[DNSOP] New I-D for OCSP over DNS

"Dr. Pala" <director@openca.org> Fri, 27 October 2017 21:10 UTC


Hello all,

As suggested by some people from other WGs, I just wanted to cross-post 
this message here, since the proposal relies heavily on DNS and can be 
leveraged in many different environments (e.g., server and client 
(browser) authentication, document validation, IoT identities, etc.), 
and we would like to receive feedback from anybody who might be 
interested in the topic.

*Context.* We are currently working on specifying how to use DNS as a 
transport protocol for revocation information for digital certificates. 
In particular, we are working on how to leverage the distributed nature 
of DNS to efficiently (and possibly at lower operational cost) 
distribute OCSP (Online Certificate Status Protocol) responses to 

*Current Status.* We started this work some time ago but never really had 
the time to finish it. Now it seems we can focus more on the topic and 
would like to discuss this work in a more public venue. We have recently 
merged the two competing I-Ds we submitted some time ago into the latest 
reference I-D, which is available here:


Please feel free to contact us for any help (you might require or you 
might provide), feedback, etc.


Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director