AlgorithmInformation-2009 -- From [RFC5912] | ||||
| {iso(1) identified-organization(3) dod(6) internet(1) security(5) | ||||
| mechanisms(5) pkix(7) id-mod(0) | ||||
| id-mod-algorithmInformation-02(58)} | ||||
| AuthorityInfoAccessSyntax, GeneralName, CrlEntryExtensions, CRLReason | AuthorityInfoAccessSyntax, GeneralName, | |||
| FROM PKIX1Implicit-2009 -- From [RFC5912] | CrlEntryExtensions, CRLReason | |||
| {iso(1) identified-organization(3) dod(6) internet(1) security(5) | FROM PKIX1Implicit-2009 -- From [RFC5912] | |||
| mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)} | { iso(1) identified-organization(3) dod(6) | |||
| internet(1) security(5) mechanisms(5) pkix(7) | ||||
| id-mod(0) id-mod-pkix1-implicit-02(59) } | ||||
| Name, CertificateSerialNumber, id-kp, id-ad-ocsp, Certificate | Name, Certificate, CertificateSerialNumber, | |||
| FROM PKIX1Explicit-2009 -- From [RFC5912] | id-kp, id-ad-ocsp | |||
| {iso(1) identified-organization(3) dod(6) internet(1) security(5) | FROM PKIX1Explicit-2009 -- From [RFC5912] | |||
| mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)} | { iso(1) identified-organization(3) dod(6) | |||
| internet(1) security(5) mechanisms(5) pkix(7) | ||||
| id-mod(0) id-mod-pkix1-explicit-02(51) } | ||||
| sa-dsaWithSHA1, sa-rsaWithMD2, sa-rsaWithMD5, sa-rsaWithSHA1 | sa-dsaWithSHA1, sa-rsaWithMD2, | |||
| FROM PKIXAlgs-2009 -- From [RFC5912] | sa-rsaWithMD5, sa-rsaWithSHA1 | |||
| {iso(1) identified-organization(3) dod(6) internet(1) security(5) | FROM PKIXAlgs-2009 -- From [RFC5912] | |||
| mechanisms(5) pkix(7) id-mod(0) | { iso(1) identified-organization(3) dod(6) | |||
| id-mod-pkix1-algorithms2008-02(56)}; | internet(1) security(5) mechanisms(5) pkix(7) | |||
| id-mod(0) id-mod-pkix1-algorithms2008-02(56) } ; | ||||
| OCSPRequest ::= SEQUENCE { | OCSPRequest ::= SEQUENCE { | |||
| tbsRequest TBSRequest, | tbsRequest TBSRequest, | |||
| optionalSignature [0] EXPLICIT Signature OPTIONAL } | optionalSignature [0] EXPLICIT Signature OPTIONAL } | |||
| TBSRequest ::= SEQUENCE { | TBSRequest ::= SEQUENCE { | |||
| version [0] EXPLICIT Version DEFAULT v1, | version [0] EXPLICIT Version DEFAULT v1, | |||
| requestorName [1] EXPLICIT GeneralName OPTIONAL, | requestorName [1] EXPLICIT GeneralName OPTIONAL, | |||
| requestList SEQUENCE OF Request, | requestList SEQUENCE OF Request, | |||
| requestExtensions [2] EXPLICIT Extensions {{re-ocsp-nonce | | requestExtensions [2] EXPLICIT Extensions | |||
| re-ocsp-response, ..., | {{ re-ocsp-nonce | re-ocsp-response | | |||
| re-ocsp-preferred-signature-algorithms}} OPTIONAL } | re-ocsp-preferred-signature-algorithms, | |||
| ... }} OPTIONAL } | ||||
| Signature ::= SEQUENCE { | Signature ::= SEQUENCE { | |||
| signatureAlgorithm AlgorithmIdentifier | signatureAlgorithm AlgorithmIdentifier | |||
| { SIGNATURE-ALGORITHM, {...}}, | { SIGNATURE-ALGORITHM, {...}}, | |||
| signature BIT STRING, | signature BIT STRING, | |||
| certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } | certs [0] EXPLICIT SEQUENCE OF | |||
| Certificate OPTIONAL } | ||||
| Version ::= INTEGER { v1(0) } | Version ::= INTEGER { v1(0) } | |||
| Nonce ::= OCTET STRING(SIZE(1..128)) | Nonce ::= OCTET STRING (SIZE(1..128)) | |||
| Request ::= SEQUENCE { | Request ::= SEQUENCE { | |||
| reqCert CertID, | reqCert CertID, | |||
| singleRequestExtensions [0] EXPLICIT Extensions | singleRequestExtensions [0] EXPLICIT Extensions | |||
| { {re-ocsp-service-locator, | {{ re-ocsp-service-locator, | |||
| ...}} OPTIONAL } | ... }} OPTIONAL } | |||
| CertID ::= SEQUENCE { | CertID ::= SEQUENCE { | |||
| hashAlgorithm AlgorithmIdentifier | hashAlgorithm AlgorithmIdentifier | |||
| {DIGEST-ALGORITHM, {...}}, | { DIGEST-ALGORITHM, {...}}, | |||
| issuerNameHash OCTET STRING, -- Hash of issuer's DN | issuerNameHash OCTET STRING, -- Hash of issuer's DN | |||
| issuerKeyHash OCTET STRING, -- Hash of issuer's public key | issuerKeyHash OCTET STRING, -- Hash of issuer's public key | |||
| serialNumber CertificateSerialNumber } | serialNumber CertificateSerialNumber } | |||
| OCSPResponse ::= SEQUENCE { | OCSPResponse ::= SEQUENCE { | |||
| responseStatus OCSPResponseStatus, | responseStatus OCSPResponseStatus, | |||
| responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } | responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } | |||
| OCSPResponseStatus ::= ENUMERATED { | OCSPResponseStatus ::= ENUMERATED { | |||
| successful (0), -- Response has valid confirmations | successful (0), -- Response has valid confirmations | |||
| malformedRequest (1), -- Illegal confirmation request | malformedRequest (1), -- Illegal confirmation request | |||
| internalError (2), -- Internal error in issuer | internalError (2), -- Internal error in issuer | |||
| tryLater (3), -- Try again later | tryLater (3), -- Try again later | |||
| -- (4) is not used | -- (4) is not used | |||
| sigRequired (5), -- Must sign the request | sigRequired (5), -- Must sign the request | |||
| unauthorized (6) -- Request unauthorized | unauthorized (6) -- Request unauthorized | |||
| } | } | |||
| RESPONSE ::= TYPE-IDENTIFIER | RESPONSE ::= TYPE-IDENTIFIER | |||
| ResponseSet RESPONSE ::= {basicResponse, ...} | ResponseSet RESPONSE ::= { basicResponse, ... } | |||
| ResponseBytes ::= SEQUENCE { | ResponseBytes ::= SEQUENCE { | |||
| responseType RESPONSE. | responseType RESPONSE.&id ({ResponseSet}), | |||
| &id ({ResponseSet}), | response OCTET STRING (CONTAINING RESPONSE. | |||
| response OCTET STRING (CONTAINING RESPONSE. | &Type({ResponseSet}{@responseType}))} | |||
| &Type({ResponseSet}{@responseType}))} | ||||
| basicResponse RESPONSE ::= | basicResponse RESPONSE ::= | |||
| { BasicOCSPResponse IDENTIFIED BY id-pkix-ocsp-basic } | { BasicOCSPResponse IDENTIFIED BY id-pkix-ocsp-basic } | |||
| BasicOCSPResponse ::= SEQUENCE { | BasicOCSPResponse ::= SEQUENCE { | |||
| tbsResponseData ResponseData, | tbsResponseData ResponseData, | |||
| signatureAlgorithm AlgorithmIdentifier{SIGNATURE-ALGORITHM, | signatureAlgorithm AlgorithmIdentifier | |||
| {sa-dsaWithSHA1 | sa-rsaWithSHA1 | | { SIGNATURE-ALGORITHM, | |||
| sa-rsaWithMD5 | sa-rsaWithMD2, ...}}, | { sa-dsaWithSHA1 | | |||
| sa-rsaWithSHA1 | | ||||
| sa-rsaWithMD5 | | ||||
| sa-rsaWithMD2, | ||||
| ... }}, | ||||
| signature BIT STRING, | signature BIT STRING, | |||
| certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } | certs [0] EXPLICIT SEQUENCE OF | |||
| Certificate OPTIONAL } | ||||
| ResponseData ::= SEQUENCE { | ResponseData ::= SEQUENCE { | |||
| version [0] EXPLICIT Version DEFAULT v1, | version [0] EXPLICIT Version DEFAULT v1, | |||
| responderID ResponderID, | responderID ResponderID, | |||
| producedAt GeneralizedTime, | producedAt GeneralizedTime, | |||
| responses SEQUENCE OF SingleResponse, | responses SEQUENCE OF SingleResponse, | |||
| responseExtensions [1] EXPLICIT Extensions | responseExtensions [1] EXPLICIT Extensions | |||
| {{re-ocsp-nonce, ..., | {{ re-ocsp-nonce | | |||
| re-ocsp-extended-revoke}} OPTIONAL } | re-ocsp-extended-revoke, | |||
| ... }} OPTIONAL } | ||||
| ResponderID ::= CHOICE { | ResponderID ::= CHOICE { | |||
| byName [1] Name, | byName [1] Name, | |||
| byKey [2] KeyHash } | byKey [2] KeyHash } | |||
| KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key | KeyHash ::= OCTET STRING | |||
| -- (excluding the tag and length fields) | -- SHA-1 hash of responder's public key | |||
| -- (excluding the tag and length and number | ||||
| -- of unused bits) | ||||
| SingleResponse ::= SEQUENCE { | SingleResponse ::= SEQUENCE { | |||
| certID CertID, | certID CertID, | |||
| certStatus CertStatus, | certStatus CertStatus, | |||
| thisUpdate GeneralizedTime, | thisUpdate GeneralizedTime, | |||
| nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, | nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, | |||
| singleExtensions [1] EXPLICIT Extensions{{re-ocsp-crl | | singleExtensions [1] EXPLICIT Extensions | |||
| re-ocsp-archive-cutoff | | {{ re-ocsp-crl | | |||
| CrlEntryExtensions, ...} | re-ocsp-archive-cutoff | | |||
| } OPTIONAL } | CrlEntryExtensions, | |||
| ... }} OPTIONAL } | ||||
| CertStatus ::= CHOICE { | CertStatus ::= CHOICE { | |||
| good [0] IMPLICIT NULL, | good [0] IMPLICIT NULL, | |||
| revoked [1] IMPLICIT RevokedInfo, | revoked [1] IMPLICIT RevokedInfo, | |||
| unknown [2] IMPLICIT UnknownInfo } | unknown [2] IMPLICIT UnknownInfo } | |||
| RevokedInfo ::= SEQUENCE { | RevokedInfo ::= SEQUENCE { | |||
| revocationTime GeneralizedTime, | revocationTime GeneralizedTime, | |||
| revocationReason [0] EXPLICIT CRLReason OPTIONAL } | revocationReason [0] EXPLICIT CRLReason OPTIONAL } | |||
| UnknownInfo ::= NULL | UnknownInfo ::= NULL | |||
| ArchiveCutoff ::= GeneralizedTime | ArchiveCutoff ::= GeneralizedTime | |||
| AcceptableResponses ::= SEQUENCE OF RESPONSE.&id({ResponseSet}) | AcceptableResponses ::= SEQUENCE OF RESPONSE.&id({ResponseSet}) | |||
| ServiceLocator ::= SEQUENCE { | ServiceLocator ::= SEQUENCE { | |||
| issuer Name, | issuer Name, | |||
| locator AuthorityInfoAccessSyntax } | locator AuthorityInfoAccessSyntax } | |||
| CrlID ::= SEQUENCE { | CrlID ::= SEQUENCE { | |||
| crlUrl [0] EXPLICIT IA5String OPTIONAL, | crlUrl [0] EXPLICIT IA5String OPTIONAL, | |||
| crlNum [1] EXPLICIT INTEGER OPTIONAL, | crlNum [1] EXPLICIT INTEGER OPTIONAL, | |||
| crlTime [2] EXPLICIT GeneralizedTime OPTIONAL } | crlTime [2] EXPLICIT GeneralizedTime OPTIONAL } | |||
| PreferredSignatureAlgorithms ::= SEQUENCE OF PreferredSignatureAlgorithm | PreferredSignatureAlgorithms ::= SEQUENCE OF | |||
| PreferredSignatureAlgorithm | ||||
| PreferredSignatureAlgorithm ::= SEQUENCE { | PreferredSignatureAlgorithm ::= SEQUENCE { | |||
| sigIdentifier AlgorithmIdentifier{SIGNATURE-ALGORITHM, {...}}, | sigIdentifier AlgorithmIdentifier | |||
| certIdentifier AlgorithmIdentifier{PUBLIC-KEY, {...}} OPTIONAL | { SIGNATURE-ALGORITHM, {...} }, | |||
| } | certIdentifier AlgorithmIdentifier {PUBLIC-KEY, {...}} | |||
| OPTIONAL } | ||||
| -- Certificate Extensions | -- Certificate Extensions | |||
| ext-ocsp-nocheck EXTENSION ::= { SYNTAX NULL IDENTIFIED | ext-ocsp-nocheck EXTENSION ::= { | |||
| BY id-pkix-ocsp-nocheck } | SYNTAX NULL IDENTIFIED BY id-pkix-ocsp-nocheck } | |||
| -- Request Extensions | -- Request Extensions | |||
| re-ocsp-nonce EXTENSION ::= { SYNTAX Nonce | re-ocsp-nonce EXTENSION ::= { | |||
| IDENTIFIED BY id-pkix-ocsp-nonce } | SYNTAX Nonce IDENTIFIED BY id-pkix-ocsp-nonce } | |||
| re-ocsp-response EXTENSION ::= { SYNTAX AcceptableResponses IDENTIFIED | re-ocsp-response EXTENSION ::= { | |||
| BY id-pkix-ocsp-response } | SYNTAX AcceptableResponses IDENTIFIED BY | |||
| id-pkix-ocsp-response } | ||||
| re-ocsp-service-locator EXTENSION ::= { SYNTAX ServiceLocator | re-ocsp-service-locator EXTENSION ::= { | |||
| IDENTIFIED BY | SYNTAX ServiceLocator IDENTIFIED BY | |||
| id-pkix-ocsp-service-locator } | id-pkix-ocsp-service-locator } | |||
| re-ocsp-preferred-signature-algorithms EXTENSION ::= { | re-ocsp-preferred-signature-algorithms EXTENSION ::= { | |||
| SYNTAX PreferredSignatureAlgorithms | SYNTAX PreferredSignatureAlgorithms IDENTIFIED BY | |||
| IDENTIFIED BY id-pkix-ocsp-pref-sig-algs } | id-pkix-ocsp-pref-sig-algs } | |||
| -- Response Extensions | -- Response Extensions | |||
| re-ocsp-crl EXTENSION ::= { SYNTAX CrlID IDENTIFIED BY | re-ocsp-crl EXTENSION ::= { | |||
| id-pkix-ocsp-crl } | SYNTAX CrlID IDENTIFIED BY id-pkix-ocsp-crl } | |||
| re-ocsp-archive-cutoff EXTENSION ::= { SYNTAX ArchiveCutoff | re-ocsp-archive-cutoff EXTENSION ::= { | |||
| IDENTIFIED BY | SYNTAX ArchiveCutoff IDENTIFIED BY | |||
| id-pkix-ocsp-archive-cutoff } | id-pkix-ocsp-archive-cutoff } | |||
| re-ocsp-extended-revoke EXTENSION ::= { SYNTAX NULL IDENTIFIED BY | re-ocsp-extended-revoke EXTENSION ::= { | |||
| id-pkix-ocsp-extended-revoke } | SYNTAX NULL IDENTIFIED BY id-pkix-ocsp-extended-revoke } | |||
| -- Object Identifiers | -- Object Identifiers | |||
| id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } | id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } | |||
| id-pkix-ocsp OBJECT IDENTIFIER ::= id-ad-ocsp | id-pkix-ocsp OBJECT IDENTIFIER ::= id-ad-ocsp | |||
| id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 } | id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 } | |||
| id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 } | id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 } | |||
| id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 } | id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 } | |||
| id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 } | id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 } | |||
| id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 } | id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 } | |||
| id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 } | id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 } | |||
| id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 } | id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 } | |||
| id-pkix-ocsp-pref-sig-algs OBJECT IDENTIFIER ::= { id-pkix-ocsp 8 } | id-pkix-ocsp-pref-sig-algs OBJECT IDENTIFIER ::= { id-pkix-ocsp 8 } | |||
| id-pkix-ocsp-extended-revoke OBJECT IDENTIFIER ::= { id-pkix-ocsp 9 } | id-pkix-ocsp-extended-revoke OBJECT IDENTIFIER ::= { id-pkix-ocsp 9 } | |||
| END | END | |||
| ]]> | ]]> | |||
| </artwork> | </sourcecode> | |||
| </section> | ||||
| </section> | </section> | |||
| <section anchor="Acknowledgements" numbered="false"> | ||||
| <name>Acknowledgements</name> | ||||
| <t> | ||||
| The authors of this document thank <contact fullname="Mohit Sahni"/> f | ||||
| or his work to produce <xref target="RFC8954"/>. | ||||
| </t> | ||||
| <t> | ||||
| The authors also thank <contact fullname="Russ Housley"/>, <contact fu | ||||
| llname="Corey Bonnell"/>, | ||||
| <contact fullname="Michael StJohns"/>, <contact fullname="Tomas Gustav | ||||
| sson"/>, and <contact fullname="Carl Wallace"/> for their feedback and suggestio | ||||
| ns. | ||||
| </t> | ||||
| </section> | </section> | |||
| </back> | </back> | |||
| </rfc> | </rfc> | |||
| End of changes. 106 change blocks. | ||||
| 333 lines changed or deleted | 344 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||