Re: [lamps] The Status of OCSP and its future
Tomas Gustavsson <tomas.gustavsson@primekey.com> Fri, 25 October 2019 07:53 UTC
To: Dmitry Belyavsky <beldmit@gmail.com>
Cc: LAMPS <spasm@ietf.org>
References: <8c84cf2c-c192-c13b-17e5-7ae09b748530@openca.org> <84e130d2-2df2-2f96-0200-716b333a1390@primekey.com> <CADqLbzLrjagRkpRqt3_gpiYGTooWU5bTN02w4q2r8Mjf3_-BxQ@mail.gmail.com>
From: Tomas Gustavsson <tomas.gustavsson@primekey.com>
Message-ID: <201561ae-fb90-cba8-87f3-c88a7324f483@primekey.com>
Date: Fri, 25 Oct 2019 09:53:14 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Ry8-ry3MJOKTb_Btz9ohxA7lKGw>
On 2019-10-25 09:14, Dmitry Belyavsky wrote:
> Dear Tomas,
>
> On Fri, Oct 25, 2019 at 9:58 AM Tomas Gustavsson
> <tomas.gustavsson@primekey.com> wrote:
>
>>> Our approach stems from two practical considerations: the occasion to
>>> provide optimized responses for the non-revoked case, and the
>>> possibility to reduce the number of round trips required to retrieve the
>>> revocation status for the full chain of certificates. In particular:
>>>
>>> * Optimizing for the common case (non-revoked certificate). In
>>>   particular, for certificates that have no revocation information, we
>>>   do not have to provide specific responses for each individual
>>>   certificate (as we do in the revoked case), but we can provide
>>>   responses for ranges of certificates where the status is not
>>>   revoked. In a PKI with a population of 100M certificates and a
>>>   revocation rate of 5%, using "range" response types reduces the need
>>>   for calculating OCSP responses from 100M to 1M (i.e. 2N + 1 where N
>>>   is the population of revoked certificates). This allows
>>>   pre-generating responses more quickly, allows for lower costs of
>>>   running the revocation infrastructure, and it is better for the
>>>   planet :D
>
> What could a "range" of certificates be based on?
> (I consider sequential serial numbers to be dead by now)

E.g. notBefore time? That certainly works for partitioning, often used in
partitioned CRLs of course.
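The "range" response scheme discussed in the quoted message, as an added illustration that is not code from the thread or from any of the participants: the ordered key is assumed to be an integer (a sequential serial number, or a notBefore timestamp as suggested in the reply), each revoked key gets its own entry, and every maximal run of non-revoked keys between them collapses into one "good" range, so a population with N revoked entries needs at most 2N + 1 responses.

```python
# Added example: collapse a certificate population into "range" style
# status responses. The key space [lo, hi] is assumed (constructed) to be
# an ordered integer key: a serial number, or a notBefore timestamp.
from bisect import bisect_right
from typing import List, Tuple

Response = Tuple[str, int, int]  # (status, first_key, last_key), inclusive


def build_range_responses(lo: int, hi: int, revoked: List[int]) -> List[Response]:
    """Cover [lo, hi] with per-key 'revoked' entries and collapsed 'good' ranges.

    Keys outside [lo, hi] and duplicates are ignored. With N distinct revoked
    keys inside the space the result has at most 2N + 1 entries.
    """
    responses: List[Response] = []
    cursor = lo
    for key in sorted({k for k in revoked if lo <= k <= hi}):
        if key > cursor:  # non-revoked gap before this revoked key
            responses.append(("good", cursor, key - 1))
        responses.append(("revoked", key, key))
        cursor = key + 1
    if cursor <= hi:  # trailing non-revoked run up to the end of the space
        responses.append(("good", cursor, hi))
    return responses


def lookup(responses: List[Response], key: int) -> str:
    """Find the status of one key: binary search on the range start keys."""
    starts = [first for _, first, _ in responses]
    idx = bisect_right(starts, key) - 1
    if idx >= 0 and responses[idx][1] <= key <= responses[idx][2]:
        return responses[idx][0]
    return "unknown"  # key lies outside the covered space


if __name__ == "__main__":
    # Constructed population: keys 1..10, with 3 and 7 revoked.
    rs = build_range_responses(1, 10, [7, 3])
    for status, first, last in rs:
        print(f"{status:8s} {first}..{last}")
    print(len(rs), "responses for 2 revoked keys (bound: 2N + 1 = 5)")
```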