Re: [stir] On OCSP, TNs, and Privacy
Brian Rosen <br@brianrosen.net> Tue, 28 July 2015 02:40 UTC
Return-Path: <br@brianrosen.net>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A0891A7D83 for <stir@ietfa.amsl.com>; Mon, 27 Jul 2015 19:40:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.821
X-Spam-Level:
X-Spam-Status: No, score=-1.821 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_NEUTRAL=0.779] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YAIzPAAiX55d for <stir@ietfa.amsl.com>; Mon, 27 Jul 2015 19:40:05 -0700 (PDT)
Received: from mail-qg0-f54.google.com (mail-qg0-f54.google.com [209.85.192.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 269541A70FD for <stir@ietf.org>; Mon, 27 Jul 2015 19:40:05 -0700 (PDT)
Received: by qgeu79 with SMTP id u79so66341252qge.1 for <stir@ietf.org>; Mon, 27 Jul 2015 19:40:04 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=ewCeBF18E8wNIAKP1ev0+7t+1uj+WxX9Rh+FX3J7mME=; b=lNKAf2ur26fh3sYt1I4l4lxkIllU/Jbc2Ohs/Db2ZqroeP29Sta+NSX9g/rUaf1QR9 bHUUNg3PU1CjFz0X01n7Of3nVBDV9J0kxAuYxMGvpItpHpPkJRLi4RHCitrsHD97jYbP n/mjZv8m/aeWPTz/7ahyRreY7YwKu+eeF9nYQizPLtu08eyOcuPPWR5rqsCcbuGyQ5ZR PDxrAQPflE5Bx5oKpr9iFZp016nTgnAKzcMUKS99Gnlcpsfknw2f/FJmQyKEShTJh6cH APTjbj7MNfM3V08a3LRhvUmTVuf8/E8OhXou9wHMWAltDmwG5G2nqsjSFeiVF1qRpj+I NiHQ==
X-Gm-Message-State: ALoCoQkqrWM3KNX0w0bTaGLsqU4uhMIknpudyYFfAChtSL7sHJjjLYO0e5O+n+6kcbA/QQhGz/uA
X-Received: by 10.140.40.168 with SMTP id x37mr45426302qgx.24.1438051204370; Mon, 27 Jul 2015 19:40:04 -0700 (PDT)
Received: from nrosebro-ltw7.cis.neustar.com (neustargw.va.neustar.com. [209.173.53.233]) by smtp.gmail.com with ESMTPSA id n6sm10355829qhb.16.2015.07.27.19.40.01 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 27 Jul 2015 19:40:03 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2102\))
From: Brian Rosen <br@brianrosen.net>
In-Reply-To: <CAL02cgS_5HrsbeK13T=j31j101hOuSxpjzzRKT93_2zze1xuAg@mail.gmail.com>
Date: Mon, 27 Jul 2015 22:39:56 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <BAFABE68-20A7-4C91-9F15-E33E3D5379B5@brianrosen.net>
References: <CAL02cgS_5HrsbeK13T=j31j101hOuSxpjzzRKT93_2zze1xuAg@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
X-Mailer: Apple Mail (2.2102)
Archived-At: <http://mailarchive.ietf.org/arch/msg/stir/HI8chp_Olet9HymvaL6UIvv19eU>
Cc: "stir@ietf.org" <stir@ietf.org>
Subject: Re: [stir] On OCSP, TNs, and Privacy
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jul 2015 02:40:07 -0000
What this means in practice is that it’s TN per cert. I wouldn’t say that it’s impossible for a carrier to maintain dozens of copies of millions of private keys securely, but it’s hard. You need multiple copies because you have multiple elements that can initiate a call, and you don’t want to depend on a centralized resource to do something as basic as create a call. I think it’s hard enough that REQUIRING cert per TN is not acceptable. Folks with more intimate knowledge of carrier SIP infrastructure might have more insight than I do. It may be acceptable to have a centralized resource to manage millions of keys. Brian > On Jul 27, 2015, at 6:13 PM, Richard Barnes <rlb@ipv.sx> wrote: > > After the STIR meeting in Prague, Henning and I spent a few minutes > talking through options for revocation checking and certificate > scoping, and I think we have a better idea of what the optimal > solution looks like. Some notes are below, and some slides with > pictures attached. > > tl;dr: We should: > * Keep TNs in certificates and not bother with any OCSP extensions > * Require Identity-Info to include OCSP responses for all certs in the chain > > > # Background: Revocation in the web PKI > > In an HTTPS transaction, the HTTPS server provides the client with a > certificate, and it can optionally include an OCSP response ("staple" > it to the transaction). > > A certificate contains a validity interval, a key, and some names/TNs. > An OCSP responses contains a validity interval, a certificate ID > (i.e., a hash), and a status (good/revoked/unknown). In the web PKI, > certificates are required to be no more than 39 months long, and OCSP > responses no more than 10 days. > > Ideally, a client only considers a certificate valid if it is > accompanied by an OCSP response. In practice, this is not always > possible; because OCSP queries fail around 3% of the time, browsers > can't require OCSP. This operational fact will be important below, > but we will continue to have scoping cert lifetimes as an objective. > > In the web PKI, there are basically three revocation checking modalities: > > 1. Live OCSP checking [RFC6069] > 2. OCSP stapling / must_staple [RFC6066, draft-hallambaker-tlsfeature] > 3. Short-lived certificates (~OCSP lifetime) > > (The last of these is relatively novel, and has not been deployed. > Neither has must-staple. But they're both pretty trivial, and could > be folded into a STIR architecture pretty easily.) > > Right now, about 90% of TLS transactions use live OCSP, and about 10%. > CAs and browsers dearly want the world to move toward stapled OCSP or > short-lived certs, because these reduces latency and improve the > quality of revocation information. > > Revocation for CA certificates is currently done by having browsers > download a list from a centralized server, since there's no way to > staple more than one OCSP response. That solution works OK for the > web, but if I were designing something de novo, I would probably use > multi-stapling as well. > > > # Applying this experience to STIR > > Most of the below appear to be desired properties by the WG: > > * Verifier neeeds to know that a cert is valid for a specific number > * Scoped cert lifetime: Limit certs to ~1week lifetime (by OCSP if > issued longer) > * Caller privacy: Don't report what calls someone receives to a central server > * Carrier privacy: Don't allow a third party to figure out all the > numbers a carrier holds > * Minimize the rate at which the CA has to sign things > * Tolerate outages at the CA > > I'm going to assume for now that we will not do live OCSP. It > violates the caller privacy requirement, and as discussed above, it > just sucks operationally. So STIR should require OCSP to be sent in > "stapled" form, which probably means sending it in Identity-Info. And > while we're at it, we should also do "multi-stapling" -- send an OCSP > response for CA certs as well. > > So if we consider a server with 50k TNs / blocks, that leaves us with > basically 3 options: > > 1. 50k short-lived certs (no OCSP) > 2. 50k long-lived certs scoped to TNs + generic OCSP > 3. 1 long-lived cert not scoped to TN (or a few loosely scoped) + OCSP > with TN info > > (As I didn't quite get to say in the meeting, regardless of the > approach, you have to have 50k of *something*.) Of these, it seems > like the preference order is 2 > 1 > 3. > > Option 3 is bad from several perspectives: > * Putting TN info in the OCSP response enables someone to trawl for > numbers unless you access-control the OCSP server, so you inherit a > requirement to do that. > * With the rate of churn in number assignments, you're probably going > to have to update the long-lived cert pretty frequently anyway. > * Putting TN-specific stuff in certs is better than putting it in > OCSP. As bad as X.509 libraries can be, OCSP libraries are much > worse. > > Option 1 is mainly bad from the perspective of CA load and outages. > With Option 2, if the CA goes down, client can continue to use the > long-lived cert and just not bother doing OCSP (vs. tolerating an > expired cert). Slightly cleaner. Plus, there's a lot more experience > caching OCSP than new certs. OCSP signing can also be delegated, so > you can have the recurring operation done by a lower-risk key. > > Option 2 should be pretty easy to automate. You can probably re-use > tooling for OCSP stapling that has already been developed for use with > HTTPS. If you're a big box signing for a bunch of numbers, you do > need to select the right cert and OCSP response for a given call, but > that's a pretty simple lookup table. > <STIR.pptx>_______________________________________________ > stir mailing list > stir@ietf.org > https://www.ietf.org/mailman/listinfo/stir
- [stir] On OCSP, TNs, and Privacy Richard Barnes
- Re: [stir] On OCSP, TNs, and Privacy Brian Rosen
- Re: [stir] On OCSP, TNs, and Privacy Alex Bobotek
- [stir] CRTC: Empowering Canadians to protect them… Caron, Guy (A162859)
- Re: [stir] On OCSP, TNs, and Privacy Richard Barnes
- Re: [stir] On OCSP, TNs, and Privacy Richard Barnes
- Re: [stir] On OCSP, TNs, and Privacy Patrick Tarpey
- Re: [stir] On OCSP, TNs, and Privacy Richard Barnes
- Re: [stir] On OCSP, TNs, and Privacy Henning Schulzrinne
- Re: [stir] On OCSP, TNs, and Privacy Gorman, Pierce A [CTO]
- Re: [stir] On OCSP, TNs, and Privacy Richard Barnes
- Re: [stir] On OCSP, TNs, and Privacy Henning Schulzrinne
- Re: [stir] On OCSP, TNs, and Privacy Gorman, Pierce A [CTO]
- Re: [stir] On OCSP, TNs, and Privacy Henning Schulzrinne
- Re: [stir] On OCSP, TNs, and Privacy PFAUTZ, PENN L
- Re: [stir] On OCSP, TNs, and Privacy Henning Schulzrinne
- Re: [stir] On OCSP, TNs, and Privacy DOLLY, MARTIN C
- Re: [stir] On OCSP, TNs, and Privacy Gorman, Pierce A [CTO]
- Re: [stir] On OCSP, TNs, and Privacy Henning Schulzrinne
- Re: [stir] On OCSP, TNs, and Privacy Dwight, Timothy M (Tim)
- Re: [stir] On OCSP, TNs, and Privacy Richard Barnes
- Re: [stir] On OCSP, TNs, and Privacy Richard Shockey
- Re: [stir] On OCSP, TNs, and Privacy Richard Shockey
- Re: [stir] On OCSP, TNs, and Privacy Alex Bobotek
- Re: [stir] On OCSP, TNs, and Privacy Richard Barnes
- Re: [stir] On OCSP, TNs, and Privacy Richard Shockey
- Re: [stir] On OCSP, TNs, and Privacy Richard Barnes
- Re: [stir] On OCSP, TNs, and Privacy PFAUTZ, PENN L
- Re: [stir] On OCSP, TNs, and Privacy Chris Wendt
- Re: [stir] On OCSP, TNs, and Privacy Richard Barnes
- Re: [stir] On OCSP, TNs, and Privacy Henning Schulzrinne
- Re: [stir] On OCSP, TNs, and Privacy Henning Schulzrinne
- Re: [stir] On OCSP, TNs, and Privacy Chris Wendt
- Re: [stir] On OCSP, TNs, and Privacy Chris Wendt
- Re: [stir] On OCSP, TNs, and Privacy Richard Barnes
- Re: [stir] On OCSP, TNs, and Privacy Chris Wendt
- Re: [stir] On OCSP, TNs, and Privacy Richard Shockey
- Re: [stir] On OCSP, TNs, and Privacy Gorman, Pierce A [CTO]
- Re: [stir] On OCSP, TNs, and Privacy Stephen Farrell
- Re: [stir] On OCSP, TNs, and Privacy Richard Barnes
- Re: [stir] On OCSP, TNs, and Privacy Gorman, Pierce A [CTO]
- Re: [stir] On OCSP, TNs, and Privacy Alex Bobotek
- Re: [stir] On OCSP, TNs, and Privacy Gorman, Pierce A [CTO]
- Re: [stir] On OCSP, TNs, and Privacy Peterson, Jon
- Re: [stir] On OCSP, TNs, and Privacy Richard Shockey
- Re: [stir] On OCSP, TNs, and Privacy Peterson, Jon
- Re: [stir] On OCSP, TNs, and Privacy Henning Schulzrinne
- Re: [stir] On OCSP, TNs, and Privacy Gorman, Pierce A [CTO]
- Re: [stir] On OCSP, TNs, and Privacy Richard Shockey
- Re: [stir] On OCSP, TNs, and Privacy Alex Bobotek
- Re: [stir] On OCSP, TNs, and Privacy DOLLY, MARTIN C
- Re: [stir] On OCSP, TNs, and Privacy Gorman, Pierce A [CTO]
- Re: [stir] On OCSP, TNs, and Privacy Henning Schulzrinne
- Re: [stir] On OCSP, TNs, and Privacy Gorman, Pierce A [CTO]
- Re: [stir] On OCSP, TNs, and Privacy Gorman, Pierce A [CTO]
- Re: [stir] On OCSP, TNs, and Privacy Henning Schulzrinne
- Re: [stir] On OCSP, TNs, and Privacy Gorman, Pierce A [CTO]
- Re: [stir] On OCSP, TNs, and Privacy Henning Schulzrinne
- Re: [stir] On OCSP, TNs, and Privacy Henning Schulzrinne
- Re: [stir] On OCSP, TNs, and Privacy Gorman, Pierce A [CTO]