Re: [TLS] Fwd: New Version Notification for draft-pettersen-tls-ext-multiple-ocsp-03.txt
Sean Turner <turners@ieca.com> Mon, 09 April 2012 21:37 UTC
Return-Path: <turners@ieca.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1ED7921F87F3 for <tls@ietfa.amsl.com>; Mon, 9 Apr 2012 14:37:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.932
X-Spam-Level:
X-Spam-Status: No, score=-102.932 tagged_above=-999 required=5 tests=[AWL=-0.667, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bdTyILQsAi8D for <tls@ietfa.amsl.com>; Mon, 9 Apr 2012 14:37:12 -0700 (PDT)
Received: from gateway14.websitewelcome.com (gateway14.websitewelcome.com [69.93.179.25]) by ietfa.amsl.com (Postfix) with ESMTP id 4ACF921F8780 for <tls@ietf.org>; Mon, 9 Apr 2012 14:37:12 -0700 (PDT)
Received: by gateway14.websitewelcome.com (Postfix, from userid 5007) id A78F02B38C39D; Mon, 9 Apr 2012 16:37:11 -0500 (CDT)
Received: from gator1743.hostgator.com (gator1743.hostgator.com [184.173.253.227]) by gateway14.websitewelcome.com (Postfix) with ESMTP id 9A1552B38C37D for <tls@ietf.org>; Mon, 9 Apr 2012 16:37:11 -0500 (CDT)
Received: from [71.191.0.197] (port=42017 helo=thunderfish.local) by gator1743.hostgator.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <turners@ieca.com>) id 1SHMGs-0002lA-NW; Mon, 09 Apr 2012 16:37:11 -0500
Message-ID: <4F835685.5060103@ieca.com>
Date: Mon, 09 Apr 2012 17:37:09 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20120327 Thunderbird/11.0.1
MIME-Version: 1.0
To: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
References: <20120306124950.6304.36237.idtracker@ietfa.amsl.com> <op.waq2hefjqrq7tp@acorna.invalid.invalid>
In-Reply-To: <op.waq2hefjqrq7tp@acorna.invalid.invalid>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator1743.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: pool-71-191-0-197.washdc.east.verizon.net (thunderfish.local) [71.191.0.197]:42017
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 1
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IxNzQzLmhvc3RnYXRvci5jb20=
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Fwd: New Version Notification for draft-pettersen-tls-ext-multiple-ocsp-03.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Apr 2012 21:37:13 -0000
<no hat> Yngve, Here are some comments on the draft (hopefully this will encourage others to also read it): 1. The Abstract contains the following: This document introduces a replacement of the TLS Certificate Status Extension to allow clients to specify and support multiple certificate status methods. I know somebody will get to the word "replacement" and start asking whether this draft should update 6066. I don't think that's the intent you're just defining a new extension so it should just say that: This document defines the TLS Certificate Status Version 2 Extension to allow clients to specify and support multiple certificate status methods. 2. Abstract: Expand OCSP and TLS. 3. Abstract: r/Also being introduced/Also defined 4. The RFC editor will move the "requirements language" paragraph to the main body so you might as well do it now. Move it to s1.1. 5. The copy right notice section contains the pre-5378 paragraph, but the draft first appeared after 5378 was published. Is there some bits in here that are copied from 5246 or somewhere else? If not, then you can delete that para. 6. s1: r/Transport Layer Security/Transport Layer Security (TLS) 7. s1: I don't think you need to try to slip in the comparison to other methods. I think it's implied. OLD: The benefits of this extension include a reduced number of roundtrips and network delays for the client to verify the status of the server's certificate using other retrieval methods and a reduced load on the certificate issuer's status response servers, thus solving a problem that can become significant when the issued certificate is presented by a frequently visited server. NEW: The benefits of this extension include a reduced number of roundtrips and network delays for the client to verify the status of the server's certificate and a reduced load on the certificate issuer's status response servers, thus solving a problem that can become significant when the issued certificate is presented by a frequently visited server. 8. s1: wordy ;) OLD: There are two problems with the existing Certificate Status extension as it is currently defined. NEW: There are two problems with the existing Certificate Status extension. 9. s1: Just some tweaking (two whichs read a little odd): OLD: First, it does not provide functionality to request the status information about intermediate CA certificates, which means the client has to request this through other retrieval methods, such as CRLs, which can cause significant delays when the revocation list has to be refreshed. NEW: First, it does not provide functionality to request the status information about intermediate Certification Authority (CA) certificates, which means the client has to request status information through other methods, such as CRLs, thus adding additional delay. 10. s1: r/Certificate Authorities/Certification Authorities X2 11. s1: r/Point[RFC5280]/Point [RFC5280] 12. s1: In the following I think the point is just for client-cached CRLS because most that responders I know about are fed by a CRL. OLD: Given that CRLs, particularly those cached by the client, are frequently less up to date than is possible for an OCSP responder, using OCSP to access up-to-date status information about intermediate CA certificates will be of great benefit to clients. NEW: Given that client-cached CRLs are frequently out of date, using OCSP to access up-to-date status information about intermediate CA certificates will be of great benefit to clients. 13. s1: I guess I'd tweak the following a bit: OLD: The author is aware that the cost of providing this bandwidth just for site certificates has been a concern to some CAs, particularly the smaller ones, and it follows naturally that doubling or tripling this cost could be problematic for the CAs. The author is also aware of at least one case when OCSP requests for a single high-traffic site caused significant network problems for the issuing CA. NEW: CAs should be aware that there is a cost associated with providing bandwidth to support OCSP. There are cases where OCSP requests for a single high-traffic site caused significant network problems for the issuing CA. 14. s1: r/multiple, OCSP mode/multiple-OCSP method 15. s2.1: r/The extension added by this/The extension defined by this 16.: s2.1: Just trying to avoid the questions about whether this draft updates 6066: r/which is updated with this value/which uses the following value 17. s2.2: So OCSP is definitely used a lot more than SCVP, but it is the other status protocol. Should we just add it now? 18. s2.2: Need a normative reference for DER. Use the x680/x690 references from 5246. 19. s2.2: The nonce extension encoding is being fixed. I sure hope it'll get done sooner rather than later. Note that the bis draft does define the encoding as an OCTET STRING so it's aligned. 20. Hmmm should this draft reference draft-ietf-pkix-rfc2560bis instead of RFC 2560? 21. s2.2: r/[RFC2560]) ./[RFC2560]). 22. s2.2: r/that is,/That is, 23. s.2.2: Why the MUST NOT here: The list MAY contain fewer OCSP responses than there were certificates in the Certificate handshake message, but there MUST NOT be more responses than there were certificates in the list spt </no hat> On 3/6/12 8:01 AM, Yngve N. Pettersen (Developer Opera Software ASA) wrote: > > FYI > > <http://www.ietf.org/id/draft-pettersen-tls-ext-multiple-ocsp-03.txt> > > ------- Forwarded message ------- > From: internet-drafts@ietf.org > To: yngve@opera.com > Cc: > Subject: New Version Notification for > draft-pettersen-tls-ext-multiple-ocsp-03.txt > Date: Tue, 06 Mar 2012 13:49:50 +0100 > > A new version of I-D, draft-pettersen-tls-ext-multiple-ocsp-03.txt has > been successfully submitted by Yngve N. Pettersen and posted to the IETF > repository. > > Filename: draft-pettersen-tls-ext-multiple-ocsp > Revision: 03 > Title: Adding Multiple TLS Certificate Status Extension requests > Creation date: 2012-03-06 > WG ID: Individual Submission > Number of pages: 9 > > Abstract: > This document introduces a replacement of the TLS Certificate Status > Extension to allow clients to specify and support multiple > certificate status methods. Also being introduced is a new OCSP- > based method that servers can use to provide status information not > just about the server's own certificate, but also the status of > intermediate certificates in the chain. > > > > > > The IETF Secretariat > >
- [TLS] Fwd: New Version Notification for draft-pet… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Fwd: New Version Notification for draft… Sean Turner
- Re: [TLS] Fwd: New Version Notification for draft… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Fwd: New Version Notification for draft… Rob Stradling
- Re: [TLS] Fwd: New Version Notification for draft… Yngve N. Pettersen (Developer Opera Software ASA)