
Support returning "revoked" for unknown certificates in line with RFC6960

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 6.0.2
    • Component/s: None
    • Labels: None

      Description

      Currently, when a certificate does not exist in the database and the URL matches ocsp.nonexistingisbad (i.e. when nonexisting is not good), the responder replies "unknown".

      To force clients to reject such certificates, RFC6960 allows (MAY) responders to return "revoked" instead.

      We probably need yet another configuration option:

      ocsp.nonexistingisunknown

      Default (taking into account all options) should be to:

      • return "ok" if the certificate exists in the database and is not revoked
      • return "revoked" if the certificate exists in the database and is revoked
      • return "unknown" if the certificate does not exist in the database

      It should be possible to configure:

      • return "ok" if the certificate exists in the database and is not revoked
      • return "revoked" if the certificate exists in the database and is revoked
      • return "ok" if the certificate does not exist in the database

      It should be possible to configure:

      • return "ok" if the certificate exists in the database and is not revoked
      • return "revoked" if the certificate exists in the database and is revoked
      • return "revoked" if the certificate does not exist in the database

      In the last case the transaction/audit log entry must still show that the certificate did not exist in the database. This is needed so that the OCSP responder can be monitored for queries for unknown certificates, as this can indicate rogue issuance.

      This issue should also add the OCSP response extension described below (RFC6960 section 4.4.8) whenever "revoked" is returned for an unknown certificate.

      ----- RFC6960
      4.4.8. Extended Revoked Definition

      This extension indicates that the responder supports the extended
      definition of the "revoked" status to also include non-issued
      certificates according to Section 2.2. One of its main purposes is
      to allow audits to determine the responder's type of operation.
      Clients do not have to parse this extension in order to determine the
      status of certificates in responses.

      This extension MUST be included in the OCSP response when that
      response contains a "revoked" status for a non-issued certificate.
      This extension MAY be present in other responses to signal that the
      responder implements the extended revoked definition. When included,
      this extension MUST be placed in responseExtensions, and it MUST NOT
      appear in singleExtensions.
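The three status tables and the audit requirement above, as an added illustrative example (not EJBCA's own code): the `NonExistingPolicy` enum stands in for the ocsp.nonexisting* properties and the function names are assumptions; the extension OID is the one RFC 6960 section 4.4.8 assigns to id-pkix-ocsp-extended-revoke.

```python
from dataclasses import dataclass, field
from enum import Enum

# OID that RFC 6960 section 4.4.8 assigns to id-pkix-ocsp-extended-revoke ({id-pkix-ocsp 9}).
EXTENDED_REVOKE_OID = "1.3.6.1.5.5.7.48.1.9"


class CertStatus(Enum):
    GOOD = "good"          # the issue text writes this status as "ok"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


class NonExistingPolicy(Enum):
    """Assumed enum standing in for ocsp.nonexistingisunknown / isgood / isbad."""
    UNKNOWN = "unknown"    # proposed default
    GOOD = "good"
    REVOKED = "revoked"


@dataclass
class OcspResponse:
    status: CertStatus
    response_extensions: list = field(default_factory=list)  # never singleExtensions
    audit: dict = field(default_factory=dict)


def respond(database: dict, serial: int, policy: NonExistingPolicy) -> OcspResponse:
    """Pick the status for one serial; `database` maps serial -> is_revoked (constructed)."""
    if serial in database:
        status = CertStatus.REVOKED if database[serial] else CertStatus.GOOD
        return OcspResponse(status, audit={"serial": serial, "in_database": True})
    # Not in the database: the audit record says so whatever goes on the wire,
    # so queries for unknown serials stay visible to monitoring.
    audit = {"serial": serial, "in_database": False}
    if policy is NonExistingPolicy.REVOKED:
        # RFC 6960 4.4.8: the extension MUST accompany "revoked" for a
        # non-issued certificate, and it belongs in responseExtensions.
        return OcspResponse(CertStatus.REVOKED, [EXTENDED_REVOKE_OID], audit)
    if policy is NonExistingPolicy.GOOD:
        return OcspResponse(CertStatus.GOOD, audit=audit)
    return OcspResponse(CertStatus.UNKNOWN, audit=audit)


def unknown_serials(audit_log: list) -> list:
    """Monitoring view: serials that were queried but not found in the database."""
    return [entry["serial"] for entry in audit_log if not entry["in_database"]]
```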


      People

      • Assignee: Aveen Ismail
      • Reporter: Tomas Gustavsson
      • Verified by: Tomas Gustavsson