Re: [TLS] OCSP must staple

Geoffrey Keating <geoffk@geoffk.org> Mon, 09 June 2014 18:16 UTC

Return-Path: <geoffk@geoffk.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2611B1A029B for <tls@ietfa.amsl.com>; Mon, 9 Jun 2014 11:16:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kKLkCffth8_n for <tls@ietfa.amsl.com>; Mon, 9 Jun 2014 11:16:43 -0700 (PDT)
Received: from dragaera.releasedominatrix.com (dragaera.releasedominatrix.com [216.129.105.14]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D82A1A029A for <tls@ietf.org>; Mon, 9 Jun 2014 11:16:43 -0700 (PDT)
Received: by dragaera.releasedominatrix.com (Postfix, from userid 501) id B30EE33D190; Mon, 9 Jun 2014 18:16:42 +0000 (UTC)
Sender: geoffk@localhost.localdomain
To: Kyle Hamilton <aerowolf@gmail.com>
References: <097101cf7aa7$17f960a0$47ec21e0$@digicert.com> <4AA8E7B7-A19D-4E65-AF18-C4D02A513652@ieca.com> <538EF79B.3000506@cs.tcd.ie> <CAMm+LwgTnva9jJgVfkaOZ1qP0Rk3w-mFfepnubosgtrCEARv=g@mail.gmail.com> <539069CC.5010304@cs.tcd.ie> <CAFewVt4p4rJ738Yo=XQm6T_jyvG3TnJsSQ5HDZDrqAkyNDa7tg@mail.gmail.com> <20140605173223.GK27883@mournblade.imrryr.org> <20140607164945.GA23329@roeckx.be> <20140607170619.GC27883@mournblade.imrryr.org> <2A0EFB9C05D0164E98F19BB0AF3708C7130F434F7A@USMBX1.msg.corp.akamai.com> <20140607184737.GD27883@mournblade.imrryr.org> <2A0EFB9C05D0164E98F19BB0AF3708C7130F434F7D@USMBX1.msg.corp.akamai.com> <155f01cf82ce$7cfa8360$76ef8a20$@digicert.com> <2A0EFB9C05D0164E98F19BB0AF3708C7130F434FB5@USMBX1.msg.corp.akamai.com> <539549A8.1040008@gmail.com>
From: Geoffrey Keating <geoffk@geoffk.org>
Date: 09 Jun 2014 11:16:42 -0700
In-Reply-To: <539549A8.1040008@gmail.com>
Message-ID: <m2r42yuewl.fsf@localhost.localdomain>
Lines: 19
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/4lQvQyjxN5uDYtqfLc0rBvwo-H8
Cc: tls@ietf.org
Subject: Re: [TLS] OCSP must staple
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jun 2014 18:16:45 -0000

Kyle Hamilton <aerowolf@gmail.com> writes:

> On the other hand, I think that relying on a stapled response is perhaps
> shortsighted, as it potentially opens a window of vulnerability.  Say
> the OCSP response is valid for 7 days (the maximum time that EV cert
> OCSP responses can be valid for): if the cert is revoked on day 2,
> that's still 5 and change days of potential validity.  This is the kind
> of vulnerability that clients can use the OCSP nonce extension to
> protect themselves from, but it only works if it's used and queried from
> the OCSP responder by the client itself.  Thus, the proposal to prevent
> clients from checking OCSP from the source in the presence of an "OCSP
> must staple" extension is harmful to user security and thus wrong-minded.

I think a CA that supports OCSP with nonces would probably not be
using 'must staple'.  However very few do so and so there are no
clients that I know of that actually require a nonce in the reply; and
the OCSP protocol doesn't distinguish between 'you sent a nonce but I
will not reply with one' and 'you did not send a nonce', so the effect
is that nonces do not practically contribute to OCSP security.