IETF Logo Mail Archive

Re: [TLS] Status of X.509v3 TLS Feature Extension?

Rob Stradling <rob.stradling@comodo.com> Mon, 28 April 2014 11:02 UTC

Return-Path: <rob.stradling@comodo.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 229131A09BF for <tls@ietfa.amsl.com>; Mon, 28 Apr 2014 04:02:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.609
X-Spam-Level:
X-Spam-Status: No, score=0.609 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, HELO_MISMATCH_NET=0.611, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DS3w5LtUc4Dv for <tls@ietfa.amsl.com>; Mon, 28 Apr 2014 04:02:31 -0700 (PDT)
Received: from ian.brad.office.comodo.net (eth5.brad-fw.brad.office.ccanet.co.uk [178.255.87.226]) by ietfa.amsl.com (Postfix) with ESMTP id 77B881A09A9 for <tls@ietf.org>; Mon, 28 Apr 2014 04:02:20 -0700 (PDT)
Received: (qmail 26792 invoked by uid 1000); 28 Apr 2014 11:02:18 -0000
Received: from nigel.brad.office.comodo.net (HELO [192.168.0.58]) (192.168.0.58) (smtp-auth username rob, mechanism plain) by ian.brad.office.comodo.net (qpsmtpd/0.40) with (AES128-SHA encrypted) ESMTPSA; Mon, 28 Apr 2014 12:02:18 +0100
Message-ID: <535E353A.9030008@comodo.com>
Date: Mon, 28 Apr 2014 12:02:18 +0100
From: Rob Stradling <rob.stradling@comodo.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Tom Ritter <tom@ritter.vg>, Klemens Baum <klemensbaum@gmail.com>
References: <CA+aixj_i8XF2buDNMOp2=_Z0XzT3R4uGfxJtjoGt-_PButSggw@mail.gmail.com> <CA+cU71=FtZfzGktLhLz_j99mQ=LVbd0kzz0ZyGbewQUS0ouEGA@mail.gmail.com>
In-Reply-To: <CA+cU71=FtZfzGktLhLz_j99mQ=LVbd0kzz0ZyGbewQUS0ouEGA@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/-6Fgb949dicegQUza1_NBNjW2Ws
Cc: "tls@ietf.org" <tls@ietf.org>, Phillip Hallam-Baker <philliph@comodo.com>
Subject: Re: [TLS] Status of X.509v3 TLS Feature Extension?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Apr 2014 11:02:35 -0000

On 27/04/14 13:07, Tom Ritter wrote:
> There isn't much gain in requiring it on a per-certificate basis, but
> on a host basis it makes a lot more sense. (Not that putting it on a
> cert is bad, just insufficient.)  There were a couple ideas for making
> this a header here:
> http://www.ietf.org/mail-archive/web/tls/current/msg10351.html I too
> would like Must Staple to come back.

AIUI, PHB intends to progress the tls-feature draft just as soon as IANA 
allocates an OID for the new certificate extension.  It's not dead, just 
resting.

An OID allocation request was submitted well over a year ago.  The 
reason for the delay is that following the shutdown of the PKIX WG, 
control of the PKIX OID registry is being transferred to IANA.  IINM, 
the transfer is still not yet complete.

> -tom
>
> On 24 April 2014 15:55, Klemens Baum <klemensbaum@gmail.com> wrote:
>> After the whole Heartbleed incident, it has become obvious that the
>> current mechanisms for Certificate Revocation are inadequately
>> enforced by clients.
>>
>> To combat the issue, it would seem desirable for a security-conscious
>> server operator to be able to require the use of OCSP stapling on a
>> per-certificate basis. There was already an Internet-Draft (now
>> expired) for an X.509v3 extension which would provide this feature:
>> https://datatracker.ietf.org/doc/draft-hallambaker-tlsfeature/
>>
>> Clients supporting the extension could display an enhanced security
>> indicator (e.g. "Certificate Status: Not revoked") for certificates
>> carrying the extension which pass validation, which would also
>> motivate more widespread adoption of OCSP stapling in favor of CRLs
>> and client-initiated OCSP requests.
>>
>> Since the draft looked very promising, I suggest that it should be
>> unexpired. If anyone with the authority to do so agrees, please submit
>> a request for resurrection per the guidelines at
>> http://www.ietf.org/ietf-ftp/1id-guidelines.txt.
>>
>> A few minor clarifications may still be needed so that it can be
>> quickly implemented by major browsers and the CAs:
>>
>> - The tls-feature OID is currently specified with a value of { id-pe 1
>> }, which corresponds to 1.3.6.1.5.5.7.1.1 (authorityInfoAccess, itself
>> already an X.509v3 extension). Surely a new OID in the
>> pkix.privateExtension arc will need to be allocated by IANA and if
>> this is the case, it should be noted in the section "IANA
>> Considerations".
>>
>> Please share your opinions!

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

v2.23.0 | Report a Bug | By Email