Re: [lamps] The Status of OCSP and its future
Dmitry Belyavsky <beldmit@gmail.com> Fri, 25 October 2019 07:15 UTC
From: Dmitry Belyavsky <beldmit@gmail.com>
Date: Fri, 25 Oct 2019 10:14:49 +0300
Message-ID: <CADqLbzLrjagRkpRqt3_gpiYGTooWU5bTN02w4q2r8Mjf3_-BxQ@mail.gmail.com>
To: Tomas Gustavsson <tomas.gustavsson@primekey.com>
Cc: LAMPS <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/hxI6JWDeF6TctjXODqwrs-iw3Sc>

Dear Tomas,

On Fri, Oct 25, 2019 at 9:58 AM Tomas Gustavsson <tomas.gustavsson@primekey.com> wrote:

> > Our approach stems from two practical considerations: the occasion to
> > provide optimized responses for the non-revoked case, and the
> > possibility to reduce the number of round trips required to retrieve the
> > revocation status for the full chain of certificates. In particular:
> >
> >   * /*Optimizing for the common case (non-revoked certificate).*/ In
> >     particular, for certificates that have no revocation information, we
> >     do not have to provide specific responses for each individual
> >     certificate (as we do in the revoked case), but we can provide
> >     responses for ranges of certificates where the status is not
> >     revoked. In a PKI with a population of 100M certificates and a
> >     revocation rate of 5%, using "range" response types reduces the need
> >     for calculating OCSP responses from 100M to 1M (i.e. 2N + 1 where N
> >     is the population of revoked certificates). This allows to
> >     pre-generate responses more quickly, allows for lower costs of
> >     running the revocation infrastructure, and it is better for the
> >     planet :D
>
> What could a "range" of certificates be based on?
> (I consider sequential serial numbers to be dead by now)

E.g. notBefore time?

--
SY, Dmitry Belyavsky
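
Added example, not part of the original message or of the proposal under discussion: a sketch of where the quoted "2N + 1" figure comes from when responses are pre-generated over an ordered key. It assumes the key is an integer (a serial number here, though the thread leaves open what a range is based on); `build_responses` and `lookup` are hypothetical names, and the sample values are constructed.

```python
from bisect import bisect_right

GOOD, REVOKED = "good", "revoked"


def build_responses(revoked, lo, hi):
    """Partition the key space [lo, hi] into (start, end, status) tuples.

    Each revoked key gets its own point response; each gap between revoked
    keys gets one "good" range response. With N revoked keys this yields at
    most 2N + 1 responses (fewer when revoked keys are adjacent or sit on a
    boundary, because the gap between them is empty).
    """
    responses = []
    cursor = lo
    for key in sorted(set(revoked)):
        if not lo <= key <= hi:
            raise ValueError(f"revoked key {key} outside [{lo}, {hi}]")
        if key > cursor:
            # Non-empty gap before this revoked key: one range response.
            responses.append((cursor, key - 1, GOOD))
        responses.append((key, key, REVOKED))
        cursor = key + 1
    if cursor <= hi:
        responses.append((cursor, hi, GOOD))
    return responses


def lookup(responses, key):
    """Return the pre-generated response covering `key` (binary search)."""
    starts = [start for start, _, _ in responses]
    i = bisect_right(starts, key) - 1
    if i < 0 or key > responses[i][1]:
        raise KeyError(f"no response covers key {key}")
    return responses[i]


if __name__ == "__main__":
    # Constructed sample: 3 revoked keys in a 0..255 key space.
    table = build_responses([10, 20, 30], lo=0, hi=255)
    print(len(table), "responses for 3 revoked keys")
    print(lookup(table, 25))
```

A "good" range in this sketch covers every key inside it, including keys that were never issued, so a relying party cannot distinguish "issued and not revoked" from "unknown" with this structure alone.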