[Secdispatch] Clarification for a question about OCSP caching from Nick (Cloudflare)

"Dr. Pala" <madwolf@openca.org> Tue, 19 November 2019 13:10 UTC

Return-Path: <madwolf@openca.org>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id E44A11208FE for <secdispatch@ietfa.amsl.com>; Tue, 19 Nov 2019 05:10:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.437
X-Spam-Level: *
X-Spam-Status: No, score=1.437 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_SBL_CSS=3.335, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 2wpMaJzhqdEY for <secdispatch@ietfa.amsl.com>; Tue, 19 Nov 2019 05:10:58 -0800 (PST)
Received: from mail.katezarealty.com (mail.katezarealty.com []) by ietfa.amsl.com (Postfix) with ESMTP id F2D9D1208BB for <secdispatch@ietf.org>; Tue, 19 Nov 2019 05:10:57 -0800 (PST)
Received: from localhost (unknown []) by mail.katezarealty.com (Postfix) with ESMTP id C1C5937413DF; Tue, 19 Nov 2019 13:10:57 +0000 (UTC)
X-Virus-Scanned: amavisd-new at katezarealty.com
Received: from mail.katezarealty.com ([]) by localhost (mail.katezarealty.com []) (amavisd-new, port 10024) with LMTP id VWSssSLWe0bC; Tue, 19 Nov 2019 08:10:56 -0500 (EST)
Received: from Maxs-MacBook-Pro-2.local (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.katezarealty.com (Postfix) with ESMTPSA id 1B71037408D6; Tue, 19 Nov 2019 08:10:55 -0500 (EST)
To: secdispatch@ietf.org, Nick Sullivan <nick=40cloudflare.com@dmarc.ietf.org>, Tim Hollebeek <tim.hollebeek@digicert.com>
From: "Dr. Pala" <madwolf@openca.org>
Message-ID: <265ce9c3-8d24-b8c2-f13c-a54280a7ffba@openca.org>
Date: Tue, 19 Nov 2019 21:10:54 +0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.2.2
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------3B831676579B708DADB1F256"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/A8Znxd6I4PliAFmlChS9I-QOmG4>
Subject: [Secdispatch] Clarification for a question about OCSP caching from Nick (Cloudflare)
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Nov 2019 13:10:59 -0000

Hi Nick, all,

at the end of the second presentation on lowering the costs of 
revocation, if I am not mistaken, your question/comment (Nick) was about 
the fact that Cloudflare hosts / serve most of the cached OCSP responses 
and that the system does not have issues.

I am not sure if this comment is pertinent to what we are trying to 
solve here... let me elaborate a bit more.

The work we have been doing around the proposed topic of work is aimed 
at /_lowering the cost of *generating* and *distributing* these large 
volumes of signed data_/ when there is actually no need for that. By 
optimizing the protocol to provide range responses (or other methods, if 
we decide to go with a different approaches), we can reduce the number 
of signatures needed from a CA and their distribution - very expensive 

In other words, the proposal is /_not aimed at fixing any caching 
issues_/ because, as you noticed in your comment, that works just fine. 
The proposal at hand, instead, is about fixing a problem that CAs are 
facing today - high costs of deploying and running such systems.

On the other hand, your comment made me think about the caching service 
you mentioned and its associated costs.

Is it a service for which your company charge CAs ? If so, would you be 
able to share what are currently the costs incurred by CAs to leverage 
your service ? (I totally understand if you are not willing to - after 
all, this is usually the secret sauce :D)

Last but not least, I also would like to point out that optimizing the 
revocation can also help open-source communities, small companies, 
universities, non-profit, etc. by enabling them to deploy cost-efficient 
systems that can provide good quality of service using less resources 
(computational, storage, network).

Please let me know,


P.S.: If we could combine this idea with OCSP over DNS, we could really 
provide access to revocation technology for everybody, not just who can 
afford the price. Unfortunately we know how that discussion went, and I 
still think it is a very evident mistake not doing it  (I am still 
working on this in my spare time - I think it is of enormous value for 
emerging countries to have access to cheap secure technologies and, in 
my opinion, IETF is dropping / has dropped the ball on this for 
not-so-honorable reasons, I suspect...). I hope We can fix it in the 
open-source community.

Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director
OpenCA Logo