Re: [lamps] draft-housley-lamps-norevavail-00

Tim Hollebeek <tim.hollebeek@digicert.com> Fri, 19 May 2023 17:23 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>, "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, Russ Housley <housley@vigilsec.com>, LAMPS <spasm@ietf.org>
CC: Joe Mandel <Joe.Mandel@secureg.io>, Tomofumi Okubo <tomofumi.okubo@gmail.com>
Thread-Topic: [lamps] draft-housley-lamps-norevavail-00
Date: Fri, 19 May 2023 17:23:19 +0000
Message-ID: <SN7PR14MB6492BA2FF0D14C8CE1891406837C9@SN7PR14MB6492.namprd14.prod.outlook.com>
References: <168444309553.24047.14923062710269229403@ietfa.amsl.com> <E2BE1DCD-A241-4DDF-A5EC-DD3209C4CDA2@vigilsec.com> <SN7PR14MB649255412EFADEE00E0F6B00837C9@SN7PR14MB6492.namprd14.prod.outlook.com> <CH0PR11MB5739CCB7CDDCAD1D11F04DAE9F7C9@CH0PR11MB5739.namprd11.prod.outlook.com> <BB5FA3FE-445A-44C4-B4C7-471B15310582@akamai.com> <CH0PR11MB5739E4C8D14294F6868D18929F7C9@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB5739E4C8D14294F6868D18929F7C9@CH0PR11MB5739.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/0Hr14RIhi1uDWIWxF0QGsjExuD8>
Subject: Re: [lamps] draft-housley-lamps-norevavail-00

I was aware of that argument, but I was wondering if there was anything additional going on here that I had failed to think of.  With some people being very focused on certificate size, having an extension B that says “extension A intentionally left blank” perhaps needs some justification.  Or perhaps not.  On balance, I think it is best people have the option to be able to do so, for the reasons Rich mentions, but I have no strong feelings about it.

Since Mike mentioned browsers, when this last came up at CABF about seven years ago, we also answered the question about how browsers would handle this.  It’s actually trivial since they all mostly soft-fail on OCSP anyway.  In fact, in response to those discussions, Mozilla added code to ignore OCSP extensions for certificates with lifetimes less than some small number of days.  Some people even use it.

-Tim
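An added illustration of the relying-party behaviour discussed above (this is example code, not code from the draft, from Mozilla, or from any poster): a verifier's decision logic that treats an explicit noRevAvail extension, a short-lived certificate, and a certificate that is simply silent about revocation as three different cases. The CertInfo shape, the 10-day threshold and the sample certificates are assumptions constructed for the example; the OID 2.5.29.56 is the X.509 id-ce-noRevAvail extension.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Set

# id-ce-noRevAvail (2.5.29.56), the X.509 extension the draft profiles for
# public-key certificates.
NO_REV_AVAIL_OID = "2.5.29.56"
# Assumed relying-party threshold; the thread only says "some small number
# of days", so 10 is a placeholder policy value, not a documented one.
SHORT_LIVED_DAYS = 10


@dataclass
class CertInfo:
    """Constructed, minimal view of the certificate fields the policy reads."""
    not_before: datetime
    not_after: datetime
    extension_oids: Set[str] = field(default_factory=set)
    ocsp_url: Optional[str] = None
    crl_url: Optional[str] = None


def make_cert(lifetime_days: int, **fields) -> CertInfo:
    """Build a constructed sample certificate valid for lifetime_days."""
    start = datetime(2023, 5, 19, tzinfo=timezone.utc)
    return CertInfo(start, start + timedelta(days=lifetime_days), **fields)


def revocation_decision(cert: CertInfo, ocsp_status: Optional[str]) -> str:
    """Decide how a relying party treats revocation for this certificate.

    ocsp_status is 'good' or 'revoked' when a responder answered, or None
    when no answer was obtained. Returns one of: 'skip-explicit',
    'skip-short-lived', 'ambiguous', 'soft-fail', 'good', 'revoked'.
    """
    if NO_REV_AVAIL_OID in cert.extension_oids:
        # The CA stated explicitly that no revocation information exists,
        # so there is nothing to fetch and nothing to infer from silence.
        return "skip-explicit"
    if cert.not_after - cert.not_before <= timedelta(days=SHORT_LIVED_DAYS):
        # Short-lived certificate: expiry bounds the damage, so skip OCSP
        # (the behaviour Tim attributes to Mozilla for short lifetimes).
        return "skip-short-lived"
    if cert.ocsp_url is None and cert.crl_url is None:
        # Silent absence of pointers: intentional, or a CA mistake? Rich's
        # point is that the verifier cannot tell the two apart.
        return "ambiguous"
    if ocsp_status is None:
        # Responder unreachable: the soft-fail most browsers apply today.
        return "soft-fail"
    return ocsp_status
```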

From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Sent: Friday, May 19, 2023 12:48 PM
To: Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org>; Tim Hollebeek <tim.hollebeek@digicert.com>; Russ Housley <housley@vigilsec.com>; LAMPS <spasm@ietf.org>
Cc: Joe Mandel <Joe.Mandel@secureg.io>; Tomofumi Okubo <tomofumi.okubo@gmail.com>
Subject: RE: [lamps] draft-housley-lamps-norevavail-00

> In my security experience, it is always better to explicitly state something – the alarm did not sound – rather than have something implied by its absence

Fair enough.

---
Mike Ounsworth

From: Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org>
Sent: Friday, May 19, 2023 10:44 AM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>; Tim Hollebeek <tim.hollebeek@digicert.com>; Russ Housley <housley@vigilsec.com>; LAMPS <spasm@ietf.org>
Cc: Joe Mandel <Joe.Mandel@secureg.io>; Tomofumi Okubo <tomofumi.okubo@gmail.com>
Subject: [EXTERNAL] Re: [lamps] draft-housley-lamps-norevavail-00

So yeah, exactly what Tim said: in what case is it helpful to explicitly state “No revocation info available” vs just leaving those extns out?

(Separate thread, separate issue)

In my security experience, it is always better to explicitly state something – the alarm did not sound – rather than have something implied by its absence – did the alarm sound? Do I know the CA is modern, did it make a mistake (been known to happen), etc.
