Re: [TLS] New version of Multiple OCSP mode of Certificate Status extension

Adam Langley <agl@google.com> Wed, 28 July 2010 14:53 UTC

Date: Wed, 28 Jul 2010 10:53:47 -0400
From: Adam Langley <agl@google.com>
To: yngve@opera.com
Cc: "pkix@ietf.org" <pkix@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] New version of Multiple OCSP mode of Certificate Status extension

On Tue, Jul 27, 2010 at 6:35 AM, Yngve Nysaeter Pettersen
<yngve@opera.com> wrote:
> Based on the ongoing PKIX discussion about an update of OCSP, I (finally)
> realized that the problem my multiple-ocsp TLS extension is designed to fix
> can be fixed in another way, by adding an OCSP extension instead.

I would welcome not having to change TLS to support multiple OCSP responses.

However, with TLS changes, we can deploy without any action on the
part of the OCSP responders. That makes it a possibility. If we are
beholden to updating the responders then I fear that it'll never
happen.

AGL