Online Certificate Status Protocol (OCSP) Nonce Extension
draft-ietf-lamps-ocsp-nonce-05

[Ballot comment]
I support Barry's discuss -- I'm assuming that there is some blindingly obvious reason for the text as is, but a: I don't see it and b: if there is, please add it to the document so others like me understand...

[Ballot comment]
Just some nits of varying severity from me...

Abstract

  This document specifies the updated format of the Nonce extension in
  Online Certificate Status Protocol (OCSP) request and response

nit(?): is it the format itself that is specified or constraints upon
the format?

Section 1

  Due to not having an upper or lower limit of the length of the Nonce
  extension, the OCSP responders that follow [RFC6960] may be
  vulnerable to various attacks like Denial of Service attacks
  [RFC4732], chosen prefix attacks to get a desired signature from the
  OCSP responder and possible evasions that can use the Nonce extension
  data for evasion.  [...]

nit: "evasions that can use [...] for evasion" is slightly awkward
wording.  Could we say something different about what is being evaded?

                      This document specifies a lower limit of 1 and an
  upper limit of 32 to the length of the Nonce extension.  This

(pedantic nit): the length of the extension, or the length of the OCTET
STRING bearining the nonce value, contained in the extension?

Section 2

Thanks for agreeing to remove the unrelated list of OCSP extnsions.

Section 2.1

I'm happy to see the discussion with Barry about mandating the behavior
of new clients more tightly without breaking old clients.

  A server MUST reject any OCSP request having a Nonce extension with
  length of 0 octets or more than 32 octets with the malformedRequest
  OCSPResponseStatus as described in section 4.2.1 of [RFC6960].

(same nit about exactly which length is being constrained.)

Section 3.1

(side note) the bit about the Nonce being optional in the response even
if it was present in the request is actually in 6960 itself if you read
carefully; 5019 has a bit more exposition on it but may not, strictly
speaking, be a necessary reference.

Section 5.x

[I expect that the RFC Editor will adjust the formatting/wording a bit,
especially since "old syntax" and "new syntax" in the context of 1998
vs. 2008 ASN.1 syntax is probably going to make people think ASN.1, as
opposed to "OLD text" and "NEW text" or just "OLD"/"NEW".]

[Ballot comment]
I support Barry's DISCUSS.

I'll also repeat one of Barry's observations:  In Section 2, the list of extensions that exist seems to be an unnecessary citation if all this document needs to talk about is the Nonce extension.

[Ballot comment]
Hi,

This document is simple and easy to read and understand, to thank your for that.

As someone with little security knowledge, I was left wondering how the determination of what length nonce is required is made?  E.g., is there some calculation that is performed that concludes that 16 bytes is okay, but 32 is better and any longer is pointless?  Or is that described in another document that could be referenced (perhaps this is covered by the last parts of rfc4086)?

Hence, my comment on this document is whether it would be helpful to have any background text that explains why the particular length(s) of nonce has been chosen.

Regards,
Rob

[Ballot comment]
I support Barry's DISCUSS.

I'll repeat one of Ben's observations:  In Section 2, the list of extensions that exist seems to be an unnecessary citation if all this document needs to talk about is the Nonce extension.

[Ballot comment]
I'll repeat one of Ben's observations:  In Section 2, the list of extensions that exist seems to be an unnecessary citation if all this document needs to talk about is the Nonce extension.

[Ballot discuss]
This should be a very easy discussion to have and to resolve:

— Section 2.1 —

  The OCSP
  clients SHOULD use a length of 32 octets for the Nonce extension.
  The minimum nonce length of 1 octet is defined to provide the
  backward compatibility with older clients following [RFC6960]
  however, the newer OCSP clients MUST use a length of at least 16
  octets for Nonce extension.

I’m puzzled by this, so please explain: as long as we’re talking about new clients, developed with this document in place, why shouldn’t it be a MUST to use 32 octets?  Why would a new client use 16 bits, rather than 32, and what are the considerations that the coder would need to understand in making that decision?

[Ballot comment]
The rest of my comments are very minor; please consider them, but there’s no need to respond to them in detail.  Thanks.

General nit: I find the use of “the” in citations to be jarring, as it’s uncustomary... we normally say “in RFC 6960”, not “in the RFC 6960”.  I’m sure the RFC Editor will sort that out for consistency within the series, though it might not be a bad thing to help them out in advance.  I note odd use of “the” throughout the document as well, with extraneous “the” in various places, and missing “the” in others.

Also, please check for consistency in capitalization of “Nonce extension” vs “nonc extension” throughout.

— Section 1 —

  Due to not having an upper or lower limit of the length of the Nonce
  extension, the OCSP responders that follow [RFC6960] may be
  vulnerable to various attacks like Denial of Service attacks
  [RFC4732], chosen prefix attacks to get a desired signature from the
  OCSP responder and possible evasions that can use the Nonce extension
  data for evasion.

Nit: The length of this sentence makes me want the Oxford comma in the list: please add a comma after “OCSP responder” to aid the readability.  (One could also shorten the sentence by, “Lacking limits on the length of the Nonce extension, ...”)

— Section 2 —
It’s a small thing, but I found myself wondering why you include a list of OCSP extensions, and then say that you only care about Nonce here.  What’s the benefit to the reader of mentioning the others at all?

— Section 3.1 —

  The Nonce extension is used to avoid replay attacks.

Another small thing: You say this in the Abstract and in Sections 2.1, 3, and 3.1.  By the time I got to 3.1 I wondered why the repetition was needed.

— Section 3.2 —

  If the value of the nonce used by a client in OCSP request is not
  random enough,

I find “is not random enough” to be odd, and kind of vague.  What you mean here is really “is not random and has an element of predictability,” yes?

(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Functions Operator has reviewed draft-ietf-lamps-ocsp-nonce-03, which is currently in Last Call, and has the following comments:

We understand that this document doesn't require any registry actions.

While it's often helpful for a document's IANA Considerations section to remain in place upon publication even if there are no actions, if the authors strongly prefer to remove it, we do not object.

If this assessment is not accurate, please respond as soon as possible.

Thank you,

Sabrina Tanamal
Senior IANA Services Specialist

The following Last Call announcement was sent out (ends 2020-09-02):

From: The IESG
To: IETF-Announce
CC: housley@vigilsec.com, rdd@cert.org, Russ Housley , draft-ietf-lamps-ocsp-nonce@ietf.org, spasm@ietf.org, lamps-chairs@ietf.org
Reply-To: last-call@ietf.org
Sender:
Subject: Last Call:  (OCSP Nonce Extension) to Proposed Standard


The IESG has received a request from the Limited Additional Mechanisms for
PKIX and SMIME WG (lamps) to consider the following document: - 'OCSP Nonce
Extension'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-call@ietf.org mailing lists by 2020-09-02. Exceptionally, comments may
be sent to iesg@ietf.org instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


  This document specifies the updated format of the Nonce extension in
  Online Certificate Status Protocol (OCSP) request and response
  messages.  OCSP is used to check the status of a certificate and the
  Nonce extension is used in the OCSP request and response messages to
  avoid replay attacks.  This document updates the RFC 6960




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-lamps-ocsp-nonce/



No IPR declarations have been submitted directly on this I-D.

Shepherd Write-up for draft-ietf-lamps-ocsp-nonce-02


(1) What type of RFC is being requested (BCP, Proposed Standard, Internet
Standard, Informational, Experimental, or Historic)?  Why is this the
proper type of RFC?  Is this type of RFC indicated in the title page
header?

  Proposed Standard.  Yes, the header calls for Standards Track.
 
  This new RFC will update RFC 6960, which is a Proposed Standard.
 

(2) The IESG approval announcement includes a Document Announcement
Write-Up.  Please provide such a Document Announcement Write-Up.  Recent
examples can be found in the "Action" announcements for approved
documents.  The approval announcement contains the following sections:

  Technical Summary:

    This document updates RFC 6960 to specify a maximum size for a nonce
    in the Online Certificate Status Protocol (OCSP),  The nonce is used
    in the OCSP request and response messages to detect replay attacks.

  Working Group Summary:

    There is consensus for this document in the LAMPS WG.

  Document Quality:

    OCSP has wide support.  Several people have expressed support of
    the size limit on the nonce that is specified in this document.
 
  Personnel:

    Russ Housley is the document shepherd.
    Roman Danyliw is the responsible area director.


(3) Briefly describe the review of this document that was performed by
the Document Shepherd.  If this version of the document is not ready for
publication, please explain why the document is being forwarded to the
IESG.

  The document shepherd did a thorough review of the document during
  WG Last Call.  A few concerns were raised, and they were explained or
  resolved.


(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed?

  No concerns.


(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization?  If so, describe the review that took
place.

  Several people that were involved in the PKIX WG were part of the
  review that took place during LAMPS WG Last Call.


(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the IESG
should be aware of?  For example, perhaps he or she is uncomfortable with
certain parts of the document, or has concerns whether there really is a
need for it.  In any event, if the WG has discussed those issues and has
indicated that it still wishes to advance the document, detail those
concerns here.

  No concerns.


(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed.  If not, explain why?

  The author explicitly stated that he is unaware of any additional
  IP that was introduced in the updates to the document.

  The author explicitly stated that he does not hold any IPR related
  to the document.


(8) Has an IPR disclosure been filed that references this document?  If
so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

  No IPR disclosures have been submitted directly on this document,
  the individual I-D that came earlier (draft-msahni-lamps-ocsp-nonce),
  or RFC 6960.


(9) How solid is the WG consensus behind this document?  Does it
represent the strong concurrence of a few individuals, with others being
silent, or does the WG as a whole understand and agree with it?

  There is consensus for this document in the LAMPS WG.


(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent?  If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director.  (It should be in a
separate email because this questionnaire is publicly available.)

  No one has threatened an appeal.


(11) Identify any ID nits the Document Shepherd has found in this
document.  (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist).  Boilerplate checks are not enough; this check needs to be
thorough.

  IDnits reports:
  -- The draft header indicates that this document updates RFC6960, but the
    abstract doesn't seem to directly say this.  It does mention RFC6960
    though, so this could be OK.
  The Abstract includes: "This document updates the RFC 6960".
  This warning seems to be the result of "the" or a missing period.


(12) Describe how the document meets any required formal review criteria,
such as the MIB Doctor, media type, and URI type reviews.

  No special reviews are needed.


(13) Have all references within this document been identified as either
normative or informative?

  Yes.


(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state?  If such normative
references exist, what is the plan for their completion?

  No.


(15) Are there downward normative references references (see RFC 3967)?
If so, list these downward references to support the Area Director in the
Last Call procedure.

  There are no downward normative references.


(16) Will publication of this document change the status of any existing
RFCs?  Are those RFCs listed on the title page header, listed in the
abstract, and discussed in the introduction?  If the RFCs are not listed
in the Abstract and Introduction, explain why, and point to the part of
the document where the relationship of this document to the other RFCs is
discussed.  If this information is not in the document, explain why the
WG considers it unnecessary.

  This new RFC will update RFC 6090, which is clearly stated on the
  title page and the Abstract.


(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document.  Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly identified.
Confirm that newly created IANA registries include a detailed
specification of the initial contents for the registry, that allocations
procedures for future registrations are defined, and a reasonable name
for the new registry has been suggested (see RFC 5226).

  This document does not call for any IANA actions.


(18) List any new IANA registries that require Expert Review for future
allocations.  Provide any public guidance that the IESG would find useful
in selecting the IANA Experts for these new registries.

  No new IANA registries are needed.


(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.

  The ASN.1 module in RFC 6960, once updated with the changes in
  this document, properly compiles.  (Thanks for Jim Schaad for
  doing that for the LAMPS WG.)

Shepherd Write-up for draft-ietf-lamps-ocsp-nonce-02


(1) What type of RFC is being requested (BCP, Proposed Standard, Internet
Standard, Informational, Experimental, or Historic)?  Why is this the
proper type of RFC?  Is this type of RFC indicated in the title page
header?

  Proposed Standard.  Yes, the header calls for Standards Track.
 
  This new RFC will update RFC 6960, which is a Proposed Standard.
 

(2) The IESG approval announcement includes a Document Announcement
Write-Up.  Please provide such a Document Announcement Write-Up.  Recent
examples can be found in the "Action" announcements for approved
documents.  The approval announcement contains the following sections:

  Technical Summary:

    This document updates RFC 6960 to specify a maximum size for a nonce
    in the Online Certificate Status Protocol (OCSP),  The nonce is used
    in the OCSP request and response messages to detect replay attacks.

  Working Group Summary:

    There is consensus for this document in the LAMPS WG.

  Document Quality:

    OCSP has wide support.  Several people have expressed support of
    the size limit on the nonce that is specified in this document.
 
  Personnel:

    Russ Housley is the document shepherd.
    Roman Danyliw is the responsible area director.


(3) Briefly describe the review of this document that was performed by
the Document Shepherd.  If this version of the document is not ready for
publication, please explain why the document is being forwarded to the
IESG.

  The document shepherd did a thorough review of the document during
  WG Last Call.  A few concerns were raised, and they were explained or
  resolved.


(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed?

  No concerns.


(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization?  If so, describe the review that took
place.

  Several people that were involved in the PKIX WG were part of the
  review that took place during LAMPS WG Last Call.


(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the IESG
should be aware of?  For example, perhaps he or she is uncomfortable with
certain parts of the document, or has concerns whether there really is a
need for it.  In any event, if the WG has discussed those issues and has
indicated that it still wishes to advance the document, detail those
concerns here.

  No concerns.


(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed.  If not, explain why?

  The author explicitly stated that he is unaware of any additional
  IP that was introduced in the updates to the document.

  The author explicitly stated that he does not hold any IPR related
  to the document.


(8) Has an IPR disclosure been filed that references this document?  If
so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

  No IPR disclosures have been submitted directly on this document,
  the individual I-D that came earlier (draft-msahni-lamps-ocsp-nonce),
  or RFC 6960.


(9) How solid is the WG consensus behind this document?  Does it
represent the strong concurrence of a few individuals, with others being
silent, or does the WG as a whole understand and agree with it?

  There is consensus for this document in the LAMPS WG.


(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent?  If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director.  (It should be in a
separate email because this questionnaire is publicly available.)

  No one has threatened an appeal.


(11) Identify any ID nits the Document Shepherd has found in this
document.  (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist).  Boilerplate checks are not enough; this check needs to be
thorough.

  IDnits reports:
  -- The draft header indicates that this document updates RFC6960, but the
    abstract doesn't seem to directly say this.  It does mention RFC6960
    though, so this could be OK.
  The Abstract includes: "This document updates the RFC 6960".
  This warning seems to be the result of "the" or a missing period.


(12) Describe how the document meets any required formal review criteria,
such as the MIB Doctor, media type, and URI type reviews.

  No special reviews are needed.


(13) Have all references within this document been identified as either
normative or informative?

  Yes.


(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state?  If such normative
references exist, what is the plan for their completion?

  No.


(15) Are there downward normative references references (see RFC 3967)?
If so, list these downward references to support the Area Director in the
Last Call procedure.

  There are no downward normative references.


(16) Will publication of this document change the status of any existing
RFCs?  Are those RFCs listed on the title page header, listed in the
abstract, and discussed in the introduction?  If the RFCs are not listed
in the Abstract and Introduction, explain why, and point to the part of
the document where the relationship of this document to the other RFCs is
discussed.  If this information is not in the document, explain why the
WG considers it unnecessary.

  This new RFC will update RFC 6090, which is clearly stated on the
  title page and the Abstract.


(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document.  Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly identified.
Confirm that newly created IANA registries include a detailed
specification of the initial contents for the registry, that allocations
procedures for future registrations are defined, and a reasonable name
for the new registry has been suggested (see RFC 5226).

  This document does not call for any IANA actions.


(18) List any new IANA registries that require Expert Review for future
allocations.  Provide any public guidance that the IESG would find useful
in selecting the IANA Experts for these new registries.

  No new IANA registries are needed.


(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.

  The ASN.1 module in RFC 6960, once updated with the changes in
  this document, properly compiles.  (Thanks for Jim Schaad for
  doing that for the LAMPS WG.)

Shepherd Write-up for draft-ietf-lamps-ocsp-nonce-02


(1) What type of RFC is being requested (BCP, Proposed Standard, Internet
Standard, Informational, Experimental, or Historic)?  Why is this the
proper type of RFC?  Is this type of RFC indicated in the title page
header?

  Proposed Standard.  Yes, the header calls for Standards Track.
 
  This new RFC will update RFC 6960, which is a Proposed Standard.
 

(2) The IESG approval announcement includes a Document Announcement
Write-Up.  Please provide such a Document Announcement Write-Up.  Recent
examples can be found in the "Action" announcements for approved
documents.  The approval announcement contains the following sections:

  Technical Summary:

    This document updates RFC 6960 to specify a maximum size for a nonce
    in the Online Certificate Status Protocol (OCSP),  The nonce is used
    in the OCSP request and response messages to detect replay attacks.

  Working Group Summary:

    There is consensus for this document in the LAMPS WG.

  Document Quality:

    OCSP has wide support.  Several people have expressed support of
    the size limit on the nonce that is specified in this document.
 
  Personnel:

    Russ Housley is the document shepherd.
    Roman Danyliw is the responsible area director.


(3) Briefly describe the review of this document that was performed by
the Document Shepherd.  If this version of the document is not ready for
publication, please explain why the document is being forwarded to the
IESG.

  The document shepherd did a thorough review of the document during
  WG Last Call.  A few concerns were raised, and they were explained or
  resolved.


(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed?

  No concerns.


(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization?  If so, describe the review that took
place.

  Several people that were involved in the PKIX WG were part of the
  review that took place during LAMPS WG Last Call.


(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the IESG
should be aware of?  For example, perhaps he or she is uncomfortable with
certain parts of the document, or has concerns whether there really is a
need for it.  In any event, if the WG has discussed those issues and has
indicated that it still wishes to advance the document, detail those
concerns here.

  No concerns.


(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed.  If not, explain why?

  The author explicitly stated that he is unaware of any additional
  IP that was introduced in the updates to the document.

  The author explicitly stated that he does not hold any IPR related
  to the document.


(8) Has an IPR disclosure been filed that references this document?  If
so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

  No IPR disclosures have been submitted directly on this document,
  the individual I-D that came earlier (draft-msahni-lamps-ocsp-nonce),
  or RFC 6960.


(9) How solid is the WG consensus behind this document?  Does it
represent the strong concurrence of a few individuals, with others being
silent, or does the WG as a whole understand and agree with it?

  There is consensus for this document in the LAMPS WG.


(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent?  If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director.  (It should be in a
separate email because this questionnaire is publicly available.)

  No one has threatened an appeal.


(11) Identify any ID nits the Document Shepherd has found in this
document.  (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist).  Boilerplate checks are not enough; this check needs to be
thorough.

  This document, once it is approved, will update RFC 6960.


(12) Describe how the document meets any required formal review criteria,
such as the MIB Doctor, media type, and URI type reviews.

  No special reviews are needed.


(13) Have all references within this document been identified as either
normative or informative?

  Yes.


(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state?  If such normative
references exist, what is the plan for their completion?

  No.


(15) Are there downward normative references references (see RFC 3967)?
If so, list these downward references to support the Area Director in the
Last Call procedure.

  There are no downward normative references.


(16) Will publication of this document change the status of any existing
RFCs?  Are those RFCs listed on the title page header, listed in the
abstract, and discussed in the introduction?  If the RFCs are not listed
in the Abstract and Introduction, explain why, and point to the part of
the document where the relationship of this document to the other RFCs is
discussed.  If this information is not in the document, explain why the
WG considers it unnecessary.

  This new RFC will update RFC 6090, which is clearly stated on the
  title page and the Abstract.


(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document.  Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly identified.
Confirm that newly created IANA registries include a detailed
specification of the initial contents for the registry, that allocations
procedures for future registrations are defined, and a reasonable name
for the new registry has been suggested (see RFC 5226).

  This document does not call for any IANA actions.


(18) List any new IANA registries that require Expert Review for future
allocations.  Provide any public guidance that the IESG would find useful
in selecting the IANA Experts for these new registries.

  No new IANA registries are needed.


(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.

  The ASN.1 module in RFC 6960, once updated with the changes in
  this document, properly compiles.  (Thanks for Jim Schaad for
  doing that for the LAMPS WG.)