Re: [Secdispatch] Clarification for a question about OCSP caching from Nick (Cloudflare)
Eric Rescorla <ekr@rtfm.com> Wed, 27 November 2019 22:20 UTC
References: <265ce9c3-8d24-b8c2-f13c-a54280a7ffba@openca.org> <CAFDDyk9x1w-voWdM31zwExkj3UWX9Dir4d4JF2DQrxYArH-jbg@mail.gmail.com> <5e81fda8-52d3-e39a-1999-ac98efd4ae70@openca.org> <58FB63D0-58A3-4610-8A86-43D6050C5FAA@icloud.com> <CABcZeBPmghr-nhXzjsuL48PrRAAN4m9_Qgc=BPRSkMwHJVxi3w@mail.gmail.com> <20002.1574876578@dooku.sandelman.ca>
In-Reply-To: <20002.1574876578@dooku.sandelman.ca>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 27 Nov 2019 14:20:10 -0800
Message-ID: <CABcZeBP+hkjhk0rZPafDw=6Z21aN=SJCAovp-42Q0DQGX+Hzqw@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: "Dr. Pala" <madwolf@openca.org>, Carrick Bartle <cbartle891=40icloud.com@dmarc.ietf.org>, IETF SecDispatch <secdispatch@ietf.org>, Nick Sullivan <nick@cloudflare.com>, Tim Hollebeek <tim.hollebeek@digicert.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/NW9l47Rcn5iKDUyy1rG8hKUTMo4>
On Wed, Nov 27, 2019 at 9:43 AM Michael Richardson <mcr+ietf@sandelman.ca> wrote:

> Eric Rescorla <ekr@rtfm.com> wrote:
> > It's probably useful to start with a clear problem statement. If I
> > understood Max's presentation correctly, it's that it's too expensive to
> > compute all the OCSP signatures. I'm not sure I'm persuaded that that's
> > true, as public key signatures are very fast (especially if you use ECDSA),
> > and even the largest public CAs don't actually have that many certificates
> > on the grand scheme of things [0]. However, to the extent to which it is
> > true, it seems like the natural response would be to move to a batch
> > signature scheme, such as the one David Benjamin proposed for TLS [1].
>
> This would work well for TLS.
> It would be good to understand if the problems that Dr. Pala is talking about
> are specifically about TLS, or if it relates to some other system common in
> the cable industry.

I think it's less a matter of TLS versus not TLS but rather of what you are trying to optimize for. If it's just signing bandwidth then this is a good solution. If it's also network bandwidth, then perhaps less so, though we'd need to do the math.

-Ekr

> --
> ] Never tell me the odds!                        | ipv6 mesh networks [
> ] Michael Richardson, Sandelman Software Works  | network architect  [
> ] mcr@sandelman.ca http://www.sandelman.ca/     | ruby on rails      [
>
> _______________________________________________
> Secdispatch mailing list
> Secdispatch@ietf.org
> https://www.ietf.org/mailman/listinfo/secdispatch
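The trade-off Ekr describes (one signing operation per batch, paid for with extra bytes in every response) is easiest to see in code. The following is an added example written for this page, not code from the thread, from the TLS batch-signing draft, or from any CA: a Merkle-tree batch signer in Go. It builds a tree over the responses, signs the root once with ECDSA P-256, and hands each response a log2(n)-hash inclusion proof; the verifier checks the one signature and recomputes the root. The leaf/node prefix bytes, the padding rule and the constructed `serial=... status=good` sample bodies are assumptions of this example, not the draft's encoding. `BytesOnWire` is the "network bandwidth" side of the argument: signature length plus 32 bytes per tree level.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Domain separation between leaf and interior hashes so an interior node can
// never be passed off as a signed message. Prefix values are this example's
// choice (assumption), not the draft's.
const (
	leafPrefix byte = 0x00
	nodePrefix byte = 0x01
)

// ProofStep is one sibling hash on the path from a leaf to the root.
type ProofStep struct {
	Sibling [32]byte
	Left    bool // true when Sibling is the left child at this level
}

// BatchEntry is what one relying party receives: message plus inclusion proof.
type BatchEntry struct {
	Message []byte
	Proof   []ProofStep
}

// Batch holds the single signature that covers every entry.
type Batch struct {
	Root      [32]byte
	Signature []byte // ECDSA over Root, ASN.1 DER
	Entries   []BatchEntry
}

func hashLeaf(msg []byte) [32]byte {
	return sha256.Sum256(append([]byte{leafPrefix}, msg...))
}

func hashNode(left, right [32]byte) [32]byte {
	buf := append([]byte{nodePrefix}, left[:]...)
	return sha256.Sum256(append(buf, right[:]...))
}

// NewSigningKey generates a P-256 key (in a CA this would live in an HSM).
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignBatch does ONE signing operation for len(msgs) messages. The tree is
// padded to a power of two by repeating the last leaf hash, which can only
// ever prove an already-signed message, so padding admits nothing new.
func SignBatch(key *ecdsa.PrivateKey, msgs [][]byte) (*Batch, error) {
	if len(msgs) == 0 {
		return nil, errors.New("empty batch")
	}
	width := 1
	for width < len(msgs) {
		width <<= 1
	}
	level := make([][32]byte, width)
	for i := range level {
		if i < len(msgs) {
			level[i] = hashLeaf(msgs[i])
		} else {
			level[i] = level[len(msgs)-1]
		}
	}
	proofs := make([][]ProofStep, len(msgs))
	for depth := 0; len(level) > 1; depth++ {
		// Record each real message's sibling at this level, then collapse.
		for m := range proofs {
			pos := m >> depth
			if pos%2 == 0 {
				proofs[m] = append(proofs[m], ProofStep{Sibling: level[pos+1]})
			} else {
				proofs[m] = append(proofs[m], ProofStep{Sibling: level[pos-1], Left: true})
			}
		}
		next := make([][32]byte, len(level)/2)
		for i := range next {
			next[i] = hashNode(level[2*i], level[2*i+1])
		}
		level = next
	}
	root := level[0]
	sig, err := ecdsa.SignASN1(rand.Reader, key, root[:])
	if err != nil {
		return nil, err
	}
	b := &Batch{Root: root, Signature: sig}
	for m, msg := range msgs {
		b.Entries = append(b.Entries, BatchEntry{Message: msg, Proof: proofs[m]})
	}
	return b, nil
}

// VerifyEntry is the relying-party check: one signature verify on the root,
// then a log2(n)-step recomputation of the root from the message and proof.
func VerifyEntry(pub *ecdsa.PublicKey, root [32]byte, sig []byte, e BatchEntry) bool {
	if !ecdsa.VerifyASN1(pub, root[:], sig) {
		return false
	}
	h := hashLeaf(e.Message)
	for _, step := range e.Proof {
		if step.Left {
			h = hashNode(step.Sibling, h)
		} else {
			h = hashNode(h, step.Sibling)
		}
	}
	return h == root
}

// BytesOnWire is the per-response download: shared signature plus one
// 32-byte sibling per tree level. An unbatched response carries sigLen only.
func BytesOnWire(e BatchEntry, sigLen int) int {
	return sigLen + 32*len(e.Proof)
}

// SampleResponses builds constructed stand-ins for OCSP response bodies.
func SampleResponses(n int) [][]byte {
	out := make([][]byte, n)
	for i := range out {
		out[i] = []byte(fmt.Sprintf("serial=%d status=good", i+1))
	}
	return out
}

func main() {
	key, _ := NewSigningKey()
	b, _ := SignBatch(key, SampleResponses(5))
	e := b.Entries[2]
	fmt.Println("valid:", VerifyEntry(&key.PublicKey, b.Root, b.Signature, e),
		"signatures computed: 1 of 5, bytes per response:", BytesOnWire(e, len(b.Signature)))
}
```

For a batch of 2^20 responses the signer pays one ECDSA operation instead of a million, but every client downloads 20 extra hashes (640 bytes) on top of the signature, which is the "do the math" Ekr refers to: for OCSP, where responses are fetched far more often than they are signed, the bandwidth side may dominate.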