Re: [TLS] Status of X.509v3 TLS Feature Extension?

Paul Lambert <> Tue, 29 April 2014 20:56 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id F05781A03FC for <>; Tue, 29 Apr 2014 13:56:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.267
X-Spam-Status: No, score=-2.267 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id O_5Qe9VRgjjX for <>; Tue, 29 Apr 2014 13:56:25 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 56CF81A09BE for <>; Tue, 29 Apr 2014 13:56:25 -0700 (PDT)
Received: from pps.filterd ( []) by (8.14.5/8.14.5) with SMTP id s3TKu9rh024640; Tue, 29 Apr 2014 13:56:22 -0700
Received: from ([]) by with ESMTP id 1khmr8exvk-1 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Tue, 29 Apr 2014 13:56:21 -0700
Received: from ([]) by ([fe80::e56e:83a7:9eef:b5a1%16]) with mapi; Tue, 29 Apr 2014 13:56:21 -0700
From: Paul Lambert <>
To: Geoffrey Keating <>, "" <>
Date: Tue, 29 Apr 2014 13:57:25 -0700
Thread-Topic: [TLS] Status of X.509v3 TLS Feature Extension?
Thread-Index: Ac9j7XjeLi8uLImPT2u/e4yfm9LuuQ==
Message-ID: <>
References: <> <> <m2r44hw86f.fsf@localhost.localdomain>
In-Reply-To: <m2r44hw86f.fsf@localhost.localdomain>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.96, 1.0.14, 0.0.0000 definitions=2014-04-29_05:2014-04-29, 2014-04-29, 1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1402240000 definitions=main-1404290283
Cc: "" <>
Subject: Re: [TLS] Status of X.509v3 TLS Feature Extension?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 29 Apr 2014 20:56:34 -0000

On 4/28/14, 12:44 PM, "Geoffrey Keating" <> wrote:

> (Martin Rex) writes:
>> Processing multiple OCSP responses from the TLS multiple certificate
>> extension will also be interesting for TLS client that essentially throw
>> away everything but the Server certificate from the Server's TLS
>> handshake message and perform a new path discovery, because the
>> path may be different from the one that was sent by the server.
>This is only a problem if the new path discovery might use
>certificates which weren't sent from the server (built-in
>intermediates or ones fetched from the web), for which of course the
>server won't have sent OCSP responses.  Another way to put this is
>that the server needs to send all necessary intermediates for OCSP
>stapling to work properly.

Yes.  This is critical.  Implementations currently do not support
OCSP stapling for intermediaries. Just fielded a system and we
Ended up not being able to support business models with more
than one level of usable hierarchy.  Stapling  is not useable
now for multi-level hierarchies.


>TLS mailing list