[TLS] OCSP Stapling support mandatory in TLS 1.3?

Phillip Hallam-Baker <hallam@gmail.com> Fri, 08 November 2013 17:57 UTC

Date: Fri, 08 Nov 2013 09:56:59 -0800
Message-ID: <CAMm+Lwgjx2yTArspC4u5=WOh6HQ+DMgq85aqR1H+KJs4UkF3jQ@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="089e01493c06d942dc04eaae1bb6"
Subject: [TLS] OCSP Stapling support mandatory in TLS 1.3?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Nov 2013 17:57:02 -0000

I would like to use the TLS 1.3 update to require support for a number of
functions that are desperately needed but currently difficult to use due to
patchy support, which is kind of what the point of a version upgrade is.

Chief on my list of 'must have' features is stapling support. All the
servers I have surveyed for WPKOPS support stapling.

What I would like to see is that a server always staple if there is an OCSP
distribution point advertised.

What I would settle for is that the server MUST understand the 'MUST
STAPLE' flag in a certificate and if it is present, provide the stapled
responses.

http://tools.ietf.org/html/draft-hallambaker-tlsfeature-02

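The 'MUST STAPLE' rule above, as an added example that is not part of this mail or of the linked draft: a peer decodes the X.509 TLS Feature extension from a certificate's Extensions block by hand, and a handshake that carries such a certificate but no stapled OCSP response is rejected. Assumptions, labelled in the code: the extension OID 1.3.6.1.5.5.7.1.24 and its SEQUENCE OF INTEGER encoding are taken from RFC 7633, the published form of the draft; the feature number 5 (status_request) is the TLS extension type for OCSP stapling from RFC 6066; the two Extensions blocks at the end are constructed for the example, not taken from any real certificate.

```python
# Added example: decode the TLS Feature ("must staple") certificate extension
# with a minimal DER reader and enforce the stapling rule on the client side.
# Assumptions: OID and encoding per RFC 7633; status_request = 5 per RFC 6066;
# sample extension bytes below are constructed, not from a real certificate.
from typing import List, Tuple

ID_PE_TLSFEATURE = "1.3.6.1.5.5.7.1.24"   # id-pe 24, RFC 7633 (assumed)
STATUS_REQUEST = 5                        # TLS extension type for OCSP stapling
STATUS_REQUEST_V2 = 17                    # multi-response variant


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, next_pos).
    Short and long-form lengths are handled; indefinite length is rejected."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end


def decode_oid(value: bytes) -> str:
    """Decode DER OID contents into dotted-decimal form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_tls_features(ext_value: bytes) -> List[int]:
    """Decode extnValue of a TLS Feature extension: SEQUENCE OF INTEGER."""
    tag, body, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("TLS feature extension is not a SEQUENCE")
    features, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("feature entry is not an INTEGER")
        features.append(int.from_bytes(val, "big", signed=True))
    return features


def parse_extensions(extensions_der: bytes) -> List[Tuple[str, bool, bytes]]:
    """Decode an X.509 Extensions SEQUENCE into (oid, critical, extnValue)."""
    tag, body, _ = _read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions is not a SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        _, ext, pos = _read_tlv(body, pos)
        tag, oid_bytes, p = _read_tlv(ext, 0)
        if tag != 0x06:
            raise ValueError("extnID is not an OID")
        critical = False
        tag, val, p = _read_tlv(ext, p)
        if tag == 0x01:                   # optional BOOLEAN critical
            critical = val != b"\x00"
            tag, val, p = _read_tlv(ext, p)
        if tag != 0x04:
            raise ValueError("extnValue is not an OCTET STRING")
        out.append((decode_oid(oid_bytes), critical, val))
    return out


def must_staple(extensions_der: bytes) -> bool:
    """True if the certificate's TLS Feature extension names status_request."""
    for oid, _critical, value in parse_extensions(extensions_der):
        if oid == ID_PE_TLSFEATURE:
            feats = parse_tls_features(value)
            return STATUS_REQUEST in feats or STATUS_REQUEST_V2 in feats
    return False


def accept_handshake(extensions_der: bytes, stapled_response: bool) -> bool:
    """The rule from the mail, applied by the verifying peer: a MUST STAPLE
    certificate without a stapled OCSP response is rejected; otherwise
    stapling stays optional."""
    return stapled_response or not must_staple(extensions_der)


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode a short-form DER TLV (enough for the constructed samples)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


# Constructed sample 1: one TLS Feature extension listing status_request (5).
_OID_TLSFEATURE = _tlv(0x06, bytes([0x2B, 6, 1, 5, 5, 7, 1, 24]))
MUST_STAPLE_EXTS = _tlv(0x30, _tlv(0x30, _OID_TLSFEATURE
                                   + _tlv(0x04, _tlv(0x30, _tlv(0x02, b"\x05")))))
# Constructed sample 2: only a critical BasicConstraints (2.5.29.19) extension.
PLAIN_EXTS = _tlv(0x30, _tlv(0x30, _tlv(0x06, bytes([0x55, 0x1D, 0x13]))
                             + _tlv(0x01, b"\xff") + _tlv(0x04, _tlv(0x30, b""))))

if __name__ == "__main__":
    print("must-staple cert, no staple :", accept_handshake(MUST_STAPLE_EXTS, False))
    print("must-staple cert, stapled   :", accept_handshake(MUST_STAPLE_EXTS, True))
    print("plain cert, no staple       :", accept_handshake(PLAIN_EXTS, False))
```

The Extensions block is decoded directly rather than through a full certificate parser so the example stays dependency-free; in a real client the same `must_staple` check would run over the extensions of the leaf certificate, and the decision would be taken before any application data is sent.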
The advantage of this approach is that it means much less confusion for our
customers. It is easier for them to check that they support TLS 1.3 than to
look at server versions (which we might not know about if it is a less used
server or some CDN thing).

-- 
Website: http://hallambaker.com/