Network Working Group                                            M.Myers
draft-ietf-pkix-ocspv2-ext-01.txt                    TraceRoute Security
                                                              A. Malpani
                                             Malpani Consulting Services
                                                                D.Pinkas
                                                                    Bull
Target category: Standards Track                           December 2002
Expires in 6 months


                   X.509 Internet Public Key Infrastructure
                Online Certificate Status Protocol, version 2
                      draft-ietf-pkix-ocspv2-ext-01.txt


Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet- Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Copyright Notice

   Copyright (C) The Internet Society (1999-2002).  All Rights Reserved.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document (in uppercase, as shown) are to be interpreted as described
   in [RFC2119].

1.  Abstract

   The Online Certificate Status Protocol (OCSP) enables applications to
   determine on line the revocation status of a certificate. This 
   document specifies one extension for the OCSP protocol and defines 
   a version v2 for that protocol which allows additional means to 
   designate the certificate for which the revocation status is 
   requested. It also allows to ask for the revocation status of either 
   a public key certificate (PKC) or an attribute certificate (AC).



Malpani & all                                                   [Page 1]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002


2. General

   OCSP is a protocol useful in determining the current status of a 
   digital certificate without requiring CRLs. Additional mechanisms 
   addressing PKIX operational requirements are specified in separate 
   documents.

   This document specifies one extensions that may be used with OCSP 
   in a request.

   Currently the serviceLocator extension may be used in a request to 
   route the request to the OCSP server which is known to be 
   authoritative for the identified certificate. The client fills in 
   that extension by copying the AuthorityInfoAccess (AIA) field from 
   the certificate which specifies the address of the OCSP server. 

   However, if the CA that has issued the certificate has chosen to only 
   issue CRLs, and if the client wants to talk to a single OCSP server 
   to get the revocation status of a certificate, that OCSP server may 
   not know where the CRL is available. For that reason a new extension 
   is being defined to allow the OCSP server to locate the CRL. That 
   extension is called the crlLocator. The client may fill-in that 
   extension by copying the CRLDistributionPoints (CDP) field from the 
   certificate which specifies the address of the CRL repository. 

   This document also specifies OCSPv2 which differs from OCSPv1 by the 
   fact that more means are provided to specify the certificate for 
   which the revocation status is provided. OCSPv2 also allows to get 
   the revocation status of Attribute Certificates.

   RFC 2560bis allows to reference the certificate using the following 
   structure:

   CertID          ::=     SEQUENCE {
       hashAlgorithm       AlgorithmIdentifier,
       issuerNameHash      OCTET STRING, -- Hash of Issuer's DN
       issuerKeyHash       OCTET STRING, -- Hash of Issuer's public key
       serialNumber        CertificateSerialNumber }

   Since the hash of the issuer's public key is mandatory, the protocol 
   can only be used when a certification path has been constructed 
   before. A goal of OCSPv2 is to allow to use the protocol when the 
   only information available is either the full certificate itself or 
   an ambiguous reference of the certificate for which the query will 
   be made.

   In many cases, it is more efficient to first make sure that the 
   certificate is not revoked, before trying to build a certification 
   path and making accesses to a repository (e.g. using LDAP). 





Malpani & all                                                   [Page 2]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002

   In addition, since only the hash of the issuer name is transmitted, 
   it was not easy for the OCSP responder, when using OCSPv1, to 
   identify the CA, unless working with an a priori list of CAs. The 
   goal of that extension is also to allow to fulfill the service, even 
   when the CAs are not a priori known to the OCSP responder.

OCSPv2 still allows the use of CertID (for backward compatibility), but 
allows for two other options:

   a) to send the full certificate,

   b) to send the issuer name, the certificate serial number, a hash 
      value computed over the ASN.1 DER encoded tbsCertificate field 
      from the certificate, and the signature (value and algorithm 
      identifier) of the certificate.

The hash value is computed using the hash function designated in the 
algorithm identifier of the signature.

   While sending the whole certificate allows an OCSP server to pick up 
   any information from the certificate, the certificate while being 
   transmitted may be observed.  A confidentiality service would 
   certainly provide an adequate protection, but the protocol will not 
   release private information, if only the issuer name, the 
   certificate serial number, a hash value and the signature are 
   disclosed.  In this way the second option may be preferable.  It is 
   up to the client to decide which option suits its needs.

   The OCSP response has been extended to cover the same possibilities 
   (the OCSP server simply copies what it received).

   In this document, the terms client and requestor are used
   interchangeably to indicate the entity making the OCSP request,
   while the terms server and responder are used to indicate the entity
   providing the response.

3. OCSPv2

3.1 Protocol Overview

   In lieu of or as a supplement to checking against a periodic CRL, it
   may be necessary to obtain timely information regarding the
   revocation status of a certificate (cf. [RFC3280], Section 3.3).
   Examples include high-value funds transfer or large stock trades.

   The Online Certificate Status Protocol (OCSP) enables applications to
   determine the (revocation) state of an identified certificate. OCSP
   may be used to satisfy some of the operational requirements of
   providing more timely revocation information than is possible with
   CRLs and may also be used to obtain additional status information. An
   OCSP client issues a status request to an OCSP responder and suspends
   acceptance of the certificate in question until the responder
   provides a response.


Malpani & all                                                   [Page 3]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002


   This protocol specifies the data that needs to be exchanged between
   an application checking the status of a certificate and the server
   providing that status.

3.2  Request

   An OCSP request contains the following data:

   -- protocol version
   -- service request
   -- target certificate identifier
   -- optional extensions which MAY be processed by the OCSP Responder

   Upon receipt of a request, an OCSP Responder determines if:

   1. the message is well formed

   2. the responder is configured to provide the requested service and

   3. the request contains the information needed by the responder. If
   any one of the prior conditions are not met, the OCSP responder
   produces an error message; otherwise, it returns a definitive
   response.

3.3  Response

   OCSP responses can be of various types.  An OCSP response consists of
   a response type and the bytes of the actual response. 

   There is one basic type of OCSP response that MUST be supported by 
   all OCSP servers and clients. The rest of this section pertains only 
   to this basic response type.

   All definitive response messages SHALL be digitally signed. The key
   used to sign the response MUST belong to one of the following:

   -- the CA who issued the certificate in question
   -- a Trusted Responder whose public key is trusted by the requestor
   -- a CA Designated Responder (Authorized Responder) who holds a
      specially marked certificate issued directly by the CA, indicating
      that the responder may issue OCSP responses for that CA

   A definitive response message is composed of:

   -- version of the response syntax
   -- name of the responder
   -- responses for each of the certificates in a request
   -- optional extensions
   -- signature algorithm OID
   -- signature computed across hash of the response




Malpani & all                                                   [Page 4]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002

   The response for each of the certificates in a request consists of

   -- target certificate identifier
   -- certificate status value
   -- response validity interval
   -- optional extensions

   This specification defines the following definitive response
   indicators for use in the certificate status value:

   -- good
   -- revoked
   -- unknown

   The "good" state indicates that the certificate has not been
   revoked. It does not indicate that the certificate was ever issued,
   or is in its validity interval.

   The "revoked" state indicates that the certificate has been revoked
   (either permanently or temporarily (on hold)).

   The "unknown" state indicates that the responder does not know, or
   is unwilling to tell, the requestor the status of the certificate. A
   client may be able to get a definitive response later, or at another
   responder.

   Response extensions may be used to convey additional information on
   assertions made by the responder regarding the status of the
   certificate such as positive statement about issuance, expiry, etc.

3.4  Exception Cases

   In case of errors, the OCSP Responder may return an error message.
   These messages are not signed. 

Errors can be of the following types:

   -- malformedRequest
   -- internalError
   -- tryLater
   -- sigRequired
   -- unauthorized

   A server produces the "malformedRequest" response if the request
   received does not conform to the OCSP syntax.

   The response "internalError" indicates that the OCSP responder
   reached an inconsistent internal state. The query should be retried,
   potentially with another responder.

   In the event that the OCSP responder is operational, but unable to
   return a status for the requested certificate, the "tryLater"
   response can be used to indicate that the service exists, but is
   temporarily unable to respond.

Malpani & all                                                   [Page 5]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002


   The response "sigRequired" is returned in cases where the server
   requires the client sign the request in order to construct a
   response.

   The response "unauthorized" is returned in cases where the client is
   not authorized to make this query to this server.

3.5  Semantics of thisUpdate, nextUpdate and producedAt

   Responses can contain three times in them - thisUpdate, nextUpdate
   and producedAt. The semantics of these fields are:

   - thisUpdate: The time at which the status being indicated is known
                 to be correct
   - nextUpdate: The time at or before which newer information will be
                 available about the status of the certificate
   - producedAt: The time at which the OCSP responder signed this
                 response.

   If nextUpdate is not set, the responder is indicating that it is
   does not know when newer revocation information will be available
   (examples of why a responder might not know when new revocation
   information is likely to be available are that the CA hasn't told
   it, or because newer information is available all the time).

3.6  OCSP Signature Authority Delegation

   The key that signs a certificate's status information need not be the
   same key that signed the certificate. 

   A certificate's issuer explicitly delegates OCSP signing authority by 
   issuing a certificate containing a unique value for extendedKeyUsage 
   in the OCSP signer's certificate. This certificate MUST be issued 
   directly to the responder by the cognizant CA.

3.7  CA Key Compromise

   If an OCSP responder knows that a particular CA's private key has
   been compromised, it MAY return the revoked state for all
   certificates issued by that CA.

3.8  Transports for OCSP

   While OCSP can be used over many transports, for interoperability,
   all OCSP clients and responders MUST support the use of HTTP [HTTP]
   as the transport.

4.  Functional Requirements

4.1  Certificate Content

   In order to convey to OCSP clients a well-known point of information
   access, CAs SHALL provide the capability to include the

Malpani & all                                                   [Page 6]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002


   AuthorityInfoAccess extension (defined in [RFC3280], section 4.2.2.1)
   in certificates that can be checked using OCSP.  Alternatively, the
   accessLocation for the OCSP provider may be configured locally at the
   OCSP client.

   CAs that support an OCSP service, either hosted locally or provided
   by an Authorized Responder, MUST provide for the inclusion of a value
   for a uniformResourceIndicator (URI) accessLocation and the OID value
   id-ad-ocsp for the accessMethod in the AccessDescription SEQUENCE.

   The value of the accessLocation field in the subject certificate
   defines the transport (e.g. HTTP) used to access the OCSP responder
   and may contain other transport dependent information (e.g. a URL).

4.2  Signed Response Acceptance Requirements

   Prior to accepting a signed response as valid, OCSP clients SHALL
   confirm that:

   1. The certificate identified in a received response corresponds to
   that which was identified in the corresponding request;

   2. The signature on the response is valid;

   3. The identity of the signer matches the intended recipient of the
   request.

   4. The signer is currently authorized to sign the response.

   5. The time at which the status being indicated is known to be
   correct (thisUpdate) is sufficiently recent.

   6. When nextUpdate is set in the response, it is greater than the 
      current time.

   7. The producedAt time in the response is sufficiently recent.

   8. If the request contained a nonce, the response must contain the
      same nonce (see section 5.4.1).

   NOTE: The first criteria does not imply that a client should reject
   an OCSP response from a server that contains statuses of
   a superset or subset of the certificates whose statuses were 
   requested i.e. it is all right for a server to, in an OCSP response 
   provide the statuses of only some of the certificates requested, and 
   some other certificates whose statues were not requested. For 
   example, if a client requests the status of certificates with serial 
   numbers 1 and 2 and gets a response which has the statuses of 
   certificates with serial numbers 1 and 3, the client can accept that 
   response for the status of the certificate with serial number 1, 
   assuming the rest of the response acceptance criteria were met.



Malpani & all                                                   [Page 7]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002


5.  Detailed Protocol

   The ASN.1 syntax imports terms defined in [RFC3280]. For signature
   calculation, the data to be signed is encoded using the ASN.1
   distinguished encoding rules (DER) [X.690].

   ASN.1 EXPLICIT tagging is used as a default unless specified
   otherwise. The terms imported from elsewhere are: 
   Extensions, CertificateSerialNumber, SubjectPublicKeyInfo, Name,
   AlgorithmIdentifier, CRLReason, IssuerandSerialNumber.

5.1  Requests

   This section specifies the ASN.1 specification for a confirmation
   request. The actual formatting of the message could vary depending on
   the transport mechanism used (HTTP, SMTP, LDAP, etc.).

5.1.1  Request Syntax

   OCSPRequest     ::=     SEQUENCE {
       tbsRequest                  TBSRequest,
       optionalSignature   [0]     EXPLICIT Signature OPTIONAL }

   TBSRequest      ::=     SEQUENCE {
       version             [0]     EXPLICIT Version DEFAULT v1,
       requestorName       [1]     EXPLICIT GeneralName OPTIONAL,
       requestList                 SEQUENCE OF Request,
       requestExtensions   [2]     EXPLICIT Extensions OPTIONAL }

   Signature       ::=     SEQUENCE {
       signatureAlgorithm      AlgorithmIdentifier,
       signature               BIT STRING,
       certs               [0] EXPLICIT Certificates OPTIONAL}

   Version         ::=            INTEGER  {  v1(0), v2(1) }

   Request         ::=     SEQUENCE {
       reqCert                     ReqCert,
       singleRequestExtensions     [0] EXPLICIT Extensions OPTIONAL }

   Certificates    ::=     SEQUENCE SIZE(1..MAX) of Certificate

ReqCert  ::= CHOICE {
   certID                     CertID,
   fullCert               [0] FullCertificate,
   certIdWithSignature    [1] CertIdWithSignature }

CertID          ::=     SEQUENCE {
   hashAlgorithm       AlgorithmIdentifier,
   issuerNameHash      OCTET STRING, -- Hash of Issuer's DN
   issuerKeyHash       OCTET STRING, -- Hash of Issuers public key
   serialNumber        CertificateSerialNumber }


Malpani & all                                                   [Page 8]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002

Note: CertID is kept unchanged from OCSPv1.

OCSPv1 interoperablity can be obtained through the use of the certID 
element of the ReqCert CHOICE.  If certID is used in ReqCert, the value 
for version in the tbsRequest field of OCSPRequest SHALL be v1. If any 
other choice in ReqCert is used, the value for version SHALL be v2.


   issuerNameHash is the hash of the Issuer's distinguished name. The
   hash shall be calculated over the DER encoding of the issuer's name
   field in the certificate being checked. issuerKeyHash is the hash
   of the Issuer's public key. The hash shall be calculated over the
   value of the BIT STRING subjectPublicKey field (excluding the tag,
   length and number of unused bits) in the issuer's certificate. The
   hash algorithm used for both these hashes, is identified in
   hashAlgorithm. serialNumber is the serial number of the certificate
   for which status is being requested.

fullCert may be either a public key certificate, as defined in 
RFC 3280, or an attribute certificate, as defined in RFC 3281.

OCSP responder SHALL support public key certificates and MAY support 
Attribute Certificates.

   FullCertificate ::= CHOICE {
     certificate      [0]  Certificate,
     attributeCert    [1]  AttributeCertificate }

certIdWithSignature is a more compact way to specify unambiguously a 
certificate.

   CertIdWithSignature ::= SEQUENCE {
        issuerandSerialNumber     IssuerandSerialNumber,
        tbsCertificateHash        BIT STRING,
        certSignature             CertSignature
   }

IssuerandSerialNumber is defined in [RFC3369] section 10.2.4.

tbsCertificateHash contains a hash value computed over the ASN.1 DER 
encoded tbsCertificate field from the certificate using the hash 
function identified in the signature algorithm from the signature.

certSignature contains the signature fields from the certificate.

   CertSignature ::= SEQUENCE {
        signatureAlgorithm        AlgorithmIdentifier,
        signatureValue            BIT STRING
   }






Malpani & all                                                   [Page 9]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002

5.1.2  Notes on the Request Syntax

   The primary reason to use the hash of the CA's public key in addition
   to the hash of the CA's name, to identify the issuer, when CertID is 
   being used, is that it is possible that two CAs may choose to use the
   same Name (uniqueness in the Name is a recommendation that cannot be 
   enforced). Two CAs will never, however, have the same public key 
   unless the CAs either explicitly decided to share their private key, 
   or the key of one of the CAs was compromised. Including the hash of 
   the CA's public key allows an OCSP client to ensure that it and the 
   responder are both referring to the same CA.

   Support for any specific extension is OPTIONAL. The critical flag
   SHOULD NOT be set for any of them.  Section 6.4 suggests several
   useful extensions.  Additional extensions MAY be defined in
   additional RFCs. Unrecognized extensions MUST be ignored (unless they
   have the critical flag set and are not understood).

   The requestor MAY choose to sign the OCSP request. In that case,
   the signature is computed over the DER encoding of the tbsRequest
   structure.  If the request is signed, the requestor SHALL specify
   its name in the requestorName field. Also, for signed requests, the
   requestor MAY include certificates that help the OCSP responder
   verify the requestor's signature in the certs field of Signature.

5.1.3. Notes on the client behavior

   This standard mandates the client to verify that the key used to 
   sign the response belongs to one of the following:

       1) the CA who issued the certificate in question,

       2) a Trusted Responder whose public key is trusted by the
          requestor,

       3) a CA Designated Responder (Authorized Responder) who holds a 
          specially marked certificate issued directly by the CA, 
          indicating that the responder may issue OCSP responses for 
          that CA.

These three cases are then considered individually:

5.1.3.1. Responder whose public key is the same as the key from CA who 
issued the certificate

   In that case, the client MUST first verify the certification path of 
   the certificate and then use the key that was used to verify the 
   certificate to verify that the signature from the OCSP response is 
   correct. 






Malpani & all                                                  [Page 10]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002


5.1.3.2. Trusted Responder whose public key is trusted by the requestor

   In that case, the client must directly use the public key from 
   the Trusted Responder.  This means that the client may not know if 
   that key is revoked or not (unless out-of-bands means are being 
   used).

   There are three ways for the client to designate the issuer:

      a) using CertID.  In that case, issuerNameHash and issuerKeyHash 
         are provided by the client.  Since the client needs to provide 
         the issuerKeyHash, this means that it needs first to get the 
         superior CA certificate (e.g. it may be sent in a signed 
         message) and to verify that the issuer key was used to sign it.

      b) using the full certificate.  The client does not need to 
         verify first the certification path of the certificate. 

      c) using CertIdWithSignature. The client does not need to 
         verify first the certification path of the certificate. 

5.1.3.3. CA designated Responder who holds a specially marked 
certificate issued directly by the CA

   In that case, the client MUST use the AIA extension present in 
   the certificate to locate the Authorized Responder.  The client 
   does not need to verify first the certification path of the 
   certificate. However, when it gets the OCSP response, it SHALL 
   verify that the signature from the OCSP response is correct.  For 
   doing this, it MUST find a certificate which holds a special mark 
   (i.e. which contains in the Extended Key Usage the extension 
   id-kp-OCSPSigning) issued by the issuer of the certificate to be 
   verified and then make sure that this certificate allows to verify 
   the signature from the OCSP response.  It MUST verify the whole 
   certification path for that certificate and verify that none of the 
   certificates is revoked.

5.2  Response Syntax

   This section specifies the ASN.1 specification for a confirmation
   response. The actual formatting of the message could vary depending
   on the transport mechanism used (HTTP, SMTP, LDAP, etc.).

5.2.1  ASN.1 Specification of the OCSP Response

   An OCSP response at a minimum consists of a responseStatus field
   indicating the processing status of the prior request. If the value
   of responseStatus is one of the error conditions, responseBytes are
   not set.

   OCSPResponse ::= SEQUENCE {
      responseStatus         OCSPResponseStatus,
      responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }

Malpani & all                                                  [Page 11]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002


   OCSPResponseStatus ::= ENUMERATED {
       successful            (0),  --Response has valid confirmations
       malformedRequest      (1),  --Illegal confirmation request
       internalError         (2),  --Internal error in issuer
       tryLater              (3),  --Try again later
                                   --(4) is not used
       sigRequired           (5),  --Must sign the request
       unauthorized          (6),  --Request unauthorized
       badCRL                (8)   --Error in CRL processing
   }

The value for responseBytes consists of an OBJECT IDENTIFIER and a
   response syntax identified by that OID encoded as an OCTET STRING.

   ResponseBytes ::=       SEQUENCE {
       responseType   OBJECT IDENTIFIER,
       response       OCTET STRING }

   For a basic OCSP responder, responseType will be id-pkix-ocsp-basic.

   id-pkix-ocsp           OBJECT IDENTIFIER ::= { id-ad-ocsp }
   id-pkix-ocsp-basic     OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }

   OCSP responders SHALL be capable of producing responses of the id-
   pkix-ocsp-basic response type. Correspondingly, OCSP clients SHALL be
   capable of receiving and processing responses of the id-pkix-ocsp-
   basic response type.

   The value for response SHALL be the DER encoding of
   BasicOCSPResponse.

   BasicOCSPResponse       ::= SEQUENCE {
      tbsResponseData          ResponseData,
      signatureAlgorithm       AlgorithmIdentifier,
      signature                BIT STRING,
      certs                [0] EXPLICIT Certificates OPTIONAL }

   The value for signature SHALL be computed on the DER encoding of
   tbsResponseData.  The responder MAY include certificates that help
   the OCSP client verify the responder's signature in the certs field
   of BasicOCSPResponse.

   ResponseData ::= SEQUENCE {
      version              [0] EXPLICIT Version DEFAULT v1,
      responderID              ResponderID,
      producedAt               GeneralizedTime,
      responses                SEQUENCE OF SingleResponse,
      responseExtensions   [1] EXPLICIT Extensions OPTIONAL }

   ResponderID ::= CHOICE {
      byName               [1] Name,
      byKey                [2] KeyHash }


Malpani & all                                                  [Page 12]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002


   KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
   -- (i.e. the SHA-1 hash of the value of the BIT STRING 
   -- subjectPublicKey [excluding the tag, length and number of unused 
  --  bits] of the responder's certificate).

   SingleResponse ::= SEQUENCE {
      reqCert                      ReqCert,
      -- MUST be identical to the same field from the request
      certStatus                   CertStatus,
      thisUpdate                   GeneralizedTime,
      nextUpdate         [0]       EXPLICIT GeneralizedTime OPTIONAL,
      singleExtensions   [1]       EXPLICIT Extensions OPTIONAL }

CertStatus ::= CHOICE {
       good        [0]     IMPLICIT NULL,
       revoked     [1]     IMPLICIT RevokedInfo,
       unknown     [2]     IMPLICIT UnknownInfo }

   RevokedInfo ::= SEQUENCE {
       revocationTime              GeneralizedTime,
       revocationReason    [0]     EXPLICIT CRLReason OPTIONAL }

   UnknownInfo ::= NULL -- this can be replaced with an enumeration

5.2.2  Notes on OCSP Responses

5.2.2.1  Time

   The thisUpdate and nextUpdate fields define a recommended validity
   interval. This interval corresponds to the {thisUpdate, nextUpdate}
   interval in CRLs. Responses whose nextUpdate value is earlier than
   the local system time value SHOULD be considered unreliable.
   Responses whose thisUpdate time is later than the local system time
   SHOULD be considered unreliable. Responses where the nextUpdate
   value is not set is explained in more detail in Section 2.4).

   The producedAt time is the time at which this response was signed.

5.2.2.2  Authorized Responders

   The key that signs a certificate's status information need not be the
   same key that signed the certificate. It is necessary however to
   ensure that the entity signing this information is authorized to do
   so.  Therefore, a certificate's issuer MUST either sign the OCSP
   responses itself or it MUST explicitly designate this authority to
   another entity.  OCSP signing delegation SHALL be designated by the
   inclusion of id-kp-OCSPSigning in an extendedKeyUsage certificate
   extension included in the OCSP response signer's certificate.

   This certificate MUST be issued directly by the CA that issued the
   certificate in question.

   id-kp-OCSPSigning OBJECT IDENTIFIER ::= {id-kp 9}

Malpani & all                                                  [Page 13]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002


   Systems or applications that rely on OCSP responses MUST be capable
   of detecting and enforcing use of the id-kp-OCSPSigning value as
   described above. They MAY provide a means of locally configuring one
   or more OCSP signing authorities, and specifying the set of CAs for
   which each signing authority is trusted. They MUST reject the
   response if the certificate required to validate the signature on the
   response fails to meet at least one of the following criteria:

   1. Matches a local configuration of OCSP signing authority for the
   certificate in question; or

   2. Is the certificate of the CA that issued the certificate in
   question; or

   3. Includes a value of id-kp-OCSPSigning in an ExtendedKeyUsage
   extension and is issued by the CA that issued the certificate in
   question.

   Additional acceptance or rejection criteria may apply to either the
   response itself or to the certificate used to validate the signature
   on the response.

5.2.2.3.  Revocation Checking of an Authorized Responder

   Since an Authorized OCSP responder provides status information for
   one or more CAs, OCSP clients need to know how to check that an
   authorized responder's certificate has not been revoked. CAs may
   choose to deal with this problem in one of three ways:

   - A CA may specify that an OCSP client can trust a responder for the
   lifetime of the responder's certificate. The CA does so by including
   the extension id-pkix-ocsp-nocheck. This SHOULD be a non-critical
   extension.  The value of the extension should be NULL. CAs issuing
   such a certificate should realize that a compromise of the
   responder's key, is as serious as the compromise of a CA key used to
   sign CRLs, at least for the validity period of this certificate. 
   CA's may choose to issue this type of certificate with a very short
   lifetime and renew it frequently.

   id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }

   - A CA may specify how the responder's certificate be checked for
   revocation.  This can be done using CRL Distribution Points if the
   check should be done using CRLs or CRL Distribution Points, or
   Authority Information Access if the check should be done in some
   other way.  Details for specifying either of these two mechanisms are
   available in [RFC3280].

   - A CA may choose not to specify any method of revocation checking
   for the responder's certificate, in which case, it would be up to the
   OCSP client's local security policy to decide whether that
   certificate should be checked for revocation or not.


Malpani & all                                                  [Page 14]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002

5.2.2.4. Checks to be done by the responder

The key used to sign the response belongs to one of the following:

       1) the CA who issued the certificate in question,

       2) a Trusted Responder whose public key is trusted by the
          requestor,

       3) a CA Designated Responder (Authorized Responder) who holds a 
          specially marked certificate issued directly by the CA, 
          indicating that the responder may issue OCSP responses for 
          that CA.

5.2.2.4.1. Responder whose public key is the same as the key from CA who 
issued the certificate

   In that case, the OCSP server may either use a direct access to the 
   issuer database that contains the certificate or use CRLs that 
   originate directly from the issuer (e.g. communicated through a 
   trusted channel).  In that case either an access to a single data 
   base is supported or accesses to CRLs issued by one single issuer 
   are supported.  There cannot be any mistake about the name of the 
   issuer.

5.2.2.4.2. Trusted Responder whose public key is trusted by the 
requestor

   There are three ways for the client to designate the issuer:

      a) using CertID. 

         Since the issuer may be using CRLs or OCSP servers to provide 
         the revocation status information, and since the keys for 
         signing the CRLs may be the same or different from the keys 
         used to sign the certificate, the OCSP server MUST make sure 
         that either the CRL or the OCSP response that it is using 
         is signed with the right key.  This means that the OCSP 
         responder MUST build a certification path up to one of its 
         trust anchors and then get the public key of the issuer. 
         At that time, it MUST verify that this key matches the 
         issuerKeyHash.  This key MUST match with the private key that 
         has been used is used to sign the CRL or the OCSP response or 
         the certificates issued to designate the CRL issuer or the 
         OCSP responder. 

      b) using the full certificate. 

         When the OCSP responder has a direct access to the data base 
         of the issuer for which it is providing revocation status 
         information, then it SHALL make sure that it is the right 
         certificate by verifying that the certificate that was sent 
         matches the one in the data base. 


Malpani & all                                                  [Page 15]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002


         When the OCSP responder does not have access to the data base 
         of the issuers, then it SHALL make sure that it is the right 
         certificate by verifying the signature over that certificate. 

         This MUST be done by verifying the signature over that 
         certificate.  For doing this, the OCSP responder first needs 
         to build a certification path up to one of its trust anchors 
        (without necessarily verifying the revocation status of the 
         CAs from the path).  The presumed issuer key is then used to 
         verify the signature of the certificate.  That issuer key MUST 
         then be used to verify that this key is used to sign the CRL 
         or the OCSP response, or the certificates issued to designate 
         the CRL issuer or the OCSP responder.

      c) using CertIdWithSignature. 

         When the OCSP responder has a direct access to the data base 
         of the issuer for which it is providing revocation status 
         information, then it SHALL make sure that it is the right 
         certificate by verifying that the signature that was sent 
         matches with the signature of the certificate contained in 
         the data base. 

         When the OCSP responder does not have access to the data base 
         of the issuer, then it may use either CRLs or the OCSP 
         responder designated by the CA that has issued the certificate.

         When the OCSP responder does not have access to the data base 
         of the issuers, then it SHALL first make sure that it is the 
         right certificate. 

         This MUST be done by verifying the signature over that 
         certificate.  For doing this, the OCSP responder first needs 
         to build a certification path up to one of its trust anchors 
        (without necessarily verifying the revocation status of the CAs 
         from the path).  The presumed issuer key MUST then be used to 
         verify the signature of the certificate using both the 
         tbsCertificateHash and the signature value.  That issuer key 
         MUST then be used to verify that this key is used to sign the 
         CRL or the OCSP response, or the certificates issued to 
         designate the CRL issuer or the OCSP responder.

5.2.2.4.3. CA designated Responder who holds a specially marked 
certificate issued directly by the CA

   The OCSP server may either have a direct access to the data base from 
   the issuer or use CRLs issued by that issuer or a designated CRL 
   issuer. 

   It is up to the OCSP responder to be fully aware when it is handling 
   the revocation service for two CAs that would have the same name 
   (certified under different certification branches).  


Malpani & all                                                  [Page 16]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002


   When all issuers that are handled have different names, there is no 
   problem.  Otherwise, when some issuers have the same name, then 
   different cases apply depending on the ways the client designates the 
   issuer:

      a) using CertID. 

         In that case, the OCSP responder MUST use issuerKeyHash to 
         make sure that it is getting information from the right 
         issuer.  For doing this, the OCSP responder once needs to 
         build a certification path up to one of its trust anchors 
         (without necessarily verifying the revocation status of 
         the CAs from the path).  The presumed issuer key MUST then be 
         checked against the issuerKeyHash. T hat issuer key MUST then 
         be used to verify that this key is used to sign the CRL, or 
         the certificates issued to designate the CRL issuer or is 
         associated with a given data base.

      b) using the full certificate. 

         In that case, the OCSP responder MUST verify the signature over 
         the certificate.  For doing this, the OCSP responder once 
         needs to build a certification path up to one of its trust
         anchors (without necessarily verifying the revocation status of 
         the CAs from the path).  The presumed issuer key MUST then be 
         used to verify the signature of the certificate using both the 
         tbsCertificateHash and the signature value.  That issuer key 
         MUST then be used to verify that this key is used to sign the 
         CRL, or the certificates issued to designate the CRL issuer or 
         is associated with a given data base.

      c) using CertIdWithSignature. 

         In that case, the OCSP responder MUST verify the signature over 
         the certificate.  For doing this, the OCSP responder once 
         needs to build a certification path up to one of its trust
         anchors (without necessarily verifying the revocation status of 
         the CAs from the path).  The presumed issuer key MUST then be 
         used to verify the signature of the certificate.  That issuer 
         key MUST then be used to verify that this key is used to sign 
         the CRL, or the certificates issued to designate the CRL 
         issuer or is associated with a given data base.

5.3  Mandatory and Optional Cryptographic Algorithms

   OCSP clients and responders MUST support the RSA signature
   algorithm. This algorithm is defined in RFC 2437 [RFC2437]. 
   OCSP clients and responders MAY support the DSA signature algorithm. 
   This algorithm is defined in FIPS Pub 186 [DSS].
   OCSP responders MUST support the SHA1 hashing algorithm. 
   This algorithm is defined in FIPS Pub 180-1 [SHA1].



Malpani & all                                                  [Page 17]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002


5.4  Extensions

   This section defines some standard extensions, based on the extension
   model employed in X.509 version 3 certificates see [RFC3280]. Support
   for all extensions is optional for both clients and responders.  For
   each extension, the definition indicates its syntax, processing
   performed by the OCSP Responder, and any extensions which are
   included in the corresponding response.

5.4.1  Nonce

   The nonce cryptographically binds a response to a request to
   prevent replay attacks. In a request, a nonce (if present) is
   included as one of the requestExtensions in requests, while in
   responses (if present) it is included as one of the
   responseExtensions. In both the request and the response, the nonce
   is identified by the object identifier id-pkix-ocsp-nonce, while
   the extnValue is the value of the nonce. If a nonce is included in
   a request, then the response MUST contain the same nonce. Responses
   without the same nonce MUST NOT be trusted.

   id-pkix-ocsp-nonce     OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }

     extnValue ::= OCTET STRING

5.4.2  CRL References

   It may be desirable for the OCSP responder to indicate the CRL on
   which a revoked or onHold certificate is found. This can be useful
   where OCSP is used between repositories, and also as an auditing
   mechanism. The CRL may be specified by a URL (the URL at which the
   CRL is available), a number (CRL number) or a time (the time at which
   the relevant CRL was created). 

   These extensions will be specified as singleExtensions. The 
   identifier for this extension will be id-pkix-ocsp-crl, while the 
   value will be CrlID.

   id-pkix-ocsp-crl       OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 }

   CrlID ::= SEQUENCE {
      crlUrl               [0]     EXPLICIT IA5String OPTIONAL,
      crlNum               [1]     EXPLICIT INTEGER OPTIONAL,
      crlTime              [2]     EXPLICIT GeneralizedTime OPTIONAL }

   For the choice crlUrl, the IA5String will specify the URL at which
   the CRL is available. For crlNum, the INTEGER will specify the value
   of the CRL number extension of the relevant CRL. For crlTime, the
   GeneralizedTime will indicate the time at which the relevant CRL was
   issued.




Malpani & all                                                  [Page 18]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002


5.4.3  Acceptable Response Types

   An OCSP client MAY wish to specify the kinds of response types it
   understands. To do so, it SHOULD use an extension with the OID id-
   pkix-ocsp-response, and the value AcceptableResponses.  This
   extension is included as one of the requestExtensions in requests.
   The OIDs included in AcceptableResponses are the OIDs of the various
   response types this client can accept (e.g., id-pkix-ocsp-basic).

   id-pkix-ocsp-response  OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 }

   AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER

   As noted in section 6.2.1, OCSP responders SHALL be capable of
   responding with responses of the id-pkix-ocsp-basic response type.
   Correspondingly, OCSP clients SHALL be capable of receiving and
   processing responses of the id-pkix-ocsp-basic response type.

5.4.4  Archive Cutoff

   An OCSP responder MAY choose to retain revocation information beyond
   a certificate's expiration. The date obtained by subtracting this
   retention interval value from the producedAt time in a response is
   defined as the certificate's "archive cutoff" date.

   OCSP-enabled applications would use an OCSP archive cutoff date to
   contribute to a proof that a digital signature was (or was not)
   reliable on the date it was produced even if the certificate needed
   to validate the signature has long since expired.

   OCSP servers that provide support for such historical reference
   SHOULD include an archive cutoff date extension in responses.  If
   included, this value SHALL be provided as an OCSP singleExtensions
   extension identified by id-pkix-ocsp-archive-cutoff and of syntax
   GeneralizedTime.

   id-pkix-ocsp-archive-cutoff  OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 }

   ArchiveCutoff ::= GeneralizedTime

   To illustrate, if a server is operated with a 7-year retention
   interval policy and status was produced at time t1 then the value for
   ArchiveCutoff in the response would be (t1 - 7 years).

5.4.5  CRL Entry Extensions

   All the extensions specified as CRL Entry Extensions - in Section 5.3
   of [RFC3280] - are also supported as singleExtensions.






Malpani & all                                                  [Page 19]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002

5.4.6  Service Locator

   An OCSP server may be operated in a mode whereby the server receives
   a request and routes it to the OCSP server which is known to be
   authoritative for the identified certificate.  The serviceLocator
   request extension is defined for this purpose.  This extension is
   included as one of the singleRequestExtensions in requests.

   id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 }

   ServiceLocator ::= SEQUENCE {
       issuer    Name,
       locator   AuthorityInfoAccessSyntax OPTIONAL }

   Values for these fields are obtained from the corresponding fields in
   the subject certificate.

   When this field is present in the request and when a full 
   certificate is sent, the server SHALL use the values contained in 
   this field rather than the field from the subject certificate.

6. CRL Locator

This extension can be supported either using OCSPv1 or using OCSPv2.

An OCSP server may be operated in a mode whereby the server receives a
request and fetches the CRL which authoritative for the identified
certificate. The crlLocator request extension is defined for this 
purpose.

This extension is included as one of the singleRequestExtensions in
requests.

   id-pkix-ocsp-crl-locator OBJECT IDENTIFIER ::= {id-pkix-ocsp X}

   CrlLocator ::= CRLDistributionPoints

The value for this field should be obtained by the client from the 
corresponding field in the subject certificate.

   When this field is present in the request and when a full 
   certificate is sent, the server SHALL use the values contained in 
   this field rather than the field from the subject certificate.

Note: In this way, OCSP servers able to access CRLs may use that CRL 
information and transform it into an OCSP response. This may allow a 
client to support the OCSP protocol, even when CRLs are issued by CAs.

7.  Security Considerations

   For this service to be effective, certificate using systems must
   connect to the certificate status service provider.  In the event 
   such a connection cannot be obtained, certificate-using systems could
   implement CRL processing logic as a fall-back position.

Malpani & all                                                  [Page 20]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002

   A denial of service vulnerability is evident with respect to a flood
   of queries.  The production of a cryptographic signature 
   significantly affects response generation cycle time, thereby 
   exacerbating the situation. Unsigned error responses open up the 
   protocol to another denial of service attack, where the attacker 
   sends false error responses.

   Nonces should be random. If the nonce is generated in a non-random
   way, replay attacks MAY be possible.

   Requests do not contain the responder they are directed to. This
   allows an attacker to replay a request to any number of OCSP
   responders.

   The reliance of HTTP caching in some deployment scenarios may result
   in unexpected results if intermediate servers are incorrectly
   configured or are known to possess cache management faults.
   Implementors are advised to take the reliability of HTTP cache
   mechanisms into account when deploying OCSP over HTTP.

   A "good" status for a certificate in OCSP does not imply that the
   certificate was ever issued or is in its validity period. Client
   applications need to check these facts for themselves.

   Two CAs around the world may perfectly pick the same DN, e.g. with a
   common name attribute like CN= Platinium CA. A *single* immediately 
   ôsuperior CAö will never accept to issue two certificates for two 
   CAs that have the same name but are indeed different, but two 
   different ôsuperiorö CAs may perfectly do it.

   There are two possible ways to realize that these CAs, that have 
   the same DN name, are indeed different:

      1— to consider the chain of DNs names formed by a certification 
         path starting from a root CA and finishing with ôPlatinium CAö.
         It is similar to identify two files with the same name, but 
         placed in a different directory. 

      2— to consider the fact that the two ôPlatinium CAsö will 
         necessarily get their certificates from two different superior 
         CAs that have necessarily two different private keys. 
         Hence the combination of the issuing key of superior CA and of 
         the DN of the CA is unique. 

   The second way is being used in OCSP (v1 and v2).

   In OCSP v1, issuerKeyHash from CertID is mandatory. issuerKeyHash 
   is used in combination with issuerNameHash and serialNumber to 
   uniquely identify a certificate. This mandates the client to first 
   construct a certification path.

   In OCSP v2, both certificate and certIdWithSignature allow to
   uniquely identify a certificate. This does not mandate the client 
   to first construct a certification path. 

Malpani & all                                                  [Page 21]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002

   The value of the issuing key whether it is provided by the client 
   (in OCSP v 1 with issuerKeyHash) or looked for by the OCSP 
   responder (in OCSP v2 with certificate or certIdWithSignature) 
   is then used to verify that either the CRL from the right CRL 
   Issuer is being read, the response from the right OCSP responder 
   is being used or that the access is being done to the database from 
   the right CA.

   The right CRL Issuer will have a certificate issued under that 
   issuing key or will directly be signed by that issuing key.

   The right OCSP Responder will sign its responses under a key that 
   has been issued under that issuing key or will directly sign its 
   response under that issuing key.

   The identity of the owner of the right database must be verified 
   using both the name of the CA and the value of that issuing key 
   (or its hash).

   When using certificate or certIdWithSignature, in order to find 
   out the right issuing key, the OCSP Responder must first build a 
   certification path and then pick what may be the right issuing key 
   for that CA name. 

   Then it must verify the digital signature of the certificate 
   either by using the full certificate or by using the hash value 
   of it and the signature value (and algorithm identifier) which are 
   provided in certIdWithSignature. 

   If the right key was picked up, then the verification of the 
   signature of the certificate will be successful.

   If the wrong key was picked up, then the verification of the 
   signature of the certificate will fail, and the OCSP responder will 
   either look for another key, or will say that it does not know.

8.  References

   [RFC3280] Housley, R., Ford, W., Polk, W. and D. Solo, "Internet
             X.509 Public Key Infrastructure Certificate and CRL
             Profile", RFC 3280, April 2002.

   [RFC3281] Farrell, S., Housley, R., "An Internet Attribute 
             Certificate Profile for Authorization" RFC 3281. 
             April 2002.

   [RFC3369] Housley, R., "Cryptographic Message Syntax (CMS)".
             August 2002.

   [HTTP]    Fielding, R., Gettys, J., Mogul, J., Frystyk, H. and T.
             Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC
             2068, January 1997.



Malpani & all                                                  [Page 22]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002


   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
             Requirement Levels", BCP 14, RFC 2119, March 1997.

   [URL]     Berners-Lee, T., Masinter, L. and M. McCahill, "Uniform
             Resource Locators (URL)", RFC 1738, December 1994.

   [X.690]   ITU-T Recommendation X.690 (1994) | ISO/IEC 8825-1:1995,
             Information Technology - ASN.1 encoding rules:
             Specification of Basic Encoding Rules (BER), Canonical
             Encoding Rules (CER) and Distinguished Encoding Rules
             (DER).

   [SHA1]    National Institute of Standards and Technology.
             FIPS Pub 180-1: Secure Hash Standard.  17 April 1995.

   [RFC2437] Kaliski, B., "PKCS #1: RSA Encryption, Version 2.0",
             RFC 2437, October 1998.

   [DSS]     National Institute of Standards and Technology.
             FIPS Pub 186: Digital Signature Standard.  19 May 1994.

9.  Authors' Addresses

   Ambarish Malpani
   Malpani Consulting Services
   EMail: ambarish@malpani.biz

   Michael Myers
   TraceRoute Security, Inc.
   P.O. Box 3683
   Half Moon Bay, CA  94019
   EMail: myers@coastside.net

   Denis Pinkas
   Bull Services
   Rue Jean Jaures
   78340 Les Clayes-sous-Bois
   France
   Email: Denis.Pinkas@bull.net















Malpani & all                                                  [Page 23]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002

Appendix A.

A.1 OCSP over HTTP

   This section describes the formatting that will be done to the
   request and response to support HTTP.

A.1.1 Request

   HTTP based OCSP requests MUST use the POST method to submit their
   requests.  Where privacy is a requirement, OCSP transactions
   exchanged using HTTP MAY be protected using either TLS/SSL or some
   other lower layer protocol.

   An OCSP request using the POST method is constructed as follows: The
   Content-Type header has the value "application/ocsp-request" while
   the body of the message is the binary value of the DER encoding of
   the OCSPRequest.

A.1.2 Response

   An HTTP-based OCSP response is composed of the appropriate HTTP
   headers, followed by the binary value of the DER encoding of the
   OCSPResponse. The Content-Type header has the value
   "application/ocsp-response". The Content-Length header SHOULD specify
   the length of the response. Other HTTP headers MAY be present and MAY
   be ignored if not understood by the requestor.




























Malpani & all                                                  [Page 24]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002

Appendix B.  OCSP in ASN.1

PKIXOCSP {iso(1) identified-organization(3) dod(6) internet(1)
  security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-ocspv2(X)}

OCSP DEFINITIONS EXPLICIT TAGS::=

BEGIN

IMPORTS

      -- Directory Authentication Framework (X.509)
             Certificate, AlgorithmIdentifier, CRLReason
             FROM AuthenticationFramework { joint-iso-itu-t ds(5)
                      module(1) authenticationFramework(7) 3 }

      -- PKIX Certificate Extensions
             AuthorityInfoAccessSyntax
          FROM PKIX1Implicit88 {iso(1) identified-organization(3)
                  dod(6) internet(1) security(5) mechanisms(5) pkix(7)
                  id-mod(0) id-pkix1-implicit-88(2)}

          Name, GeneralName, CertificateSerialNumber, Extensions,
           id-kp, id-ad-ocsp
             FROM PKIX1Explicit88 {iso(1) identified-organization(3)
                  dod(6) internet(1) security(5) mechanisms(5) pkix(7)
                  id-mod(0) id-pkix1-explicit-88(1)}

      -- Cryptographic Message Syntax (CMS)
          IssuerAndSerialNumber
             FROM { iso(1) member-body(2) us(840) rsadsi(113549)
                  pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2001(14)}


OCSPRequest     ::=     SEQUENCE {
    tbsRequest                  TBSRequest,
    optionalSignature   [0]     EXPLICIT Signature OPTIONAL }

TBSRequest      ::=     SEQUENCE {
    version             [0] EXPLICIT Version DEFAULT v1,
    requestorName       [1] EXPLICIT GeneralName OPTIONAL,
    requestList             SEQUENCE OF Request,
    requestExtensions   [2] EXPLICIT Extensions OPTIONAL }

Signature       ::=     SEQUENCE {
    signatureAlgorithm   AlgorithmIdentifier,
    signature            BIT STRING,
    certs                [0] EXPLICIT Certificates OPTIONAL }

Version  ::=  INTEGER  {  v1(0), v2(1) }

Request ::=     SEQUENCE {
    reqCert                    ReqCert,
    singleRequestExtensions    [0] EXPLICIT Extensions OPTIONAL }

Malpani & all                                                  [Page 25]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002

Certificates    ::=     SEQUENCE SIZE(1..MAX) of Certificate

ReqCert  ::= CHOICE {
   certID                     CertID,
   fullCert               [0] FullCertificate,
   certIdWithSignature    [1] CertIdWithSignature }

CertID ::= SEQUENCE {
    hashAlgorithm            AlgorithmIdentifier,
    issuerNameHash     OCTET STRING, -- Hash of Issuer's DN
    issuerKeyHash      OCTET STRING, -- Hash of Issuers public key
    serialNumber       CertificateSerialNumber }

   FullCertificate ::= CHOICE {
     certificate      [0]  Certificate,
     attributeCert    [1]  AttributeCertificate }

   CertIdWithSignature ::= SEQUENCE {
        issuerandSerialNumber    IssuerandSerialNumber,
        tbsCertificateHash       BIT STRING,
        certsignature            CertSignature
   }

   CertSignature ::= SEQUENCE {
        signatureAlgorithm        AlgorithmIdentifier,
        signatureValue            BIT STRING
   }

OCSPResponse ::= SEQUENCE {
   responseStatus             OCSPResponseStatus,
   responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }

OCSPResponseStatus ::= ENUMERATED {
    successful            (0),      --Response has valid confirmations
    malformedRequest      (1),      --Illegal confirmation request
    internalError         (2),      --Internal error in issuer
    tryLater              (3),      --Try again later
                                    --(4) is not used
    sigRequired           (5),      --Must sign the request
    unauthorized          (6),      --Request unauthorized
    badCRL                (8)       --Error in CRL processing
   }

ResponseBytes ::=       SEQUENCE {
    responseType   OBJECT IDENTIFIER,
    response       OCTET STRING }

BasicOCSPResponse       ::= SEQUENCE {
   tbsResponseData          ResponseData,
   signatureAlgorithm       AlgorithmIdentifier,
   signature                BIT STRING,
   certs                [0] EXPLICIT Certificates OPTIONAL }



Malpani & all                                                  [Page 26]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002


ResponseData ::= SEQUENCE {
   version              [0] EXPLICIT Version DEFAULT v1,
   responderID              ResponderID,
   producedAt               GeneralizedTime,
   responses                SEQUENCE OF SingleResponse,
   responseExtensions   [1] EXPLICIT Extensions OPTIONAL }

ResponderID ::= CHOICE {
   byName   [1] Name,
   byKey    [2] KeyHash }

KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
        --(excluding the tag, length and number of unused
        -- bits fields)

SingleResponse ::= SEQUENCE {
   reqCert                      ReqCert,
   -- MUST be identical to the same field from the request
   certStatus                   CertStatus,
   thisUpdate                   GeneralizedTime,
   nextUpdate           [0]     EXPLICIT GeneralizedTime OPTIONAL,
   singleExtensions     [1]     EXPLICIT Extensions OPTIONAL }

CertStatus ::= CHOICE {
    good                [0]     IMPLICIT NULL,
    revoked             [1]     IMPLICIT RevokedInfo,
    unknown             [2]     IMPLICIT UnknownInfo }

RevokedInfo ::= SEQUENCE {
    revocationTime              GeneralizedTime,
    revocationReason    [0]     EXPLICIT CRLReason OPTIONAL }

UnknownInfo ::= NULL -- this can be replaced with an enumeration

ArchiveCutoff ::= GeneralizedTime

AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER

ServiceLocator ::= SEQUENCE {
    issuer    Name,
    locator   AuthorityInfoAccessSyntax }

CrlLocator ::= CRLDistributionPoints











Malpani & all                                                  [Page 27]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002

-- Object Identifiers

id-kp-OCSPSigning            OBJECT IDENTIFIER ::= { id-kp 9 }
id-pkix-ocsp                 OBJECT IDENTIFIER ::= { id-ad-ocsp }
id-pkix-ocsp-basic           OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }
id-pkix-ocsp-nonce           OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
id-pkix-ocsp-crl             OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 }
id-pkix-ocsp-response        OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 }
id-pkix-ocsp-nocheck         OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }
id-pkix-ocsp-archive-cutoff  OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 }
id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 }
id-pkix-ocsp-crl-locator     OBJECT IDENTIFIER ::= { id-pkix-ocsp X }

END









































Malpani & all                                                  [Page 28]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002

Appendix C. MIME registrations

C.1 application/ocsp-request

   To: ietf-types@iana.org
   Subject: Registration of MIME media type application/ocsp-request

   MIME media type name: application

   MIME subtype name: ocsp-request

   Required parameters: None

   Optional parameters: None

   Encoding considerations: binary

   Security considerations: Carries a  request for information. This
   request may optionally be cryptographically signed.

   Interoperability considerations: None

   Published specification: IETF PKIX Working Group Draft on Online
   Certificate Status Protocol - OCSP

   Applications which use this media type: OCSP clients

   Additional information:

      Magic number(s): None
      File extension(s): .ORQ
      Macintosh File Type Code(s): none

   Person & email address to contact for further information:
   Ambarish Malpani <ambarish@malpani.biz>

   Intended usage: COMMON

   Author/Change controller:
   Ambarish Malpani <ambarish@malpani.biz>

C.2 application/ocsp-response

   To: ietf-types@iana.org
   Subject: Registration of MIME media type application/ocsp-response

   MIME media type name: application
   MIME subtype name: ocsp-response

   Required parameters: None

   Optional parameters: None
   Encoding considerations: binary


Malpani & all                                                  [Page 29]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002

   Security considerations: Carries a cryptographically signed response

   Interoperability considerations: None

   Published specification: IETF PKIX Working Group Draft on Online
   Certificate Status Protocol - OCSP

   Applications which use this media type: OCSP servers

   Additional information:

   Magic number(s): None
   File extension(s): .ORS
   Macintosh File Type Code(s): none

   Person & email address to contact for further information:
   Ambarish Malpani <ambarish@malpani.biz>

   Intended usage: COMMON

   Author/Change controller:
   Ambarish Malpani <ambarish@malpani.biz>

































Malpani & all                                                  [Page 30]

INTERNET DRAFT      OCSP extension and OCSPv2 protocol     December 2002

Appendix D. Changes

[This section will contain the differences in this document from 
RFC 2560bis)

Full Copyright Statement

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.


















Malpani & all                                                  [Page 31]