[lamps] The Status of OCSP and its future
"Dr. Pala" <madwolf@openca.org> Thu, 24 October 2019 15:01 UTC
Return-Path: <madwolf@openca.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79E7B1209AA for <spasm@ietfa.amsl.com>; Thu, 24 Oct 2019 08:01:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VnM5rCpD3ea7 for <spasm@ietfa.amsl.com>; Thu, 24 Oct 2019 08:01:14 -0700 (PDT)
Received: from mail.katezarealty.com (mail.katezarealty.com [104.168.158.213]) by ietfa.amsl.com (Postfix) with ESMTP id 509FC1208CC for <spasm@ietf.org>; Thu, 24 Oct 2019 08:01:14 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by mail.katezarealty.com (Postfix) with ESMTP id 1F0BA374137D for <spasm@ietf.org>; Thu, 24 Oct 2019 15:01:14 +0000 (UTC)
X-Virus-Scanned: amavisd-new at katezarealty.com
Received: from mail.katezarealty.com ([127.0.0.1]) by localhost (mail.katezarealty.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id vBKwJGHjFwFK for <spasm@ietf.org>; Thu, 24 Oct 2019 11:01:12 -0400 (EDT)
Received: from Maxs-MBP-2.cablelabs.com (unknown [192.160.73.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.katezarealty.com (Postfix) with ESMTPSA id BEA47374107C for <spasm@ietf.org>; Thu, 24 Oct 2019 11:01:12 -0400 (EDT)
To: LAMPS WG <spasm@ietf.org>
From: "Dr. Pala" <madwolf@openca.org>
Message-ID: <8c84cf2c-c192-c13b-17e5-7ae09b748530@openca.org>
Date: Thu, 24 Oct 2019 09:01:12 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------7E8A4155E4185C847049FB45"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Ug_HtJz5FQvLbiXIdGXH---q7N8>
Subject: [lamps] The Status of OCSP and its future
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Oct 2019 15:01:17 -0000
Hi All, I just wanted to start the conversation around the status of revocation infrastructures and possible work we can be doing to address some of new issues deriving from the deployment of large PKIs. In particular, we are working on the optimization of the OCSP protocol to better serve some of the use-cases we have. Specifically, for very large PKIs (i.e., few hundreds million certificates valid at any given time), the OCSP protocol does not scale well. In fact, taking into consideration how we operate OCSP responders today, the larger the PKI is, the higher the costs of providing a good revocation infrastructure is. Our approach stem from two practical considerations: the occasion to provide optimized responses for the non-revoked case, and the possibility to reduce the number of round trips required to retrieve the revocation status for the full chain of certificates. In particular: * /*Optimizing for the common case (non-revoked certificate).*/ In particular, for certificates that have no revocation information, we do not have to provide specific responses for each individual certificate (as we do in the revoked case), but we can provide responses for ranges of certificates where the status is not revoked. In a PKI with a population of 100M certificate and a revocation rate of 5%, using "range" response types reduces the need for calculating OCSP responses from 100M to 1M (i.e. 2N + 1 where N is the population of revoked certificates). This allows to pre-generate responses more quickly, allows for lower costs of running the revocation infrastructure, and it is better for the planet :D * /*Providing Full Chain responses.*/ Although single OCSP responders can be authoritative for their own CA only, they can attach the responses for the full chain as additional data. If we add this possibility, then a single OCSP request can provide the client/server with the full chain of certificates up to the Root. This might be tricky in complex scenarios where cross-certification is used, but it would definitely work for the Web PKI and IoT use cases. Given these considerations - and the fact that large PKIs are being deployed, today, for the IoT case - we would like to start the discussion around the current status of OCSP and possibly work on a proposal for moving forward with a more efficient protocol. What do you think ? Anybody would like to tackle this problem together ? Cheers, Max -- Best Regards, Massimiliano Pala, Ph.D. OpenCA Labs Director OpenCA Logo
- [lamps] The Status of OCSP and its future Dr. Pala
- Re: [lamps] The Status of OCSP and its future Ryan Sleevi
- Re: [lamps] The Status of OCSP and its future Phillip Hallam-Baker
- Re: [lamps] The Status of OCSP and its future Michael Richardson
- Re: [lamps] The Status of OCSP and its future Tomas Gustavsson
- Re: [lamps] The Status of OCSP and its future Dmitry Belyavsky
- Re: [lamps] The Status of OCSP and its future Tomas Gustavsson
- Re: [lamps] The Status of OCSP and its future Dr. Pala
- Re: [lamps] The Status of OCSP and its future Dr. Pala
- Re: [lamps] The Status of OCSP and its future Phillip Hallam-Baker
- Re: [lamps] The Status of OCSP and its future Dr. Pala
- Re: [lamps] The Status of OCSP and its future Dr. Pala
- Re: [lamps] The Status of OCSP and its future Ryan Sleevi
- Re: [lamps] The Status of OCSP and its future Phillip Hallam-Baker
- Re: [lamps] The Status of OCSP and its future Tomas Gustavsson