Re: [pkix] Optimizing OCSP - Time for some spec work ?

Peter Gutmann <pgut001@cs.auckland.ac.nz> Thu, 31 October 2019 02:44 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "David A. Cooper" <david.cooper=40nist.gov@dmarc.ietf.org>, "pkix@ietf.org" <pkix@ietf.org>
Date: Thu, 31 Oct 2019 02:44:44 +0000
Message-ID: <1572489885488.93880@cs.auckland.ac.nz>
References: <31256d2d-dcfb-85f7-3850-accb2b2d6b89@openca.org> <1571969278256.43657@cs.auckland.ac.nz> <a87cd195-8b26-6bbd-8e37-473478e1a956@openca.org> <20191025152019.pevdicon45ql6zml@nmhq.net> <1572088035404.16022@cs.auckland.ac.nz> <20191027221258.ldl2f5a3anu7qyfy@nmhq.net>, <c675ac19-6326-b572-5bad-b7c96aa458ca@nist.gov>
In-Reply-To: <c675ac19-6326-b572-5bad-b7c96aa458ca@nist.gov>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/TjCvCOxvtu7ghOn-08uJeHk4N1k>
List-Id: PKIX Working Group <pkix.ietf.org>

David A. Cooper <david.cooper=40nist.gov@dmarc.ietf.org> writes:

>I also don't see how this "I've checked the entire chain from the cert you
>requested all the way up to the root.  You're welcome" extension would work.

See my previous message; it's not meant to be perfect, just an improvement on
current usage.  In particular:

>Consider a scenario in which a CA's private key had been compromised, and its
>certificate had been revoked.

In that case the browser vendors [0 again, from the previous message] push out
an emergency update because they don't trust revocation checking to get the
job done.

So it really depends on the usage scenario.  If you can make it better than
the current mess, that's at least some progress.

Peter.
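The exchange above turns on one question: what a client should do with a hypothetical "I've checked the entire chain" OCSP extension when the CA that issued the responder's certificate has itself been compromised and revoked. The following is an added example, not code from the thread or from any of its participants. It models that scenario with a constructed three-certificate PKI plus a delegated responder; the names, the revocation set and the vendor blocklist are all made up. It contrasts a client that simply believes the extension with one that first validates the responder's own certification path against revocation data it obtained independently (a CRL or OCSP response from the level above, or a vendor-pushed blocklist of the kind Peter refers to).

```python
"""Model of a whole-chain OCSP status extension under CA key compromise.

Added example; the PKI below is constructed and the extension is hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str          # subject of the issuing certificate; a root is self-issued


@dataclass(frozen=True)
class ChainStatusResponse:
    """Hypothetical OCSP response carrying an 'entire chain checked' assertion."""
    leaf: str            # certificate the client asked about
    chain_ok: bool       # responder's claim: every certificate up to the root is good
    responder: Cert      # certificate whose key signed the response


# Constructed sample PKI: root -> intermediate -> leaf, with a delegated
# OCSP responder certificate issued by the intermediate.
ROOT = Cert("Root CA", "Root CA")
INTERMEDIATE = Cert("Intermediate CA", "Root CA")
LEAF = Cert("www.example.test", "Intermediate CA")
RESPONDER = Cert("OCSP Responder", "Intermediate CA")
POOL = [LEAF, INTERMEDIATE, ROOT, RESPONDER]
TRUST_ANCHORS = {"Root CA"}

# Response a client would receive after the intermediate's key was compromised:
# whoever holds that key can sign a responder certificate and assert the whole
# chain is fine.  The client must not rely on the assertion alone.
RESPONSE_UNDER_COMPROMISED_CA = ChainStatusResponse(
    leaf="www.example.test", chain_ok=True, responder=RESPONDER
)


def build_path(cert, pool, anchors):
    """Follow issuer links from cert to a trust anchor; return the path or None."""
    by_subject = {c.subject: c for c in pool}
    path = [cert]
    while path[-1].subject not in anchors:
        nxt = by_subject.get(path[-1].issuer)
        if nxt is None or nxt in path:      # dangling issuer or a loop
            return None
        path.append(nxt)
    return path


def naive_accept(resp, anchors, pool):
    """Believe the extension as long as the responder chains to a trust anchor.

    This is the behaviour David's objection targets: a revoked intermediate
    vouching for itself is accepted.
    """
    return resp.chain_ok and build_path(resp.responder, pool, anchors) is not None


def careful_accept(resp, anchors, pool, revoked, vendor_blocklist):
    """Accept the assertion only after independently checking the responder's path.

    `revoked` stands for status the client fetched from the issuer above the
    responder's CA (CRL or OCSP); `vendor_blocklist` stands for an emergency
    update pushed by the software vendor, which does not depend on OCSP at all.
    Either source is enough to reject a response signed under the compromised CA.
    """
    path = build_path(resp.responder, pool, anchors)
    if path is None or not resp.chain_ok:
        return False
    return not any(c.subject in revoked or c.subject in vendor_blocklist for c in path)


if __name__ == "__main__":
    print("naive:  ", naive_accept(RESPONSE_UNDER_COMPROMISED_CA, TRUST_ANCHORS, POOL))
    print("careful:", careful_accept(RESPONSE_UNDER_COMPROMISED_CA, TRUST_ANCHORS, POOL,
                                     revoked={"Intermediate CA"}, vendor_blocklist=set()))
```

The point the model makes is the one both posts circle around: the extension can shorten the common path (one response instead of one per certificate) only if the client still verifies the responder's own path with status information that does not come from the responder, or with an out-of-band blocklist; without that, a compromised CA can vouch for its own chain.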