IETF Logo Mail Archive

Re: [therightkey] Proposal for working on PKIX revocation open issues

Ben Laurie <benl@google.com> Mon, 17 November 2014 15:52 UTC

Return-Path: <benl@google.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0AE81A6FEA for <therightkey@ietfa.amsl.com>; Mon, 17 Nov 2014 07:52:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.972
X-Spam-Level:
X-Spam-Status: No, score=-1.972 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.594, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ODhoQKv13FUy for <therightkey@ietfa.amsl.com>; Mon, 17 Nov 2014 07:52:49 -0800 (PST)
Received: from mail-qg0-x233.google.com (mail-qg0-x233.google.com [IPv6:2607:f8b0:400d:c04::233]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8F2B1A6FFA for <therightkey@ietf.org>; Mon, 17 Nov 2014 07:52:49 -0800 (PST)
Received: by mail-qg0-f51.google.com with SMTP id l89so853778qgf.38 for <therightkey@ietf.org>; Mon, 17 Nov 2014 07:52:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:references:from:date:message-id:subject:to :content-type; bh=hWczGDn9geTcKYSQwNSTKEIA5pvNWHJsF0mVkSM9SiM=; b=FsLO1Ko/0TxNjnRh3wvt3x0GImTH3t2rZqzLrBOhnp7NVPW6J34YaFgiqQk5HRYqHb U2NBWIRUkqjjTZdYqVMQR38hgmMZ3cOxlrxuL+ECr8joacpWgU1SsuAap7Sal7a9FQXt nFhxjb3/7aRl292q/PHlFOmX+i09CQ8SFXjtPP2XF9hYo/6N82TEgzIMY95VRdTZvVfm byVrxrKAW8+HR5PJeMO/O7wZpZoildEHivyYh4VJD7Yd/eRqJyLK36bCRUbk3FV40xBF zJpGelednHn4czQjyngKLrGSVoj2pBrm83XuSgJETWSFArt53h4CmL3TwNHB5vO7pagr 4Yww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:from:date:message-id :subject:to:content-type; bh=hWczGDn9geTcKYSQwNSTKEIA5pvNWHJsF0mVkSM9SiM=; b=VO4swQPr1Nb0Tlek6Gh2725wg11A6BMD9VdGzi7tw6jVCHT2evRF35Igj9XKQD8zvv ZhXHg/EWjpYrXrhUsyO5EarRy/arPnkpZ+FKo64oCF+0Bpotz2uG8hlpkG/pMUSVDseq grV0734R+IgXthKgAh66j3IPC17hM8V6nm9bPgTgFHRQ+6fWuz5cFyAN9J42+8N51sHL NJHG+QSDP2aGg8MvQxeRQlf+GwvcjPOl5JUNAvo4ddW9jC8efOLKey/JsXcfENIpjZ0f Wi6iHQKgY+iaZnuVBPa6mV8YwgWHEN+vxGG5Sm2eQebov7ekBTKWE7GFAJYJxz2y+Qoa qAbA==
X-Gm-Message-State: ALoCoQnvDRSmCfY1AHYRThLxh10M26LtbPfPSe3spsKtPLslMz2MY48UO1p3uyloUgf7aoE0l9Rc
X-Received: by 10.224.136.194 with SMTP id s2mr7976695qat.82.1416239568632; Mon, 17 Nov 2014 07:52:48 -0800 (PST)
MIME-Version: 1.0
References: <5466AF87.2050307@gmail.com>
From: Ben Laurie <benl@google.com>
Date: Mon, 17 Nov 2014 15:52:48 +0000
Message-ID: <CABrd9SQkXK99ski74A8EyqHDptBsVs_aN6117Br8NyuPhYAa_Q@mail.gmail.com>
To: "Dr. Massimiliano Pala" <massimiliano.pala@gmail.com>, therightkey@ietf.org, "pkix@ietf.org" <pkix@ietf.org>
Content-Type: multipart/alternative; boundary="001a11c2d8e26862ab05080ff842"
Archived-At: http://mailarchive.ietf.org/arch/msg/therightkey/KQ96gT87yNtR_88F8wlNztrEESs
Subject: Re: [therightkey] Proposal for working on PKIX revocation open issues
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Nov 2014 15:52:52 -0000

On Sat Nov 15 2014 at 1:42:31 AM Dr. Massimiliano Pala <
massimiliano.pala@gmail.com> wrote:

> Dear PKIX Enthusiasts,
>
> Although great work has been done in the past... 20 years.. (?) on
> providing very good protocols in the PKIX work, I think that we all
> agree that we still have some unresolved issues. In particular, the
> revocation is still a hot topic (especially for online environments)
> could use improvement over the current status of things. In particular,
> by looking at current specifications, some work is needed to address
> concerns especially in non-web environments.
>
> For example, current specifications about OCSP stapling do not address
> the case of client authentication (which is a widespread use case
> outside the web environment) or, again, defining some new transport
> protocols for delivering OCSP responses which might reduce operational
> costs for revocation service providers.
>
> After proposing the idea to Stephen Farrell and Kathleen Moriarty, we
> would like to know if there might be interests in participating in
> updating the status of the current revocation mechanisms for PKIX. This
> said, the scope of the work I am proposing is very limited. Specifically:
>
> (a) Defining new transport protocols for revocation information
> availability (e.g., OCSP over DNS or OCSP over LDAP)
> (b) (Possibly) defining a more lightweight revocation mechanisms (e.g.
> Lightweight Revocation Tokens)
> (c) (Possibly) helping other working groups to revise and update how
> revocation information are provided (e.g., the client authentication case)
> (d) (Possibly) introducing privacy consideration when it comes to
> revocation checking
>

FWIW, we (Google) are interested in doing the same thing for revocation
that CT does for certs - i.e. providing a verifiable log/map of revocation
status.

Not sure if that fits into your remit above (on the face of it, it does
not).


>
> Because of these considerations, I am proposing to start a conversation
> - for now, Stephen and Kathleen suggested we use (or "abuse") the "The
> Right Key" mailing list to see if there might be enough interest in the
> work from implementers to address these issues. I know that we (OpenCA)
> are interested in implementing these features, and we would like that
> the work would be standardized.
>
> At minimal, I would like (a) to happen. This could be achieved in 6
> months (and we might not even need to meet). (b) and (c) are also
> desirable in order to provide better support for non-browsers and small
> devices (AFAIK, some work might be relevant for DICE). (d) is something
> that we should, I think, all be mindful and at least some considerations
> should be provided. The scope of the work, however, will be limited to
> revocation.
>
> Please, if you are interested and would like to start the discussion,
> post your opinion on therightkey@ietf.org - also, please, circulate this
> proposal to anybody who might be interested in collaborating on this issue.
>
> Please also note that we did decide not to use the pkix@ietf.org mailing
> list because we thought therightkey@ietf.org might provide a more active
> pool of implementors.
>
> Looking forward to receive all your inputs and start working on the topics.
>
> Cheers,
> Max
>
>
> _______________________________________________
> therightkey mailing list
> therightkey@ietf.org
> https://www.ietf.org/mailman/listinfo/therightkey
>

v2.23.0 | Report a Bug | By Email