IETF Logo Mail Archive

Re: [TLS] Fwd: New Version Notification for draft-pettersen-tls-ext-multiple-ocsp-03.txt

Sean Turner <turners@ieca.com> Mon, 09 April 2012 21:37 UTC

Return-Path: <turners@ieca.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1ED7921F87F3 for <tls@ietfa.amsl.com>; Mon, 9 Apr 2012 14:37:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.932
X-Spam-Level:
X-Spam-Status: No, score=-102.932 tagged_above=-999 required=5 tests=[AWL=-0.667, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bdTyILQsAi8D for <tls@ietfa.amsl.com>; Mon, 9 Apr 2012 14:37:12 -0700 (PDT)
Received: from gateway14.websitewelcome.com (gateway14.websitewelcome.com [69.93.179.25]) by ietfa.amsl.com (Postfix) with ESMTP id 4ACF921F8780 for <tls@ietf.org>; Mon, 9 Apr 2012 14:37:12 -0700 (PDT)
Received: by gateway14.websitewelcome.com (Postfix, from userid 5007) id A78F02B38C39D; Mon, 9 Apr 2012 16:37:11 -0500 (CDT)
Received: from gator1743.hostgator.com (gator1743.hostgator.com [184.173.253.227]) by gateway14.websitewelcome.com (Postfix) with ESMTP id 9A1552B38C37D for <tls@ietf.org>; Mon, 9 Apr 2012 16:37:11 -0500 (CDT)
Received: from [71.191.0.197] (port=42017 helo=thunderfish.local) by gator1743.hostgator.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <turners@ieca.com>) id 1SHMGs-0002lA-NW; Mon, 09 Apr 2012 16:37:11 -0500
Message-ID: <4F835685.5060103@ieca.com>
Date: Mon, 09 Apr 2012 17:37:09 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20120327 Thunderbird/11.0.1
MIME-Version: 1.0
To: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
References: <20120306124950.6304.36237.idtracker@ietfa.amsl.com> <op.waq2hefjqrq7tp@acorna.invalid.invalid>
In-Reply-To: <op.waq2hefjqrq7tp@acorna.invalid.invalid>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator1743.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: pool-71-191-0-197.washdc.east.verizon.net (thunderfish.local) [71.191.0.197]:42017
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 1
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IxNzQzLmhvc3RnYXRvci5jb20=
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Fwd: New Version Notification for draft-pettersen-tls-ext-multiple-ocsp-03.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Apr 2012 21:37:13 -0000

<no hat>

Yngve,

Here are some comments on the draft (hopefully this will encourage 
others to also read it):

1. The Abstract contains the following:

  This document introduces a replacement of the TLS Certificate Status
  Extension to allow clients to specify and support multiple
  certificate status methods.

I know somebody will get to the word "replacement" and start asking 
whether this draft should update 6066.  I don't think that's the intent 
you're just defining a new extension so it should just say that:

  This document defines the TLS Certificate Status Version 2
  Extension to allow clients to specify and support multiple
  certificate status methods.

2. Abstract: Expand OCSP and TLS.

3. Abstract: r/Also being introduced/Also defined

4. The RFC editor will move the "requirements language" paragraph to the 
main body so you might as well do it now.  Move it to s1.1.

5. The copy right notice section contains the pre-5378 paragraph, but 
the draft first appeared after 5378 was published.  Is there some bits 
in here that are copied from 5246 or somewhere else?  If not, then you 
can delete that para.

6. s1: r/Transport Layer Security/Transport Layer Security (TLS)

7. s1: I don't think you need to try to slip in the comparison to other 
methods.  I think it's implied.

OLD:

  The benefits of this extension include a reduced number
  of roundtrips and network delays for the client to verify the status
  of the server's certificate using other retrieval methods and a
  reduced load on the certificate issuer's status response servers,
  thus solving a problem that can become significant when the issued
  certificate is presented by a frequently visited server.

NEW:

  The benefits of this extension include a reduced number
  of roundtrips and network delays for the client to verify the status
  of the server's certificate and a
  reduced load on the certificate issuer's status response servers,
  thus solving a problem that can become significant when the issued
  certificate is presented by a frequently visited server.

8. s1: wordy ;)

OLD:

  There are two problems with the existing Certificate Status extension
  as it is currently defined.

NEW:

  There are two problems with the existing Certificate Status extension.

9. s1: Just some tweaking (two whichs read a little odd):

OLD:

  First, it does not provide functionality
  to request the status information about intermediate CA certificates,
  which means the client has to request this through other retrieval
  methods, such as CRLs, which can cause significant delays when the
  revocation list has to be refreshed.

NEW:

  First, it does not provide functionality
  to request the status information about intermediate Certification
  Authority (CA) certificates,
  which means the client has to request status information through other
  methods, such as CRLs, thus adding additional delay.

10. s1: r/Certificate Authorities/Certification Authorities X2

11. s1: r/Point[RFC5280]/Point [RFC5280]

12. s1: In the following I think the point is just for client-cached 
CRLS because most that responders I know about are fed by a CRL.

OLD:

  Given
  that CRLs, particularly those cached by the client, are frequently
  less up to date than is possible for an OCSP responder, using OCSP to
  access up-to-date status information about intermediate CA
  certificates will be of great benefit to clients.

NEW:

  Given
  that client-cached CRLs are frequently out of date, using OCSP to
  access up-to-date status information about intermediate CA
  certificates will be of great benefit to clients.

13. s1: I guess I'd tweak the following a bit:

OLD:

  The author is aware that the cost of providing this bandwidth
  just for site certificates has been a concern to some CAs,
  particularly the smaller ones, and it follows naturally that doubling
  or tripling this cost could be problematic for the CAs.  The author
  is also aware of at least one case when OCSP requests for a single
  high-traffic site caused significant network problems for the issuing
  CA.

NEW:

  CAs should be aware that there is a cost associated with providing
  bandwidth to support OCSP.  There are cases where OCSP requests for a
  single
  high-traffic site caused significant network problems for the issuing
  CA.

14. s1: r/multiple, OCSP mode/multiple-OCSP method

15. s2.1: r/The extension added by this/The extension defined by this

16.: s2.1: Just trying to avoid the questions about whether this draft 
updates 6066: r/which is updated with this value/which uses the 
following value

17. s2.2: So OCSP is definitely used a lot more than SCVP, but it is the 
other status protocol.  Should we just add it now?

18. s2.2: Need a normative reference for DER.  Use the x680/x690 
references from 5246.

19. s2.2: The nonce extension encoding is being fixed.  I sure hope 
it'll get done sooner rather than later.  Note that the bis draft does 
define the encoding as an OCTET STRING so it's aligned.

20. Hmmm should this draft reference draft-ietf-pkix-rfc2560bis instead 
of RFC 2560?

21. s2.2: r/[RFC2560]) ./[RFC2560]).

22. s2.2: r/that is,/That is,

23. s.2.2: Why the MUST NOT here:

  The list MAY
  contain fewer OCSP responses than there were certificates in the
  Certificate handshake message, but there MUST NOT be more responses
  than there were certificates in the list

spt

</no hat>

On 3/6/12 8:01 AM, Yngve N. Pettersen (Developer Opera Software ASA) wrote:
>
> FYI
>
> <http://www.ietf.org/id/draft-pettersen-tls-ext-multiple-ocsp-03.txt>
>
> ------- Forwarded message -------
> From: internet-drafts@ietf.org
> To: yngve@opera.com
> Cc:
> Subject: New Version Notification for
> draft-pettersen-tls-ext-multiple-ocsp-03.txt
> Date: Tue, 06 Mar 2012 13:49:50 +0100
>
> A new version of I-D, draft-pettersen-tls-ext-multiple-ocsp-03.txt has
> been successfully submitted by Yngve N. Pettersen and posted to the IETF
> repository.
>
> Filename: draft-pettersen-tls-ext-multiple-ocsp
> Revision: 03
> Title: Adding Multiple TLS Certificate Status Extension requests
> Creation date: 2012-03-06
> WG ID: Individual Submission
> Number of pages: 9
>
> Abstract:
> This document introduces a replacement of the TLS Certificate Status
> Extension to allow clients to specify and support multiple
> certificate status methods. Also being introduced is a new OCSP-
> based method that servers can use to provide status information not
> just about the server&#39;s own certificate, but also the status of
> intermediate certificates in the chain.
>
>
>
>
>
> The IETF Secretariat
>
>

v2.23.0 | Report a Bug | By Email