Online Certificate Status Protocol Algorithm Agility
draft-ietf-pkix-ocspagility-11

[Ballot discuss]
> A responder MAY maximize the potential for ensuring interoperability
> by selecting a supported signature algorithm using the following
> order of precedence, as long as the selected algorithm meets all
> security requirements of the OCSP responder, where the first method
> has the highest precedence:
>
> 1.  Select an algorithm specified as a preferred signing algorithm in
>    the client request
>
> 2.  Select the signing algorithm used to sign a CRL issued by the
>    certificate issuer providing status information for the
>    certificate specified by CertID
>
> 3.  Select the signing algorithm used to sign the OCSPRequest
>
> 4.  Select a signature algorithm that has been advertised as being
>    the default signature algorithm for the signing service using an
>    out of band mechanism
>
> 5.  Select a mandatory or recommended signing algorithm specified for
>    the version of the OCSP protocol in use
>
> A responder SHOULD always apply the lowest numbered selection
> mechanism that is known, supported, and that meets the responder's
> criteria for cryptographic algorithm strength.

I am confused by the last sentence and how it uses the words "selection mechanism". Does this sentence talk about algorithms or the above selection methods? But the selection methods do not have an algorithmic strength, nor are they negotiated. Suggested replacement text:

A responder SHOULD always apply the lowest numbered selecetion mechanism that results in the selection of a known and supported algorithm that meets the responder's criteria for cryptographic algorithm strength.

[Ballot comment]
1. Section 8.1 uses the phrases "considered unacceptably insecure" and "not considered acceptably secure". Are these equivalent?

2. In Section 8.3, please consider citing RFC 4732 on the concept of denial of service attacks.

[Ballot comment]
The RFC Editor will ask you to remove the citation from the Abstract.

---

http://www.rfc-editor.org/rfc-style-guide/abbrev.expansion.txt shows
that OCSP is not a "well-known" acronym. SO could you please expand it
in the document title, the Abstract, and on first use in Section 2.

---

A number of other acronyms are used without expansion.
CA
CRL
DSA

---

Section 5.1

Did you think of splitting option 5 into:
  5. select a mandatory algorithm
  6. select a recommended algorithm
since there is a very marked difference in the likelihood of success.

[Ballot discuss]
I find a small discrepency at the end of Section 4

  The server SHOULD use one of the preferred signature algorithms for
  signing OCSP responses to the requesting client.

This means (I think) that the server MAY use an algarithm not listed by the client as preferred. You need to cover:
- under what circumstances
- what expectations of success it will have

But, in fact, I think the whole of Section 5 is dedicated to the question of how to select a suitable algorithm, and that means that this sentence in Section 4 needs to be replaced with:

  Section 5 of this document describes how a server selects an
  algorithm for signing OCSP responses to the requesting client.

[Ballot comment]
I am going to recuse myself from this draft because I was involved in proposing the ASN.1 structure.  I don't consider that an insignificant contribution.  I am however happy with this draft.

[Ballot comment]
I am going to recuse myself from this draft because I was involved in drafting it in what I think was not an insignificant way.  I am however happy with this draft.

[Ballot comment]
In Section 4:

  The client MUST support each of the specified preferred signature
  algorithms and the client MUST specify the algorithms in the order of
  preference.

I think this is not actually saying what the order is. I suggest adding something like
"from the most preferred to the least preferred"


8.3. Denial of Service Attack

  Algorithm agility mechanisms defined in this document introduces a
  slightly increased attack surface for Denial of Service attacks where
  the client request is altered to require algorithms that are not
  supported by the server, alternatively does not match pre-generated
  responses.

The last part (after the final comma) is not readable.


[NEWASN] - is this a Downref? If it is (and it wasn't explicitly called out during the IETF LC), is [NEWASN] in the Downref registry?

[Ballot discuss]
> A responder MAY maximize the potential for ensuring interoperability
> by selecting a supported signature algorithm using the following
> order of precedence, as long as the selected algorithm meets all
> security requirements of the OCSP responder, where the first method
> has the highest precedence:
>
> 1.  Select an algorithm specified as a preferred signing algorithm in
>    the client request
>
> 2.  Select the signing algorithm used to sign a CRL issued by the
>    certificate issuer providing status information for the
>    certificate specified by CertID
>
> 3.  Select the signing algorithm used to sign the OCSPRequest
>
> 4.  Select a signature algorithm that has been advertised as being
>    the default signature algorithm for the signing service using an
>    out of band mechanism
>
> 5.  Select a mandatory or recommended signing algorithm specified for
>    the version of the OCSP protocol in use
>
> A responder SHOULD always apply the lowest numbered selection
> mechanism that is known, supported, and that meets the responder's
> criteria for cryptographic algorithm strength.

I am confused by the last sentence and how it uses the words "selection mechanism". Does this sentence talk about algorithms or the above selection methods? But the selection methods do not have an algorithmic strength, nor are they negotiated. Suggested replacement text:

A responder SHOULD always apply the lowest numbered selecetion mechanism that results in the selection of a known and supported algorithm that meets the responder's criteria for cryptographic algorithm strength.

Writeup for OCSP Algorithm Agility: draft-ietf-pkix-ocspagility-08

(1.a) Who is the Document Shepherd for this document?

        Has the Document Shepherd personally reviewed this version of the document and, in particular, does he or she believe this version is ready for forwarding to the IESG for publication?

Stephen Kent is the document shepherd for this document. I have personally reviewed this version of the document and believes this version is ready for forwarding to the IESG for ublication.

    (1.b) Has the document had adequate review both from key WG members and from key non-WG members? Does the Document Shepherd have any concerns about the depth or breadth of the reviews that have been performed?

The document has received adequate review from key WG members. This includes major implementers of the OCSP protocol.

    (1.c) Does the Document Shepherd have concerns that the document needs more review from a particular or broader perspective, e.g., security, operational complexity, someone familiar with AAA, internationalization or XML?

No.

    (1.d) Does the Document Shepherd have any specific concerns or issues with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. Has an IPR disclosure related to this document been filed? If so, please include a reference to the disclosure and summarize the WG discussion and conclusion on this issue.

There are no specific concerns to highlight to the AD or IESG. No IPR disclosures have been filed related to this document.

    (1.e) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it?

This document has involved a reasonably large part of active WG participants and various alternatives has been discussed in detail. The solution represented in the current draft represent WG consensus.

    (1.f) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarize the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is entered into the ID Tracker.)

No.

    (1.g) Has the Document Shepherd personally verified that the
          document satisfies all ID nits? (See http://www.ietf.org/ID-Checklist.html and http://tools.ietf.org/tools/idnits/). Boilerplate checks are not enough; this check needs to be thorough. Has the document met all formal review criteria it needs to, such as the MIB Doctor, media type and URI type reviews?

Yes.

    (1.h) Has the document split its references into normative and informative? Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the
strategy for their completion? Are there normative references
that are downward references, as described in [RFC3967]? If
so, list these downward references to support the Area Director in the Last Call procedure for them [RFC3967].

References have been split into normative and informative sections.

    (1.i) Has the Document Shepherd verified that the document IANA consideration section exists and is consistent with the body of the document? If the document specifies protocol
extensions, are reservations requested in appropriate IANA
registries? Are the IANA registries clearly identified? If the document creates a new registry, does it define the proposed initial contents of the registry and an allocation procedure for future registrations? Does it suggest a reasonable name for the new registry? See [RFC5226]. If the document describes an Expert Review process has Shepherd conferred with the Responsible Area Director so that the IESG can appoint the needed Expert during the IESG Evaluation?

The I-D has an IANA Considerations section that this document requires no actions by IANA.

    (1.j) Has the Document Shepherd verified that sections of the document that are written in a formal language, such as XML
code, BNF rules, MIB definitions, etc., validate correctly in
an automated checker?

The ASN.1 modules provided in this document has been compiled and tested separately by Jim Schaad, the PKIX resident ASN.1 expert.

    (1.k) The IESG approval announcement includes a Document
Announcement Write-Up. Please provide such a Document Announcement Write-Up? Recent examples can be found in the
"Action" announcements for approved documents. The approval announcement contains the following sections:

          Technical Summary
          Relevant content can frequently be found in the abstract and/or introduction of the document. If not, this may be an indication that there are deficiencies in the abstract or introduction.

          Working Group Summary
            Was there anything in WG process that is worth noting? For example, was there controversy about particular points or were there decisions where the consensus was particularly rough?

          Document Quality
            Are there existing implementations of the protocol? Have a significant number of vendors indicated their plan to implement the specification? Are there any reviewers that
merit special mention as having done a thorough review, e.g., one that resulted in important changes or a conclusion that the document had no substantive issues? If there was a MIB Doctor, Media Type or other expert review, what was its course (briefly)? In the case of a Media Type review, on what date was the request posted?

Technical Summary

The Online Certificate Status protocol (OCSP), RFC 2560 is a core PKIX query response protocol for obtaining certificate status information. The OSCP specification requires server responses to be signed but does not specify a mechanism for selecting the signature algorithm to be used leading to possible interoperability failures in contexts where multiple signature algorithms are in use. This document specifies an algorithm for server signature algorithm selection and an extension that allows a client to advise a server that specific signature algorithms are supported.


Work Group Summary

The first draft was submitted about a year ago but did not gain momentum as the author changed employment. A second author was assigned in July to speed up the process. The WG discussions focused mainly on the algorithm selection algorithm, mandatory to implement algorithms and how to specify algorithms. The discussions were productive but non-controversial.


Document Quality
The document is brief and clearly written.