Re: [Secdispatch] Clarification for a question about OCSP caching from Nick (Cloudflare)

It's probably useful to start with a clear problem statement. if I
understood Max's presentation correctly, it's that it's too expensive to
compute all the OCSP signatures.  I'm not sure I'm persuaded that that's
true, as public key signatures are very fast (especially if you use ECDSA),
and even the largest public CAs don't actually have that many certificates
on the grand scheme of things [0]. However, to the extent to which it is
true, it seems like the natural response would be to move to a batch
signature scheme, such as the one David Benjamin proposed for TLS [1]. This
would have the advantage that it doesn't require any new protocol
definition or reasoning, it's just a drop-in for the existing signatures.

-Ekr

[0] Let's Encrypt has about 10^8 certificates active.
[1] https://tools.ietf.org/html/draft-davidben-tls-batch-signing-00

On Tue, Nov 26, 2019 at 5:42 AM Carrick Bartle <cbartle891=
40icloud.com@dmarc.ietf.org> wrote:

> Hi Max,
>
> What's the current proposal? The draft
> <https://tools.ietf.org/html/draft-pala-ocspv2-00> doesn't appear to
> contain details beyond the notion of providing ranges and information about
> the entire chain, and it doesn't seem to address the issues raised in the
> PKIX and LAMPS discussions linked here
> <https://datatracker.ietf.org/meeting/106/materials/agenda-106-secdispatch-03>
> .
>
> At Apple, we also cache OCSP responses in a compressed form, i.e. in Bloom
> filters. Having the option to receive CRLs in a compressed format like that
> would definitely be more efficient for us. I'm not convinced that ranges
> would be as helpful. CRLs are helpful when someone is compiling an entire
> catalog of revoked certificates. OCSP is helpful when you want to check the
> revocation status of one particular certificate. If OCSP is instead a
> hybrid of these two approaches, this assumes that the client is going to
> want data on the other certificates in the range they receive (many of
> which won't even exist, since, as someone commented in the pkix thread,
> serial numbers are often (usually?) randomized). I'm not sure how often
> that additional revocation information is actually going to be useful to
> the client. Statistics on that is the sort of data that would be helpful in
> evaluating this proposal. If it turns out, for instance, that providing
> ranges ends up saving only, say, 0.1% of OCSP requests, it probably
> wouldn't be worth the effort.
>
> As for returning revocation data for the entire chain, the question must
> be asked: which chain? In some cases, certificates are cross-signed, and so
> there is no one chain to provide revocation data for. Is the client
> effectively going to delegate finding the best chain to the OCSP responder?
> I'm not sure that's in the client's best interest, and I'm not sure OCSP
> responders are going to want to bother handling that.
>
> Carrick
>
>
>
> On Nov 20, 2019, at 2:47 PM, Dr. Pala <madwolf@openca.org> wrote:
>
> Hi Nick,
>
> thanks for the reply. My comments are inline...
> On 11/20/19 1:07 PM, Nick Sullivan wrote:
>
> Hi Max,
>
> Thanks for your clarification. I now understand the work is aimed at
> optimizing the number of signatures by the CA's OCSP responder and the
> number of bytes of unique OCSP data.
>
> Yes, that is correct. The other optimization is about the ability to
> provide responses for the whole chain in a single message.
>
> Currently, the number of OCSP signatures the CA needs to do is linear in
> the number of active certificates. This proposal changes this so that the
> number of signatures is linear in the number of revocations of active
> certificates. It's conceptually similar to NSEC in that way: it's a cover
> proposal in which the artifacts are constant size, but require a linear
> number signatures in the size of the revocation set. Contrast this with
> CRLs, which require a constant number of signatures, but are linear in the
> size of the revocation set. So maybe the goals could be better phrased in
> terms of *lowering the cost of generating compared to OCSP
> and distributing compared to CRLs*.
>
> I am not sure I follow. In PKIs, today, we use both mechanisms. This is
> because usually the CRLs are used as a backup mechanism for OCSP - we also
> need to support both because of Certification Policies (exactly as in the
> Internet PKI environment), therefore it is not a choice :D The proposed
> approach can be used to (a) limit the amount of data that needs to be
> generated, stored, and transferred when pre-computing responses, and (b) to
> compute all responses and serve them from memory - even small instances
> without any hardware acceleration could achieve reasonable performances
> (also for shorter validity periods in responses).
>
> This proposal implies a middle-ground PKI deployment that has enough
> revocations for CRL to be inefficient but not enough to cause the negative
> space of the serial number to be of the same order as the number of
> certificates. It would be great to see examples of PKIs that motivate this
> optimization, which is why I suggested that data could help.
>
> Technically, you are correct. If we could predict the size of CRLs, we
> could potentially try to understand what that threshold is. However, as I
> explained in the presentation, the size is fairly unpredictable. That is
> why we primarily use OCSP today.
>
>
> I should also note that while this proposal reduces the number of OCSP
> signatures (which can be on the order of 104 signatures for 2-year certs),
> the impact is less dramatic for CAs that issue shorter-lived certs. For
> example, Let's Encrypt only signs around 13 OCSP responses for each of
> their 3-month certificates.
>
> That is correct, the impact is less with short-lived certificates because
> in those environment, the population of active certificates is usually
> smaller. If the population is still large, you still have the same problem.
>
> You mention that your OCSP responses have a 7 days validity, correct ? My
> question is: which considerations went into deciding such a large validity
> period for the OCSP responses (7 days) ? Maybe costs considerations drove
> the decision ? From a security standpoint, such long validity periods
> blinds clients from detecting revocation that might happen during the
> 7-days validity period (the problem is worse now with the deployment of
> OCSP stapling because clients do not fetch fresh responses at connect time,
> AFAIK, if stapling is supported). I would expect that few minutes validity
> windows or maybe few hours would be a better choice - but how much does
> that cost to Let's Encrypt ?
>
> The Cable industry has used certificates, for few decades now, for
> different purposes - as a hardware certification tool and to secure our
> networks - in this environment, the typical life-span of a certificate is
> many years (up to 20) and it is tied to the envisioned life-span of the
> device (no renewal). As you can see, in our environment, CRLs will never be
> an option and OCSP simply costs too much (for an infrastructure that, over
> all, has an active population of several hundreds million of active
> certificates - we might be even beyond that with just the three OpenCable,
> PacketCable, and DOCSIS).
>
> Ultimately, we need to work on the solution so that we can have our
> vendors to integrate it in their products, like CableModes, that are going
> to be deployed (and provide internet connectivity) for hundreds of millions
> of households for the next 10 to 20 years. We need to lower the security
> risks associated with the infrastructures that brings Internet to many of
> us - revocation is important to prevent possible compromises to go
> undetected. I think that everybody who has Cable should support this work
> that is going to directly impact them for many years.
>
> Cheers,
> Max
>
> P.S.: I also have other personal motivations for this work. I think that
> this is also the right thing to do for non-technical reasons - I come from
> the OpenSource world that so much has give for the success of the Internet
> but where there is no money. More efficient technologies could be leveraged
> by communities around the world who deserve good security but costs get in
> the way. I know it is not a technical detail, but I think we shall always
> try to have these considerations in our minds - making the world a better
> place and less wasteful (energy) is an amendable goal in general and
> emerging communities could really benefit from our work.
>
>
> On Tue, Nov 19, 2019 at 9:11 PM Dr. Pala <madwolf@openca.org> wrote:
>
>> Hi Nick, all,
>>
>> at the end of the second presentation on lowering the costs of
>> revocation, if I am not mistaken, your question/comment (Nick) was about
>> the fact that Cloudflare hosts / serve most of the cached OCSP responses
>> and that the system does not have issues.
>>
>> I am not sure if this comment is pertinent to what we are trying to solve
>> here... let me elaborate a bit more.
>>
>> The work we have been doing around the proposed topic of work is aimed at
>>  *lowering the cost of generating and distributing these large volumes
>> of signed data* when there is actually no need for that. By optimizing
>> the protocol to provide range responses (or other methods, if we decide to
>> go with a different approaches), we can reduce the number of signatures
>> needed from a CA and their distribution - very expensive operations.
>>
>> In other words, the proposal is *not aimed at fixing any caching issues* because,
>> as you noticed in your comment, that works just fine. The proposal at hand,
>> instead, is about fixing a problem that CAs are facing today - high costs
>> of deploying and running such systems.
>>
>> On the other hand, your comment made me think about the caching service
>> you mentioned and its associated costs.
>>
>> Is it a service for which your company charge CAs ? If so, would you be
>> able to share what are currently the costs incurred by CAs to leverage your
>> service ? (I totally understand if you are not willing to - after all, this
>> is usually the secret sauce :D)
>>
>> Last but not least, I also would like to point out that optimizing the
>> revocation can also help open-source communities, small companies,
>> universities, non-profit, etc. by enabling them to deploy cost-efficient
>> systems that can provide good quality of service using less resources
>> (computational, storage, network).
>>
>> Please let me know,
>>
>> Cheers,
>> Max
>>
>> P.S.: If we could combine this idea with OCSP over DNS, we could really
>> provide access to revocation technology for everybody, not just who can
>> afford the price. Unfortunately we know how that discussion went, and I
>> still think it is a very evident mistake not doing it  (I am still working
>> on this in my spare time - I think it is of enormous value for emerging
>> countries to have access to cheap secure technologies and, in my opinion,
>> IETF is dropping / has dropped the ball on this for not-so-honorable
>> reasons, I suspect...). I hope We can fix it in the open-source community.
>> --
>> Best Regards,
>> Massimiliano Pala, Ph.D.
>> OpenCA Labs Director
>> <dhmacjdifkefaoin.png>
>>
> --
> Best Regards,
> Massimiliano Pala, Ph.D.
> OpenCA Labs Director
> <ijeffbhlgncflbab.png>
> _______________________________________________
> Secdispatch mailing list
> Secdispatch@ietf.org
> https://www.ietf.org/mailman/listinfo/secdispatch
>
>
> _______________________________________________
> Secdispatch mailing list
> Secdispatch@ietf.org
> https://www.ietf.org/mailman/listinfo/secdispatch
>