Re: [pkix] [therightkey] Proposal for working on PKIX revocation open issues
Ben Laurie <benl@google.com> Mon, 17 November 2014 15:52 UTC
References: <5466AF87.2050307@gmail.com>
From: Ben Laurie <benl@google.com>
Date: Mon, 17 Nov 2014 15:52:48 +0000
Message-ID: <CABrd9SQkXK99ski74A8EyqHDptBsVs_aN6117Br8NyuPhYAa_Q@mail.gmail.com>
To: "Dr. Massimiliano Pala" <massimiliano.pala@gmail.com>, therightkey@ietf.org, "pkix@ietf.org" <pkix@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/0h49AVnF-J9BJtaQ_y1MTzPrVVE
On Sat Nov 15 2014 at 1:42:31 AM Dr. Massimiliano Pala <massimiliano.pala@gmail.com> wrote:

> Dear PKIX Enthusiasts,
>
> Although great work has been done in the past... 20 years.. (?) on providing very good protocols in the PKIX work, I think that we all agree that we still have some unresolved issues. In particular, revocation is still a hot topic (especially for online environments) and could use improvement over the current status of things. In particular, by looking at current specifications, some work is needed to address concerns especially in non-web environments.
>
> For example, current specifications about OCSP stapling do not address the case of client authentication (which is a widespread use case outside the web environment) or, again, defining some new transport protocols for delivering OCSP responses which might reduce operational costs for revocation service providers.
>
> After proposing the idea to Stephen Farrell and Kathleen Moriarty, we would like to know if there might be interest in participating in updating the status of the current revocation mechanisms for PKIX. This said, the scope of the work I am proposing is very limited. Specifically:
>
> (a) Defining new transport protocols for revocation information availability (e.g., OCSP over DNS or OCSP over LDAP)
> (b) (Possibly) defining a more lightweight revocation mechanism (e.g., Lightweight Revocation Tokens)
> (c) (Possibly) helping other working groups to revise and update how revocation information is provided (e.g., the client authentication case)
> (d) (Possibly) introducing privacy considerations when it comes to revocation checking

FWIW, we (Google) are interested in doing the same thing for revocation that CT does for certs - i.e. providing a verifiable log/map of revocation status. Not sure if that fits into your remit above (on the face of it, it does not).

> Because of these considerations, I am proposing to start a conversation - for now, Stephen and Kathleen suggested we use (or "abuse") the "The Right Key" mailing list to see if there might be enough interest in the work from implementers to address these issues. I know that we (OpenCA) are interested in implementing these features, and we would like that the work would be standardized.
>
> At minimal, I would like (a) to happen. This could be achieved in 6 months (and we might not even need to meet). (b) and (c) are also desirable in order to provide better support for non-browsers and small devices (AFAIK, some work might be relevant for DICE). (d) is something that we should, I think, all be mindful of, and at least some considerations should be provided. The scope of the work, however, will be limited to revocation.
>
> Please, if you are interested and would like to start the discussion, post your opinion on therightkey@ietf.org - also, please, circulate this proposal to anybody who might be interested in collaborating on this issue.
>
> Please also note that we did decide not to use the pkix@ietf.org mailing list because we thought therightkey@ietf.org might provide a more active pool of implementors.
>
> Looking forward to receiving all your inputs and starting work on the topics.
>
> Cheers,
> Max