Re: [TLS] Status of X.509v3 TLS Feature Extension?
Watson Ladd <watsonbladd@gmail.com> Mon, 28 April 2014 14:41 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0F5B1A063C for <tls@ietfa.amsl.com>; Mon, 28 Apr 2014 07:41:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oFK0Xmgd1-jw for <tls@ietfa.amsl.com>; Mon, 28 Apr 2014 07:41:01 -0700 (PDT)
Received: from mail-yk0-x233.google.com (mail-yk0-x233.google.com [IPv6:2607:f8b0:4002:c07::233]) by ietfa.amsl.com (Postfix) with ESMTP id 4FB1A1A0564 for <tls@ietf.org>; Mon, 28 Apr 2014 07:41:01 -0700 (PDT)
Received: by mail-yk0-f179.google.com with SMTP id 9so1797109ykp.10 for <tls@ietf.org>; Mon, 28 Apr 2014 07:41:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=nb/VI6hxU0w5Hfgta49XS/NKbCaWS6q02DaaKpMa7Go=; b=n+kstE7SuiPqoPy5vi72/506uwxnO1eldvDBJL8NtcshZUdB4RbBQv2L0wWdubQadQ KxDFYf1U9P9tOOwGl4t2X49z2iqmaIMfnCMC35IWzjPLOXO6t35d76pB41a07U63cSS9 8+44+Q+UrZMf0dZMwPpp0D5lTbVHUMCisU3FPEeKq4nmsgErsGgYXJVSzBaZNyYA5w9S Xz7yrTuuf3ZQOXohSv2tPIXNCjM2PwBpqS2c2p338ieHn29mSzCgUdJ8NaGP7Sr5QgtU rLpF0IIv5Y9gaba48lGWeqGG4apUdbjJLO/f6hspTKPlq7/ri93qP4eVdLMDkYEpasBO OIQw==
MIME-Version: 1.0
X-Received: by 10.236.179.162 with SMTP id h22mr3297955yhm.107.1398696060175; Mon, 28 Apr 2014 07:41:00 -0700 (PDT)
Received: by 10.170.63.197 with HTTP; Mon, 28 Apr 2014 07:41:00 -0700 (PDT)
In-Reply-To: <20140428142029.GT27883@mournblade.imrryr.org>
References: <CA+aixj_i8XF2buDNMOp2=_Z0XzT3R4uGfxJtjoGt-_PButSggw@mail.gmail.com> <CA+cU71=FtZfzGktLhLz_j99mQ=LVbd0kzz0ZyGbewQUS0ouEGA@mail.gmail.com> <535E353A.9030008@comodo.com> <20140428142029.GT27883@mournblade.imrryr.org>
Date: Mon, 28 Apr 2014 07:41:00 -0700
Message-ID: <CACsn0cnDg8kqM5DNNcUGOdwr=BfjCm_gZOS0MiJT+tqQq_0z8g@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/7PebFo4u4WLcSnIlmU3sYNHHUjs
Subject: Re: [TLS] Status of X.509v3 TLS Feature Extension?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Apr 2014 14:41:02 -0000
On Mon, Apr 28, 2014 at 7:20 AM, Viktor Dukhovni <viktor1dane@dukhovni.org> wrote: > On Mon, Apr 28, 2014 at 12:02:18PM +0100, Rob Stradling wrote: > >> AIUI, PHB intends to progress the tls-feature draft just as soon as IANA >> allocates an OID for the new certificate extension. It's not dead, just >> resting. > > OCSP stapling gives no indication of when a verifier is to consider > a particular status response to be stale. Without any indication > of how often a server is supposed to provide a (more) fresh response, > it is not clear that OSCP stapling enforcement can be implemented > scalably in an interoperable manner, with servers obtaining and > stapling new OCSP responses before clients decide that the extant > response is too old. That can be easily fixed by adding a field to the OCSP response, or more easily by adding the duration of the response to the relevant OCSP stapling document. I think 24-48 hours ought to be the right range, but I don't have any strong feeling for why. People with more clue should weigh in. Sincerely, Watson Ladd > > -- > Viktor. > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- [TLS] Status of X.509v3 TLS Feature Extension? Klemens Baum
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Tom Ritter
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Rob Stradling
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Salz, Rich
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Rob Stradling
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Russ Housley
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Viktor Dukhovni
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Salz, Rich
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Watson Ladd
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Viktor Dukhovni
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Salz, Rich
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Viktor Dukhovni
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Salz, Rich
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Viktor Dukhovni
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Salz, Rich
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Viktor Dukhovni
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Nico Williams
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Adam Langley
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Martin Rex
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Martin Rex
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Stephen Checkoway
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Geoffrey Keating
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Peter Gutmann
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Stephen Checkoway
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Nico Williams
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Nico Williams
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Geoffrey Keating
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Rob Stradling
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Phillip Hallam-Baker
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Rob Stradling
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Paul Lambert
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Adam Langley
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Nico Williams
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Adam Langley
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Salz, Rich
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Nico Williams
- Re: [TLS] Status of X.509v3 TLS Feature Extension? Phillip Hallam-Baker