Re: [Secdispatch] Clarification for a question about OCSP caching from Nick (Cloudflare)

Eric Rescorla <ekr@rtfm.com> Wed, 27 November 2019 22:20 UTC

References: <265ce9c3-8d24-b8c2-f13c-a54280a7ffba@openca.org> <CAFDDyk9x1w-voWdM31zwExkj3UWX9Dir4d4JF2DQrxYArH-jbg@mail.gmail.com> <5e81fda8-52d3-e39a-1999-ac98efd4ae70@openca.org> <58FB63D0-58A3-4610-8A86-43D6050C5FAA@icloud.com> <CABcZeBPmghr-nhXzjsuL48PrRAAN4m9_Qgc=BPRSkMwHJVxi3w@mail.gmail.com> <20002.1574876578@dooku.sandelman.ca>
In-Reply-To: <20002.1574876578@dooku.sandelman.ca>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 27 Nov 2019 14:20:10 -0800
Message-ID: <CABcZeBP+hkjhk0rZPafDw=6Z21aN=SJCAovp-42Q0DQGX+Hzqw@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: "Dr. Pala" <madwolf@openca.org>, Carrick Bartle <cbartle891=40icloud.com@dmarc.ietf.org>, IETF SecDispatch <secdispatch@ietf.org>, Nick Sullivan <nick@cloudflare.com>, Tim Hollebeek <tim.hollebeek@digicert.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/NW9l47Rcn5iKDUyy1rG8hKUTMo4>
Subject: Re: [Secdispatch] Clarification for a question about OCSP caching from Nick (Cloudflare)

On Wed, Nov 27, 2019 at 9:43 AM Michael Richardson <mcr+ietf@sandelman.ca> wrote:

>
> Eric Rescorla <ekr@rtfm.com> wrote:
>     > It's probably useful to start with a clear problem statement. If I
>     > understood Max's presentation correctly, it's that it's too expensive to
>     > compute all the OCSP signatures.  I'm not sure I'm persuaded that that's
>     > true, as public key signatures are very fast (especially if you use ECDSA),
>     > and even the largest public CAs don't actually have that many certificates
>     > on the grand scheme of things [0]. However, to the extent to which it is
>     > true, it seems like the natural response would be to move to a batch
>     > signature scheme, such as the one David Benjamin proposed for TLS [1].
>
> This would work well for TLS.
> It would be good to understand if the problems that Dr. Pala is talking about
> are specifically about TLS, or if it relates to some other system common in
> the cable industry.
>

I think it's less a matter of TLS versus not TLS but rather of what you are
trying to optimize for.

If it's just signing bandwidth then this is a good solution. If it's also
network bandwidth, then perhaps less so, though we'd need to do the math.

-Ekr
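To make the "do the math" point concrete, here is an added example (mine, not code from this thread or from David Benjamin's draft): a minimal Merkle-tree batch signature over OCSP-style responses, where one signature over the root covers the whole batch and each response ships with its inclusion proof, plus the per-response byte count that exposes the network-bandwidth cost of that trade. The 64-byte signature and 32-byte hash sizes and the 0x00/0x01 domain-separation prefixes are assumptions, and the five response bodies are constructed.

```python
# Added example (not from the thread): Merkle-tree batching of OCSP-style
# responses; sizes and domain-separation bytes are illustrative assumptions.
import hashlib
import math

HASH_LEN = 32   # SHA-256 digest size
SIG_LEN = 64    # assumed raw ECDSA P-256 signature (r || s)

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _pad(level):
    # Duplicate the last node so every level has an even number of nodes.
    return level + [level[-1]] if len(level) % 2 else level

def build_tree(leaves):
    """Hash the responses into a Merkle tree; returns levels, leaves first."""
    level = [_h(b"\x00" + leaf) for leaf in leaves]
    levels = [level]
    while len(level) > 1:
        level = _pad(level)
        level = [_h(b"\x01" + level[i] + level[i + 1])
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def inclusion_proof(levels, index):
    """Sibling hashes from leaf `index` up to the root, one per level."""
    proof = []
    for level in levels[:-1]:
        proof.append(_pad(level)[index ^ 1])
        index //= 2
    return proof

def verify_proof(leaf, index, proof, root):
    """Recompute the root from one response plus its proof path."""
    node = _h(b"\x00" + leaf)
    for sibling in proof:
        pair = node + sibling if index % 2 == 0 else sibling + node
        node = _h(b"\x01" + pair)
        index //= 2
    return node == root

def per_response_bytes(n_responses, batched):
    """Signature-related bytes a client downloads with each OCSP response."""
    if not batched:
        return SIG_LEN  # one ECDSA signature per response
    depth = math.ceil(math.log2(n_responses)) if n_responses > 1 else 0
    return SIG_LEN + depth * HASH_LEN  # shared root signature + proof path
```

The CA signs the root once instead of N times, but every response grows by ceil(log2 N) hashes, which is the extra network bandwidth the message warns about.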



> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        | network architect  [
> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
>