Re: [TLS] Status of X.509v3 TLS Feature Extension?

Adam Langley <agl@google.com> Tue, 29 April 2014 21:10 UTC

In-Reply-To: <CF855F95.39E86%paul@marvell.com>
References: <2A0EFB9C05D0164E98F19BB0AF3708C7120C61F669@USMBX1.msg.corp.akamai.com> <20140428180218.C805D1ACE1@ld9781.wdf.sap.corp> <m2r44hw86f.fsf@localhost.localdomain> <CF855F95.39E86%paul@marvell.com>
From: Adam Langley <agl@google.com>
Date: Tue, 29 Apr 2014 14:09:36 -0700
Message-ID: <CAL9PXLzCOyi2eWF39+oj0uEFWoU4muYBNm3hRYuZ-vepPxgN+A@mail.gmail.com>
To: Paul Lambert <paul@marvell.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/3bJM10BXQLVoIQnYMuqX8JM5RPk
Cc: Geoffrey Keating <geoffk@geoffk.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Status of X.509v3 TLS Feature Extension?

On Tue, Apr 29, 2014 at 1:57 PM, Paul Lambert <paul@marvell.com> wrote:
> Yes.  This is critical.  Implementations currently do not support
> OCSP stapling for intermediaries. Just fielded a system and we
> ended up not being able to support business models with more
> than one level of usable hierarchy.  Stapling is not usable
> now for multi-level hierarchies.

It might well be that Must Staple is best done for just the leaf and
that pushed CRLs are used for intermediate revocations. That's the
deployment model that I think is most likely.

As for Chrome's support: it's tough because we use different libraries
on different platforms (CAPI on Windows, OS X's library there and NSS
in other places). We also have a lot happening with our switch to
OpenSSL. So, while we would like to support Must Staple, that is
currently delaying it. Hopefully Firefox can beat us to it.


Cheers

AGL
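As an added illustration of the deployment model discussed above (leaf-only Must Staple, CRLs for intermediates), the following Python is example code written for this page, not code from the thread, Chrome or any library. It decodes the RFC 7633 TLS Feature extension from hand-constructed DER bytes and applies that policy to a chain; treating intermediates as never requiring a staple is an assumption that models the message's proposal, not a rule from the RFC.

```python
# Added example, not from the thread: decode the X.509v3 TLS Feature extension
# (RFC 7633, id-pe-tlsfeature = 1.3.6.1.5.5.7.1.24) from DER and apply the
# leaf-only Must Staple model discussed above. All sample bytes are constructed.
TLS_FEATURE_OID = bytes.fromhex("2b06010505070118")  # DER of 1.3.6.1.5.5.7.1.24
STATUS_REQUEST = 5       # TLS extension type status_request (OCSP stapling)
STATUS_REQUEST_V2 = 17   # TLS extension type status_request_v2
# Constructed: Extension { id-pe-tlsfeature, extnValue = SEQUENCE { INTEGER 5 } }
MUST_STAPLE_EXT = bytes.fromhex("301106082b0601050507011804053003020105")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_tls_feature(ext_der):
    """Decode Extension { extnID, critical OPTIONAL, extnValue } and return the
    list of required TLS extension types, or None if it is another extension."""
    tag, ext, _ = read_tlv(ext_der, 0)
    assert tag == 0x30, "Extension must be a SEQUENCE"
    tag, oid, pos = read_tlv(ext, 0)
    if tag != 0x06 or oid != TLS_FEATURE_OID:
        return None
    tag, val, pos = read_tlv(ext, pos)
    if tag == 0x01:  # optional BOOLEAN critical: skip it
        tag, val, pos = read_tlv(ext, pos)
    assert tag == 0x04, "extnValue must be an OCTET STRING"
    tag, seq, _ = read_tlv(val, 0)
    assert tag == 0x30, "TLSFeature is SEQUENCE OF INTEGER"
    features, pos = [], 0
    while pos < len(seq):
        tag, num, pos = read_tlv(seq, pos)
        assert tag == 0x02, "each feature is an INTEGER"
        features.append(int.from_bytes(num, "big"))
    return features

def check_chain(chain, stapled_for):
    """chain: list of (name, is_leaf, extension DER or None); stapled_for: names the
    server sent a stapled OCSP response for. Returns the certificates that violate
    the policy: Must Staple is enforced on the leaf only, intermediates rely on CRLs."""
    failures = []
    for name, is_leaf, ext in chain:
        feats = parse_tls_feature(ext) if ext else None
        must_staple = bool(feats) and (STATUS_REQUEST in feats or STATUS_REQUEST_V2 in feats)
        if is_leaf and must_staple and name not in stapled_for:
            failures.append(name)
    return failures
```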