IETF Logo Mail Archive

Re: [lamps] The Status of OCSP and its future

Tomas Gustavsson <tomas.gustavsson@primekey.com> Tue, 29 October 2019 14:34 UTC

Return-Path: <tomas.gustavsson@primekey.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E65E012001E for <spasm@ietfa.amsl.com>; Tue, 29 Oct 2019 07:34:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=primekey.com header.b=x0YHq6Vn; dkim=pass (1024-bit key) header.d=primekey.com header.b=x0YHq6Vn
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aVKJZzAVTIkR for <spasm@ietfa.amsl.com>; Tue, 29 Oct 2019 07:34:26 -0700 (PDT)
Received: from mail.primekey.com (mail.primekey.com [84.55.121.163]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9FEB12000F for <spasm@ietf.org>; Tue, 29 Oct 2019 07:34:25 -0700 (PDT)
Received: from mail.primekey.com (localhost [127.0.0.1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.primekey.com (Postfix) with ESMTPS id BF22C6AA0090 for <spasm@ietf.org>; Tue, 29 Oct 2019 15:34:12 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=primekey.com; s=mail; t=1572359652; bh=0EJhylCG6VBbohDFb80EN8hTDcIDvXrYCUnR7UT5d1M=; h=Subject:To:References:From:Date:In-Reply-To:From; b=x0YHq6Vnkt300Mfyk8e1ijZ7vXnBGaa+xQQu8Tk14Is5O7y1e03rIq5/6L4L5tmlg Und/ssZc/IjEl7zZfWQPL7VK+uDdOhO6fyAqJx7FKpog6cn/0QhZe1hi00TAdFGl0w f/bvvNQ7Aaosfw10A8vndA53yaK0NHc2uQtmKY/Y=
Received: from [192.168.43.52] (m80-170-216-165.cust.tele2.se [80.170.216.165]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.primekey.com (Postfix) with ESMTPSA id 9A32C6AA006B for <spasm@ietf.org>; Tue, 29 Oct 2019 15:34:09 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=primekey.com; s=mail; t=1572359652; bh=0EJhylCG6VBbohDFb80EN8hTDcIDvXrYCUnR7UT5d1M=; h=Subject:To:References:From:Date:In-Reply-To:From; b=x0YHq6Vnkt300Mfyk8e1ijZ7vXnBGaa+xQQu8Tk14Is5O7y1e03rIq5/6L4L5tmlg Und/ssZc/IjEl7zZfWQPL7VK+uDdOhO6fyAqJx7FKpog6cn/0QhZe1hi00TAdFGl0w f/bvvNQ7Aaosfw10A8vndA53yaK0NHc2uQtmKY/Y=
To: spasm@ietf.org
References: <8c84cf2c-c192-c13b-17e5-7ae09b748530@openca.org> <84e130d2-2df2-2f96-0200-716b333a1390@primekey.com> <7c618415-21d7-64c8-e43d-2617d59185f4@openca.org>
From: Tomas Gustavsson <tomas.gustavsson@primekey.com>
Openpgp: preference=signencrypt
Autocrypt: addr=tomas.gustavsson@primekey.com; prefer-encrypt=mutual; keydata= mQENBEyuwwYBCAD31Jsxn1lf7rnFc7y3Ol+TE7pU7ohO78kMdoVrZdAMnU9W0P33GedbU+kF 8/RFq7HlXV8a91RkgtdcMAK8tSdtBKDGZCOJZm5qOZ/EHikY8k/7s1wgSQSF4hYSG/IABCCA W139joDFl4L3buWyk2lsYX1HDBpuXGDL5HFyu165T0ZVlt23T04xmAwpIHUViKUWw1QYnlRz s66Desn2WeP+X8/QlqF1zOTUXbgrThB1X/Oh2+wzP08HVoTQCzlrEMeb9x2k+oa8PtVdnflh nZKBtyyBkZxRoHG3tNKcaf7JLoadSXcSKSKvfApcsxpP2JpkQgIhLi3JWik/Z+RR2WD1ABEB AAG0MFRvbWFzIEd1c3RhdnNzb24gPHRvbWFzLmd1c3RhdnNzb25AcHJpbWVrZXkuY29tPokB NwQTAQgAIQUCWX8yTAIbIwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRBibcSbAEP+QGAU CAC82dn8XCQ8Ei7gxQAdRSc2imaP/388i/ObDMYhNhg5j4gXs3tkfxuCvhwkzskUFgOtmaEy uz/gIiVjQIsjQrHh5tl9M0q2tqbDHJpWfE6/SkXPUmTqQ0VGyq1MmZ3/zg2jSoll74qBSfdH V7sWugRXeCBxfaPeYo8DdPCGi27yrdL8zb3xkJ3BxPcDGNdkLm+Yza+qAOrssCD7MSLN+6Sd ML5Xcmw6pgRPlQ0aCsM7scrwgBNb7KrwxaqBxqwcuqF0NMgNjeiEHi2Oj3HOZdYU4Blk2GFq 9zHuCzTWumgNOlfksZ9K3ZMJBn6KLPot5bVXIKdnHwWRzoKMDxkSZjM5uQENBEyuwwYBCADZ 98eCFQ64zKo1OKkUgEJHO1JdsiqRO1znu6KyaTcd2vXfOCGkFFVBL+vjzzyyYV7Sg1/AaG4r l9TKJCwvx8mUmTJkKQspTfOj6AY33bmfMB/8LBYj2BjtxXyMucPjNTJqbL2r1HeGPV2nwyof MAyo2qcYuiLs20Ob7U8vooOV3GDDKEkXtJYZzTEU6qabGsepGIvMu770OZwvm4akQiCGe5sQ 4+/UH1pMZQNi+/fGbONFx+TUVMM8EkXD6dQ5WoL+xPabPjqiUmR7EBvg0uocr70Ag93tWk1d 4RgFcicjwMFcPg4TZ8Y/3Y7Nmbyo14+4SMNfNPFLgQMawL+cLLkdABEBAAGJAR8EGAECAAkC GwwFAlYXhXUACgkQYm3EmwBD/kA2igf/QNpPe7sLt3KdRD3x4cStxGjLCWyj7x1YLVnV4Nnu TvaNhC+KHx3uG39y1x3PJQwslpeSQ6JipOUmxeQjjGJGQZLV41L1PCJVhCL98Dinr6dJkYB7 cAVhfmW8PI51jiANExLZu8U5gnthj5CGv4428ODQgSoRI0demG3HmVCNrKdap+orhT8zRkq8 DuHTO01U7PKsfvQ2k8AqSAC/JjMOs1mpFe032IApXxlZkE+33Q3dE5BiJmICYg8hsRXvpKTm ZMCdNZJUQLq+XNpg6RtAPQIPMmCepXrE9M/KuH+jFS2G5+Hx5VBSM644E1G2i+HOPCVdHjof iaNi3V/ItEG3jw==
Message-ID: <573f540c-288d-5f7a-26da-9b7266f2ad45@primekey.com>
Date: Tue, 29 Oct 2019 21:34:10 +0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <7c618415-21d7-64c8-e43d-2617d59185f4@openca.org>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/SfccDVtY68r211TlmswI3XWr5M4>
Subject: Re: [lamps] The Status of OCSP and its future
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Oct 2019 14:34:29 -0000

Hi Max,

On 2019-10-25 21:30, Dr. Pala wrote:
> Hi Tomas,
> 
> On 10/25/19 12:52 AM, Tomas Gustavsson wrote:
>> On 2019-10-24 17:01, Dr. Pala wrote:
>>> Hi All,
>>>
>>> I just wanted to start the conversation around the status of revocation
>>> [...]
>>> today, the larger the PKI is, the higher the costs of providing a good
>>> revocation infrastructure is.
>> As there are many PKIs today with 100M+ entities, some with and some
>> without revocation infrastructure, I think it's a bit too broad claim
>> for all use cases.
>> It is certainly true of all operations, the larger the scale the larger
>> infrastructure costs usually are, where OCSP I'd say is generally a very
>> minor part.
>> It differs from use case to use case though, I think it would be good
>> for the discussion to provide more details on your problematic use case,
>> architecture, use pattern etc. Many things are use case and
>> implementation choice specific.
> 
> This is a good point - very practical approach. A sample use-case is our
> industry (Cable). In particular, in our industry, we leverage PKIs to
> secure the communication in our networks: each Cable Modem and DVRs come
> with one or more certificates from our infrastructure. This covers all
> modems from all vendors from all operators.
> 
> Our Network, though, are going through radical changes that are aimed at
> providing the 10Gig platform we just released the standard for. In
> particular, the new architectures will see an increasing number of
> "entities" that require authentication.
> 
> As you can see, our PKI tend to be larger than what you typically see in
> the Web PKI (quite small in comparison - even combining all providers),
> therefore improving the efficiency and reducing the costs is a big win
> for the industry in general and for the users since we can now provide
> OCSP responses with shorter validity periods, thus reducing the risk
> level of our Access Networks.
> 
> This is not the only use-case, though.
> 
> Many IoT environments are starting to use digital certificates for
> authentication at a scale. Some environments, like the Power Grid, are
> already deploying solutions that use certificates to protect the
> communication up to the customers' premises.
> 
> Another use-case that I am bringing forward is Cellular. In particular,
> we already have standardized the use of certificates in some
> environments (e.g., CBRS-A, 5G Fixed, etc.) and it is expected that by
> freeing the network authentication from the need of a physical SIM (and
> associated licensing costs) we will see more and more devices (e.g., Fix
> and Industrial) using this technology.

These are all good examples of where PKI is used. Perhaps I am too eager
to quickly dive into technical details :-). What I was looking for was
some sort of calculations in the cost today using current technologies,
and the possible gains.

For example, (a very speculative one so please forgive my ignorance. I
am quite familiar with telecom and smart metering, but not with cable
modems):
- 100M set top boxes
- 100 media servers
Each set top box talks to media servers, load balanced.
Mutual TLS authentication, and revocation checks on all certificates
OCPS response lifetime 24h
Certificate lifetime of 1 year, renewal after 7 months

We will have somewhere around 150M certificates active. Servers can use
OCSP stapling, hence only 100 OCSP requests per day.
Each server may have contact with all set top boxes during an evening,
so each server has to make 150M OCSP requests per day. Servers cache
responses and don't make the same request twice if it already have a
fresh response. Everyone start their set top box during a two hour
window in the evening, so 150M*100/7200 OCSP requests must be handled
per second during this two hour window (it's almost 2M/second). Is this
something that you are thinking about where OCSP does not scale enough?

It is more about being able to respond quickly enough than to provision
the revocation information to OCSP responders though, so I'm not sure I
got the problem picture clear still.

> 
> This said, I think that reducing the costs of providing revocation
> information is a good goal in general and can help reducing
> authentication risks by providing shorter validity responses.
> 
>>> Our approach stem from two practical considerations: the occasion to
>>> provide optimized responses for the non-revoked case, and the
>>> [...]
>>>     planet :D
>> What could a "range" of certificates be based on?
>> (I consider sequential serialnumbers to be dead by now)
> 
> Our current approach is very simple. Take a CRL and produce (a) one
> response for each revoked certificate, and (b) one response for each
> range between revoked serial numbers. For example, if you have the
> following serial numbers revoked { 3, 5, 12 }, then you would sign 3
> responses for the 3 revoked certificates, plus the response from "0" to
> "3", two responses for the gaps between {3 and 5} and {5 and 12}, plus
> the last response for 5+. In this case, the number of revoked
> certificates is 3 and the number of signed responses is 2N + 1 = { 3
> revoked } + { 1 from 0 to the first entry } + { 2 gaps } + { 1 from last
> to infinity } = 7
> 
> Therefore, with this approach, if you are good at keeping the number of
> revoked certificates low, you can see how efficient this technique can
> be - especially when you revoked/valid certificate ratio is very low.

I think relying on sequential serialnumbers to be a big risk. It assumes
a lot of the PKI implementation, which may not be true. It is certainly
not true for the Web PKI, and also not for the IoT, Enterprise and smart
grid deployments we have been involved with. Any standard should not
rely on such PKI implementation details.

> 
>>>   * /*Providing Full Chain responses.*/ Although single OCSP responders
>>>     can be authoritative for their own CA only, they can attach the
>>>     responses for the full chain as additional data. If we add this
>>>     possibility, then a single OCSP request can provide the
>>>     client/server with the full chain of certificates up to the Root.
>>>     This might be tricky in complex scenarios where cross-certification
>>>     is used, but it would definitely work for the Web PKI and IoT use cases.
>> If extra round-tripping is needed it is certainly a concern. This is
>> also valid and discussed in the Web PKI case.
> It is to be mentioned that providing the full chain is possible today -
> however, no clients I know leverages this option. This, I think, it is
> because of several factors (i.e., trust model, AIA in certificates,
> etc.) that, if you are interested, we can explore separately.
>>> Given these considerations - and the fact that large PKIs are being
>>> deployed, today, for the IoT case - we would like to start the
>>> discussion around the current status of OCSP and possibly work on a
>>> proposal for moving forward with a more efficient protocol.
>> We do se working use cases with OCSP for huge number of devices, but in
>> IoT it's all use case dependent so I'm interested in more on your use case.
> 
> I hope that I provided you with some compelling scenarios here - I think
> that by optimizing the provisioning of revocation information we can
> help not only our specific use cases, but also the deployment of
> revocation information infrastructures that are low-cost for
> environments where using CDNs, Load Balancers, etc. is not an option
> because of the cost :D
> 
> Thanks for the reply - I do really appreciate the feedback!
> 
> Cheers,
> Max
> 
> -- 
> Best Regards,
> Massimiliano Pala, Ph.D.
> OpenCA Labs Director
> OpenCA Logo
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
>

v2.34.0 | Report a Bug | By Email | System Status