Re: [TLS] OCSP must staple

Geoffrey Keating <> Mon, 09 June 2014 18:16 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 2611B1A029B for <>; Mon, 9 Jun 2014 11:16:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id kKLkCffth8_n for <>; Mon, 9 Jun 2014 11:16:43 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3D82A1A029A for <>; Mon, 9 Jun 2014 11:16:43 -0700 (PDT)
Received: by (Postfix, from userid 501) id B30EE33D190; Mon, 9 Jun 2014 18:16:42 +0000 (UTC)
Sender: geoffk@localhost.localdomain
To: Kyle Hamilton <>
References: <097101cf7aa7$17f960a0$47ec21e0$> <> <> <> <> <> <> <> <> <> <> <> <155f01cf82ce$7cfa8360$76ef8a20$> <> <>
From: Geoffrey Keating <>
Date: 09 Jun 2014 11:16:42 -0700
In-Reply-To: <>
Message-ID: <m2r42yuewl.fsf@localhost.localdomain>
Lines: 19
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Subject: Re: [TLS] OCSP must staple
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 09 Jun 2014 18:16:45 -0000

Kyle Hamilton <> writes:

> On the other hand, I think that relying on a stapled response is perhaps
> shortsighted, as it potentially opens a window of vulnerability.  Say
> the OCSP response is valid for 7 days (the maximum time that EV cert
> OCSP responses can be valid for): if the cert is revoked on day 2,
> that's still 5 and change days of potential validity.  This is the kind
> of vulnerability that clients can use the OCSP nonce extension to
> protect themselves from, but it only works if it's used and queried from
> the OCSP responder by the client itself.  Thus, the proposal to prevent
> clients from checking OCSP from the source in the presence of an "OCSP
> must staple" extension is harmful to user security and thus wrong-minded.

I think a CA that supports OCSP with nonces would probably not be
using 'must staple'.  However very few do so and so there are no
clients that I know of that actually require a nonce in the reply; and
the OCSP protocol doesn't distinguish between 'you sent a nonce but I
will not reply with one' and 'you did not send a nonce', so the effect
is that nonces do not practically contribute to OCSP security.