IETF Logo Mail Archive

Re: [TLS] Status of X.509v3 TLS Feature Extension?

Viktor Dukhovni <viktor1dane@dukhovni.org> Mon, 28 April 2014 15:10 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5CD51A0A38 for <tls@ietfa.amsl.com>; Mon, 28 Apr 2014 08:10:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JeH4NA2YvU1b for <tls@ietfa.amsl.com>; Mon, 28 Apr 2014 08:10:58 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) by ietfa.amsl.com (Postfix) with ESMTP id 7FB9E1A6F0F for <tls@ietf.org>; Mon, 28 Apr 2014 08:10:54 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 3B8662AB0DD; Mon, 28 Apr 2014 15:10:53 +0000 (UTC)
Date: Mon, 28 Apr 2014 15:10:53 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20140428151053.GV27883@mournblade.imrryr.org>
References: <CA+aixj_i8XF2buDNMOp2=_Z0XzT3R4uGfxJtjoGt-_PButSggw@mail.gmail.com> <CA+cU71=FtZfzGktLhLz_j99mQ=LVbd0kzz0ZyGbewQUS0ouEGA@mail.gmail.com> <535E353A.9030008@comodo.com> <20140428142029.GT27883@mournblade.imrryr.org> <2A0EFB9C05D0164E98F19BB0AF3708C7120C61F59F@USMBX1.msg.corp.akamai.com> <20140428145250.GU27883@mournblade.imrryr.org> <2A0EFB9C05D0164E98F19BB0AF3708C7120C61F5D0@USMBX1.msg.corp.akamai.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <2A0EFB9C05D0164E98F19BB0AF3708C7120C61F5D0@USMBX1.msg.corp.akamai.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/-CrJc1VvGPVEP6hxqrHwkVroMZc
Subject: Re: [TLS] Status of X.509v3 TLS Feature Extension?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Apr 2014 15:10:59 -0000

On Mon, Apr 28, 2014 at 10:57:50AM -0400, Salz, Rich wrote:

> Those are all really good questions, but seem to me that they're
> a matter of local trust policy and not policy that should be nailed
> down in an RFC.  Do you disagree?

If the protocol is to fail closed (as is I think suggested by the
extension) then it must be possible to implement it interoperably,
in which case these questions should have answers.  As it stands,
I don't see how one would implement an interoperable fail-closed
client and server for OCSP stapling.

Current client implementations probably just set a fixed generous
upper bound, but there is no reason to expect that all CAs produce
new CRLs or new OCSP responses within the arbitrarily locally
selected maximum time.  Nor is it clear that servers obtain new
OCSP responses in a timely manner, and how much extra time to give
them to allow for adverse conditions.

For example a DDoS of a CAs OCSP responder may last longer than
the "[thisUpdate, nextUpdate]" interval, how long is long enough
to allow a CA to recover and for servers to obtain new stapled
responses?  How often should servers retry (don't want the servers
trying to get overdue updates perpetuating the DDoS)?

The protocol looks under-specified to me.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email