[TLS] Status of X.509v3 TLS Feature Extension?
Klemens Baum <klemensbaum@gmail.com> Thu, 24 April 2014 19:56 UTC
Return-Path: <klemensbaum@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88B041A0389 for <tls@ietfa.amsl.com>; Thu, 24 Apr 2014 12:56:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EQJAtjtw0GKe for <tls@ietfa.amsl.com>; Thu, 24 Apr 2014 12:55:59 -0700 (PDT)
Received: from mail-ob0-x230.google.com (mail-ob0-x230.google.com [IPv6:2607:f8b0:4003:c01::230]) by ietfa.amsl.com (Postfix) with ESMTP id BE7411A037A for <tls@ietf.org>; Thu, 24 Apr 2014 12:55:59 -0700 (PDT)
Received: by mail-ob0-f176.google.com with SMTP id wp4so3224338obc.35 for <tls@ietf.org>; Thu, 24 Apr 2014 12:55:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:cc:content-type; bh=ZJ8dXL5WdpsC7J/XA8jEUnfs12Ms0oKNu2Jq3x2hO5I=; b=FAcE/fK7Q3N3wAacat+/XJzI/VDMU7up0cVECRh3uuqRKQ5HpO9FKkKzgDWLOFSuV0 RyP4wyWDIP4EFgqdrqPzqajNw4wdq+jzpWQooGn9DPZtZ51F0KKmFbPn/sAJqxPQ/tZk gYJk/27QNOf+Ocx/Rjcjup4t/KzNJOkjyU3/THia7L2b90upo5e9b/rkvJdql8w+Bnur dEz4mCFYtcUc6H5WToy8EeH7WHvwsiN1NJ/DJmVGyxg9KqJRz8995BstYNdha/zJXxns A5R4uq81L9d1VQK62GpNOAo29OO0WpeqkS+Am8GXIPoJ/4aY619b/Lp2lnOILflV6Ib+ /o8w==
MIME-Version: 1.0
X-Received: by 10.60.77.35 with SMTP id p3mr3167722oew.46.1398369353500; Thu, 24 Apr 2014 12:55:53 -0700 (PDT)
Received: by 10.182.81.73 with HTTP; Thu, 24 Apr 2014 12:55:53 -0700 (PDT)
Date: Thu, 24 Apr 2014 21:55:53 +0200
Message-ID: <CA+aixj_i8XF2buDNMOp2=_Z0XzT3R4uGfxJtjoGt-_PButSggw@mail.gmail.com>
From: Klemens Baum <klemensbaum@gmail.com>
To: tls@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/1BXcezHANteoXyHKINRg49smKoQ
X-Mailman-Approved-At: Sat, 26 Apr 2014 08:06:12 -0700
Subject: [TLS] Status of X.509v3 TLS Feature Extension?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Apr 2014 19:56:01 -0000
After the whole Heartbleed incident, it has become obvious that the current mechanisms for Certificate Revocation are inadequately enforced by clients. To combat the issue, it would seem desirable for a security-conscious server operator to be able to require the use of OCSP stapling on a per-certificate basis. There was already an Internet-Draft (now expired) for an X.509v3 extension which would provide this feature: https://datatracker.ietf.org/doc/draft-hallambaker-tlsfeature/ Clients supporting the extension could display an enhanced security indicator (e.g. "Certificate Status: Not revoked") for certificates carrying the extension which pass validation, which would also motivate more widespread adoption of OCSP stapling in favor of CRLs and client-initiated OCSP requests. Since the draft looked very promising, I suggest that it should be unexpired. If anyone with the authority to do so agrees, please submit a request for resurrection per the guidelines at http://www.ietf.org/ietf-ftp/1id-guidelines.txt. A few minor clarifications may still be needed so that it can be quickly implemented by major browsers and the CAs: - The tls-feature OID is currently specified with a value of { id-pe 1 }, which corresponds to 1.3.6.1.5.5.7.1.1 (authorityInfoAccess, itself already an X.509v3 extension). Surely a new OID in the pkix.privateExtension arc will need to be allocated by IANA and if this is the case, it should be noted in the section "IANA Considerations". Please share your opinions!
- [TLS] Status of X.509v3 TLS Feature Extension? Klemens Baum
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Tom Ritter
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Rob Stradling
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Salz, Rich
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Rob Stradling
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Russ Housley
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Viktor Dukhovni
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Salz, Rich
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Watson Ladd
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Viktor Dukhovni
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Salz, Rich
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Viktor Dukhovni
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Salz, Rich
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Viktor Dukhovni
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Salz, Rich
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Viktor Dukhovni
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Nico Williams
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Adam Langley
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Martin Rex
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Martin Rex
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Stephen Checkoway
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Geoffrey Keating
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Peter Gutmann
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Stephen Checkoway
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Nico Williams
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Nico Williams
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Geoffrey Keating
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Rob Stradling
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Phillip Hallam-Baker
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Rob Stradling
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Paul Lambert
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Adam Langley
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Nico Williams
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Adam Langley
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Salz, Rich
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Nico Williams
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Phillip Hallam-Baker