IETF Logo Mail Archive

Re: [TLS] Status of X.509v3 TLS Feature Extension?

Watson Ladd <watsonbladd@gmail.com> Mon, 28 April 2014 14:41 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0F5B1A063C for <tls@ietfa.amsl.com>; Mon, 28 Apr 2014 07:41:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oFK0Xmgd1-jw for <tls@ietfa.amsl.com>; Mon, 28 Apr 2014 07:41:01 -0700 (PDT)
Received: from mail-yk0-x233.google.com (mail-yk0-x233.google.com [IPv6:2607:f8b0:4002:c07::233]) by ietfa.amsl.com (Postfix) with ESMTP id 4FB1A1A0564 for <tls@ietf.org>; Mon, 28 Apr 2014 07:41:01 -0700 (PDT)
Received: by mail-yk0-f179.google.com with SMTP id 9so1797109ykp.10 for <tls@ietf.org>; Mon, 28 Apr 2014 07:41:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=nb/VI6hxU0w5Hfgta49XS/NKbCaWS6q02DaaKpMa7Go=; b=n+kstE7SuiPqoPy5vi72/506uwxnO1eldvDBJL8NtcshZUdB4RbBQv2L0wWdubQadQ KxDFYf1U9P9tOOwGl4t2X49z2iqmaIMfnCMC35IWzjPLOXO6t35d76pB41a07U63cSS9 8+44+Q+UrZMf0dZMwPpp0D5lTbVHUMCisU3FPEeKq4nmsgErsGgYXJVSzBaZNyYA5w9S Xz7yrTuuf3ZQOXohSv2tPIXNCjM2PwBpqS2c2p338ieHn29mSzCgUdJ8NaGP7Sr5QgtU rLpF0IIv5Y9gaba48lGWeqGG4apUdbjJLO/f6hspTKPlq7/ri93qP4eVdLMDkYEpasBO OIQw==
MIME-Version: 1.0
X-Received: by 10.236.179.162 with SMTP id h22mr3297955yhm.107.1398696060175; Mon, 28 Apr 2014 07:41:00 -0700 (PDT)
Received: by 10.170.63.197 with HTTP; Mon, 28 Apr 2014 07:41:00 -0700 (PDT)
In-Reply-To: <20140428142029.GT27883@mournblade.imrryr.org>
References: <CA+aixj_i8XF2buDNMOp2=_Z0XzT3R4uGfxJtjoGt-_PButSggw@mail.gmail.com> <CA+cU71=FtZfzGktLhLz_j99mQ=LVbd0kzz0ZyGbewQUS0ouEGA@mail.gmail.com> <535E353A.9030008@comodo.com> <20140428142029.GT27883@mournblade.imrryr.org>
Date: Mon, 28 Apr 2014 07:41:00 -0700
Message-ID: <CACsn0cnDg8kqM5DNNcUGOdwr=BfjCm_gZOS0MiJT+tqQq_0z8g@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/7PebFo4u4WLcSnIlmU3sYNHHUjs
Subject: Re: [TLS] Status of X.509v3 TLS Feature Extension?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Apr 2014 14:41:02 -0000

On Mon, Apr 28, 2014 at 7:20 AM, Viktor Dukhovni
<viktor1dane@dukhovni.org> wrote:
> On Mon, Apr 28, 2014 at 12:02:18PM +0100, Rob Stradling wrote:
>
>> AIUI, PHB intends to progress the tls-feature draft just as soon as IANA
>> allocates an OID for the new certificate extension.  It's not dead, just
>> resting.
>
> OCSP stapling gives no indication of when a verifier is to consider
> a particular status response to be stale.  Without any indication
> of how often a server is supposed to provide a (more) fresh response,
> it is not clear that OSCP stapling enforcement can be implemented
> scalably in an interoperable manner, with servers obtaining and
> stapling new OCSP responses before clients decide that the extant
> response is too old.

That can be easily fixed by adding a field to the OCSP response, or
more easily by adding the duration of the response to the relevant
OCSP stapling document. I think 24-48 hours ought to be the right
range, but I don't have any strong feeling for why. People with more
clue should weigh in.

Sincerely,
Watson Ladd
>
> --
>         Viktor.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email