IETF Logo Mail Archive

Re: [Spasm] An OCSP response extension

Sean Turner <sean@sn3rd.com> Tue, 14 March 2017 15:16 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72560129502 for <spasm@ietfa.amsl.com>; Tue, 14 Mar 2017 08:16:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M7qJoAQgXtIv for <spasm@ietfa.amsl.com>; Tue, 14 Mar 2017 08:16:29 -0700 (PDT)
Received: from mail-qt0-x231.google.com (mail-qt0-x231.google.com [IPv6:2607:f8b0:400d:c0d::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2752212965D for <spasm@ietf.org>; Tue, 14 Mar 2017 08:16:28 -0700 (PDT)
Received: by mail-qt0-x231.google.com with SMTP id r45so58000448qte.3 for <spasm@ietf.org>; Tue, 14 Mar 2017 08:16:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=cqJVWWSJLPuBL6bR6GJa56KR8ITgLjlu2lbGBpReWTY=; b=MvCFdOOpaIxpy9pJNTob1GqB52/0Qwgbl6Io6BkM2enCBe3C90ufBkV5ErRMvtY+Uf fdqYktpsODgQePXxJ8cRj8xp0CJq8obLy3biORzTopgBC/cd8UAozr65jOnBE3/CIg3A evb1mmEiQ+FMdlGarGowoJHWHGZyVqSJQNq3c=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=cqJVWWSJLPuBL6bR6GJa56KR8ITgLjlu2lbGBpReWTY=; b=GOELMbXiT9dfY8I+VvbvP8pOsod42ll8afdFDeQop7c195xIXDd84AYPXHibENrm4A ZvWcB7DeFBnMceHhBjvFUeOAVa39lLTMLowMTCmZ5DMQEyNsPslx5reJ15Wx6pBV7EoS TYq+iZEnaUG0ZMoHvoC1Q0xEyckOi4V4noShUcw3fc2m4IAqyiwypciFy+cjEWd9dcDz q2Utuc155hQ2FjiyD0AltC+aLpYNQ35q188yYnwoXt0LWYJenVIFVW773mleUja6+s5+ fORY3cXGUGmtv9rpugzGR5336qZedU1SJcKQrqRa7/GoxfPERfZ4anYbHQSpaon1k7Px 4FOg==
X-Gm-Message-State: AMke39n30AAIn81D+ZXnSodJ5+AKdqry/bLmNFKAck0QrJA8v9Tyh+uqK0cnTDHt3s1Vww==
X-Received: by 10.237.34.8 with SMTP id n8mr40529877qtc.98.1489504587154; Tue, 14 Mar 2017 08:16:27 -0700 (PDT)
Received: from [172.16.0.18] ([96.231.228.203]) by smtp.gmail.com with ESMTPSA id j1sm14555584qkf.57.2017.03.14.08.16.25 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 14 Mar 2017 08:16:26 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <CAErg=HEOVMSw+BjC6d4YAm=f9yES+1167x-1=-XqT=HxGd2k5w@mail.gmail.com>
Date: Tue, 14 Mar 2017 11:16:23 -0400
Cc: Rich Salz <rsalz@akamai.com>, SPASM <spasm@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <3591C2E8-27D6-4F4E-86DC-546859742995@sn3rd.com>
References: <b404a8551c8645b1aaa3675dc1d8da0f@usma1ex-dag1mb1.msg.corp.akamai.com> <7B492EB7-CC0D-4706-85AC-8844F5BCF847@vigilsec.com> <244b0812054a41598425c6cdbf511392@usma1ex-dag1mb1.msg.corp.akamai.com> <e64fa37d9d4049cea615d793ab10cc12@usma1ex-dag1mb1.msg.corp.akamai.com> <CAMfhd9XngCH5zb2pLsj-niKuq=D3hvr3S22kU-8MGbM1xjyx3w@mail.gmail.com> <6d9976eb3fdd4bb2840a5d91ee66eec2@usma1ex-dag1mb1.msg.corp.akamai.com> <CAMfhd9U4dH0Uw5=OCqhycYrx0u3hoUQPW_07fHUYyiL5O8E-hg@mail.gmail.com> <2CDB8533-CB33-484A-AAB2-FD8FD0CB8D74@vigilsec.com> <6FC056E9-C31E-4E49-B9D8-63DC19AD419A@sn3rd.com> <CAErg=HEOVMSw+BjC6d4YAm=f9yES+1167x-1=-XqT=HxGd2k5w@mail.gmail.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/CCa1B9Qlm8WVJbBNge3oR2mwKr4>
Subject: Re: [Spasm] An OCSP response extension
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Mar 2017 15:16:32 -0000

> On Mar 9, 2017, at 22:15, Ryan Sleevi <ryan-ietf@sleevi.com> wrote:
> 
> 
> 
> On Thu, Mar 9, 2017 at 9:13 PM, Sean Turner <sean@sn3rd.com> wrote:
> If this is going to be get widely implemented should we look at updating RFC5019 which says:
> "The responder SHOULD NOT include responseExtensions”?
> 
> How do you see "widely implemented”?

I naively was thinking along the “worldly” level (aka WebPKI).

> I mentioned to Rich privately, but I think this is something that the CA/Browser Forum should consider profiling out and expressly forbidding for the time being, and if later ended up valuable (e.g. in the context of must-staple certificates), would need to aggressively profile the acceptable values suitable for the Web PKI.
> 
> In the context of other PKIs, however, I have no thought and experience to inform on the value of that, which is why I was asking about "widely implemented" - for example, if used by the FPKI or Grid PKI, would that be "widely implemented"? If 5019 dropped the SHOULD NOT for that reason, would the CA/B Forum need to profile it back in for the Web PKI?

So this is an interesting point and it’s kind of like when we looked at profiling OCSP for STIR (i.e., getting cert status for originators of digital signed SIP requests).  The HA OCSP profile was close to what we wanted so we use it as the base and then profiled stuff in (in some case back in and in some cases new stuff in).  If the HA OCSP profile had an applicability statement, which really nobody was doing back in the day, then it would be clear where it applied and where it didn’t.  I’m certainly not proposing anybody write up an applicability statement because well different communities can profile it as they see fit.  The only wrinkle here is that some communities are more hesitant than other to profile things back in because they get push back about being “non-standard,” but this might just have to go with the territory.

spt

v2.23.0 | Report a Bug | By Email