Re: [pkix] Client-side OCSP stapling? Re: Proposal for working on PKIX revocation open issues
Massimiliano Pala <massimiliano.pala@gmail.com> Sat, 15 November 2014 08:42 UTC
From: Massimiliano Pala <massimiliano.pala@gmail.com>
In-Reply-To: <5466E08E.70103@gmail.com>
Date: Sat, 15 Nov 2014 00:42:05 -0800
Message-Id: <A674E880-6D09-46F8-B38F-BFCC4B9D1AD1@gmail.com>
References: <5466AF87.2050307@gmail.com> <5466E08E.70103@gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/5Y1o8po5z-HBFcWB5BLSi-s-wWY
Cc: "pkix@ietf.org" <pkix@ietf.org>, therightkey@ietf.org
Subject: Re: [pkix] Client-side OCSP stapling? Re: Proposal for working on PKIX revocation open issues
Thanks Anders! Do you have any contacts for people working at that project? We might want to reach out to them as possible implementors and maybe start a conversation with them about possible requirements? And eventually let them know about the progress we might accomplish in the area.

Cheers,
Max

P.S.: Since Stephen and Kathleen asked me to have the conversation on The Right Key mailing list (therightkey@ietf.org), please could you send the replies only there? We should not use both therightkey and the pkix MLs :-)

> On Nov 14, 2014, at 9:11 PM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>
> Since you want to do something in revocation I would like to
> describe an existing potentially global PKI-using system that
> maybe could be improved.
>
> The EU e-passport system needs for cross-border checking of biometrics
> a pretty elaborate PKI scheme which among many things requires
> the parties to expose two public ports on the Internet; one for
> the actual communication using HTTPS[1] and another for publishing
> CRLs using HTTP. This isn't rocket-science but it still requires
> multiple FW settings and proxies. If OCSP responses could be
> stapled (TLS client cert auth is used), relying parties would only
> have to open a single inbound port. Cross-border reliability would
> probably also be improved since the client (sender) wouldn't be able
> to submit any data unless its OCSP is running (the PKIs are unique
> per country).
>
> TLS 1.3 and 2.0 are in the workings so the timing is right...
>
> Anders
>
> [1] I might add that I believe HTTPS with client certificate auth
> is a very poor choice for cross-border communication when each party
> runs their own PKI. Signed messages permit a multi-tier architecture
> and quarantining of not yet trusted messages, greatly simplifying
> operation. BSI are experts on crypto, but n00bs on IT :-)
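The following is an added example, not code from either poster, of the checks a relying party would need to perform on an OCSP response stapled by the TLS client in the scheme Anders describes (client certificate issued by a per-country CA, status attested by that country's responder, no inbound CRL port on the receiving side). It assumes the third-party `cryptography` package; the CA, client certificate and OCSP response are all generated inside the script (constructed), so it runs offline. It simplifies one point: the response is signed by the issuing CA directly, whereas a production responder would usually be a delegated responder certificate that must itself be validated.

```python
"""Added example: verifying a client-stapled OCSP response as a relying party.
Assumes the `cryptography` package is installed; all certificates and the
OCSP response are constructed here, so nothing is fetched from the network."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

# Naive UTC datetime, the form cryptography's builders and accessors use.
NOW = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca(cn="Example Country CA"):
    """Self-signed CA standing in for one country's PKI (constructed)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(cn)).issuer_name(_name(cn))
        .public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(NOW - datetime.timedelta(days=1))
        .not_valid_after(NOW + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_client_cert(ca_key, ca_cert, cn="sender.example"):
    """TLS client certificate issued by the CA (constructed, hypothetical name)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(cn)).issuer_name(ca_cert.subject)
        .public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(NOW - datetime.timedelta(days=1))
        .not_valid_after(NOW + datetime.timedelta(days=30))
        .sign(ca_key, hashes.SHA256())
    )
    return key, cert


def build_staple(ca_key, ca_cert, client_cert, revoked=False, age_hours=0):
    """DER OCSP response the client would obtain from its own responder and
    staple into the handshake. age_hours > 24 yields an expired response."""
    this_update = NOW - datetime.timedelta(hours=age_hours)
    status = ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD
    builder = (
        ocsp.OCSPResponseBuilder()
        .add_response(
            cert=client_cert, issuer=ca_cert, algorithm=hashes.SHA1(),
            cert_status=status, this_update=this_update,
            next_update=this_update + datetime.timedelta(hours=24),
            revocation_time=this_update if revoked else None,
            revocation_reason=None,
        )
        .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
    )
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def check_staple(der, client_cert, ca_cert, now=None):
    """Relying-party checks on a stapled response. Returns (ok, reason)."""
    now = now or NOW
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False, "responder error"
    # The staple must speak about this certificate, not some other serial.
    if resp.serial_number != client_cert.serial_number:
        return False, "serial mismatch"
    # Signature from the issuing CA: this replaces fetching the CA's CRL.
    try:
        ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                    padding.PKCS1v15(), resp.signature_hash_algorithm)
    except InvalidSignature:
        return False, "bad signature"
    # Freshness window: reject responses from the future or past nextUpdate.
    if resp.this_update > now + datetime.timedelta(minutes=5):
        return False, "response from the future"
    if resp.next_update is not None and resp.next_update < now:
        return False, "stale response"
    if resp.certificate_status != ocsp.OCSPCertStatus.GOOD:
        return False, "certificate not good: " + resp.certificate_status.name
    return True, "good"


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    _, client = make_client_cert(ca_key, ca_cert)
    print(check_staple(build_staple(ca_key, ca_cert, client), client, ca_cert))
    print(check_staple(build_staple(ca_key, ca_cert, client, age_hours=48), client, ca_cert))
```

The order of the checks matters: the serial and signature checks come before any freshness or status decision, so a response for a different certificate or from the wrong PKI is rejected without its contents being trusted at all. The stale-response case is the operational point behind Anders' remark that a sender cannot submit data unless its own OCSP responder is running: a receiver with no CRL fallback has to fail closed when the staple is missing or expired.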