Re: [TLS] [pkix] Possible revocation delay issue with TLS stapling

"Santosh Chokhani" <SChokhani@cygnacom.com> Mon, 29 March 2010 13:33 UTC

Return-Path: <SChokhani@cygnacom.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6CE853A68C7; Mon, 29 Mar 2010 06:33:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.169
X-Spam-Level:
X-Spam-Status: No, score=-5.169 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13, J_CHICKENPOX_54=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XKUeboV+ez9t; Mon, 29 Mar 2010 06:33:05 -0700 (PDT)
Received: from mail151.messagelabs.com (mail151.messagelabs.com [216.82.253.3]) by core3.amsl.com (Postfix) with SMTP id 5F5743A68D8; Mon, 29 Mar 2010 06:32:14 -0700 (PDT)
X-VirusChecked: Checked
X-Env-Sender: SChokhani@cygnacom.com
X-Msg-Ref: server-12.tower-151.messagelabs.com!1269869560!12485038!1
X-StarScan-Version: 6.2.4; banners=-,-,-
X-Originating-IP: [65.242.48.13]
Received: (qmail 25701 invoked from network); 29 Mar 2010 13:32:41 -0000
Received: from unknown (HELO scygexch1.cygnacom.com) (65.242.48.13) by server-12.tower-151.messagelabs.com with SMTP; 29 Mar 2010 13:32:41 -0000
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Mon, 29 Mar 2010 09:32:40 -0400
Message-ID: <FAD1CF17F2A45B43ADE04E140BA83D48F3619B@scygexch1.cygnacom.com>
In-Reply-To: <17FD76C1ECD0AB49817637E21809ABF907FAA70D21@IMCMBX2.MITRE.ORG>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [pkix] [TLS] Possible revocation delay issue with TLS stapling
Thread-Index: AcrNJELWdGl6HQe1QWadRJUYSf2+KACGl9MgAAC4LcA=
References: <op.u95kjftmkvaitl@lessa-ii> <20100326181716.GG21244@Sun.COM> <17FD76C1ECD0AB49817637E21809ABF907FAA70D21@IMCMBX2.MITRE.ORG>
From: "Santosh Chokhani" <SChokhani@cygnacom.com>
To: "Miller, Timothy J." <tmiller@mitre.org>, "Nicolas Williams" <Nicolas.Williams@sun.com>, "Yngve N. Pettersen" <yngve@opera.com>
Cc: pkix@ietf.org, tls@ietf.org
Subject: Re: [TLS] [pkix] Possible revocation delay issue with TLS stapling
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Mar 2010 13:33:06 -0000

Tim,

In TLS model, the client's authorization check is basically checking the
server certificate DNS name against the expected DNS name.  I doubt
browser model will go beyond that.

Basically, the revocation freshness issue discussed in this thread is
not unique to TLS Server going rogue, except that a rogue server no
longer requires DNS poisoning assistance.

I do not think there is any change needed to the OCSP Specs either,
albeit 2560 could stand some clarification in the area of client side
processing.

The TLS folks may want to provide some guidance on CAs issuing server
certificates in terms of CRL next update field values and recommend to
the browsers to warn the user or deny the session if the revocation
information is past the next update field.

> -----Original Message-----
> From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On 
> Behalf Of Miller, Timothy J.
> Sent: Monday, March 29, 2010 9:03 AM
> To: 'Nicolas Williams'; Yngve N. Pettersen
> Cc: pkix@ietf.org; tls@ietf.org
> Subject: Re: [pkix] [TLS] Possible revocation delay issue 
> with TLS stapling
> 
> A possible 'fix' to the revocation window problem has always 
> been shorter certificate validity periods.  This has its own costs.
> 
> IMHO, however, timeliness revocation isn't the problem.  
> Experience with real world PKIs shows that sometimes 
> revocation simply doesn't happen.  The CA may not be 
> available, the incident may never get reported, or the system 
> may simply fail in any of a dozen different ways up to and 
> including lost database transactions.  Don't think it doesn't happen.
> 
> In short, relying on revocation to deny access may not be a 
> good idea, at least for some systems.  Since the usual goal 
> of authentication is to enable authorization, it can be safer 
> to rely on the authorization system--i.e., revoke the 
> account, remove the account's privileges, or invalidate the 
> mapping between the shouldn't-be-used-any-more key and the 
> account.  This is where X.509 gets in trouble; X.509 binds 
> keys to names, and names are strongly (and naturally) mapped 
> to accounts, so under X.509 the ways in which an 
> authorization system can break the key-to-account mapping are 
> very limited.  (The alternative--binding names to keys--has 
> it's own set of problems, naturally.  They're different from 
> X.509's, though.)
> 
> Either way, PKI authentication isn't enough by itself.  You 
> need an equivalent authorization infrastructure to really 
> make things work.
> 
> -- Tim
> 
> 
> >-----Original Message-----
> >From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] 
> On Behalf Of 
> >Nicolas Williams
> >Sent: Friday, March 26, 2010 1:17 PM
> >To: Yngve N. Pettersen
> >Cc: pkix@ietf.org; tls@ietf.org
> >Subject: Re: [pkix] [TLS] Possible revocation delay issue with TLS 
> >stapling
> >
> >[Why not pile on?  I think there's an angle not covered.]
> >
> >As others have pointed out this is nothing new, nor special 
> about OCSP 
> >versus CRLs, and they have pointed out the workaround for 
> RPs that care.
> >
> >The more interesting point, I think, is that instantaneous 
> revocation 
> >is like password synchronization: hard.  You can get down to 
> a window 
> >of minutes.  But instantaneous revocation?  I don't believe that's 
> >feasible in real world deployments.  Also, revoking certs is 
> not enough 
> >if you want instantaneous revocation!  You'd also want to 
> slam existing 
> >connections, and yet we have no protocol for doing that.
> >
> >However, quick revocation has much higher costs than quick password 
> >synchronization.  That's because making it possible to revoke certs 
> >quickly means making more frequent use of online infrastructure, and 
> >more frequent validation of signatures, whereas with 
> password synch you 
> >need only push changes as quickly as possible to a relatively few 
> >servers.  Nowadays that extra cost may be in the noise, but it's not 
> >nothing, and it's the reason that we have the ability to have OCSP 
> >responses without nonces.
> >
> >Think of OCSP as a Kerberos-like ticketing facility, with certs+OCSP 
> >being like TGTs with long renewable lifetimes (corresponding to the 
> >certs' notAfter) but short lifetimes (corresponding to OCSP response 
> >freshness requirements / nextUpdate).  If you care about quick 
> >revocation then you can just tune down the OCSP response freshness 
> >requirements such that they fall within a time window whose size is 
> >comparable to the time needed for revocation notices to 
> reach all the 
> >relevant OCSP responders.  The trick is to find just the 
> right setting.
> >
> >Nico
> >--
> >_______________________________________________
> >pkix mailing list
> >pkix@ietf.org
> >https://www.ietf.org/mailman/listinfo/pkix
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix
>