| rfc9654.original | rfc9654.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force H. Sharma, Ed. | Internet Engineering Task Force (IETF) H. Sharma, Ed. | |||
| Internet-Draft Netskope Inc | Request for Comments: 9654 Netskope Inc | |||
| Obsoletes: 8954 (if approved) 22 May 2024 | Obsoletes: 8954 August 2024 | |||
| Updates: 6960 (if approved) | Updates: 6960 | |||
| Intended status: Standards Track | Category: Standards Track | |||
| Expires: 23 November 2024 | ISSN: 2070-1721 | |||
| Online Certificate Status Protocol (OCSP) Nonce Extension | Online Certificate Status Protocol (OCSP) Nonce Extension | |||
| draft-ietf-lamps-ocsp-nonce-update-11 | ||||
| Abstract | Abstract | |||
| RFC 8954 imposed the size constraints on the optional Nonce extension | RFC 8954 imposed size constraints on the optional Nonce extension for | |||
| for the Online Certificate Status Protocol (OCSP). OCSP is used for | the Online Certificate Status Protocol (OCSP). OCSP is used to check | |||
| checking the status of a certificate, and the Nonce extension is used | the status of a certificate, and the Nonce extension is used to | |||
| to cryptographically bind an OCSP response message to a particular | cryptographically bind an OCSP response message to a particular OCSP | |||
| OCSP request message. | request message. | |||
| Some environments use cryptographic algorithms that generate a Nonce | Some environments use cryptographic algorithms that generate a Nonce | |||
| value that is longer than 32 octets. This document updates the | value that is longer than 32 octets. This document updates the | |||
| maximum allowed length of Nonce to 128 octets. This document also | maximum allowed length of Nonce to 128 octets. This document also | |||
| modifies Nonce section to clearly define the encoding format and | modifies the Nonce section to clearly define the encoding format and | |||
| values distinctively for an easier implementation and understanding. | values distinctively for easier implementation and understanding. | |||
| This document obsoletes RFC 8954 and provides updated ASN.1 modules | This document obsoletes RFC 8954 and provides updated ASN.1 modules | |||
| for OCSP, updates RFC 6960. | for OCSP, updates RFC 6960. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This is an Internet Standards Track document. | |||
| provisions of BCP 78 and BCP 79. | ||||
| Internet-Drafts are working documents of the Internet Engineering | ||||
| Task Force (IETF). Note that other groups may also distribute | ||||
| working documents as Internet-Drafts. The list of current Internet- | ||||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
| Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
| and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
| time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
| material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Further information on | |||
| Internet Standards is available in Section 2 of RFC 7841. | ||||
| This Internet-Draft will expire on 23 November 2024. | Information about the current status of this document, any errata, | |||
| and how to provide feedback on it may be obtained at | ||||
| https://www.rfc-editor.org/info/rfc9654. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2024 IETF Trust and the persons identified as the | Copyright (c) 2024 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
| license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
| and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
| extracted from this document must include Revised BSD License text as | to this document. Code Components extracted from this document must | |||
| described in Section 4.e of the Trust Legal Provisions and are | include Revised BSD License text as described in Section 4.e of the | |||
| provided without warranty as described in the Revised BSD License. | Trust Legal Provisions and are provided without warranty as described | |||
| in the Revised BSD License. | ||||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction | |||
| 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 2 | 1.1. Requirements Language | |||
| 2. OCSP Extensions . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. OCSP Extensions | |||
| 2.1. Nonce Extension . . . . . . . . . . . . . . . . . . . . . 3 | 2.1. Nonce Extension | |||
| 3. Security Considerations . . . . . . . . . . . . . . . . . . . 4 | 3. Security Considerations | |||
| 3.1. Replay Attack . . . . . . . . . . . . . . . . . . . . . . 4 | 3.1. Replay Attack | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | 4. IANA Considerations | |||
| Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 5 | 5. References | |||
| References . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 5.1. Normative References | |||
| Normative References . . . . . . . . . . . . . . . . . . . . . 5 | 5.2. Informative References | |||
| Informative References . . . . . . . . . . . . . . . . . . . . 6 | Appendix A. ASN.1 Modules | |||
| Appendix A. ASN.1 Modules . . . . . . . . . . . . . . . . . . . 6 | A.1. OCSP in ASN.1 - 1998 Syntax | |||
| A.1. OCSP in ASN.1 - 1998 Syntax . . . . . . . . . . . . . . . 6 | A.2. OCSP in ASN.1 - 2008 Syntax | |||
| A.2. OCSP in ASN.1 - 2008 Syntax . . . . . . . . . . . . . . . 10 | Acknowledgements | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 14 | Author's Address | |||
| 1. Introduction | 1. Introduction | |||
| Nonce extension was previously defined in Section 4.4.1 of [RFC6960]. | The Nonce extension was previously defined in Section 4.4.1 of | |||
| The Nonce cryptographically binds an OCSP request and a response. It | [RFC6960]. The Nonce cryptographically binds an OCSP request and a | |||
| guarantees the freshness of an OCSP response and to avoid replay | response. It guarantees the freshness of an OCSP response and avoids | |||
| attacks. This extension was updated in [RFC8954]. [RFC8954] limits | replay attacks. This extension was updated in [RFC8954]. [RFC8954] | |||
| the maximum Nonce length to 32 octets. To support cryptographic | limits the maximum Nonce length to 32 octets. To support | |||
| algorithms that generate a Nonce that is longer than 32 octets, this | cryptographic algorithms that generate a Nonce that is longer than 32 | |||
| document updates the maximum allowed size of the Nonce to 128 octets. | octets, this document updates the maximum allowed size of the Nonce | |||
| In addition, this document recommends that the OCSP requester and | to 128 octets. In addition, this document recommends that the OCSP | |||
| responder use a Nonce with a minimum length of 32 octets. | requester and responder use a Nonce with a minimum length of 32 | |||
| octets. | ||||
| 1.1. Requirements Language | 1.1. Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 2. OCSP Extensions | 2. OCSP Extensions | |||
| The message formats for OCSP requests and responses are defined in | The message formats for OCSP requests and responses are defined in | |||
| [RFC6960] and Nonce extension was updated in [RFC8954]. [RFC6960] | [RFC6960] and the Nonce extension was updated in [RFC8954]. | |||
| also defines the standard extensions for OCSP messages based on the | [RFC6960] also defines the standard extensions for OCSP messages | |||
| extension model employed in X.509 version 3 certificates (see | based on the extension model employed in X.509 version 3 certificates | |||
| [RFC5280]). [RFC8954] replaces this section to limit the minimum and | (see [RFC5280]). [RFC8954] replaces this section to limit the | |||
| maximum length for the Nonce value. This document extends the | minimum and maximum length for the Nonce value. This document | |||
| maximum allowed nonce length to 128 octets and does not change the | extends the maximum allowed nonce length to 128 octets and does not | |||
| specifications of any of the other standard extensions defined in | change the specifications of any of the other extensions defined in | |||
| [RFC6960]. | [RFC6960]. | |||
| 2.1. Nonce Extension | 2.1. Nonce Extension | |||
| The Nonce cryptographically binds a request and a response to prevent | The Nonce cryptographically binds a request and a response to prevent | |||
| replay attacks. The Nonce is included as one of the | replay attacks. The Nonce is included as one of the | |||
| requestExtensions in requests; in responses, it would be included as | requestExtensions in requests; in responses, it is included as one of | |||
| one of the responseExtensions. In both the request and the response, | the responseExtensions. In both the request and the response, the | |||
| the Nonce will be identified by the object identifier id-pkix-ocsp- | Nonce is identified by the object identifier id-pkix-ocsp-nonce, | |||
| nonce, while the extnValue is the encoded value of Nonce. If the | while the extnValue is the encoded value of Nonce. If the Nonce | |||
| Nonce extension is present, then the length of the Nonce MUST be at | extension is present, then the length of the Nonce MUST be at least 1 | |||
| least 1 octet and can be up to 128 octets. [RFC8954] compliant | octet and can be up to 128 octets. Implementations compliant with | |||
| implementations will be unable to process nonces generated per the | [RFC8954] will not be able to process nonces generated per the new | |||
| new specification with sizes in excess of the limit of 32 octets that | specification with sizes in excess of the limit (32 octets) specified | |||
| was specified in [RFC8954]. | in [RFC8954]. | |||
| An OCSP requester that implements this document MUST use a minimum | An OCSP requester that implements the extension in this document MUST | |||
| length of 32 octets for Nonce in the Nonce extension. | use a minimum length of 32 octets for Nonce in the Nonce extension. | |||
| An OCSP responder , supporting the Nonce extension, MUST accept Nonce | An OCSP responder that supports the Nonce extension MUST accept Nonce | |||
| lengths of at least 16 octets and up to and including 32 octets. | lengths of at least 16 octets and up to and including 32 octets. A | |||
| Responder MAY choose to respond without the Nonce extension for | responder MAY choose to respond without the Nonce extension for | |||
| requests where the length of the Nonce is in between 1 octet and 15 | requests in which the length of the Nonce is in between 1 octet and | |||
| octets or 33 octets and 128 octets. | 15 octets or 33 octets and 128 octets. | |||
| Responders, that implements this document MUST reject any OCSP | Responders that implement the extension in this document MUST reject | |||
| request that has a Nonce with a length of either 0 octets or more | any OCSP request that has a Nonce with a length of either 0 octets or | |||
| than 128 octets, with the malformedRequest OCSPResponseStatus as | greater than 128 octets, with the malformedRequest OCSPResponseStatus | |||
| described in Section 4.2.1 of [RFC6960]. | as described in Section 4.2.1 of [RFC6960]. | |||
| The value of the Nonce MUST be generated using a cryptographically | The value of the Nonce MUST be generated using a cryptographically | |||
| strong pseudorandom number generator (see [RFC4086]). The minimum | strong pseudorandom number generator (see [RFC4086]). The minimum | |||
| Nonce length of 1 octet is defined to provide backward compatibility | Nonce length of 1 octet is defined to provide backward compatibility | |||
| with older OCSP requester that follow [RFC6960]. | with older OCSP requesters that follow [RFC6960]. | |||
| id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp } | id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp } | |||
| id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 } | id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 } | |||
| Nonce ::= OCTET STRING(SIZE(1..128)) | Nonce ::= OCTET STRING(SIZE(1..128)) | |||
| Example of an encoded OCSP Nonce extension with 32 octet Nonce in | ||||
| hexadecimal format. | ||||
| 30 2f 06 09 2b 06 01 05 05 07 30 01 02 04 22 04 | The following is an example of an encoded OCSP Nonce extension with a | |||
| 20 dd 49 d4 07 2c 44 9d a1 c3 17 bd 1c 1b df fe | 32-octet Nonce in hexadecimal format. | |||
| db e1 50 31 2e c4 cd 0a dd 18 e5 bd 6f 84 bf 14 | ||||
| c8 | ||||
| Here is the decoded version of the above example. | 30 2f 06 09 2b 06 01 05 05 07 30 01 02 04 22 04 | |||
| Offset, Length and Object Identifier are in decimal. | 20 dd 49 d4 07 2c 44 9d a1 c3 17 bd 1c 1b df fe | |||
| db e1 50 31 2e c4 cd 0a dd 18 e5 bd 6f 84 bf 14 | ||||
| c8 | ||||
| Here is the decoded version of the above example. Offset, Length, | ||||
| and Object Identifier are in decimal. | ||||
| Offset Length | Offset Length | |||
| 0 47 : SEQUENCE { | 0 47 : SEQUENCE { | |||
| 2 9 : OBJECT IDENTIFIER ocspNonce (1 3 6 1 5 5 7 48 1 2) | 2 9 : OBJECT IDENTIFIER ocspNonce (1 3 6 1 5 5 7 48 1 2) | |||
| 13 34 : OCTET STRING, encapsulates { | 13 34 : OCTET STRING, encapsulates { | |||
| 15 32 : OCTET STRING | 15 32 : OCTET STRING | |||
| : DD 49 D4 07 2C 44 9D A1 C3 17 BD 1C 1B DF FE DB | : DD 49 D4 07 2C 44 9D A1 C3 17 BD 1C 1B DF FE DB | |||
| : E1 50 31 2E C4 CD 0A DD 18 E5 BD 6F 84 BF 14 C8 | : E1 50 31 2E C4 CD 0A DD 18 E5 BD 6F 84 BF 14 C8 | |||
| : } | : } | |||
| : } | : } | |||
| 3. Security Considerations | 3. Security Considerations | |||
| The security considerations of OCSP, in general, are described in | The security considerations of OCSP, in general, are described in | |||
| [RFC6960]. During the interval in which the previous OCSP response | [RFC6960]. During the interval in which the previous OCSP response | |||
| for a certificate is not expired but the responder has a changed | for a certificate is not expired but the responder has a changed | |||
| status for that certificate, a copy of that OCSP response can be used | status for that certificate, a copy of that OCSP response can be used | |||
| to indicate that the status of the certificate is still valid. | to indicate that the status of the certificate is still valid. | |||
| Including a requester's nonce value in the OCSP response makes sure | Including a requester's nonce value in the OCSP response ensures that | |||
| that the response is the latest response from the server and not an | the response is the most recent response from the server and not an | |||
| old copy. | old copy. | |||
| 3.1. Replay Attack | 3.1. Replay Attack | |||
| The Nonce extension is used to avoid replay attacks. Since the OCSP | The Nonce extension is used to avoid replay attacks. Since the OCSP | |||
| responder may choose not to send the Nonce extension in the OCSP | responder may choose not to send the Nonce extension in the OCSP | |||
| response even if the requester has sent the Nonce extension in the | response even if the requester has sent the Nonce extension in the | |||
| request [RFC5019], an on-path attacker can intercept the OCSP request | request [RFC5019], an on-path attacker can intercept the OCSP request | |||
| and respond with an earlier response from the server without the | and respond with an earlier response from the server without the | |||
| Nonce extension. This can be mitigated by configuring the server to | Nonce extension. This can be mitigated by configuring the server to | |||
| use a short time interval between the thisUpdate and nextUpdate | use a short time interval between the thisUpdate and nextUpdate | |||
| fields in the OCSP response. | fields in the OCSP response. | |||
| 4. IANA Considerations | 4. IANA Considerations | |||
| For the ASN.1 Module in Appendix A.1, IANA is requested to assign an | For the ASN.1 modules in Appendixes A.1 and A.2, IANA has assigned | |||
| object identifier (OID) for the module identifier to replace TBD1. | the following object identifiers (OIDs) in the "SMI Security for PKIX | |||
| The OID for the module should be allocated in the "SMI Security for | Module Identifier" registry (1.3.6.1.5.5.7.0): | |||
| PKIX Module Identifier" registry (1.3.6.1.5.5.7.0), and the | ||||
| Description for the new OID should be set to "id-mod-ocsp-2024-88". | ||||
| For the ASN.1 Module in Appendix A.2, IANA is requested to assign an | ||||
| object identifier (OID) for the module identifier to replace TBD2. | ||||
| The OID for the module should be allocated in the "SMI Security for | ||||
| PKIX Module Identifier" registry (1.3.6.1.5.5.7.0), and the | ||||
| Description for the new OID should be set to "id-mod-ocsp-2024-08". | ||||
| Acknowledgements | ||||
| The authors of this document wish to thank Mohit Sahni for his work | +=======+=====================+ | |||
| to produce [RFC8954]. | | Value | Description | | |||
| +=======+=====================+ | ||||
| | 111 | id-mod-ocsp-2024-88 | | ||||
| +-------+---------------------+ | ||||
| | 112 | id-mod-ocsp-2024-08 | | ||||
| +-------+---------------------+ | ||||
| The authors wish to thank Russ Housley, Corey Bonnell, Michael | Table 1 | |||
| StJohns and Carl Wallace for the feedback and suggestions. | ||||
| References | 5. References | |||
| Normative References | 5.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, | [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, | |||
| "Randomness Requirements for Security", BCP 106, RFC 4086, | "Randomness Requirements for Security", BCP 106, RFC 4086, | |||
| DOI 10.17487/RFC4086, June 2005, | DOI 10.17487/RFC4086, June 2005, | |||
| <https://www.rfc-editor.org/info/rfc4086>. | <https://www.rfc-editor.org/info/rfc4086>. | |||
| skipping to change at page 6, line 19 ¶ | skipping to change at line 242 ¶ | |||
| <https://www.rfc-editor.org/info/rfc6960>. | <https://www.rfc-editor.org/info/rfc6960>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [RFC8954] Sahni, M., Ed., "Online Certificate Status Protocol (OCSP) | [RFC8954] Sahni, M., Ed., "Online Certificate Status Protocol (OCSP) | |||
| Nonce Extension", RFC 8954, DOI 10.17487/RFC8954, November | Nonce Extension", RFC 8954, DOI 10.17487/RFC8954, November | |||
| 2020, <https://www.rfc-editor.org/info/rfc8954>. | 2020, <https://www.rfc-editor.org/info/rfc8954>. | |||
| Informative References | 5.2. Informative References | |||
| [Err5891] RFC Errata, Erratum ID 5891, RFC 6960, | ||||
| <https://www.rfc-editor.org/errata/eid5891>. | ||||
| [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the | [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the | |||
| Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, | Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, | |||
| DOI 10.17487/RFC5912, June 2010, | DOI 10.17487/RFC5912, June 2010, | |||
| <https://www.rfc-editor.org/info/rfc5912>. | <https://www.rfc-editor.org/info/rfc5912>. | |||
| [Errata5891] | ||||
| RFC Errata, Erratum ID 5891, RFC 6960, | ||||
| <https://www.rfc-editor.org/errata/eid5891>. | ||||
| Appendix A. ASN.1 Modules | Appendix A. ASN.1 Modules | |||
| This section includes the ASN.1 modules for OCSP and replaces the | This section includes the ASN.1 modules for OCSP and replaces the | |||
| entirity of Section 5 of [RFC8954]. It addresses Errata id 5891 | entirety of Section 5 of [RFC8954]. It addresses Errata ID 5891 | |||
| [Errata5891] as well. | [Err5891] as well. | |||
| Appendix A.1 includes an ASN.1 module that conforms to the 1998 | Appendix A.1 includes an ASN.1 module that conforms to the 1998 | |||
| version of ASN.1 for all syntax elements of OCSP. This module | version of ASN.1 for all syntax elements of OCSP. This module | |||
| replaces the modules Appendix B.1 of [RFC6960]. | replaces the module in Appendix B.1 of [RFC6960]. | |||
| Appendix A.2 includes an ASN.1 module, corresponding to the module | Appendix A.2 includes an ASN.1 module, corresponding to the module | |||
| present in A.1, that conforms to the 2008 version of ASN.1. This | present in Appendix A.1, that conforms to the 2008 version of ASN.1. | |||
| module replaces the modules in Section 4 of [RFC5912] and | This module replaces the modules in Section 4 of [RFC5912] and | |||
| Appendix B.2 of [RFC6960]. Although a 2008 ASN.1 module is provided, | Appendix B.2 of [RFC6960]. Although a 2008 ASN.1 module is provided, | |||
| the module in Appendix A.1 remains the normative module as per the | the module in Appendix A.1 remains the normative module per the | |||
| policy of the PKIX working group. | policy of the PKIX Working Group. | |||
| A.1. OCSP in ASN.1 - 1998 Syntax | A.1. OCSP in ASN.1 - 1998 Syntax | |||
| OCSP-2024-88 | ||||
| {iso(1) identified-organization(3) dod(6) internet(1) | ||||
| security(5) mechanisms(5) pkix(7) id-mod(0) | ||||
| id-mod-ocsp-2024-88(TBD1)} | ||||
| DEFINITIONS EXPLICIT TAGS ::= | OCSP-2024-88 | |||
| {iso(1) identified-organization(3) dod(6) internet(1) | ||||
| security(5) mechanisms(5) pkix(7) id-mod(0) | ||||
| id-mod-ocsp-2024-88(111)} | ||||
| BEGIN | DEFINITIONS EXPLICIT TAGS ::= | |||
| IMPORTS | BEGIN | |||
| -- PKIX Certificate Extensions | IMPORTS | |||
| AuthorityInfoAccessSyntax, CRLReason, GeneralName | ||||
| FROM PKIX1Implicit88 { iso(1) identified-organization(3) | ||||
| dod(6) internet(1) security(5) mechanisms(5) pkix(7) | ||||
| id-mod(0) id-pkix1-implicit(19) } | ||||
| Name, CertificateSerialNumber, Extensions, | -- PKIX Certificate Extensions | |||
| id-kp, id-ad-ocsp, Certificate, AlgorithmIdentifier | AuthorityInfoAccessSyntax, CRLReason, GeneralName | |||
| FROM PKIX1Explicit88 { iso(1) identified-organization(3) | FROM PKIX1Implicit88 { iso(1) identified-organization(3) | |||
| dod(6) internet(1) security(5) mechanisms(5) pkix(7) | dod(6) internet(1) security(5) mechanisms(5) pkix(7) | |||
| id-mod(0) id-pkix1-explicit(18) }; | id-mod(0) id-pkix1-implicit(19) } | |||
| OCSPRequest ::= SEQUENCE { | Name, CertificateSerialNumber, Extensions, | |||
| tbsRequest TBSRequest, | id-kp, id-ad-ocsp, Certificate, AlgorithmIdentifier | |||
| optionalSignature [0] EXPLICIT Signature OPTIONAL } | FROM PKIX1Explicit88 { iso(1) identified-organization(3) | |||
| dod(6) internet(1) security(5) mechanisms(5) pkix(7) | ||||
| id-mod(0) id-pkix1-explicit(18) }; | ||||
| TBSRequest ::= SEQUENCE { | OCSPRequest ::= SEQUENCE { | |||
| version [0] EXPLICIT Version DEFAULT v1, | tbsRequest TBSRequest, | |||
| requestorName [1] EXPLICIT GeneralName OPTIONAL, | optionalSignature [0] EXPLICIT Signature OPTIONAL } | |||
| requestList SEQUENCE OF Request, | ||||
| requestExtensions [2] EXPLICIT Extensions OPTIONAL } | ||||
| Signature ::= SEQUENCE { | TBSRequest ::= SEQUENCE { | |||
| signatureAlgorithm AlgorithmIdentifier, | version [0] EXPLICIT Version DEFAULT v1, | |||
| signature BIT STRING, | requestorName [1] EXPLICIT GeneralName OPTIONAL, | |||
| certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } | requestList SEQUENCE OF Request, | |||
| requestExtensions [2] EXPLICIT Extensions OPTIONAL } | ||||
| Version ::= INTEGER { v1(0) } | Signature ::= SEQUENCE { | |||
| signatureAlgorithm AlgorithmIdentifier, | ||||
| signature BIT STRING, | ||||
| certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } | ||||
| Nonce ::= OCTET STRING(SIZE(1..128)) | Version ::= INTEGER { v1(0) } | |||
| Request ::= SEQUENCE { | Nonce ::= OCTET STRING(SIZE(1..128)) | |||
| reqCert CertID, | ||||
| singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL } | ||||
| CertID ::= SEQUENCE { | Request ::= SEQUENCE { | |||
| hashAlgorithm AlgorithmIdentifier, | reqCert CertID, | |||
| issuerNameHash OCTET STRING, -- Hash of issuer's DN | singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL } | |||
| issuerKeyHash OCTET STRING, -- Hash of issuer's public key | ||||
| serialNumber CertificateSerialNumber } | ||||
| OCSPResponse ::= SEQUENCE { | CertID ::= SEQUENCE { | |||
| responseStatus OCSPResponseStatus, | hashAlgorithm AlgorithmIdentifier, | |||
| responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } | issuerNameHash OCTET STRING, -- Hash of issuer's DN | |||
| issuerKeyHash OCTET STRING, -- Hash of issuer's public key | ||||
| serialNumber CertificateSerialNumber } | ||||
| OCSPResponseStatus ::= ENUMERATED { | OCSPResponse ::= SEQUENCE { | |||
| successful (0), -- Response has valid confirmations | responseStatus OCSPResponseStatus, | |||
| malformedRequest (1), -- Illegal confirmation request | responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } | |||
| internalError (2), -- Internal error in issuer | ||||
| tryLater (3), -- Try again later | ||||
| -- (4) is not used | ||||
| sigRequired (5), -- Must sign the request | ||||
| unauthorized (6) -- Request unauthorized | ||||
| } | ||||
| ResponseBytes ::= SEQUENCE { | OCSPResponseStatus ::= ENUMERATED { | |||
| responseType OBJECT IDENTIFIER, | successful (0), -- Response has valid confirmations | |||
| response OCTET STRING } | malformedRequest (1), -- Illegal confirmation request | |||
| internalError (2), -- Internal error in issuer | ||||
| tryLater (3), -- Try again later | ||||
| -- (4) is not used | ||||
| sigRequired (5), -- Must sign the request | ||||
| unauthorized (6) -- Request unauthorized | ||||
| } | ||||
| BasicOCSPResponse ::= SEQUENCE { | ResponseBytes ::= SEQUENCE { | |||
| tbsResponseData ResponseData, | responseType OBJECT IDENTIFIER, | |||
| signatureAlgorithm AlgorithmIdentifier, | response OCTET STRING } | |||
| signature BIT STRING, | ||||
| certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } | ||||
| ResponseData ::= SEQUENCE { | BasicOCSPResponse ::= SEQUENCE { | |||
| version [0] EXPLICIT Version DEFAULT v1, | tbsResponseData ResponseData, | |||
| responderID ResponderID, | signatureAlgorithm AlgorithmIdentifier, | |||
| producedAt GeneralizedTime, -- The format for | signature BIT STRING, | |||
| -- GeneralizedTime is as | certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } | |||
| -- specified in Section | ||||
| -- 4.1.2.5.2 of [RFC5280] | ||||
| responses SEQUENCE OF SingleResponse, | ||||
| responseExtensions [1] EXPLICIT Extensions OPTIONAL } | ||||
| ResponderID ::= CHOICE { | ResponseData ::= SEQUENCE { | |||
| byName [1] Name, | version [0] EXPLICIT Version DEFAULT v1, | |||
| byKey [2] KeyHash } | responderID ResponderID, | |||
| producedAt GeneralizedTime, -- The format for | ||||
| -- GeneralizedTime is as | ||||
| -- specified in Section | ||||
| -- 4.1.2.5.2 of [RFC5280] | ||||
| responses SEQUENCE OF SingleResponse, | ||||
| responseExtensions [1] EXPLICIT Extensions OPTIONAL } | ||||
| KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key | ResponderID ::= CHOICE { | |||
| -- (i.e., the SHA-1 hash of the value of the | byName [1] Name, | |||
| -- BIT STRING subjectPublicKey [excluding | byKey [2] KeyHash } | |||
| -- the tag, length, and number of unused | ||||
| -- bits] in the responder's certificate) | ||||
| SingleResponse ::= SEQUENCE { | KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key | |||
| certID CertID, | -- (i.e., the SHA-1 hash of the value of the | |||
| certStatus CertStatus, | -- BIT STRING subjectPublicKey [excluding | |||
| thisUpdate GeneralizedTime, | -- the tag, length, and number of unused | |||
| nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, | -- bits] in the responder's certificate) | |||
| singleExtensions [1] EXPLICIT Extensions OPTIONAL } | ||||
| CertStatus ::= CHOICE { | SingleResponse ::= SEQUENCE { | |||
| good [0] IMPLICIT NULL, | certID CertID, | |||
| revoked [1] IMPLICIT RevokedInfo, | certStatus CertStatus, | |||
| unknown [2] IMPLICIT UnknownInfo } | thisUpdate GeneralizedTime, | |||
| nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, | ||||
| singleExtensions [1] EXPLICIT Extensions OPTIONAL } | ||||
| RevokedInfo ::= SEQUENCE { | CertStatus ::= CHOICE { | |||
| revocationTime GeneralizedTime, | good [0] IMPLICIT NULL, | |||
| revocationReason [0] EXPLICIT CRLReason OPTIONAL } | revoked [1] IMPLICIT RevokedInfo, | |||
| unknown [2] IMPLICIT UnknownInfo } | ||||
| UnknownInfo ::= NULL | RevokedInfo ::= SEQUENCE { | |||
| revocationTime GeneralizedTime, | ||||
| revocationReason [0] EXPLICIT CRLReason OPTIONAL } | ||||
| ArchiveCutoff ::= GeneralizedTime | UnknownInfo ::= NULL | |||
| AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER | ArchiveCutoff ::= GeneralizedTime | |||
| ServiceLocator ::= SEQUENCE { | AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER | |||
| issuer Name, | ||||
| locator AuthorityInfoAccessSyntax } | ||||
| CrlID ::= SEQUENCE { | ServiceLocator ::= SEQUENCE { | |||
| crlUrl [0] EXPLICIT IA5String OPTIONAL, | issuer Name, | |||
| crlNum [1] EXPLICIT INTEGER OPTIONAL, | locator AuthorityInfoAccessSyntax } | |||
| crlTime [2] EXPLICIT GeneralizedTime OPTIONAL } | ||||
| PreferredSignatureAlgorithms ::= SEQUENCE OF PreferredSignatureAlgorithm | CrlID ::= SEQUENCE { | |||
| crlUrl [0] EXPLICIT IA5String OPTIONAL, | ||||
| crlNum [1] EXPLICIT INTEGER OPTIONAL, | ||||
| crlTime [2] EXPLICIT GeneralizedTime OPTIONAL } | ||||
| PreferredSignatureAlgorithm ::= SEQUENCE { | PreferredSignatureAlgorithms ::= SEQUENCE OF PreferredSignatureAlgorithm | |||
| sigIdentifier AlgorithmIdentifier, | ||||
| certIdentifier AlgorithmIdentifier OPTIONAL } | ||||
| PreferredSignatureAlgorithm ::= SEQUENCE { | ||||
| sigIdentifier AlgorithmIdentifier, | ||||
| certIdentifier AlgorithmIdentifier OPTIONAL } | ||||
| id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } | -- Object Identifiers | |||
| id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp } | ||||
| id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 } | ||||
| id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 } | ||||
| id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 } | ||||
| id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 } | ||||
| id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 } | ||||
| id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 } | ||||
| id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 } | ||||
| id-pkix-ocsp-pref-sig-algs OBJECT IDENTIFIER ::= { id-pkix-ocsp 8 } | ||||
| id-pkix-ocsp-extended-revoke OBJECT IDENTIFIER ::= { id-pkix-ocsp 9 } | ||||
| END | id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } | |||
| id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp } | ||||
| id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 } | ||||
| id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 } | ||||
| id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 } | ||||
| id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 } | ||||
| id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 } | ||||
| id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 } | ||||
| id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 } | ||||
| id-pkix-ocsp-pref-sig-algs OBJECT IDENTIFIER ::= { id-pkix-ocsp 8 } | ||||
| id-pkix-ocsp-extended-revoke OBJECT IDENTIFIER ::= { id-pkix-ocsp 9 } | ||||
| END | ||||
| A.2. OCSP in ASN.1 - 2008 Syntax | A.2. OCSP in ASN.1 - 2008 Syntax | |||
| OCSP-2024-08 | OCSP-2024-08 | |||
| {iso(1) identified-organization(3) dod(6) internet(1) | {iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) pkix(7) id-mod(0) | security(5) mechanisms(5) pkix(7) id-mod(0) | |||
| id-mod-ocsp-2024-08(TBD2)} | id-mod-ocsp-2024-08(112)} | |||
| DEFINITIONS EXPLICIT TAGS ::= | DEFINITIONS EXPLICIT TAGS ::= | |||
| BEGIN | BEGIN | |||
| IMPORTS | IMPORTS | |||
| Extensions{}, EXTENSION | Extensions{}, EXTENSION | |||
| FROM PKIX-CommonTypes-2009 -- From [RFC5912] | FROM PKIX-CommonTypes-2009 -- From [RFC5912] | |||
| {iso(1) identified-organization(3) dod(6) internet(1) security(5) | {iso(1) identified-organization(3) dod(6) internet(1) security(5) | |||
| mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)} | mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)} | |||
| AlgorithmIdentifier{}, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM, PUBLIC-KEY | AlgorithmIdentifier{}, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM, PUBLIC-KEY | |||
| FROM AlgorithmInformation-2009 -- From [RFC5912] | FROM AlgorithmInformation-2009 -- From [RFC5912] | |||
| {iso(1) identified-organization(3) dod(6) internet(1) security(5) | {iso(1) identified-organization(3) dod(6) internet(1) security(5) | |||
| mechanisms(5) pkix(7) id-mod(0) | mechanisms(5) pkix(7) id-mod(0) | |||
| id-mod-algorithmInformation-02(58)} | id-mod-algorithmInformation-02(58)} | |||
| AuthorityInfoAccessSyntax, GeneralName, CrlEntryExtensions, CRLReason | AuthorityInfoAccessSyntax, GeneralName, CrlEntryExtensions, CRLReason | |||
| FROM PKIX1Implicit-2009 -- From [RFC5912] | FROM PKIX1Implicit-2009 -- From [RFC5912] | |||
| {iso(1) identified-organization(3) dod(6) internet(1) security(5) | {iso(1) identified-organization(3) dod(6) internet(1) security(5) | |||
| mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)} | mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)} | |||
| Name, CertificateSerialNumber, id-kp, id-ad-ocsp, Certificate | Name, CertificateSerialNumber, id-kp, id-ad-ocsp, Certificate | |||
| FROM PKIX1Explicit-2009 -- From [RFC5912] | FROM PKIX1Explicit-2009 -- From [RFC5912] | |||
| {iso(1) identified-organization(3) dod(6) internet(1) security(5) | {iso(1) identified-organization(3) dod(6) internet(1) security(5) | |||
| mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)} | mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)} | |||
| sa-dsaWithSHA1, sa-rsaWithMD2, sa-rsaWithMD5, sa-rsaWithSHA1 | sa-dsaWithSHA1, sa-rsaWithMD2, sa-rsaWithMD5, sa-rsaWithSHA1 | |||
| FROM PKIXAlgs-2009 -- From [RFC5912] | FROM PKIXAlgs-2009 -- From [RFC5912] | |||
| {iso(1) identified-organization(3) dod(6) internet(1) security(5) | {iso(1) identified-organization(3) dod(6) internet(1) security(5) | |||
| mechanisms(5) pkix(7) id-mod(0) | mechanisms(5) pkix(7) id-mod(0) | |||
| id-mod-pkix1-algorithms2008-02(56)}; | id-mod-pkix1-algorithms2008-02(56)}; | |||
| OCSPRequest ::= SEQUENCE { | OCSPRequest ::= SEQUENCE { | |||
| tbsRequest TBSRequest, | tbsRequest TBSRequest, | |||
| optionalSignature [0] EXPLICIT Signature OPTIONAL } | optionalSignature [0] EXPLICIT Signature OPTIONAL } | |||
| TBSRequest ::= SEQUENCE { | TBSRequest ::= SEQUENCE { | |||
| version [0] EXPLICIT Version DEFAULT v1, | version [0] EXPLICIT Version DEFAULT v1, | |||
| requestorName [1] EXPLICIT GeneralName OPTIONAL, | requestorName [1] EXPLICIT GeneralName OPTIONAL, | |||
| requestList SEQUENCE OF Request, | requestList SEQUENCE OF Request, | |||
| requestExtensions [2] EXPLICIT Extensions {{re-ocsp-nonce | | requestExtensions [2] EXPLICIT Extensions {{re-ocsp-nonce | | |||
| re-ocsp-response, ..., | re-ocsp-response, ..., | |||
| re-ocsp-preferred-signature-algorithms}} OPTIONAL } | re-ocsp-preferred-signature-algorithms}} OPTIONAL } | |||
| Signature ::= SEQUENCE { | Signature ::= SEQUENCE { | |||
| signatureAlgorithm AlgorithmIdentifier | signatureAlgorithm AlgorithmIdentifier | |||
| { SIGNATURE-ALGORITHM, {...}}, | { SIGNATURE-ALGORITHM, {...}}, | |||
| signature BIT STRING, | signature BIT STRING, | |||
| certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } | certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } | |||
| Version ::= INTEGER { v1(0) } | Version ::= INTEGER { v1(0) } | |||
| Nonce ::= OCTET STRING(SIZE(1..128)) | Nonce ::= OCTET STRING(SIZE(1..128)) | |||
| Request ::= SEQUENCE { | Request ::= SEQUENCE { | |||
| reqCert CertID, | reqCert CertID, | |||
| singleRequestExtensions [0] EXPLICIT Extensions | singleRequestExtensions [0] EXPLICIT Extensions | |||
| { {re-ocsp-service-locator, | { {re-ocsp-service-locator, | |||
| ...}} OPTIONAL } | ...}} OPTIONAL } | |||
| CertID ::= SEQUENCE { | CertID ::= SEQUENCE { | |||
| hashAlgorithm AlgorithmIdentifier | hashAlgorithm AlgorithmIdentifier | |||
| {DIGEST-ALGORITHM, {...}}, | {DIGEST-ALGORITHM, {...}}, | |||
| issuerNameHash OCTET STRING, -- Hash of issuer's DN | issuerNameHash OCTET STRING, -- Hash of issuer's DN | |||
| issuerKeyHash OCTET STRING, -- Hash of issuer's public key | issuerKeyHash OCTET STRING, -- Hash of issuer's public key | |||
| serialNumber CertificateSerialNumber } | serialNumber CertificateSerialNumber } | |||
| OCSPResponse ::= SEQUENCE { | OCSPResponse ::= SEQUENCE { | |||
| responseStatus OCSPResponseStatus, | responseStatus OCSPResponseStatus, | |||
| responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } | responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } | |||
| OCSPResponseStatus ::= ENUMERATED { | OCSPResponseStatus ::= ENUMERATED { | |||
| successful (0), -- Response has valid confirmations | successful (0), -- Response has valid confirmations | |||
| malformedRequest (1), -- Illegal confirmation request | malformedRequest (1), -- Illegal confirmation request | |||
| internalError (2), -- Internal error in issuer | internalError (2), -- Internal error in issuer | |||
| tryLater (3), -- Try again later | tryLater (3), -- Try again later | |||
| -- (4) is not used | -- (4) is not used | |||
| sigRequired (5), -- Must sign the request | sigRequired (5), -- Must sign the request | |||
| unauthorized (6) -- Request unauthorized | unauthorized (6) -- Request unauthorized | |||
| } | } | |||
| RESPONSE ::= TYPE-IDENTIFIER | RESPONSE ::= TYPE-IDENTIFIER | |||
| ResponseSet RESPONSE ::= {basicResponse, ...} | ResponseSet RESPONSE ::= {basicResponse, ...} | |||
| ResponseBytes ::= SEQUENCE { | ResponseBytes ::= SEQUENCE { | |||
| responseType RESPONSE. | responseType RESPONSE. | |||
| &id ({ResponseSet}), | &id ({ResponseSet}), | |||
| response OCTET STRING (CONTAINING RESPONSE. | response OCTET STRING (CONTAINING RESPONSE. | |||
| &Type({ResponseSet}{@responseType}))} | &Type({ResponseSet}{@responseType}))} | |||
| basicResponse RESPONSE ::= | basicResponse RESPONSE ::= | |||
| { BasicOCSPResponse IDENTIFIED BY id-pkix-ocsp-basic } | { BasicOCSPResponse IDENTIFIED BY id-pkix-ocsp-basic } | |||
| BasicOCSPResponse ::= SEQUENCE { | BasicOCSPResponse ::= SEQUENCE { | |||
| tbsResponseData ResponseData, | tbsResponseData ResponseData, | |||
| signatureAlgorithm AlgorithmIdentifier{SIGNATURE-ALGORITHM, | signatureAlgorithm AlgorithmIdentifier{SIGNATURE-ALGORITHM, | |||
| {sa-dsaWithSHA1 | sa-rsaWithSHA1 | | {sa-dsaWithSHA1 | sa-rsaWithSHA1 | | |||
| sa-rsaWithMD5 | sa-rsaWithMD2, ...}}, | sa-rsaWithMD5 | sa-rsaWithMD2, ...}}, | |||
| signature BIT STRING, | signature BIT STRING, | |||
| certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } | certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } | |||
| ResponseData ::= SEQUENCE { | ResponseData ::= SEQUENCE { | |||
| version [0] EXPLICIT Version DEFAULT v1, | version [0] EXPLICIT Version DEFAULT v1, | |||
| responderID ResponderID, | responderID ResponderID, | |||
| producedAt GeneralizedTime, | producedAt GeneralizedTime, | |||
| responses SEQUENCE OF SingleResponse, | responses SEQUENCE OF SingleResponse, | |||
| responseExtensions [1] EXPLICIT Extensions | responseExtensions [1] EXPLICIT Extensions | |||
| {{re-ocsp-nonce, ..., | {{re-ocsp-nonce, ..., | |||
| re-ocsp-extended-revoke}} OPTIONAL } | re-ocsp-extended-revoke}} OPTIONAL } | |||
| ResponderID ::= CHOICE { | ResponderID ::= CHOICE { | |||
| byName [1] Name, | byName [1] Name, | |||
| byKey [2] KeyHash } | byKey [2] KeyHash } | |||
| KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key | KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key | |||
| -- (excluding the tag and length fields) | -- (excluding the tag and length fields) | |||
| SingleResponse ::= SEQUENCE { | SingleResponse ::= SEQUENCE { | |||
| certID CertID, | certID CertID, | |||
| certStatus CertStatus, | certStatus CertStatus, | |||
| thisUpdate GeneralizedTime, | thisUpdate GeneralizedTime, | |||
| nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, | nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, | |||
| singleExtensions [1] EXPLICIT Extensions{{re-ocsp-crl | | singleExtensions [1] EXPLICIT Extensions{{re-ocsp-crl | | |||
| re-ocsp-archive-cutoff | | re-ocsp-archive-cutoff | | |||
| CrlEntryExtensions, ...} | CrlEntryExtensions, ...} | |||
| } OPTIONAL } | } OPTIONAL } | |||
| CertStatus ::= CHOICE { | CertStatus ::= CHOICE { | |||
| good [0] IMPLICIT NULL, | good [0] IMPLICIT NULL, | |||
| revoked [1] IMPLICIT RevokedInfo, | revoked [1] IMPLICIT RevokedInfo, | |||
| unknown [2] IMPLICIT UnknownInfo } | unknown [2] IMPLICIT UnknownInfo } | |||
| RevokedInfo ::= SEQUENCE { | RevokedInfo ::= SEQUENCE { | |||
| revocationTime GeneralizedTime, | revocationTime GeneralizedTime, | |||
| revocationReason [0] EXPLICIT CRLReason OPTIONAL } | revocationReason [0] EXPLICIT CRLReason OPTIONAL } | |||
| UnknownInfo ::= NULL | UnknownInfo ::= NULL | |||
| ArchiveCutoff ::= GeneralizedTime | ArchiveCutoff ::= GeneralizedTime | |||
| AcceptableResponses ::= SEQUENCE OF RESPONSE.&id({ResponseSet}) | AcceptableResponses ::= SEQUENCE OF RESPONSE.&id({ResponseSet}) | |||
| ServiceLocator ::= SEQUENCE { | ServiceLocator ::= SEQUENCE { | |||
| issuer Name, | issuer Name, | |||
| locator AuthorityInfoAccessSyntax } | locator AuthorityInfoAccessSyntax } | |||
| CrlID ::= SEQUENCE { | CrlID ::= SEQUENCE { | |||
| crlUrl [0] EXPLICIT IA5String OPTIONAL, | crlUrl [0] EXPLICIT IA5String OPTIONAL, | |||
| crlNum [1] EXPLICIT INTEGER OPTIONAL, | crlNum [1] EXPLICIT INTEGER OPTIONAL, | |||
| crlTime [2] EXPLICIT GeneralizedTime OPTIONAL } | crlTime [2] EXPLICIT GeneralizedTime OPTIONAL } | |||
| PreferredSignatureAlgorithms ::= SEQUENCE OF PreferredSignatureAlgorithm | PreferredSignatureAlgorithms ::= SEQUENCE OF PreferredSignatureAlgorithm | |||
| PreferredSignatureAlgorithm ::= SEQUENCE { | PreferredSignatureAlgorithm ::= SEQUENCE { | |||
| sigIdentifier AlgorithmIdentifier{SIGNATURE-ALGORITHM, {...}}, | sigIdentifier AlgorithmIdentifier{SIGNATURE-ALGORITHM, {...}}, | |||
| certIdentifier AlgorithmIdentifier{PUBLIC-KEY, {...}} OPTIONAL | certIdentifier AlgorithmIdentifier{PUBLIC-KEY, {...}} OPTIONAL | |||
| } | } | |||
| -- Certificate Extensions | ||||
| ext-ocsp-nocheck EXTENSION ::= { SYNTAX NULL IDENTIFIED | ext-ocsp-nocheck EXTENSION ::= { SYNTAX NULL IDENTIFIED | |||
| BY id-pkix-ocsp-nocheck } | BY id-pkix-ocsp-nocheck } | |||
| -- Request Extensions | ||||
| re-ocsp-nonce EXTENSION ::= { SYNTAX Nonce | re-ocsp-nonce EXTENSION ::= { SYNTAX Nonce | |||
| IDENTIFIED BY id-pkix-ocsp-nonce } | IDENTIFIED BY id-pkix-ocsp-nonce } | |||
| re-ocsp-response EXTENSION ::= { SYNTAX AcceptableResponses IDENTIFIED | re-ocsp-response EXTENSION ::= { SYNTAX AcceptableResponses IDENTIFIED | |||
| BY id-pkix-ocsp-response } | BY id-pkix-ocsp-response } | |||
| re-ocsp-service-locator EXTENSION ::= { SYNTAX ServiceLocator | re-ocsp-service-locator EXTENSION ::= { SYNTAX ServiceLocator | |||
| IDENTIFIED BY | IDENTIFIED BY | |||
| id-pkix-ocsp-service-locator } | id-pkix-ocsp-service-locator } | |||
| re-ocsp-preferred-signature-algorithms EXTENSION ::= { | re-ocsp-preferred-signature-algorithms EXTENSION ::= { | |||
| SYNTAX PreferredSignatureAlgorithms | SYNTAX PreferredSignatureAlgorithms | |||
| IDENTIFIED BY id-pkix-ocsp-pref-sig-algs } | IDENTIFIED BY id-pkix-ocsp-pref-sig-algs } | |||
| -- Response Extensions | ||||
| re-ocsp-crl EXTENSION ::= { SYNTAX CrlID IDENTIFIED BY | re-ocsp-crl EXTENSION ::= { SYNTAX CrlID IDENTIFIED BY | |||
| id-pkix-ocsp-crl } | id-pkix-ocsp-crl } | |||
| re-ocsp-archive-cutoff EXTENSION ::= { SYNTAX ArchiveCutoff | re-ocsp-archive-cutoff EXTENSION ::= { SYNTAX ArchiveCutoff | |||
| IDENTIFIED BY | IDENTIFIED BY | |||
| id-pkix-ocsp-archive-cutoff } | id-pkix-ocsp-archive-cutoff } | |||
| re-ocsp-extended-revoke EXTENSION ::= { SYNTAX NULL IDENTIFIED BY | re-ocsp-extended-revoke EXTENSION ::= { SYNTAX NULL IDENTIFIED BY | |||
| id-pkix-ocsp-extended-revoke } | id-pkix-ocsp-extended-revoke } | |||
| -- Object Identifiers | ||||
| id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } | id-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-kp 9 } | |||
| id-pkix-ocsp OBJECT IDENTIFIER ::= id-ad-ocsp | id-pkix-ocsp OBJECT IDENTIFIER ::= id-ad-ocsp | |||
| id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 } | id-pkix-ocsp-basic OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 } | |||
| id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 } | id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 } | |||
| id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 } | id-pkix-ocsp-crl OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 } | |||
| id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 } | id-pkix-ocsp-response OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 } | |||
| id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 } | id-pkix-ocsp-nocheck OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 } | |||
| id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 } | id-pkix-ocsp-archive-cutoff OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 } | |||
| id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 } | id-pkix-ocsp-service-locator OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 } | |||
| id-pkix-ocsp-pref-sig-algs OBJECT IDENTIFIER ::= { id-pkix-ocsp 8 } | id-pkix-ocsp-pref-sig-algs OBJECT IDENTIFIER ::= { id-pkix-ocsp 8 } | |||
| id-pkix-ocsp-extended-revoke OBJECT IDENTIFIER ::= { id-pkix-ocsp 9 } | id-pkix-ocsp-extended-revoke OBJECT IDENTIFIER ::= { id-pkix-ocsp 9 } | |||
| END | END | |||
| Acknowledgements | ||||
| The authors of this document thank Mohit Sahni for his work to | ||||
| produce [RFC8954]. | ||||
| The authors also thank Russ Housley, Corey Bonnell, Michael StJohns, | ||||
| and Carl Wallace for their feedback and suggestions. | ||||
| Author's Address | Author's Address | |||
| Himanshu Sharma (editor) | Himanshu Sharma (editor) | |||
| Netskope Inc | Netskope Inc | |||
| 2445 Augustine Dr 3rd floor | 2445 Augustine Dr 3rd floor | |||
| Santa Clara, California 95054 | Santa Clara, California 95054 | |||
| United States of America | United States of America | |||
| Email: himanshu@netskope.com | Email: himanshu@netskope.com | |||
| URI: www.netskope.com | URI: www.netskope.com | |||
| End of changes. 115 change blocks. | ||||
| 403 lines changed or deleted | 409 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||