Re: [Secdispatch] Clarification for a question about OCSP caching from Nick (Cloudflare)

Tim Hollebeek <tim.hollebeek@digicert.com> Tue, 26 November 2019 19:55 UTC

Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D883120127 for <secdispatch@ietfa.amsl.com>; Tue, 26 Nov 2019 11:55:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Level:
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=digicert.com header.b=Oy2gT+oz; dkim=pass (1024-bit key) header.d=digicert.com header.b=OQLNprC/
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BQuwXu-CjwYz for <secdispatch@ietfa.amsl.com>; Tue, 26 Nov 2019 11:55:37 -0800 (PST)
Received: from us-smtp-delivery-173.mimecast.com (us-smtp-delivery-173.mimecast.com [63.128.21.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA18F120018 for <secdispatch@ietf.org>; Tue, 26 Nov 2019 11:55:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=mimecast20190124; t=1574798135; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=Zf0F6DqkOmNDVWH6z3ek7Vs2volz0LM44W8yXadnRqM=; b=Oy2gT+oztxK5zQNFgLEuOWYvEl7thLnIM4+WVWFVZ0thytaUq7eYQZ2Dj3LnqngQbbTTD1 j5wbL9dQxTTVMCemRUg6rWzEbnjxFKG6TnP3gB1BAKD/lB4zyz4g8sPAf7W+kWsdcdRD61 jubmT6ac56iu9mQMAgooorvb7dtACF4=
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (mail-bl2nam02lp2052.outbound.protection.outlook.com [104.47.38.52]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-270-NCOfqPM3O2C3L8-LvKV7cg-1; Tue, 26 Nov 2019 14:55:30 -0500
X-MC-Unique: NCOfqPM3O2C3L8-LvKV7cg-1
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=EtOob0qK+Hty2/SZj5/WHWmTDoY5OzjPpd1/yftzvSt8xYR+KG/sVyyLN6Ecvls15wMg4bfDSEhZNnjnS8MerwFTqCOGPebBlEllMN1DV6aUipV7dXjPkBSvUuj3pCixPWt5X2o/9c+YkJmi1Yj/gr02D1zn/GXzstnD2gQUGm7SlLByVvQrxvWd25KITC4DbHk1NAN8VjiB0GXbzcRRV0wZTnll2rb7TQM8o6gOSagxm1/SX066vzagAHx0xBfGYB4RtFZuudP8ZxUP8PEazgIfmZBdxdoJizK8U5zN4nl+12nyjGWiMU07FXsNhV66tWOsH9oHsnLfMwDpDEFc8g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Zf0F6DqkOmNDVWH6z3ek7Vs2volz0LM44W8yXadnRqM=; b=oXRfzi8ax9b7iXi6E78Szsbglu3AEihBFM9Sq+veCpdbD7etiYtMSEEAalBx8KVrFA8OEB/DAoWQyNXqud3HTkANRAECdYaVv+HFfeg5r1IUYhYXrWGRl5r638fl5VqUDFUp57+XVeei57D02FJkwGPa48G/0xGHcOyaYDdISvjKVPdwMJq/LEdzrNhni7ArS5CsOB5QS0V0PjBeRRw1naFyj35RkbRExbOYi7QbyHp6/BVDOj0mWZlVBQZQKyLNOmSNWi1xL0GezF9o/kPd6NZ282MRG/+ubrsSlvlswYmT1/45oRrJ9pJZ5JhEmzk1yrq2v5Okdz4ZNw6rIUOlWA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=digicert.com; dmarc=pass action=none header.from=digicert.com; dkim=pass header.d=digicert.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Zf0F6DqkOmNDVWH6z3ek7Vs2volz0LM44W8yXadnRqM=; b=OQLNprC/mYuvYW0yzt8bsSIWBJCGiVpgxa2NHvDP0g3a5srwAVtp++7d4AK1rtg5Q6i1EOvsaFIPmZpfRrhrNrM6NACkL9Ye6fvPkx5uvbLrpf/jUJTUfmtQKY9KL7yg5qjsaT9HJZuc1P3dfVWzK1OLwdKva+5iY7lHWfABLbE=
Received: from CH2PR14MB3644.namprd14.prod.outlook.com (10.186.137.20) by CH2PR14MB3944.namprd14.prod.outlook.com (20.180.16.17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2495.18; Tue, 26 Nov 2019 19:55:27 +0000
Received: from CH2PR14MB3644.namprd14.prod.outlook.com ([fe80::f4a8:8f67:3f90:2736]) by CH2PR14MB3644.namprd14.prod.outlook.com ([fe80::f4a8:8f67:3f90:2736%4]) with mapi id 15.20.2474.023; Tue, 26 Nov 2019 19:55:27 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Carrick Bartle <cbartle891@icloud.com>, "Dr. Pala" <madwolf@openca.org>
CC: Nick Sullivan <nick@cloudflare.com>, IETF SecDispatch <secdispatch@ietf.org>
Thread-Topic: [Secdispatch] Clarification for a question about OCSP caching from Nick (Cloudflare)
Thread-Index: AQHVntrLBvBdg70fIEi/GUO8I2l8aKeTgzEAgAAbu4CACeIigIAAYLDw
Date: Tue, 26 Nov 2019 19:55:27 +0000
Message-ID: <CH2PR14MB36444B9F84F39AD8F9BD68FB83450@CH2PR14MB3644.namprd14.prod.outlook.com>
References: <265ce9c3-8d24-b8c2-f13c-a54280a7ffba@openca.org> <CAFDDyk9x1w-voWdM31zwExkj3UWX9Dir4d4JF2DQrxYArH-jbg@mail.gmail.com> <5e81fda8-52d3-e39a-1999-ac98efd4ae70@openca.org> <58FB63D0-58A3-4610-8A86-43D6050C5FAA@icloud.com>
In-Reply-To: <58FB63D0-58A3-4610-8A86-43D6050C5FAA@icloud.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=tim.hollebeek@digicert.com;
x-originating-ip: [98.111.253.32]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: f56e9aff-247b-4e71-bfd4-08d772aa95a6
x-ms-traffictypediagnostic: CH2PR14MB3944:
x-microsoft-antispam-prvs: <CH2PR14MB3944FB18A26EB1B4C479062B83450@CH2PR14MB3944.namprd14.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 0233768B38
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(346002)(376002)(136003)(39850400004)(366004)(40224003)(51914003)(189003)(199004)(51444003)(11346002)(53546011)(66066001)(30864003)(229853002)(86362001)(6436002)(5660300002)(55016002)(6306002)(9686003)(99286004)(14454004)(966005)(316002)(54906003)(446003)(66574012)(52536014)(26005)(186003)(6246003)(110136005)(102836004)(2906002)(478600001)(76116006)(33656002)(256004)(3846002)(6116002)(71200400001)(561944003)(71190400001)(4326008)(66446008)(66946007)(66556008)(66616009)(66476007)(64756008)(81166006)(8936002)(81156014)(8676002)(44832011)(14444005)(305945005)(25786009)(76176011)(7696005)(74316002)(7736002)(6506007); DIR:OUT; SFP:1102; SCL:1; SRVR:CH2PR14MB3944; H:CH2PR14MB3644.namprd14.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: digicert.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: wlL/svQwYJk5tk7ZFhvfcJSgTRw/zYh83Yvrxzpp17aF0KFI3OPntoBtRyAZQcv1T/WyqH6TsyzIh0Zj8x4EQuHOad/eGDi81AxaxsjcCRehPvO86YKH/apzhmnPEY6wYRCOYgPLfUU70nR4L4PGv2+Di7z1mG+XnktvLj5aRkJBldHxFhrxqGGbogxOsPWHbFmm0R0OOt1BC+btByNHiqE91BzDRbsi2ML39RbfTnthxGDBnNSiJAAW0ILd+Cm8RKi+o5xZsaIe8dG0FJ/MFQWR6I01L8ltOsU6HH11iZiDr4/KLoBPQbpd8XLnHNh8jXWEUEBCT6GGQwl+vt0msr793wPxSqG/ps1LypH1+Xf3kBdZdlg1s7/ax6uZxunvs9YyHTyWqf2sRIC3pTKMAN7Cye5CkWuPGITFMQClrje86iusRRC/3Mg+05cTyoLvY1NEOl5m4Pbvm0p9BcW6eSixnzOQEydWuiJkuYSEmPw=
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=2.16.840.1.101.3.4.2.1; boundary="----=_NextPart_000_0028_01D5A469.89363490"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f56e9aff-247b-4e71-bfd4-08d772aa95a6
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Nov 2019 19:55:27.5042 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ZX/QARckGc/i1RFf4IYId8UxU/fSA9V0oHwh8JBXkBpABl/N5ncRqkGNMj8WziDPn2wCrTxKW4r10k098pF0J0hSX4V1Z79iL4le9/jSjpw=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH2PR14MB3944
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/tOrUT8tC_CLe9gbw-Ei6Efz8Pn0>
Subject: Re: [Secdispatch] Clarification for a question about OCSP caching from Nick (Cloudflare)
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Nov 2019 19:55:42 -0000

Hello,

 

I'm a big fan of the bloom filters that several browsers are deploying.
However, these filters express an aggregate of all the information across
multiple CRLs, and have some false positives due to the compression.  It
naively seems to me that creating these bloom filters based on compressed
CRLs would be a bad idea, as it would compound the errors.  But I'd love to
see or work with people on data on that, because perhaps with the proper
tuning that isn't really an issue.  So if you're using bloom filters, you
probably want to spend the time working on raw CRLs, and either way, this
proposal is of no interest to you since you're not relying on OCSP on the
client side.

 

However, that's not the use case that ranges really address.  Ranges are NOT
intended for clients that want the status of multiple certificates.  Indeed,
they don't work particularly well for that use case because it doesn't take
too many revocations before you have to get a bit lucky for multiple of the
certificates you are interested in to be in the same range.

 

The real use case is for devices that do not have the storage capacity to
take advantage of the bloom filter approach.  These clients still need OCSP
to be efficient for single certificates.  And it is, on the client end.
However, on the server end, generating individual OCSP responses and
distributing them to a CDN for every valid certificate is a significant
workload.  This is especially true because the smaller and more resource
constrained your devices are, the likelihood is you have many, many more of
them.  So it makes sense to think about how to optimize for the "most
lightbulbs are not revoked" case.

Both the generation time and the amount of CDN content that needs to be
distributed is greatly reduced by allowing range-based responses.

 

So again, this isn't about saving OCSP requests at all, and this proposal
has absolutely no impact on the very intelligent and forward looking
endpoint that choose to avoid OCSP requests by compressing CRLs and
replacing OCSP with local lookup.  It's designed for systems and ecosystems
who can't do that, which is not the Apple use case.

 

-Tim

 

From: Carrick Bartle <cbartle891@icloud.com> 
Sent: Tuesday, November 26, 2019 8:43 AM
To: Dr. Pala <madwolf@openca.org>
Cc: Nick Sullivan <nick@cloudflare.com>om>; IETF SecDispatch
<secdispatch@ietf.org>rg>; Tim Hollebeek <tim.hollebeek@digicert.com>
Subject: Re: [Secdispatch] Clarification for a question about OCSP caching
from Nick (Cloudflare)

 

Hi Max,

 

What's the current proposal? The draft
<https://tools.ietf.org/html/draft-pala-ocspv2-00>  doesn't appear to
contain details beyond the notion of providing ranges and information about
the entire chain, and it doesn't seem to address the issues raised in the
PKIX and LAMPS discussions linked here
<https://datatracker.ietf.org/meeting/106/materials/agenda-106-secdispatch-0
3> .

 

At Apple, we also cache OCSP responses in a compressed form, i.e. in Bloom
filters. Having the option to receive CRLs in a compressed format like that
would definitely be more efficient for us. I'm not convinced that ranges
would be as helpful. CRLs are helpful when someone is compiling an entire
catalog of revoked certificates. OCSP is helpful when you want to check the
revocation status of one particular certificate. If OCSP is instead a hybrid
of these two approaches, this assumes that the client is going to want data
on the other certificates in the range they receive (many of which won't
even exist, since, as someone commented in the pkix thread, serial numbers
are often (usually?) randomized). I'm not sure how often that additional
revocation information is actually going to be useful to the client.
Statistics on that is the sort of data that would be helpful in evaluating
this proposal. If it turns out, for instance, that providing ranges ends up
saving only, say, 0.1% of OCSP requests, it probably wouldn't be worth the
effort.

 

As for returning revocation data for the entire chain, the question must be
asked: which chain? In some cases, certificates are cross-signed, and so
there is no one chain to provide revocation data for. Is the client
effectively going to delegate finding the best chain to the OCSP responder?
I'm not sure that's in the client's best interest, and I'm not sure OCSP
responders are going to want to bother handling that.

 

Carrick

 

 





On Nov 20, 2019, at 2:47 PM, Dr. Pala <madwolf@openca.org
<mailto:madwolf@openca.org> > wrote:

 

Hi Nick,

thanks for the reply. My comments are inline...

On 11/20/19 1:07 PM, Nick Sullivan wrote:

Hi Max,

 

Thanks for your clarification. I now understand the work is aimed at
optimizing the number of signatures by the CA's OCSP responder and the
number of bytes of unique OCSP data.

 

Yes, that is correct. The other optimization is about the ability to provide
responses for the whole chain in a single message.



Currently, the number of OCSP signatures the CA needs to do is linear in the
number of active certificates. This proposal changes this so that the number
of signatures is linear in the number of revocations of active certificates.
It's conceptually similar to NSEC in that way: it's a cover proposal in
which the artifacts are constant size, but require a linear number
signatures in the size of the revocation set. Contrast this with CRLs, which
require a constant number of signatures, but are linear in the size of the
revocation set. So maybe the goals could be better phrased in terms of
lowering the cost of generating compared to OCSP and distributing compared
to CRLs.

 

I am not sure I follow. In PKIs, today, we use both mechanisms. This is
because usually the CRLs are used as a backup mechanism for OCSP - we also
need to support both because of Certification Policies (exactly as in the
Internet PKI environment), therefore it is not a choice :D The proposed
approach can be used to (a) limit the amount of data that needs to be
generated, stored, and transferred when pre-computing responses, and (b) to
compute all responses and serve them from memory - even small instances
without any hardware acceleration could achieve reasonable performances
(also for shorter validity periods in responses).



This proposal implies a middle-ground PKI deployment that has enough
revocations for CRL to be inefficient but not enough to cause the negative
space of the serial number to be of the same order as the number of
certificates. It would be great to see examples of PKIs that motivate this
optimization, which is why I suggested that data could help.

Technically, you are correct. If we could predict the size of CRLs, we could
potentially try to understand what that threshold is. However, as I
explained in the presentation, the size is fairly unpredictable. That is why
we primarily use OCSP today.

 

I should also note that while this proposal reduces the number of OCSP
signatures (which can be on the order of 104 signatures for 2-year certs),
the impact is less dramatic for CAs that issue shorter-lived certs. For
example, Let's Encrypt only signs around 13 OCSP responses for each of their
3-month certificates.

That is correct, the impact is less with short-lived certificates because in
those environment, the population of active certificates is usually smaller.
If the population is still large, you still have the same problem.

You mention that your OCSP responses have a 7 days validity, correct ? My
question is: which considerations went into deciding such a large validity
period for the OCSP responses (7 days) ? Maybe costs considerations drove
the decision ? From a security standpoint, such long validity periods blinds
clients from detecting revocation that might happen during the 7-days
validity period (the problem is worse now with the deployment of OCSP
stapling because clients do not fetch fresh responses at connect time,
AFAIK, if stapling is supported). I would expect that few minutes validity
windows or maybe few hours would be a better choice - but how much does that
cost to Let's Encrypt ?

The Cable industry has used certificates, for few decades now, for different
purposes - as a hardware certification tool and to secure our networks - in
this environment, the typical life-span of a certificate is many years (up
to 20) and it is tied to the envisioned life-span of the device (no
renewal). As you can see, in our environment, CRLs will never be an option
and OCSP simply costs too much (for an infrastructure that, over all, has an
active population of several hundreds million of active certificates - we
might be even beyond that with just the three OpenCable, PacketCable, and
DOCSIS).

Ultimately, we need to work on the solution so that we can have our vendors
to integrate it in their products, like CableModes, that are going to be
deployed (and provide internet connectivity) for hundreds of millions of
households for the next 10 to 20 years. We need to lower the security risks
associated with the infrastructures that brings Internet to many of us -
revocation is important to prevent possible compromises to go undetected. I
think that everybody who has Cable should support this work that is going to
directly impact them for many years. 

Cheers,
Max

P.S.: I also have other personal motivations for this work. I think that
this is also the right thing to do for non-technical reasons - I come from
the OpenSource world that so much has give for the success of the Internet
but where there is no money. More efficient technologies could be leveraged
by communities around the world who deserve good security but costs get in
the way. I know it is not a technical detail, but I think we shall always
try to have these considerations in our minds - making the world a better
place and less wasteful (energy) is an amendable goal in general and
emerging communities could really benefit from our work.

 

On Tue, Nov 19, 2019 at 9:11 PM Dr. Pala <madwolf@openca.org
<mailto:madwolf@openca.org> > wrote:

Hi Nick, all,

at the end of the second presentation on lowering the costs of revocation,
if I am not mistaken, your question/comment (Nick) was about the fact that
Cloudflare hosts / serve most of the cached OCSP responses and that the
system does not have issues.

I am not sure if this comment is pertinent to what we are trying to solve
here... let me elaborate a bit more.

The work we have been doing around the proposed topic of work is aimed at
lowering the cost of generating and distributing these large volumes of
signed data when there is actually no need for that. By optimizing the
protocol to provide range responses (or other methods, if we decide to go
with a different approaches), we can reduce the number of signatures needed
from a CA and their distribution - very expensive operations.

In other words, the proposal is not aimed at fixing any caching issues
because, as you noticed in your comment, that works just fine. The proposal
at hand, instead, is about fixing a problem that CAs are facing today - high
costs of deploying and running such systems.

On the other hand, your comment made me think about the caching service you
mentioned and its associated costs. 

Is it a service for which your company charge CAs ? If so, would you be able
to share what are currently the costs incurred by CAs to leverage your
service ? (I totally understand if you are not willing to - after all, this
is usually the secret sauce :D)

Last but not least, I also would like to point out that optimizing the
revocation can also help open-source communities, small companies,
universities, non-profit, etc. by enabling them to deploy cost-efficient
systems that can provide good quality of service using less resources
(computational, storage, network).

Please let me know,

Cheers,
Max

P.S.: If we could combine this idea with OCSP over DNS, we could really
provide access to revocation technology for everybody, not just who can
afford the price. Unfortunately we know how that discussion went, and I
still think it is a very evident mistake not doing it  (I am still working
on this in my spare time - I think it is of enormous value for emerging
countries to have access to cheap secure technologies and, in my opinion,
IETF is dropping / has dropped the ball on this for not-so-honorable
reasons, I suspect...). I hope We can fix it in the open-source community.

-- 

Best Regards,

Massimiliano Pala, Ph.D.
OpenCA Labs Director

<dhmacjdifkefaoin.png>

-- 

Best Regards,

Massimiliano Pala, Ph.D.
OpenCA Labs Director

<ijeffbhlgncflbab.png>

_______________________________________________
Secdispatch mailing list
 <mailto:Secdispatch@ietf.org> Secdispatch@ietf.org
 <https://www.ietf.org/mailman/listinfo/secdispatch>
https://www.ietf.org/mailman/listinfo/secdispatch