Re: [TLS] Status of X.509v3 TLS Feature Extension?
Nico Williams <nico@cryptonector.com> Tue, 29 April 2014 21:57 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50B681A09D8 for <tls@ietfa.amsl.com>; Tue, 29 Apr 2014 14:57:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.044
X-Spam-Level:
X-Spam-Status: No, score=-1.044 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, IP_NOT_FRIENDLY=0.334] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fQ893u8FOsFF for <tls@ietfa.amsl.com>; Tue, 29 Apr 2014 14:57:55 -0700 (PDT)
Received: from homiemail-a87.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id A94141A09A9 for <tls@ietf.org>; Tue, 29 Apr 2014 14:57:55 -0700 (PDT)
Received: from homiemail-a87.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a87.g.dreamhost.com (Postfix) with ESMTP id 9402B26C05E for <tls@ietf.org>; Tue, 29 Apr 2014 14:57:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=ztvdjSWf9eVAMTTLqGHO T8fHKGM=; b=sykK73yb4Vm50zDq4KLEOwomyZ0IAjvAIsfwt2LsvtlWAbkEbEKF d62Me9g97rvhnYJ46a7vjgGbxmTXzJHYyXYNcXprUxcwd9XOAaqApW93jFYBARru FsppiwdBL4f0/Ek/tRzeSGb46j7aAeg7UsUl8C3gAQzZ/9IIr5jDyXo=
Received: from mail-we0-f172.google.com (mail-we0-f172.google.com [74.125.82.172]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a87.g.dreamhost.com (Postfix) with ESMTPSA id 446CB26C05B for <tls@ietf.org>; Tue, 29 Apr 2014 14:57:54 -0700 (PDT)
Received: by mail-we0-f172.google.com with SMTP id u57so856296wes.17 for <tls@ietf.org>; Tue, 29 Apr 2014 14:57:52 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.194.57.38 with SMTP id f6mr257584wjq.59.1398808672746; Tue, 29 Apr 2014 14:57:52 -0700 (PDT)
Received: by 10.216.29.200 with HTTP; Tue, 29 Apr 2014 14:57:52 -0700 (PDT)
In-Reply-To: <CAL9PXLw5=wUsWBFGdFOPumXP4qJJx91_8Z7H0gjFvzWd4wAObA@mail.gmail.com>
References: <2A0EFB9C05D0164E98F19BB0AF3708C7120C61F669@USMBX1.msg.corp.akamai.com> <20140428180218.C805D1ACE1@ld9781.wdf.sap.corp> <m2r44hw86f.fsf@localhost.localdomain> <CF855F95.39E86%paul@marvell.com> <CAL9PXLzCOyi2eWF39+oj0uEFWoU4muYBNm3hRYuZ-vepPxgN+A@mail.gmail.com> <CAK3OfOj+1Lm1fAGY8OYauE8LhTSCNoAo6bHYsy11=NSUmGTmCQ@mail.gmail.com> <CAL9PXLw5=wUsWBFGdFOPumXP4qJJx91_8Z7H0gjFvzWd4wAObA@mail.gmail.com>
Date: Tue, 29 Apr 2014 16:57:52 -0500
Message-ID: <CAK3OfOj-EPqdn8Bmn8qHpE06DtL74cvNU1hB1OD6CBg34wO5qw@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Adam Langley <agl@google.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/5rSbKvI6w75erjtAX2zWCMxqe_w
Cc: Geoffrey Keating <geoffk@geoffk.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Status of X.509v3 TLS Feature Extension?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Apr 2014 21:57:56 -0000
On Tue, Apr 29, 2014 at 4:25 PM, Adam Langley <agl@google.com> wrote: > On Tue, Apr 29, 2014 at 2:22 PM, Nico Williams <nico@cryptonector.com> wrote: >> Why couldn't that work? There'd be a need to cache OCSP Responses for >> intermediates, sure. What else? > > That's totally viable, I'm just suggesting that revocations of > intermediates are very rare and generally involve browser pushes in > any case. So the effort of getting a server that does multi-stapling > over just stapling, and of shipping the extra OCSP responses in every > handshake, might well win out. I think it would be quiet reasonable > for a site to have Must Staple just for the leaf certificate. I suspect that for intermediates closer to the server it'll be best to staple responses. For intermediates closer to the root issuer it'll be best to deal with pushing. We have to consider environments where long cert paths are involved, and where network connectivity isn't universal. Of course, in bridged PKIs the RPs have to handle revocation checking for part of the cert path anyways. I think the right thing to do may well be to implement full stapling but configure partial stapling as appropriate: a) stapled OCSP checking on the client side b) CRL checking / push on the client side c) full _and_ partial OCSP stapling on server sides d) server admins need to configure stapling (and refreshing) of whatever length of the server cert chains is appropriate, from the leaf towards the root. Nico --
- [TLS] Status of X.509v3 TLS Feature Extension? Klemens Baum
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Tom Ritter
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Rob Stradling
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Salz, Rich
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Rob Stradling
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Russ Housley
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Viktor Dukhovni
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Salz, Rich
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Watson Ladd
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Viktor Dukhovni
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Salz, Rich
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Viktor Dukhovni
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Salz, Rich
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Viktor Dukhovni
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Salz, Rich
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Viktor Dukhovni
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Nico Williams
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Adam Langley
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Martin Rex
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Martin Rex
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Stephen Checkoway
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Geoffrey Keating
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Peter Gutmann
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Stephen Checkoway
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Nico Williams
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Nico Williams
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Geoffrey Keating
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Rob Stradling
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Phillip Hallam-Baker
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Rob Stradling
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Paul Lambert
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Adam Langley
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Nico Williams
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Adam Langley
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Salz, Rich
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Nico Williams
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Phillip Hallam-Baker