IETF Logo Mail Archive

Re: [TLS] Status of X.509v3 TLS Feature Extension?

Paul Lambert <paul@marvell.com> Tue, 29 April 2014 20:56 UTC

Return-Path: <paul@marvell.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F05781A03FC for <tls@ietfa.amsl.com>; Tue, 29 Apr 2014 13:56:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.267
X-Spam-Level:
X-Spam-Status: No, score=-2.267 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O_5Qe9VRgjjX for <tls@ietfa.amsl.com>; Tue, 29 Apr 2014 13:56:25 -0700 (PDT)
Received: from mx0b-0016f401.pphosted.com (mx0b-0016f401.pphosted.com [67.231.156.173]) by ietfa.amsl.com (Postfix) with ESMTP id 56CF81A09BE for <tls@ietf.org>; Tue, 29 Apr 2014 13:56:25 -0700 (PDT)
Received: from pps.filterd (m0045851.ppops.net [127.0.0.1]) by mx0b-0016f401.pphosted.com (8.14.5/8.14.5) with SMTP id s3TKu9rh024640; Tue, 29 Apr 2014 13:56:22 -0700
Received: from sc-owa04.marvell.com ([199.233.58.150]) by mx0b-0016f401.pphosted.com with ESMTP id 1khmr8exvk-1 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Tue, 29 Apr 2014 13:56:21 -0700
Received: from SC-vEXCH2.marvell.com ([10.93.76.134]) by SC-OWA04.marvell.com ([fe80::e56e:83a7:9eef:b5a1%16]) with mapi; Tue, 29 Apr 2014 13:56:21 -0700
From: Paul Lambert <paul@marvell.com>
To: Geoffrey Keating <geoffk@geoffk.org>, "mrex@sap.com" <mrex@sap.com>
Date: Tue, 29 Apr 2014 13:57:25 -0700
Thread-Topic: [TLS] Status of X.509v3 TLS Feature Extension?
Thread-Index: Ac9j7XjeLi8uLImPT2u/e4yfm9LuuQ==
Message-ID: <CF855F95.39E86%paul@marvell.com>
References: <2A0EFB9C05D0164E98F19BB0AF3708C7120C61F669@USMBX1.msg.corp.akamai.com> <20140428180218.C805D1ACE1@ld9781.wdf.sap.corp> <m2r44hw86f.fsf@localhost.localdomain>
In-Reply-To: <m2r44hw86f.fsf@localhost.localdomain>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.1.140326
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.96, 1.0.14, 0.0.0000 definitions=2014-04-29_05:2014-04-29, 2014-04-29, 1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1402240000 definitions=main-1404290283
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/2BZSxjr02zVjPfrv013CEqp4vgg
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Status of X.509v3 TLS Feature Extension?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Apr 2014 20:56:34 -0000

On 4/28/14, 12:44 PM, "Geoffrey Keating" <geoffk@geoffk.org> wrote:

>mrex@sap.com (Martin Rex) writes:
>
>> Processing multiple OCSP responses from the TLS multiple certificate
>>status
>> extension will also be interesting for TLS client that essentially throw
>> away everything but the Server certificate from the Server's TLS
>>Certificate
>> handshake message and perform a new path discovery, because the
>>resulting
>> path may be different from the one that was sent by the server.
>
>This is only a problem if the new path discovery might use
>certificates which weren't sent from the server (built-in
>intermediates or ones fetched from the web), for which of course the
>server won't have sent OCSP responses.  Another way to put this is
>that the server needs to send all necessary intermediates for OCSP
>stapling to work properly.

Yes.  This is critical.  Implementations currently do not support
OCSP stapling for intermediaries. Just fielded a system and we
Ended up not being able to support business models with more
than one level of usable hierarchy.  Stapling  is not useable
now for multi-level hierarchies.

Paul



>
>_______________________________________________
>TLS mailing list
>TLS@ietf.org
>https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email