Re: [therightkey] [pkix] Client-side OCSP stapling? Re: Proposal for working on PKIX revocation open issues

Massimiliano Pala <massimiliano.pala@gmail.com> Sat, 15 November 2014 08:42 UTC

From: Massimiliano Pala <massimiliano.pala@gmail.com>
In-Reply-To: <5466E08E.70103@gmail.com>
Date: Sat, 15 Nov 2014 00:42:05 -0800
Message-Id: <A674E880-6D09-46F8-B38F-BFCC4B9D1AD1@gmail.com>
References: <5466AF87.2050307@gmail.com> <5466E08E.70103@gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/therightkey/I_3gG_b9NUvQvbZTW3fgGC6DSp0
Cc: "pkix@ietf.org" <pkix@ietf.org>, therightkey@ietf.org
Subject: Re: [therightkey] [pkix] Client-side OCSP stapling? Re: Proposal for working on PKIX revocation open issues

Thanks Anders!

Do you have any contacts for people working on that project? We might want to reach out to them as possible implementors and maybe start a conversation with them about possible requirements? And eventually let them know about the progress we might accomplish in the area.

Cheers,
Max

P.S.: Since Stephen and Kathleen asked me to have the conversation on The Right Key mailing list (therightkey@ietf.org), could you please send the replies only there? We should not use both therightkey and the pkix MLs :-)


> On Nov 14, 2014, at 9:11 PM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
> 
> Since you want to do something in revocation I would like to
> describe an existing potentially global PKI-using system that
> maybe could be improved.
> 
> The EU e-passport system needs, for cross-border checking of biometrics,
> a pretty elaborate PKI scheme which among many things requires
> the parties to expose two public ports on the Internet; one for
> the actual communication using HTTPS [1] and another for publishing
> CRLs using HTTP.  This isn't rocket science but it still requires
> multiple FW settings and proxies.  If OCSP responses could be
> stapled (TLS client cert auth is used), relying parties would only
> have to open a single inbound port.  Cross-border reliability would
> probably also be improved since the client (sender) wouldn't be able
> to submit any data unless its OCSP is running (the PKIs are unique
> per country).
> 
> TLS 1.3 and 2.0 are in the works so the timing is right...
> 
> 
> Anders
> 
> [1] I might add that I believe HTTPS with client certificate auth
> is a very poor choice for cross-border communication when each party
> runs their own PKI. Signed messages permit a multi-tier architecture
> and quarantining of not yet trusted messages, greatly simplifying
> operation.  BSI are experts on crypto, but n00bs on IT :-)
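The client-side stapling Anders asks for already exists in TLS 1.3, where the Certificate message from either side may carry a status_request extension; the program below is an added example (not from this thread or any e-passport implementation) showing it with Go's crypto/tls. It runs a mutually authenticated TLS 1.3 handshake over an in-memory pipe in which the client attaches an OCSP response to its own certificate, and returns what the server received without any outbound OCSP or CRL fetch. The helper names `selfSigned` and `ClientStapleSeenByServer`, the hostnames and the staple bytes are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSigned mints a throw-away self-signed certificate (constructed for this demo) that is its own trust anchor.
func selfSigned(cn string, eku x509.ExtKeyUsage) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// ClientStapleSeenByServer runs a TLS 1.3 mutual-auth handshake over net.Pipe; the client staples
// `staple` to its certificate and the function returns the bytes the server's ConnectionState holds.
func ClientStapleSeenByServer(staple []byte) ([]byte, error) {
	srvCert := selfSigned("server.example", x509.ExtKeyUsageServerAuth)
	cliCert := selfSigned("client.example", x509.ExtKeyUsageClientAuth)
	cliCert.OCSPStaple = staple // the client's pre-fetched OCSP response; opaque constructed bytes here
	clientCAs, rootCAs := x509.NewCertPool(), x509.NewCertPool()
	clientCAs.AddCert(cliCert.Leaf) // server trusts the client's (self-signed) anchor
	rootCAs.AddCert(srvCert.Leaf)   // client trusts the server's anchor
	c1, c2 := net.Pipe()
	srv := tls.Server(c1, &tls.Config{
		Certificates: []tls.Certificate{srvCert}, MinVersion: tls.VersionTLS13,
		ClientAuth:   tls.RequireAndVerifyClientCert, ClientCAs: clientCAs,
		SessionTicketsDisabled: true, // nothing written after the handshake, so the pipe cannot stall
	})
	cli := tls.Client(c2, &tls.Config{
		Certificates: []tls.Certificate{cliCert}, RootCAs: rootCAs, ServerName: "server.example",
	})
	errc := make(chan error, 1)
	go func() { errc <- cli.Handshake() }() // both ends must drive the pipe concurrently
	if err := srv.Handshake(); err != nil { return nil, err }
	if err := <-errc; err != nil { return nil, err }
	return srv.ConnectionState().OCSPResponse, nil
}
```

The relying party still has to parse and validate the returned bytes (responder signature, freshness window, matching serial) before acting on them; crypto/tls only transports the staple.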