Re: [TLS] OCSP Stapling confusion

"Salz, Rich" <rsalz@akamai.com> Mon, 10 December 2018 02:24 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, "tls@ietf.org" <tls@ietf.org>
Date: Mon, 10 Dec 2018 02:24:29 +0000
Message-ID: <122F779A-6BF7-4B9F-8522-860E44C5FC00@akamai.com>
References: <877egitcbv.fsf@fifthhorseman.net>
In-Reply-To: <877egitcbv.fsf@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2VYEY6RxDjX_SmphmJCf2zQWzho>

>     * the status_request TLS extension doesn't provide a mechanism for
>       stapling OCSP for intermediate certs.

Nobody does this.  There's a handful of reasons, but the end result is: nobody does this.

>    So i think this is a big swirling mishmash of not-quite-compatible and
>    not-quite-complete specs, especially as we think about TLS clients and
>    servers that want to be interoperable with both TLS 1.2 and TLS 1.3.

Yes, there are many things that could be cleared out with a BCP doc.  I would be interested in helping with that.