Re: [stir] On OCSP, TNs, and Privacy
Chris Wendt <chris-ietf@chriswendt.net> Wed, 29 July 2015 01:57 UTC
Return-Path: <chris-ietf@chriswendt.net>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B34D1B3155 for <stir@ietfa.amsl.com>; Tue, 28 Jul 2015 18:57:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RXo8tdqSpJq3 for <stir@ietfa.amsl.com>; Tue, 28 Jul 2015 18:57:12 -0700 (PDT)
Received: from mail-qg0-f49.google.com (mail-qg0-f49.google.com [209.85.192.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3DE581B3156 for <stir@ietf.org>; Tue, 28 Jul 2015 18:57:12 -0700 (PDT)
Received: by qged69 with SMTP id d69so85298305qge.0 for <stir@ietf.org>; Tue, 28 Jul 2015 18:57:11 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=XjioblF4sBq6+9v2Ph0jmyRS5qUjvaw8lco/f6gwsQY=; b=IisAaHcOs+ntEyZGPfJ9NtxChCb4pxcXruj90kn/J0Vl9xVsJIfNuD4qxZYkRjRob2 C8GsCKF249AYvljYWeq7EWzc79Srjvndh1NhZsYXue1EFaJ+5Gc7tHARiFxFLiacVDiF hrgMNHAzo8SOuLEXf9Idxd9PW4W4zMJZlD11uVq5vm1m5MaEzJEBkp4oz3dCReJ8HeBE bHGbofBMheThck0v3y80cd+PESXsQanXRHJTdA4ibjEV09njYvJ1GRCyM/MS1ufEV/NC fuvYyWFkqcVHRr6N9h9YK6vb//Uc+stkqx2JdclGIEKV89M7Ypn+hUBE8aEXAjQWj578 gXQw==
X-Gm-Message-State: ALoCoQnTh1HHDtlDrH/24yDPit2lKR6tNwmFMyX1z7i2Xlx2ej/KaThkUEcdPWZSEOGXGHW0sF2D
X-Received: by 10.140.89.197 with SMTP id v63mr54375008qgd.97.1438135031308; Tue, 28 Jul 2015 18:57:11 -0700 (PDT)
Received: from ?IPv6:2601:41:c101:9364:992:3ba9:dca8:7b2d? ([2601:41:c101:9364:992:3ba9:dca8:7b2d]) by smtp.gmail.com with ESMTPSA id d8sm12624627qka.21.2015.07.28.18.57.09 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 28 Jul 2015 18:57:10 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2102\))
From: Chris Wendt <chris-ietf@chriswendt.net>
In-Reply-To: <CAL02cgRgxvAsAw7Ag164e8pir6=jNrLNqONoXudtLM-PpZZR_g@mail.gmail.com>
Date: Tue, 28 Jul 2015 21:57:07 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <A5B03B6C-533E-437B-BBE3-37A39847FD8F@chriswendt.net>
References: <CAL02cgS_5HrsbeK13T=j31j101hOuSxpjzzRKT93_2zze1xuAg@mail.gmail.com> <BAFABE68-20A7-4C91-9F15-E33E3D5379B5@brianrosen.net> <4B1956260CD29F4A9622F00322FE0531011D3D1D5043@BOBO1A.bobotek.net> <8bcb891a0db145d6882b17374210fd21@PLSWE13M08.ad.sprint.com> <CAL02cgTiZnLxpmcHb57f31NEFcLu-XY=hRQ-5jrsn11x6mtZBQ@mail.gmail.com> <0f678e7a59904ae5b2a2dabce1a4e0a2@PLSWE13M08.ad.sprint.com> <CY1PR09MB06343E53B0B396964D6EF811EA8D0@CY1PR09MB0634.namprd09.prod.outlook.com> <38726EDA2109264987B45E29E758C4D60586269A@MISOUT7MSGUSRDD.ITServices.sbc.com> <CY1PR09MB0634E8BB71B6A01765E77D23EA8D0@CY1PR09MB0634.namprd09.prod.outlook.com> <8C8D48CD-F4A8-4160-A5A7-594DF61A9B60@chriswendt.net> <CAL02cgR9+PLs0YmqRFMMEH1drbMVjdk4icuT-sy3wirV435HJw@mail.gmail.com> <DA49BB1B-868E-4745-9B18-034923895A5A@chriswendt.net> <CAL02cgRgxvAsAw7Ag164e8pir6=jNrLNqONoXudtLM-PpZZR_g@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
X-Mailer: Apple Mail (2.2102)
Archived-At: <http://mailarchive.ietf.org/arch/msg/stir/R4CL0-E548hjDurZLFHtH1YrLDs>
Cc: "stir@ietf.org" <stir@ietf.org>, "Gorman, Pierce A [CTO]" <Pierce.Gorman@sprint.com>, "PFAUTZ, PENN L" <pp3129@att.com>, Henning Schulzrinne <Henning.Schulzrinne@fcc.gov>
Subject: Re: [stir] On OCSP, TNs, and Privacy
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2015 01:57:16 -0000
Depends on your perspective. I would suspect we would both agree that “phones querying the numbering authority registry" is not the problem statement we are working towards, for very different reasons. > On Jul 28, 2015, at 9:51 PM, Richard Barnes <rlb@ipv.sx> wrote: > > On Tue, Jul 28, 2015 at 9:43 PM, Chris Wendt <chris-ietf@chriswendt.net> wrote: >> Henning discussed an example at the modern meeting. Gossip based >> distributed mechanisms can be used. >> >> I’m curious what you mean by unbounded, in terms of numbers? >> 1k/10k/100k/1M? > > How many phones are there out there? "end systems must be able to > validate the source identity information." > > >> DNS is a much more brute force mechanism for a distributed system but yet it >> propagates things pretty quickly globally. >> >> 4474bis if i remember correctly even mentions the fact that we will need to >> store multiple historical certificate records and references (maybe 2 is >> enough in practice) in order to mitigate delays in propagation of new >> certificates. >> >> I don’t see the issue. > > The point is that when my phone gets a call it needs to be able to > verify the caller's authorization. The Identity-Info signature binds > the call to the caller's public key. So the my phone needs to verify > that the public key is authorized. > > If I understand you correctly, you're proposing that my phone needs to > sync down a giant database of which public keys are authorized for > which numbers, or it needs to call out to some registry it trusts, > which needs to be online all the time. > > Those both seem far worse than my phone just having to look up a > certificate, or verify one that was included in the INVITE directly. > The only cost of on the signer side is that the signer has to pick the > right cert to send, which, as I said before, is just a hash table > lookup. > > --Richard > >> >> >> On Jul 28, 2015, at 9:30 PM, Richard Barnes <rlb@ipv.sx> wrote: >> >> On Tue, Jul 28, 2015 at 9:22 PM, Chris Wendt <chris-ietf@chriswendt.net> >> wrote: >> >> If the registry is distributed, and the certificate dip is local to the >> provider, the numbering authority isn’t in the middle of each call, one of >> the points we are advocating in general, in terms of making this scalable >> and “deployable”. >> >> >> Do you happen to have a good standard technology on hand for >> synchronizing a database across a potentially unbounded set of >> signers/verifiers? I don't think we can assume that that set of >> actors is limited to the set of "providers", for any definition of >> that term. For so it is written in RFC 7340: >> >> """ >> Generation: Intermediaries as well as end systems must be able to >> generate the source identity information. >> >> Validation: Intermediaries as well as end systems must be able to >> validate the source identity information. >> """ >> >> If you're going to meet that requirement, I think your distributed >> registry ends up looking far more complex than just passing around >> certificates. >> >> Of course, if you're just talking about a signer looking up what cert >> it should use, then we agree; that's just what I meant when I said >> that managing multiple certs is just a hash table lookup. >> >> --Richard >> >> >> >> >> On Jul 28, 2015, at 3:27 PM, Henning Schulzrinne >> <Henning.Schulzrinne@fcc.gov> wrote: >> >> That was certainly one of the models that have been discussed in the past. >> Particularly for small carriers, this would likely reduce the operational >> impact to a configuration option in the SBC. >> >> The disadvantage of this model is caller privacy: If the cert is stored at a >> numbering authority, it would be easy for that authority to know which >> carrier is receiving calls from whom. (It's not the complete meta data since >> it's lacking the callee information.) >> >> However, unless the TN-to-LRN (in the US) mapping is cached, this "leak" >> already exists today. >> >> -----Original Message----- >> From: PFAUTZ, PENN L [mailto:pp3129@att.com] >> Sent: Tuesday, July 28, 2015 3:14 PM >> To: Henning Schulzrinne <Henning.Schulzrinne@fcc.gov>; Gorman, Pierce A >> [CTO] <Pierce.Gorman@sprint.com> >> Cc: stir@ietf.org >> Subject: RE: [stir] On OCSP, TNs, and Privacy >> >> Forgive me but my reptile brain keeps whispering in my ear that this would >> be a lot easier if we simply had a numbering registry, whether distributed >> or centralized - like we need anyway for at least for number portability - >> that also contained the public keys. No tedious mucking about in cyberspace >> with certs, CRLs, or OCSP. >> >> >> >> -----Original Message----- >> From: stir [mailto:stir-bounces@ietf.org] On Behalf Of Henning Schulzrinne >> Sent: Tuesday, July 28, 2015 10:24 AM >> To: Gorman, Pierce A [CTO] >> Cc: stir@ietf.org >> Subject: Re: [stir] On OCSP, TNs, and Privacy >> >> In the US alone, we have about 4000 carriers. Managing the reputation of >> that many entities, reliably (i.e., without making false positive/negative >> mistakes) seems a whole lot more manual effort than storing bags of bits. >> Storage and automation is cheap, human judgement and dealing with mistakes >> is expensive. >> >> Obviously, nothing in the architecture prevents wildcard certificates. >> >> -----Original Message----- >> From: stir [mailto:stir-bounces@ietf.org] On Behalf Of Gorman, Pierce A >> [CTO] >> Sent: Tuesday, July 28, 2015 10:14 AM >> To: Richard Barnes <rlb@ipv.sx> >> Cc: stir@ietf.org; Alex Bobotek <alex@bobotek.net>; Brian Rosen >> <br@brianrosen.net> >> Subject: Re: [stir] On OCSP, TNs, and Privacy >> >> I thought the discussion was on key/cert management. I'm asking if I >> understood the suggestion to minimize requirements. How is that off topic? >> >> Best regards, >> >> >> Pierce Gorman >> Core Network Planning >> O: 913-439-4368 >> pierce.gorman@sprint.com >> >> >> -----Original Message----- >> From: Richard Barnes [mailto:rlb@ipv.sx] >> Sent: July 28, 2015 9:12 AM >> To: Gorman, Pierce A [CTO] <Pierce.Gorman@sprint.com> >> Cc: Alex Bobotek <alex@bobotek.net>; Brian Rosen <br@brianrosen.net>; >> stir@ietf.org >> Subject: Re: [stir] On OCSP, TNs, and Privacy >> >> On Tue, Jul 28, 2015 at 9:51 AM, Gorman, Pierce A [CTO] >> <Pierce.Gorman@sprint.com> wrote: >> >> "Large scale certificate management is expensive, and TN-specific >> certificates are unneeded for securing calls placed by parties who choose to >> place calls through a single reputable telephone service provider." >> >> Are you saying that for "on-net" calls, STIR methodology is unnecessary? >> >> >> This seems a little off-topic for this list. >> >> --Richard >> >> >> Best regards, >> >> >> Pierce Gorman >> Core Network Planning >> O: 913-439-4368 >> pierce.gorman@sprint.com >> >> >> -----Original Message----- >> From: Alex Bobotek [mailto:alex@bobotek.net] >> Sent: July 27, 2015 11:36 PM >> To: Brian Rosen <br@brianrosen.net>; Richard Barnes <rlb@ipv.sx> >> Cc: stir@ietf.org >> Subject: Re: [stir] On OCSP, TNs, and Privacy >> >> What motivation would a carrier have to choose any model other than carrier >> signing using one of a very limited set of carrier-owned keys? Large scale >> certificate management is expensive, and TN-specific certificates are >> unneeded for securing calls placed by parties who choose to place calls >> through a single reputable telephone service provider. Anyone can get many >> certificates, even a free ones anonymously from some issuers. It is >> typically a combination of the strength of the end-user authentication >> performed by the service provider (or certificate issuer in a >> provider-agnostic model) and the identity's history that are most useful in >> security. >> >> If we're trying to secure the current telephone system, DNS-like key >> repositories a la DKIM or perhaps a small number (compared to the number of >> TNs) of certificates are far more practical. >> >> Regards, >> >> Alex >> >> -----Original Message----- >> From: stir [mailto:stir-bounces@ietf.org] On Behalf Of Brian Rosen >> Sent: Monday, July 27, 2015 7:40 PM >> To: Richard Barnes <rlb@ipv.sx> >> Cc: stir@ietf.org >> Subject: Re: [stir] On OCSP, TNs, and Privacy >> >> What this means in practice is that it’s TN per cert. >> >> I wouldn’t say that it’s impossible for a carrier to maintain dozens >> of copies of millions of private keys securely, but it’s hard. You >> need multiple copies because you have multiple elements that can >> initiate a call, and you don’t want to depend on a centralized >> resource to do something as basic as create a call. >> >> I think it’s hard enough that REQUIRING cert per TN is not acceptable. >> >> Folks with more intimate knowledge of carrier SIP infrastructure >> might have more insight than I do. It may be acceptable to have a >> centralized resource to manage millions of keys. >> >> Brian >> >> On Jul 27, 2015, at 6:13 PM, Richard Barnes <rlb@ipv.sx> wrote: >> >> After the STIR meeting in Prague, Henning and I spent a few minutes >> talking through options for revocation checking and certificate >> scoping, and I think we have a better idea of what the optimal >> solution looks like. Some notes are below, and some slides with >> pictures attached. >> >> tl;dr: We should: >> * Keep TNs in certificates and not bother with any OCSP extensions >> * Require Identity-Info to include OCSP responses for all certs in >> the chain >> >> >> # Background: Revocation in the web PKI >> >> In an HTTPS transaction, the HTTPS server provides the client with >> a certificate, and it can optionally include an OCSP response ("staple" >> it to the transaction). >> >> A certificate contains a validity interval, a key, and some names/TNs. >> An OCSP responses contains a validity interval, a certificate ID >> (i.e., a hash), and a status (good/revoked/unknown). In the web >> PKI, certificates are required to be no more than 39 months long, >> and OCSP responses no more than 10 days. >> >> Ideally, a client only considers a certificate valid if it is >> accompanied by an OCSP response. In practice, this is not always >> possible; because OCSP queries fail around 3% of the time, browsers >> can't require OCSP. This operational fact will be important below, >> but we will continue to have scoping cert lifetimes as an objective. >> >> In the web PKI, there are basically three revocation checking modalities: >> >> 1. Live OCSP checking [RFC6069] >> 2. OCSP stapling / must_staple [RFC6066, >> draft-hallambaker-tlsfeature] 3. Short-lived certificates (~OCSP >> lifetime) >> >> (The last of these is relatively novel, and has not been deployed. >> Neither has must-staple. But they're both pretty trivial, and >> could be folded into a STIR architecture pretty easily.) >> >> Right now, about 90% of TLS transactions use live OCSP, and about 10%. >> CAs and browsers dearly want the world to move toward stapled OCSP >> or short-lived certs, because these reduces latency and improve the >> quality of revocation information. >> >> Revocation for CA certificates is currently done by having browsers >> download a list from a centralized server, since there's no way to >> staple more than one OCSP response. That solution works OK for the >> web, but if I were designing something de novo, I would probably >> use multi-stapling as well. >> >> >> # Applying this experience to STIR >> >> Most of the below appear to be desired properties by the WG: >> >> * Verifier neeeds to know that a cert is valid for a specific >> number >> * Scoped cert lifetime: Limit certs to ~1week lifetime (by OCSP if >> issued longer) >> * Caller privacy: Don't report what calls someone receives to a >> central server >> * Carrier privacy: Don't allow a third party to figure out all the >> numbers a carrier holds >> * Minimize the rate at which the CA has to sign things >> * Tolerate outages at the CA >> >> I'm going to assume for now that we will not do live OCSP. It >> violates the caller privacy requirement, and as discussed above, it >> just sucks operationally. So STIR should require OCSP to be sent >> in "stapled" form, which probably means sending it in Identity-Info. >> And while we're at it, we should also do "multi-stapling" -- send >> an OCSP response for CA certs as well. >> >> So if we consider a server with 50k TNs / blocks, that leaves us >> with basically 3 options: >> >> 1. 50k short-lived certs (no OCSP) >> 2. 50k long-lived certs scoped to TNs + generic OCSP 3. 1 >> long-lived cert not scoped to TN (or a few loosely scoped) + OCSP >> with TN info >> >> (As I didn't quite get to say in the meeting, regardless of the >> approach, you have to have 50k of *something*.) Of these, it seems >> like the preference order is 2 > 1 > 3. >> >> Option 3 is bad from several perspectives: >> * Putting TN info in the OCSP response enables someone to trawl for >> numbers unless you access-control the OCSP server, so you inherit a >> requirement to do that. >> * With the rate of churn in number assignments, you're probably >> going to have to update the long-lived cert pretty frequently anyway. >> * Putting TN-specific stuff in certs is better than putting it in >> OCSP. As bad as X.509 libraries can be, OCSP libraries are much >> worse. >> >> Option 1 is mainly bad from the perspective of CA load and outages. >> With Option 2, if the CA goes down, client can continue to use the >> long-lived cert and just not bother doing OCSP (vs. tolerating an >> expired cert). Slightly cleaner. Plus, there's a lot more >> experience caching OCSP than new certs. OCSP signing can also be >> delegated, so you can have the recurring operation done by a lower-risk key. >> >> Option 2 should be pretty easy to automate. You can probably >> re-use tooling for OCSP stapling that has already been developed >> for use with HTTPS. If you're a big box signing for a bunch of >> numbers, you do need to select the right cert and OCSP response for >> a given call, but that's a pretty simple lookup table. >> <STIR.pptx>_______________________________________________ >> stir mailing list >> stir@ietf.org >> https://www.ietf.org/mailman/listinfo/stir >> >> >> _______________________________________________ >> stir mailing list >> stir@ietf.org >> https://www.ietf.org/mailman/listinfo/stir >> >> >> ________________________________ >> >> This e-mail may contain Sprint proprietary information intended for the sole >> use of the recipient(s). Any use by others is prohibited. If you are not the >> intended recipient, please contact the sender and delete all copies of the >> message. >> >> >> ________________________________ >> >> This e-mail may contain Sprint proprietary information intended for the sole >> use of the recipient(s). Any use by others is prohibited. If you are not the >> intended recipient, please contact the sender and delete all copies of the >> message. >> _______________________________________________ >> stir mailing list >> stir@ietf.org >> https://www.ietf.org/mailman/listinfo/stir >> _______________________________________________ >> stir mailing list >> stir@ietf.org >> https://www.ietf.org/mailman/listinfo/stir >> _______________________________________________ >> stir mailing list >> stir@ietf.org >> https://www.ietf.org/mailman/listinfo/stir >> >> >> _______________________________________________ >> stir mailing list >> stir@ietf.org >> https://www.ietf.org/mailman/listinfo/stir >> >>
- [stir] On OCSP, TNs, and Privacy Richard Barnes
- Re: [stir] On OCSP, TNs, and Privacy Brian Rosen
- Re: [stir] On OCSP, TNs, and Privacy Alex Bobotek
- [stir] CRTC: Empowering Canadians to protect them… Caron, Guy (A162859)
- Re: [stir] On OCSP, TNs, and Privacy Richard Barnes
- Re: [stir] On OCSP, TNs, and Privacy Richard Barnes
- Re: [stir] On OCSP, TNs, and Privacy Patrick Tarpey
- Re: [stir] On OCSP, TNs, and Privacy Richard Barnes
- Re: [stir] On OCSP, TNs, and Privacy Henning Schulzrinne
- Re: [stir] On OCSP, TNs, and Privacy Gorman, Pierce A [CTO]
- Re: [stir] On OCSP, TNs, and Privacy Richard Barnes
- Re: [stir] On OCSP, TNs, and Privacy Henning Schulzrinne
- Re: [stir] On OCSP, TNs, and Privacy Gorman, Pierce A [CTO]
- Re: [stir] On OCSP, TNs, and Privacy Henning Schulzrinne
- Re: [stir] On OCSP, TNs, and Privacy PFAUTZ, PENN L
- Re: [stir] On OCSP, TNs, and Privacy Henning Schulzrinne
- Re: [stir] On OCSP, TNs, and Privacy DOLLY, MARTIN C
- Re: [stir] On OCSP, TNs, and Privacy Gorman, Pierce A [CTO]
- Re: [stir] On OCSP, TNs, and Privacy Henning Schulzrinne
- Re: [stir] On OCSP, TNs, and Privacy Dwight, Timothy M (Tim)
- Re: [stir] On OCSP, TNs, and Privacy Richard Barnes
- Re: [stir] On OCSP, TNs, and Privacy Richard Shockey
- Re: [stir] On OCSP, TNs, and Privacy Richard Shockey
- Re: [stir] On OCSP, TNs, and Privacy Alex Bobotek
- Re: [stir] On OCSP, TNs, and Privacy Richard Barnes
- Re: [stir] On OCSP, TNs, and Privacy Richard Shockey
- Re: [stir] On OCSP, TNs, and Privacy Richard Barnes
- Re: [stir] On OCSP, TNs, and Privacy PFAUTZ, PENN L
- Re: [stir] On OCSP, TNs, and Privacy Chris Wendt
- Re: [stir] On OCSP, TNs, and Privacy Richard Barnes
- Re: [stir] On OCSP, TNs, and Privacy Henning Schulzrinne
- Re: [stir] On OCSP, TNs, and Privacy Henning Schulzrinne
- Re: [stir] On OCSP, TNs, and Privacy Chris Wendt
- Re: [stir] On OCSP, TNs, and Privacy Chris Wendt
- Re: [stir] On OCSP, TNs, and Privacy Richard Barnes
- Re: [stir] On OCSP, TNs, and Privacy Chris Wendt
- Re: [stir] On OCSP, TNs, and Privacy Richard Shockey
- Re: [stir] On OCSP, TNs, and Privacy Gorman, Pierce A [CTO]
- Re: [stir] On OCSP, TNs, and Privacy Stephen Farrell
- Re: [stir] On OCSP, TNs, and Privacy Richard Barnes
- Re: [stir] On OCSP, TNs, and Privacy Gorman, Pierce A [CTO]
- Re: [stir] On OCSP, TNs, and Privacy Alex Bobotek
- Re: [stir] On OCSP, TNs, and Privacy Gorman, Pierce A [CTO]
- Re: [stir] On OCSP, TNs, and Privacy Peterson, Jon
- Re: [stir] On OCSP, TNs, and Privacy Richard Shockey
- Re: [stir] On OCSP, TNs, and Privacy Peterson, Jon
- Re: [stir] On OCSP, TNs, and Privacy Henning Schulzrinne
- Re: [stir] On OCSP, TNs, and Privacy Gorman, Pierce A [CTO]
- Re: [stir] On OCSP, TNs, and Privacy Richard Shockey
- Re: [stir] On OCSP, TNs, and Privacy Alex Bobotek
- Re: [stir] On OCSP, TNs, and Privacy DOLLY, MARTIN C
- Re: [stir] On OCSP, TNs, and Privacy Gorman, Pierce A [CTO]
- Re: [stir] On OCSP, TNs, and Privacy Henning Schulzrinne
- Re: [stir] On OCSP, TNs, and Privacy Gorman, Pierce A [CTO]
- Re: [stir] On OCSP, TNs, and Privacy Gorman, Pierce A [CTO]
- Re: [stir] On OCSP, TNs, and Privacy Henning Schulzrinne
- Re: [stir] On OCSP, TNs, and Privacy Gorman, Pierce A [CTO]
- Re: [stir] On OCSP, TNs, and Privacy Henning Schulzrinne
- Re: [stir] On OCSP, TNs, and Privacy Henning Schulzrinne
- Re: [stir] On OCSP, TNs, and Privacy Gorman, Pierce A [CTO]