Re: [Secdispatch] Clarification for a question about OCSP caching from Nick (Cloudflare)

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 27 November 2019 17:43 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "Dr. Pala" <madwolf@openca.org>
cc: Carrick Bartle <cbartle891=40icloud.com@dmarc.ietf.org>, IETF SecDispatch <secdispatch@ietf.org>, Nick Sullivan <nick@cloudflare.com>, Tim Hollebeek <tim.hollebeek@digicert.com>
In-reply-to: <CABcZeBPmghr-nhXzjsuL48PrRAAN4m9_Qgc=BPRSkMwHJVxi3w@mail.gmail.com>
References: <265ce9c3-8d24-b8c2-f13c-a54280a7ffba@openca.org> <CAFDDyk9x1w-voWdM31zwExkj3UWX9Dir4d4JF2DQrxYArH-jbg@mail.gmail.com> <5e81fda8-52d3-e39a-1999-ac98efd4ae70@openca.org> <58FB63D0-58A3-4610-8A86-43D6050C5FAA@icloud.com> <CABcZeBPmghr-nhXzjsuL48PrRAAN4m9_Qgc=BPRSkMwHJVxi3w@mail.gmail.com>
Comments: In-reply-to Eric Rescorla <ekr@rtfm.com> message dated "Tue, 26 Nov 2019 06:25:53 -0800."
Date: Wed, 27 Nov 2019 18:42:58 +0100
Message-ID: <20002.1574876578@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/PW4T9udefj2Ae9T-gofrnZLtB0k>

Eric Rescorla <ekr@rtfm.com> wrote:
    > It's probably useful to start with a clear problem statement. If I
    > understood Max's presentation correctly, it's that it's too expensive to
    > compute all the OCSP signatures.  I'm not sure I'm persuaded that that's
    > true, as public key signatures are very fast (especially if you use ECDSA),
    > and even the largest public CAs don't actually have that many certificates
    > on the grand scheme of things [0]. However, to the extent to which it is
    > true, it seems like the natural response would be to move to a batch
    > signature scheme, such as the one David Benjamin proposed for TLS [1].

This would work well for TLS.
It would be good to understand if the problems that Dr. Pala is talking about
are specifically about TLS, or if it relates to some other system common in
the cable industry.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
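The batch signature scheme mentioned in the quoted text amortizes one public-key signature over many OCSP responses: the responder hashes each response into a leaf, builds a Merkle tree, signs only the root, and hands every response its own inclusion path. The block below is an added example, not code from this thread and not the exact tree encoding of David Benjamin's proposal (it uses a simple self-pairing rule for odd levels and its own domain-separation prefixes LEAF_PREFIX/NODE_PREFIX, all assumptions of this example). The root signature is an HMAC stand-in for the CA's ECDSA signature so the example runs with the standard library alone; the OCSP-like response strings and the demo key are constructed.

```python
"""Batch signing of OCSP-style responses with a Merkle tree (added example)."""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Domain-separation prefixes so a leaf can never be confused with an interior
# node (a classic second-preimage issue in naive Merkle trees). These byte
# values are an assumption of this example, not taken from any draft.
LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"

# (sibling_is_left, sibling_hash) for each level from the leaf up to the root.
Path = List[Tuple[bool, bytes]]


def leaf_hash(response: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + response).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    """Return the tree as levels; levels[0] are the leaves, levels[-1] == [root].
    An unpaired node at the end of a level is paired with itself."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([
            node_hash(cur[i], cur[i + 1] if i + 1 < len(cur) else cur[i])
            for i in range(0, len(cur), 2)
        ])
    return levels


def inclusion_path(levels: List[List[bytes]], index: int) -> Path:
    path: Path = []
    for cur in levels[:-1]:
        sib = index ^ 1
        sibling = cur[sib] if sib < len(cur) else cur[index]  # self-paired
        path.append((index % 2 == 1, sibling))
        index //= 2
    return path


def root_from_path(leaf: bytes, path: Path) -> bytes:
    node = leaf
    for sibling_is_left, sibling in path:
        node = node_hash(sibling, node) if sibling_is_left else node_hash(node, sibling)
    return node


def sign_root(key: bytes, root: bytes) -> bytes:
    """STAND-IN for the CA's public-key (e.g. ECDSA) signature over the root.
    HMAC is used only so the example runs with the standard library; the
    batching structure, not the primitive, is what this example demonstrates."""
    return hmac.new(key, b"batch-root:" + root, hashlib.sha256).digest()


def verify_root(key: bytes, root: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign_root(key, root), sig)


def batch_sign(key: bytes, responses: List[bytes]) -> List[Tuple[bytes, Path, bytes]]:
    """One signing operation covers the whole batch. Each response is returned
    with its inclusion path and the shared root signature."""
    levels = build_tree([leaf_hash(r) for r in responses])
    sig = sign_root(key, levels[-1][0])
    return [(r, inclusion_path(levels, i), sig) for i, r in enumerate(responses)]


def verify_batched(key: bytes, response: bytes, path: Path, sig: bytes) -> bool:
    """A relying party recomputes the root from the response's own path and
    checks the single signature; it never sees the other responses."""
    return verify_root(key, root_from_path(leaf_hash(response), path), sig)


def demo() -> Dict[str, object]:
    key = b"constructed-demo-key"  # stands in for the responder's private key
    # Constructed OCSP-like responses; an odd count exercises self-pairing.
    responses = [b"serial=%d;status=good;thisUpdate=20191127" % i for i in range(5)]
    batch = batch_sign(key, responses)
    r3, p3, s3 = batch[3]
    return {
        "all_verify": all(verify_batched(key, r, p, s) for r, p, s in batch),
        "signatures_used": len({s for _, _, s in batch}),
        "path_len": len(p3),
        "tampered_verifies": verify_batched(
            key, b"serial=3;status=revoked;thisUpdate=20191127", p3, s3),
        "wrong_path_verifies": verify_batched(key, batch[0][0], batch[1][1], batch[1][2]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

For five responses the responder performs one signature instead of five, and each response grows by a three-hash path (log2 of the batch size, rounded up) plus the shared signature; a relying party still validates the signing key exactly as it would for a conventional OCSP response, and the freshness semantics (thisUpdate/nextUpdate) are unchanged by batching. How such a path would be carried inside an actual OCSP response encoding is not addressed here.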