Re: [pkix] Clarification on OCSP with nonce
"Dr. Pala" <madwolf@openca.org> Mon, 19 March 2018 16:50 UTC
Return-Path: <madwolf@openca.org>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF13F12D7EC for <pkix@ietfa.amsl.com>; Mon, 19 Mar 2018 09:50:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level:
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_HK_NAME_DR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rvg52zpGtm2n for <pkix@ietfa.amsl.com>; Mon, 19 Mar 2018 09:50:04 -0700 (PDT)
Received: from mail.katezarealty.com (mail.katezarealty.com [104.168.158.213]) by ietfa.amsl.com (Postfix) with ESMTP id 2B299126CB6 for <pkix@ietf.org>; Mon, 19 Mar 2018 09:50:04 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by mail.katezarealty.com (Postfix) with ESMTP id EF1423741012 for <pkix@ietf.org>; Mon, 19 Mar 2018 16:50:03 +0000 (UTC)
X-Virus-Scanned: amavisd-new at katezarealty.com
Received: from mail.katezarealty.com ([127.0.0.1]) by localhost (mail.katezarealty.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id IT81dCHOaeUI for <pkix@ietf.org>; Mon, 19 Mar 2018 12:49:59 -0400 (EDT)
Received: from dhcp-98fb.meeting.ietf.org (dhcp-98fb.meeting.ietf.org [31.133.152.251]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.katezarealty.com (Postfix) with ESMTPSA id BB1BE3740FF5 for <pkix@ietf.org>; Mon, 19 Mar 2018 12:49:58 -0400 (EDT)
To: pkix@ietf.org
References: <SG2PR03MB1421D2648D78F83D159828999DD30@SG2PR03MB1421.apcprd03.prod.outlook.com>
From: "Dr. Pala" <madwolf@openca.org>
Message-ID: <63073250-9f7e-f926-7b25-8660f9fb2794@openca.org>
Date: Mon, 19 Mar 2018 16:49:56 +0000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <SG2PR03MB1421D2648D78F83D159828999DD30@SG2PR03MB1421.apcprd03.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------91B29CCCE67F0FC4F15ADE06"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/91Tr5MMVFkknFLXy5srsxDlsTt0>
Subject: Re: [pkix] Clarification on OCSP with nonce
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Mar 2018 16:50:07 -0000
Hi Koichi, unfortunately the current status of OCSP responders is not the greatest - for most CAs in the "browsers" ecosystem, responses are pre-calculated and delivered via CDNs. Thus, the NONCE can not be added to responses. We are currently working with different partners (some public CAs and other entities) on proposing an updated version the OCSP specs (think of it as OCSPv2) that address the current limitations of the protocol (we need this in many ecosystems where millions of devices are deployed) by lowering the number of signatures required from an OCSP responder - this would also help in producing shorter-lived responses thus increasing the security of the system (e.g., instead of the validity being 3 to 7 days, responses can have few hours to 1 day validity periods). Since there is no venue at the IETF to propose this work, we are currently working with other standardization groups that are willing to address this issue :D In case you are interested in participating, please let me know, we are very open to collaboration :D Cheers, Max On 3/12/18 10:06 AM, Koichi Sugimoto wrote: > > Hello. > > > > > > There is a description about OCSP with nonce in RFC 6960, but there is > no description for the behavior of OCSP responder when the client > sends an OCSP request with nonce. > > Specifically, will the OCSP responder that receives the OCSP request > with nonce give me an opinion on whether to omit the nonce and return > the response? > > In the discussion on the previous OCSP, I remember that there was an > opinion that the conclusion has already been made in RFC 3161 > regarding the behavior of nonce, and there is nothing to argue about OCSP. > > Recently OCSP traffic has been increasing, so in order to reduce the > load on the signature engine of the OCSP responder, I often want to > clarify because I want to omit the nonce and return a response. > > > > > > Regards, > > Koichi Sugimoto. > > > > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix
- [pkix] Clarification on OCSP with nonce Koichi Sugimoto
- Re: [pkix] Clarification on OCSP with nonce Peter Gutmann
- Re: [pkix] Clarification on OCSP with nonce Dr. Pala