Re: [lamps] The Status of OCSP and its future
Phillip Hallam-Baker <phill@hallambaker.com> Fri, 25 October 2019 16:55 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9643120992 for <spasm@ietfa.amsl.com>; Fri, 25 Oct 2019 09:55:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.781
X-Spam-Level:
X-Spam-Status: No, score=0.781 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MALFORMED_FREEMAIL=1.159, MISSING_HEADERS=1.021, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1XCI10BEAOCo for <spasm@ietfa.amsl.com>; Fri, 25 Oct 2019 09:55:13 -0700 (PDT)
Received: from mail-oi1-f195.google.com (mail-oi1-f195.google.com [209.85.167.195]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E570112098B for <spasm@ietf.org>; Fri, 25 Oct 2019 09:55:12 -0700 (PDT)
Received: by mail-oi1-f195.google.com with SMTP id v186so2060203oie.5 for <spasm@ietf.org>; Fri, 25 Oct 2019 09:55:12 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:cc; bh=pp5wmep3nCGCvI+vcf01QwBRFhYXCPzVI78kj+QM+L4=; b=UUwwgkbYJWc2X81PCFfUNxKfnQ3Paww3s+bL/DutxiHmDdExNbYVUzBHJUxIhDmg5D JdbcNlh3j+z1bVkfgh1TKyXhn+oGzPEEWweShevR5Pqrd3vBEOqtyOw6eQNxgqh2eRNO JYDrdN8jKBZBmXEB6tMtJ/IbTOu2OuejwPqPX1RYr8wJU8jp0rjTA/Q9iHUiP0ioRSzq KK2XVQshH5E754lajGCajcZ5v6eiSpNJK6vnUD1w/RNZ57tZYgd/TP6kRqkLNucyJTe5 cw12XqzNkm284OT7tJd+veki3ROJ5hDxSlFzvE31wgPEu9zqIqJLAgumX9b4YoM2KQH6 m0VQ==
X-Gm-Message-State: APjAAAUCBr6ICTrMT/JTOEit1aABzeagpc1lqSyT9+XeH/qJgJQC/JRH Rh4mKhGyRSBUlq32y+5yOUWX9fMUmg6FdTr9Rwj98q1IRKw=
X-Received: by 2002:aca:4a49:: with SMTP id x70mt3611608oia.17.1572022511996; Fri, 25 Oct 2019 09:55:11 -0700 (PDT)
MIME-Version: 1.0
References: <8c84cf2c-c192-c13b-17e5-7ae09b748530@openca.org> <CAErg=HE6fJ3nfXhakckbf=ghJ6=kXQCmYy5_+LNHprqvYeEJFA@mail.gmail.com> <07ee43b6-a1b2-c2d4-2361-e6f87d0197c0@openca.org> <CAErg=HHv6X2++OZfmcNgS2kMh2oMWfefSMZLBWjN_-oH=tDZEA@mail.gmail.com>
In-Reply-To: <CAErg=HHv6X2++OZfmcNgS2kMh2oMWfefSMZLBWjN_-oH=tDZEA@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Fri, 25 Oct 2019 12:55:00 -0400
Message-ID: <CAMm+Lwii1z4OUtaUK3WPO8aOx6cvJ7tj6E1t6XgWPwupEgU_SA@mail.gmail.com>
Cc: "Dr. Pala" <madwolf@openca.org>, LAMPS WG <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000069320d0595bf03ad"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Ki7brr4y5szvBH78dHHgAitBFLA>
Subject: Re: [lamps] The Status of OCSP and its future
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Oct 2019 16:55:15 -0000
Returning to the original point, yes, there is indeed a problem with the scalability of issuerDistributionPoints as we discovered when we visited this whole discussion in 1998. At the time we had a whole set of IPR issues covering a patent claim as well. I don't recall whether it got anywhere but I suggested a mechanism which avoids the scaling issue. The problem with distribution points is that the partition of the certificate space has to be decided in advance. Which forces the issuers to be conservative in their partitioning. Worse, you are then obliged to maintain separate CRLs for each partition whether you want to or not. This is avoided by the introduction of a scope extension in the CRLs specifying that it applies to a range of certificate serial numbers. This means that if there are 500 revoked certs, the issuer can issue five CRLs with 100 each. And then if the number increases to 750, they can increase to 8 CRLs each of which is less than a hundred. There are other schemes that can be used. It is actually possible to compress CRLs even when the serial numbers are random numbers, Rob Straddling and myself made some proposals in that area which I will probably adopt at some point in the Mesh. To respond to the specific points: On Fri, Oct 25, 2019 at 11:38 AM Dr. Pala <madwolf@openca.org> wrote: > Hi Phillip, All, > > thanks for the reply - lots of interesting considerations. Please forgive > me if I am not familiar with the details around your proposal (Mesh), > however I think it is a good idea to work in the space - as you say, > although the approach might be different, the problem is actually the same. > > From what you write, it seems that your approach is more "radical" and try > to tackle the problem for a specific angle - the security of keys. I do not > see this to be a competitor solution, but more as a comprehensive approach. > In this vision, the two solutions might also have different time horizons: > shorter for the OCSP optimization and longer for more comprehensive changes. > There is a BOF in Singapore on Friday. I am currently working with people to get the Web site put in order. http://mathmesh.com/ There is a video series presenting the technical approach, the first parts of which are available here: https://www.youtube.com/playlist?list=PLK2hHAOxepEgGUx4SitfD4pIPHi86KHpi These will be available as a download for people who are looking for some in-flight entertainment for the flights to/from Singapore. We also have some Internet drafts of which about 6 are reasonably complete at this point (but not final of course). This said, I would like to re-focus the conversation on the proposed idea > and ask you if you see any issue related to the proposal itself. Without > more text and an I-D it is difficult to have a clear vision around it, but > at least the core idea is there :D > > Also, in case we do move forward, would you like to participate in the > effort ? > Yes, I am interested in both. There might even be existing (but long expired!) drafts. I don't necessarily think the Mesh is in competition with or irrelevant to PKIX. It might well be that what we end up doing is deciding that we want to take advantage of the technology but want it in an ASN.1 idiom. That is certainly possible but would obviously be a lot more design effort as one of the reasons I was able to develop the Mesh in such a short time with limited resources was that I ignored legacy constraints.
- [lamps] The Status of OCSP and its future Dr. Pala
- Re: [lamps] The Status of OCSP and its future Ryan Sleevi
- Re: [lamps] The Status of OCSP and its future Phillip Hallam-Baker
- Re: [lamps] The Status of OCSP and its future Michael Richardson
- Re: [lamps] The Status of OCSP and its future Tomas Gustavsson
- Re: [lamps] The Status of OCSP and its future Dmitry Belyavsky
- Re: [lamps] The Status of OCSP and its future Tomas Gustavsson
- Re: [lamps] The Status of OCSP and its future Dr. Pala
- Re: [lamps] The Status of OCSP and its future Dr. Pala
- Re: [lamps] The Status of OCSP and its future Phillip Hallam-Baker
- Re: [lamps] The Status of OCSP and its future Dr. Pala
- Re: [lamps] The Status of OCSP and its future Dr. Pala
- Re: [lamps] The Status of OCSP and its future Ryan Sleevi
- Re: [lamps] The Status of OCSP and its future Phillip Hallam-Baker
- Re: [lamps] The Status of OCSP and its future Tomas Gustavsson