IETF Logo Mail Archive

[TLS] Status of X.509v3 TLS Feature Extension?

Klemens Baum <klemensbaum@gmail.com> Thu, 24 April 2014 19:56 UTC

Return-Path: <klemensbaum@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88B041A0389 for <tls@ietfa.amsl.com>; Thu, 24 Apr 2014 12:56:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EQJAtjtw0GKe for <tls@ietfa.amsl.com>; Thu, 24 Apr 2014 12:55:59 -0700 (PDT)
Received: from mail-ob0-x230.google.com (mail-ob0-x230.google.com [IPv6:2607:f8b0:4003:c01::230]) by ietfa.amsl.com (Postfix) with ESMTP id BE7411A037A for <tls@ietf.org>; Thu, 24 Apr 2014 12:55:59 -0700 (PDT)
Received: by mail-ob0-f176.google.com with SMTP id wp4so3224338obc.35 for <tls@ietf.org>; Thu, 24 Apr 2014 12:55:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:cc:content-type; bh=ZJ8dXL5WdpsC7J/XA8jEUnfs12Ms0oKNu2Jq3x2hO5I=; b=FAcE/fK7Q3N3wAacat+/XJzI/VDMU7up0cVECRh3uuqRKQ5HpO9FKkKzgDWLOFSuV0 RyP4wyWDIP4EFgqdrqPzqajNw4wdq+jzpWQooGn9DPZtZ51F0KKmFbPn/sAJqxPQ/tZk gYJk/27QNOf+Ocx/Rjcjup4t/KzNJOkjyU3/THia7L2b90upo5e9b/rkvJdql8w+Bnur dEz4mCFYtcUc6H5WToy8EeH7WHvwsiN1NJ/DJmVGyxg9KqJRz8995BstYNdha/zJXxns A5R4uq81L9d1VQK62GpNOAo29OO0WpeqkS+Am8GXIPoJ/4aY619b/Lp2lnOILflV6Ib+ /o8w==
MIME-Version: 1.0
X-Received: by 10.60.77.35 with SMTP id p3mr3167722oew.46.1398369353500; Thu, 24 Apr 2014 12:55:53 -0700 (PDT)
Received: by 10.182.81.73 with HTTP; Thu, 24 Apr 2014 12:55:53 -0700 (PDT)
Date: Thu, 24 Apr 2014 21:55:53 +0200
Message-ID: <CA+aixj_i8XF2buDNMOp2=_Z0XzT3R4uGfxJtjoGt-_PButSggw@mail.gmail.com>
From: Klemens Baum <klemensbaum@gmail.com>
To: tls@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/1BXcezHANteoXyHKINRg49smKoQ
X-Mailman-Approved-At: Sat, 26 Apr 2014 08:06:12 -0700
Subject: [TLS] Status of X.509v3 TLS Feature Extension?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Apr 2014 19:56:01 -0000

After the whole Heartbleed incident, it has become obvious that the
current mechanisms for Certificate Revocation are inadequately
enforced by clients.

To combat the issue, it would seem desirable for a security-conscious
server operator to be able to require the use of OCSP stapling on a
per-certificate basis. There was already an Internet-Draft (now
expired) for an X.509v3 extension which would provide this feature:
https://datatracker.ietf.org/doc/draft-hallambaker-tlsfeature/

Clients supporting the extension could display an enhanced security
indicator (e.g. "Certificate Status: Not revoked") for certificates
carrying the extension which pass validation, which would also
motivate more widespread adoption of OCSP stapling in favor of CRLs
and client-initiated OCSP requests.

Since the draft looked very promising, I suggest that it should be
unexpired. If anyone with the authority to do so agrees, please submit
a request for resurrection per the guidelines at
http://www.ietf.org/ietf-ftp/1id-guidelines.txt.

A few minor clarifications may still be needed so that it can be
quickly implemented by major browsers and the CAs:

- The tls-feature OID is currently specified with a value of { id-pe 1
}, which corresponds to 1.3.6.1.5.5.7.1.1 (authorityInfoAccess, itself
already an X.509v3 extension). Surely a new OID in the
pkix.privateExtension arc will need to be allocated by IANA and if
this is the case, it should be noted in the section "IANA
Considerations".

Please share your opinions!

v2.23.0 | Report a Bug | By Email