| rfc9919v1.txt | rfc9919.txt | |||
|---|---|---|---|---|
| skipping to change at line 12 ¶ | skipping to change at line 12 ¶ | |||
| Internet Engineering Task Force (IETF) 伊藤 忠彦 (T. Ito) | Internet Engineering Task Force (IETF) 伊藤 忠彦 (T. Ito) | |||
| Request for Comments: 9919 SECOM CO., LTD. | Request for Comments: 9919 SECOM CO., LTD. | |||
| Obsoletes: 5019 C. Wilson | Obsoletes: 5019 C. Wilson | |||
| Category: Standards Track Apple, Inc. | Category: Standards Track Apple, Inc. | |||
| ISSN: 2070-1721 C. Bonnell | ISSN: 2070-1721 C. Bonnell | |||
| DigiCert, Inc. | DigiCert, Inc. | |||
| S. Turner | S. Turner | |||
| sn3rd | sn3rd | |||
| January 2026 | January 2026 | |||
| Updates to the Lightweight Online Certificate Status Protocol (OCSP) | The Lightweight Online Certificate Status Protocol (OCSP) Profile for | |||
| Profile for High Volume Environments | High-Volume Environments | |||
| Abstract | Abstract | |||
| This specification defines a profile of the Online Certificate Status | This specification defines a profile of the Online Certificate Status | |||
| Protocol (OCSP) that addresses the scalability issues inherent when | Protocol (OCSP) that addresses the scalability issues inherent when | |||
| using OCSP in large scale (high volume) Public Key Infrastructure | using OCSP in large scale (high volume) Public Key Infrastructure | |||
| (PKI) environments and/or in PKI environments that require a | (PKI) environments and/or in PKI environments that require a | |||
| lightweight solution to minimize communication bandwidth and client- | lightweight solution to minimize communication bandwidth and client- | |||
| side processing. | side processing. | |||
| skipping to change at line 93 ¶ | skipping to change at line 93 ¶ | |||
| 8.4. Denial-of-Service Attacks | 8.4. Denial-of-Service Attacks | |||
| 8.5. Modification of HTTP Header Fields | 8.5. Modification of HTTP Header Fields | |||
| 8.6. Request Authentication and Authorization | 8.6. Request Authentication and Authorization | |||
| 8.7. Use of SHA-1 for the Calculation of CertID Field Values | 8.7. Use of SHA-1 for the Calculation of CertID Field Values | |||
| 9. IANA Considerations | 9. IANA Considerations | |||
| 10. References | 10. References | |||
| 10.1. Normative References | 10.1. Normative References | |||
| 10.2. Informative References | 10.2. Informative References | |||
| Appendix A. Differences from RFC 5019 | Appendix A. Differences from RFC 5019 | |||
| Appendix B. Examples | Appendix B. Examples | |||
| B.1. Root Certification Authority Certificate | B.1. Root CA Certificate | |||
| B.2. End-Entity Certificate | B.2. End-Entity Certificate | |||
| B.3. OCSP Responder Certificate | B.3. OCSP Responder Certificate | |||
| B.4. OCSP Request | B.4. OCSP Request | |||
| B.5. OCSP Response | B.5. OCSP Response | |||
| Acknowledgments | Acknowledgments | |||
| Authors' Addresses | Authors' Addresses | |||
| 1. Introduction | 1. Introduction | |||
| The Online Certificate Status Protocol [RFC6960] specifies a | The Online Certificate Status Protocol [RFC6960] specifies a | |||
| skipping to change at line 340 ¶ | skipping to change at line 340 ¶ | |||
| Clients MUST validate the signature on the OCSPResponse. | Clients MUST validate the signature on the OCSPResponse. | |||
| If the response is signed by a delegate of the issuing certification | If the response is signed by a delegate of the issuing certification | |||
| authority (CA), a valid responder certificate MUST be referenced in | authority (CA), a valid responder certificate MUST be referenced in | |||
| the BasicOCSPResponse.certs structure. | the BasicOCSPResponse.certs structure. | |||
| It is RECOMMENDED that the OCSP responder's certificate contain the | It is RECOMMENDED that the OCSP responder's certificate contain the | |||
| id-pkix-ocsp-nocheck extension, as defined in [RFC6960], to indicate | id-pkix-ocsp-nocheck extension, as defined in [RFC6960], to indicate | |||
| to the client that it need not check the certificate's status. In | to the client that it need not check the certificate's status. In | |||
| addition, it is RECOMMENDED that neither an OCSP authorityInfoAccess | addition, it is RECOMMENDED that neither an OCSP Authority | |||
| (AIA) extension nor cRLDistributionPoints (CRLDP) extension be | Information Access (AIA) extension nor CRL Distribution Points | |||
| included in the OCSP responder's certificate. Accordingly, the | (CRLDP) extension be included in the OCSP responder's certificate. | |||
| responder's signing certificate SHOULD be relatively short-lived and | Accordingly, the responder's signing certificate SHOULD be relatively | |||
| renewed regularly. | short-lived and renewed regularly. | |||
| Clients MUST be able to identify OCSP responder certificates using | Clients MUST be able to identify OCSP responder certificates using | |||
| the byKey field and SHOULD be able to identify OCSP responder | the byKey field and SHOULD be able to identify OCSP responder | |||
| certificates using the byName field of the ResponseData.ResponderID | certificates using the byName field of the ResponseData.ResponderID | |||
| [RFC6960] choices. | [RFC6960] choices. | |||
| Older responders that provide backward compatibility with [RFC5019] | Older responders that provide backward compatibility with the | |||
| MAY use the byName field to represent the ResponderID but should | protocol defined in [RFC5019] MAY use the byName field to represent | |||
| transition to using the byKey field as soon as practical. | the ResponderID but should transition to using the byKey field as | |||
| soon as practical. | ||||
| Newer responders that conform to this profile MUST use the byKey | Newer responders that conform to this profile MUST use the byKey | |||
| field to represent the ResponderID to reduce the size of the | field to represent the ResponderID to reduce the size of the | |||
| response. | response. | |||
| 3.2.3. OCSPResponseStatus Values | 3.2.3. OCSPResponseStatus Values | |||
| As long as the OCSP infrastructure has authoritative records for a | As long as the OCSP infrastructure has authoritative records for a | |||
| particular certificate, an OCSPResponseStatus of "successful" will be | particular certificate, an OCSPResponseStatus of "successful" will be | |||
| returned. When access to authoritative records for a particular | returned. When access to authoritative records for a particular | |||
| skipping to change at line 417 ¶ | skipping to change at line 418 ¶ | |||
| For the purposes of this profile, ASN.1-encoded GeneralizedTime | For the purposes of this profile, ASN.1-encoded GeneralizedTime | |||
| values, such as thisUpdate, nextUpdate, and producedAt, MUST be | values, such as thisUpdate, nextUpdate, and producedAt, MUST be | |||
| expressed Greenwich Mean Time (Zulu) and MUST include seconds (i.e., | expressed Greenwich Mean Time (Zulu) and MUST include seconds (i.e., | |||
| times are YYYYMMDDHHMMSSZ), even where the number of seconds is zero. | times are YYYYMMDDHHMMSSZ), even where the number of seconds is zero. | |||
| GeneralizedTime values MUST NOT include fractional seconds. | GeneralizedTime values MUST NOT include fractional seconds. | |||
| 4. Client Behavior | 4. Client Behavior | |||
| 4.1. OCSP Responder Discovery | 4.1. OCSP Responder Discovery | |||
| Clients MUST support the authorityInfoAccess extension as defined in | Clients MUST support the AIA extension as defined in [RFC5280] and | |||
| [RFC5280] and MUST recognize the id-ad-ocsp access method. This | MUST recognize the id-ad-ocsp access method. This enables CAs to | |||
| enables CAs to inform clients how they can contact the OCSP service. | inform clients how they can contact the OCSP service. | |||
| In the case where a client is checking the status of a certificate | In the case where a client is checking the status of a certificate | |||
| that contains both an authorityInformationAccess (AIA) extension | that contains both an AIA extension pointing to an OCSP responder and | |||
| pointing to an OCSP responder and a cRLDistributionPoints extension | a CRLDP extension pointing to a CRL, the client SHOULD attempt to | |||
| pointing to a CRL, the client SHOULD attempt to contact the OCSP | contact the OCSP responder first. Clients MAY attempt to retrieve | |||
| responder first. Clients MAY attempt to retrieve the CRL if no | the CRL if no OCSPResponse is received from the responder after a | |||
| OCSPResponse is received from the responder after a locally | locally configured timeout and number of retries. | |||
| configured timeout and number of retries. | ||||
| 4.2. Sending an OCSP Request | 4.2. Sending an OCSP Request | |||
| To avoid needless network traffic, applications MUST verify the | To avoid needless network traffic, applications MUST verify the | |||
| signature of signed data before asking an OCSP client to check the | signature of signed data before asking an OCSP client to check the | |||
| status of certificates used to verify the data. If the signature is | status of certificates used to verify the data. If the signature is | |||
| invalid or the application is not able to verify it, an OCSP check | invalid or the application is not able to verify it, an OCSP check | |||
| MUST NOT be requested. | MUST NOT be requested. | |||
| Similarly, an application MUST validate the signature on certificates | Similarly, an application MUST validate the signature on certificates | |||
| skipping to change at line 488 ¶ | skipping to change at line 488 ¶ | |||
| and caches. This tolerance period should be chosen based on the | and caches. This tolerance period should be chosen based on the | |||
| accuracy and precision of time synchronization technology available | accuracy and precision of time synchronization technology available | |||
| to the calling application environment. For example, Internet peers | to the calling application environment. For example, Internet peers | |||
| with low latency connections typically expect NTP time | with low latency connections typically expect NTP time | |||
| synchronization to keep them accurate within parts of a second; | synchronization to keep them accurate within parts of a second; | |||
| higher latency environments or where an NTP analogue is not available | higher latency environments or where an NTP analogue is not available | |||
| may have to be more liberal in their tolerance (e.g., allow one day | may have to be more liberal in their tolerance (e.g., allow one day | |||
| difference). | difference). | |||
| See the security considerations in Section 8 for additional details | See the security considerations in Section 8 for additional details | |||
| on replay and man-in-the-middle attacks. | on replay and on-path attacks. | |||
| 6. Transport Profile | 6. Transport Profile | |||
| OCSP clients can send HTTP-based OCSP requests using either the GET | OCSP clients can send HTTP-based OCSP requests using either the GET | |||
| or POST method. The OCSP responder MUST support requests and | or POST method. The OCSP responder MUST support requests and | |||
| responses over HTTP. When sending requests that are less than or | responses over HTTP. When sending requests that are less than or | |||
| equal to 255 bytes in total (after encoding) including the scheme and | equal to 255 bytes in total (after encoding), including the scheme | |||
| delimiters (http://), server name and base64-encoded OCSPRequest | and delimiters (http://), server name, and base64-encoded OCSPRequest | |||
| structure, clients MUST use the GET method (to enable OCSP response | structure, clients MUST use the GET method (to enable OCSP response | |||
| caching). OCSP requests larger than 255 bytes SHOULD be submitted | caching). OCSP requests larger than 255 bytes SHOULD be submitted | |||
| using the POST method. In all cases, clients MUST follow the | using the POST method. In all cases, clients MUST follow the | |||
| descriptions in Appendix A.1 of [RFC6960] when constructing these | descriptions in Appendix A.1 of [RFC6960] when constructing these | |||
| messages. | messages. | |||
| When constructing a GET message, OCSP clients MUST base64-encode the | When constructing a GET message, OCSP clients MUST base64-encode the | |||
| OCSPRequest structure according to Section 4 of [RFC4648]. Clients | OCSPRequest structure according to Section 4 of [RFC4648]. Clients | |||
| MUST NOT include whitespace or any other characters that are not part | MUST NOT include whitespace or any other characters that are not part | |||
| of the base64 character repertoire in the base64-encoded string. | of the base64 character repertoire in the base64-encoded string. | |||
| skipping to change at line 619 ¶ | skipping to change at line 619 ¶ | |||
| in authoritative OCSP responses. | in authoritative OCSP responses. | |||
| OCSP responders SHOULD include one or more of these HTTP header | OCSP responders SHOULD include one or more of these HTTP header | |||
| fields in non-authoritative OCSP responses. | fields in non-authoritative OCSP responses. | |||
| For example, assume that an OCSP response has the following timestamp | For example, assume that an OCSP response has the following timestamp | |||
| values: | values: | |||
| thisUpdate = March 19, 2023 01:00:00 GMT | thisUpdate = March 19, 2023 01:00:00 GMT | |||
| nextUpdate = March 21, 2023 01:00:00 GMT | nextUpdate = March 21, 2023 01:00:00 GMT | |||
| productedAt = March 19, 2023 01:00:00 GMT | producedAt = March 19, 2023 01:00:00 GMT | |||
| and that an OCSP client requests the response on March 20, 2023 | and that an OCSP client requests the response on March 20, 2023 | |||
| 01:00:00 GMT. In this scenario, the HTTP response may look like | 01:00:00 GMT. In this scenario, the HTTP response may look like | |||
| this: | this: | |||
| Content-Type: application/ocsp-response | Content-Type: application/ocsp-response | |||
| Content-Length: 1000 | Content-Length: 1000 | |||
| Date: Mon, 20 Mar 2023 01:00:00 GMT | Date: Mon, 20 Mar 2023 01:00:00 GMT | |||
| Last-Modified: Sun, 19 Mar 2023 01:00:00 GMT | Last-Modified: Sun, 19 Mar 2023 01:00:00 GMT | |||
| ETag: "97df3588b5a3f24babc3851b372f0ba7 | ETag: "97df3588b5a3f24babc3851b372f0ba7 | |||
| skipping to change at line 665 ¶ | skipping to change at line 665 ¶ | |||
| to establish a new HTTP session with the OCSP responder. | to establish a new HTTP session with the OCSP responder. | |||
| Third, it reduces the number of round trips the client needs to make | Third, it reduces the number of round trips the client needs to make | |||
| in order to complete a handshake. | in order to complete a handshake. | |||
| Fourth, it simplifies the client-side OCSP implementation by enabling | Fourth, it simplifies the client-side OCSP implementation by enabling | |||
| a situation where the client need only the ability to parse and | a situation where the client need only the ability to parse and | |||
| recognize OCSP responses. | recognize OCSP responses. | |||
| This functionality has been specified as an extension to the TLS | This functionality has been specified as an extension to the TLS | |||
| protocol [RFC9846] in Section 4.4.2 of [RFC9846] but can be applied | protocol in Section 4.4.2 of [RFC9846] but can be applied to any | |||
| to any client-server protocol. | client-server protocol. | |||
| It is RECOMMENDED by this profile that both TLS clients and servers | It is RECOMMENDED by this profile that both TLS clients and servers | |||
| implement the certificate status request extension mechanism for TLS. | implement the certificate status request extension mechanism for TLS. | |||
| Further information regarding caching issues can be obtained from | Further information regarding caching issues can be obtained from | |||
| [RFC3143]. | [RFC3143]. | |||
| 8. Security Considerations | 8. Security Considerations | |||
| The following considerations apply in addition to the security | The following considerations apply in addition to the security | |||
| skipping to change at line 695 ¶ | skipping to change at line 695 ¶ | |||
| order to mitigate this attack, clients MUST have access to an | order to mitigate this attack, clients MUST have access to an | |||
| accurate source of time and ensure that the OCSP responses they | accurate source of time and ensure that the OCSP responses they | |||
| receive are sufficiently fresh. | receive are sufficiently fresh. | |||
| Clients that do not have an accurate source of date and time are | Clients that do not have an accurate source of date and time are | |||
| vulnerable to service disruption. For example, a client with a | vulnerable to service disruption. For example, a client with a | |||
| sufficiently fast clock may reject a fresh OCSP response. Similarly, | sufficiently fast clock may reject a fresh OCSP response. Similarly, | |||
| a client with a sufficiently slow clock may incorrectly accept | a client with a sufficiently slow clock may incorrectly accept | |||
| expired valid responses for certificates that may in fact be revoked. | expired valid responses for certificates that may in fact be revoked. | |||
| Future versions of the OCSP protocol may provide a way for the client | Future versions of OCSP may provide a way for the client to know | |||
| to know whether the responder supports nonces or does not support | whether the responder supports nonces or does not support nonces. If | |||
| nonces. If a client can determine that the responder supports | a client can determine that the responder supports nonces, it MUST | |||
| nonces, it MUST reject a reply that does not contain an expected | reject a reply that does not contain an expected nonce. Otherwise, | |||
| nonce. Otherwise, clients that opt to include a nonce in the request | clients that opt to include a nonce in the request SHOULD NOT reject | |||
| SHOULD NOT reject a corresponding OCSPResponse solely on the basis of | a corresponding OCSPResponse solely on the basis of the nonexistent | |||
| the nonexistent expected nonce but MUST fall back to validating the | expected nonce but MUST fall back to validating the OCSPResponse | |||
| OCSPResponse based on time. | based on time. | |||
| 8.2. Man-in-the-Middle Attacks | 8.2. Man-in-the-Middle Attacks | |||
| To mitigate risk associated with this class of attack, the client | To mitigate risk associated with this class of attack, the client | |||
| MUST properly validate the signature on the response. | MUST properly validate the signature on the response. | |||
| The use of signed responses in OCSP serves to authenticate the | The use of signed responses in OCSP serves to authenticate the | |||
| identity of the OCSP responder and to verify that it is authorized to | identity of the OCSP responder and to verify that it is authorized to | |||
| sign responses on the CA's behalf. | sign responses on the CA's behalf. | |||
| skipping to change at line 875 ¶ | skipping to change at line 875 ¶ | |||
| * Section 3.2.2 requires new OCSP responders to use the byKey field | * Section 3.2.2 requires new OCSP responders to use the byKey field | |||
| and support migration from byName fields. | and support migration from byName fields. | |||
| * Section 6 clarifies that OCSP clients MUST NOT include whitespace | * Section 6 clarifies that OCSP clients MUST NOT include whitespace | |||
| or any other characters that are not part of the base64 character | or any other characters that are not part of the base64 character | |||
| repertoire in the base64-encoded string. | repertoire in the base64-encoded string. | |||
| Appendix B. Examples | Appendix B. Examples | |||
| B.1. Root Certification Authority Certificate | B.1. Root CA Certificate | |||
| This is a self-signed certificate for the certification authority | This is a self-signed certificate for the CA that issued the end- | |||
| that issued the end-entity certificate and OCSP-delegated responder | entity certificate and OCSP-delegated responder example certificates | |||
| example certificates below. | below. | |||
| The key pair for the certification authority is the "testECCP521" key | The key pair for the CA is the "testECCP521" key from Section 2.3 of | |||
| from Section 2.3 of [RFC9500]. | [RFC9500]. | |||
| -----BEGIN CERTIFICATE----- | -----BEGIN CERTIFICATE----- | |||
| MIICKDCCAYqgAwIBAgIBATAKBggqhkjOPQQDBDA4MQswCQYDVQQGEwJYWDEUMBIG | MIICKDCCAYqgAwIBAgIBATAKBggqhkjOPQQDBDA4MQswCQYDVQQGEwJYWDEUMBIG | |||
| A1UECgwLQ2VydHMgJ3IgVXMxEzARBgNVBAMMCklzc3VpbmcgQ0EwHhcNMjQwNDAy | A1UECgwLQ2VydHMgJ3IgVXMxEzARBgNVBAMMCklzc3VpbmcgQ0EwHhcNMjQwNDAy | |||
| MTIzNzQ3WhcNMjUwNDAyMTIzNzQ3WjA4MQswCQYDVQQGEwJYWDEUMBIGA1UECgwL | MTIzNzQ3WhcNMjUwNDAyMTIzNzQ3WjA4MQswCQYDVQQGEwJYWDEUMBIGA1UECgwL | |||
| Q2VydHMgJ3IgVXMxEzARBgNVBAMMCklzc3VpbmcgQ0EwgZswEAYHKoZIzj0CAQYF | Q2VydHMgJ3IgVXMxEzARBgNVBAMMCklzc3VpbmcgQ0EwgZswEAYHKoZIzj0CAQYF | |||
| K4EEACMDgYYABAHQ/XJXqEx0f1YldcBzhdvr8vUr6lgIPbgv3RUx2KrjzIdf8C/3 | K4EEACMDgYYABAHQ/XJXqEx0f1YldcBzhdvr8vUr6lgIPbgv3RUx2KrjzIdf8C/3 | |||
| +i2iYNjrYtbS9dZJJ44yFzagYoy7swMItuYY2wD2KtIExkYDWbyBiriWG/Dw/A7F | +i2iYNjrYtbS9dZJJ44yFzagYoy7swMItuYY2wD2KtIExkYDWbyBiriWG/Dw/A7F | |||
| quikKBc85W8A3psVfB5cgsZPVi/K3vxKTCj200LPPvYW/ILTO3KFySHyvzb92KNC | quikKBc85W8A3psVfB5cgsZPVi/K3vxKTCj200LPPvYW/ILTO3KFySHyvzb92KNC | |||
| MEAwHQYDVR0OBBYEFI7CFAlgduqQOOk5rhttUsQXfZ++MA8GA1UdEwEB/wQFMAMB | MEAwHQYDVR0OBBYEFI7CFAlgduqQOOk5rhttUsQXfZ++MA8GA1UdEwEB/wQFMAMB | |||
| skipping to change at line 1586 ¶ | skipping to change at line 1586 ¶ | |||
| : } | : } | |||
| : } | : } | |||
| : } | : } | |||
| : } | : } | |||
| : } | : } | |||
| Acknowledgments | Acknowledgments | |||
| The authors of this version of the document wish to thank Alex Deacon | The authors of this version of the document wish to thank Alex Deacon | |||
| and Ryan Hurst for their work to produce the original version of the | and Ryan Hurst for their work to produce the original version of the | |||
| lightweight profile for the OCSP protocol. | lightweight profile for OCSP. | |||
| The authors of this version of the document wish to thank Paul | The authors of this version of the document wish to thank Paul | |||
| Kyzivat, Russ Housley, Rob Stradling, Roman Danyliw, and Wendy Brown | Kyzivat, Russ Housley, Rob Stradling, Roman Danyliw, and Wendy Brown | |||
| for their reviews, feedback, and suggestions. | for their reviews, feedback, and suggestions. | |||
| The authors wish to thank Magnus Nystrom of RSA Security, Inc., | The authors wish to thank Magnus Nystrom of RSA Security, Inc., | |||
| Jagjeet Sondh of Vodafone Group R&D, and David Engberg of CoreStreet, | Jagjeet Sondh of Vodafone Group R&D, and David Engberg of CoreStreet, | |||
| Ltd. for their contributions to the original [RFC5019] specification. | Ltd. for their contributions to the original [RFC5019] specification. | |||
| Listed organizational affiliations reflect the authors' affiliations | Listed organizational affiliations reflect the authors' affiliations | |||
| at the time RFC 5019 was published. | at the time RFC 5019 was published. | |||
| End of changes. 15 change blocks. | ||||
| 41 lines changed or deleted | 41 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||