[pkix] Client-side OCSP stapling? Re: Proposal for working on PKIX revocation open issues
Anders Rundgren <anders.rundgren.net@gmail.com> Sat, 15 November 2014 05:11 UTC
Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F6DF1A0AF1 for <pkix@ietfa.amsl.com>; Fri, 14 Nov 2014 21:11:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fFMArIlytjKr for <pkix@ietfa.amsl.com>; Fri, 14 Nov 2014 21:11:45 -0800 (PST)
Received: from mail-wg0-x22e.google.com (mail-wg0-x22e.google.com [IPv6:2a00:1450:400c:c00::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 826AA1A00AE for <pkix@ietf.org>; Fri, 14 Nov 2014 21:11:45 -0800 (PST)
Received: by mail-wg0-f46.google.com with SMTP id x13so21149991wgg.19 for <pkix@ietf.org>; Fri, 14 Nov 2014 21:11:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=pnNp2CbDo6dVMTja1e9qxlBB+nJt2B+0jnb/6bGjguo=; b=CrElTahQQN2RJRo7ZmvmS0ppVP8GDJPOX0PdXkFLR29tX2RM7YX0yxiu3HeEpq9qwj pBwD97AdzYwKVXwGDEoTaZGqXaoXbdtTVLLpVe22SdAc8PBO6PPBjtgbo1dz21hCT8Ct 3veTz2vJvpwdPY/M7Jnx8gQXIXdZu92No2+ZnvzdzXHvgLNeVO0NwkqhbneKwxrB7Scf HmPKORDFdj/pOXvUMNZZ/jIuouf1Lm2fnm3hRqrEhIRXinpm+ZssrG3RrABojaG56c3Y ZUzPUl1AottAVbxV8bUKtIcttGbRVVczFvWilJWdJ5VKrdkjZ6GOMphtnhOQwj9fLv1D 4csg==
X-Received: by 10.180.84.5 with SMTP id u5mr13749567wiy.12.1416028304341; Fri, 14 Nov 2014 21:11:44 -0800 (PST)
Received: from [192.168.1.79] (13.118.176.95.rev.sfr.net. [95.176.118.13]) by mx.google.com with ESMTPSA id dc8sm5829973wib.7.2014.11.14.21.11.43 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 14 Nov 2014 21:11:43 -0800 (PST)
Message-ID: <5466E08E.70103@gmail.com>
Date: Sat, 15 Nov 2014 06:11:42 +0100
From: Anders Rundgren <anders.rundgren.net@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: "Dr. Massimiliano Pala" <massimiliano.pala@gmail.com>, "pkix@ietf.org" <pkix@ietf.org>
References: <5466AF87.2050307@gmail.com>
In-Reply-To: <5466AF87.2050307@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/x1VNkKmCRAKnoGmeuNQ6KCuP02E
Subject: [pkix] Client-side OCSP stapling? Re: Proposal for working on PKIX revocation open issues
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Nov 2014 05:11:48 -0000
Since you want to do something in revocation I would like to describe an existing potentially global PKI-using system that maybe could be improved. The EU e-passport system needs for crossborder-checking of biometrics a pretty elaborate PKI scheme which among many things require the parties to expose two public ports on the Internet; one for the actual communication using HTTPS[1] and another for publishing CRLs using HTTP. This isn't rocket-science but it still requires multiple FW settings and proxies. If OCSP responses could be stapled (TLS client cert auth is used), relying parties would only have to open a single inbound port. Cross-border reliability would probably also be improved since the client (sender) wouldn't be able to submit any data unless its OCSP is running (the PKIs are unique per country). TLS 1.3 and 2.0 are in the workings so the timing is right... Anders 1] I might add that I believe HTTPS with client certificate auth is a very poor choice for cross-border communication when each party run their own PKI. Signed messages permit a multi-tier architecture and quarantining of not yet trusted messages, greatly simplifying operation. BSI are experts on crypto, but n00bs on IT :-)
- [pkix] Proposal for working on PKIX revocation op… Dr. Massimiliano Pala
- Re: [pkix] Proposal for working on PKIX revocatio… Anders Rundgren
- [pkix] Client-side OCSP stapling? Re: Proposal fo… Anders Rundgren
- Re: [pkix] Proposal for working on PKIX revocatio… Massimiliano Pala
- Re: [pkix] Proposal for working on PKIX revocatio… Anders Rundgren
- Re: [pkix] Client-side OCSP stapling? Re: Proposa… Massimiliano Pala
- Re: [pkix] Proposal for working on PKIX revocatio… Paul Hoffman
- Re: [pkix] [therightkey] Proposal for working on … Ben Laurie
- Re: [pkix] [therightkey] Proposal for working on … Nico Williams