[Secdispatch] Clarification for a question about OCSP caching from Nick (Cloudflare)
"Dr. Pala" <madwolf@openca.org> Tue, 19 November 2019 13:10 UTC
Return-Path: <madwolf@openca.org>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E44A11208FE for <secdispatch@ietfa.amsl.com>; Tue, 19 Nov 2019 05:10:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.437
X-Spam-Level: *
X-Spam-Status: No, score=1.437 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_SBL_CSS=3.335, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2wpMaJzhqdEY for <secdispatch@ietfa.amsl.com>; Tue, 19 Nov 2019 05:10:58 -0800 (PST)
Received: from mail.katezarealty.com (mail.katezarealty.com [104.168.158.213]) by ietfa.amsl.com (Postfix) with ESMTP id F2D9D1208BB for <secdispatch@ietf.org>; Tue, 19 Nov 2019 05:10:57 -0800 (PST)
Received: from localhost (unknown [127.0.0.1]) by mail.katezarealty.com (Postfix) with ESMTP id C1C5937413DF; Tue, 19 Nov 2019 13:10:57 +0000 (UTC)
X-Virus-Scanned: amavisd-new at katezarealty.com
Received: from mail.katezarealty.com ([127.0.0.1]) by localhost (mail.katezarealty.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id VWSssSLWe0bC; Tue, 19 Nov 2019 08:10:56 -0500 (EST)
Received: from Maxs-MacBook-Pro-2.local (unknown [101.100.166.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.katezarealty.com (Postfix) with ESMTPSA id 1B71037408D6; Tue, 19 Nov 2019 08:10:55 -0500 (EST)
To: secdispatch@ietf.org, Nick Sullivan <nick=40cloudflare.com@dmarc.ietf.org>, Tim Hollebeek <tim.hollebeek@digicert.com>
From: "Dr. Pala" <madwolf@openca.org>
Message-ID: <265ce9c3-8d24-b8c2-f13c-a54280a7ffba@openca.org>
Date: Tue, 19 Nov 2019 21:10:54 +0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.2.2
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------3B831676579B708DADB1F256"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/A8Znxd6I4PliAFmlChS9I-QOmG4>
Subject: [Secdispatch] Clarification for a question about OCSP caching from Nick (Cloudflare)
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Nov 2019 13:10:59 -0000
Hi Nick, all, at the end of the second presentation on lowering the costs of revocation, if I am not mistaken, your question/comment (Nick) was about the fact that Cloudflare hosts / serve most of the cached OCSP responses and that the system does not have issues. I am not sure if this comment is pertinent to what we are trying to solve here... let me elaborate a bit more. The work we have been doing around the proposed topic of work is aimed at /_lowering the cost of *generating* and *distributing* these large volumes of signed data_/ when there is actually no need for that. By optimizing the protocol to provide range responses (or other methods, if we decide to go with a different approaches), we can reduce the number of signatures needed from a CA and their distribution - very expensive operations. In other words, the proposal is /_not aimed at fixing any caching issues_/ because, as you noticed in your comment, that works just fine. The proposal at hand, instead, is about fixing a problem that CAs are facing today - high costs of deploying and running such systems. On the other hand, your comment made me think about the caching service you mentioned and its associated costs. Is it a service for which your company charge CAs ? If so, would you be able to share what are currently the costs incurred by CAs to leverage your service ? (I totally understand if you are not willing to - after all, this is usually the secret sauce :D) Last but not least, I also would like to point out that optimizing the revocation can also help open-source communities, small companies, universities, non-profit, etc. by enabling them to deploy cost-efficient systems that can provide good quality of service using less resources (computational, storage, network). Please let me know, Cheers, Max P.S.: If we could combine this idea with OCSP over DNS, we could really provide access to revocation technology for everybody, not just who can afford the price. Unfortunately we know how that discussion went, and I still think it is a very evident mistake not doing it (I am still working on this in my spare time - I think it is of enormous value for emerging countries to have access to cheap secure technologies and, in my opinion, IETF is dropping / has dropped the ball on this for not-so-honorable reasons, I suspect...). I hope We can fix it in the open-source community. -- Best Regards, Massimiliano Pala, Ph.D. OpenCA Labs Director OpenCA Logo
- [Secdispatch] Clarification for a question about … Dr. Pala
- Re: [Secdispatch] Clarification for a question ab… Nick Sullivan
- Re: [Secdispatch] Clarification for a question ab… Dr. Pala
- Re: [Secdispatch] Clarification for a question ab… Carrick Bartle
- Re: [Secdispatch] Clarification for a question ab… Eric Rescorla
- Re: [Secdispatch] Clarification for a question ab… Tim Hollebeek
- Re: [Secdispatch] Clarification for a question ab… Michael Richardson
- Re: [Secdispatch] Clarification for a question ab… Eric Rescorla
- Re: [Secdispatch] Clarification for a question ab… Carrick Bartle
- Re: [Secdispatch] Clarification for a question ab… Carrick Bartle