Re: [TLS] draft-ietf-tls-cached-info-14
"Piyush Jain" <piyush@ditenity.com> Wed, 10 April 2013 16:35 UTC
Return-Path: <piyush@ditenity.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAB0521F8CC9 for <tls@ietfa.amsl.com>; Wed, 10 Apr 2013 09:35:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.29
X-Spam-Level:
X-Spam-Status: No, score=-2.29 tagged_above=-999 required=5 tests=[AWL=1.309, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A3dJOpHCsuBx for <tls@ietfa.amsl.com>; Wed, 10 Apr 2013 09:35:02 -0700 (PDT)
Received: from mail-gh0-f182.google.com (mail-gh0-f182.google.com [209.85.160.182]) by ietfa.amsl.com (Postfix) with ESMTP id 3064F21F8CA0 for <tls@ietf.org>; Wed, 10 Apr 2013 09:35:02 -0700 (PDT)
Received: by mail-gh0-f182.google.com with SMTP id z15so86249ghb.27 for <tls@ietf.org>; Wed, 10 Apr 2013 09:35:01 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-type:content-transfer-encoding :x-mailer:thread-index:content-language:x-gm-message-state; bh=yyUmB3MT/FAr3FeGkL+5F9V3ZNzjPg5g61Fmg9f2tSE=; b=iOf04NdTvpmWnogET7lsHN8mmorHClf1p8RxEyIeT3nV1m+jlfdlEm/KEZDN4lklyW BB3BvggpIaCEHKEsSj2HXqoj048502CwGpZo6oA58aaf4miYtYE+igMy18bH3g5iS0Xv Fa0hMObrcFred7qPZnQu6RQz3c+PIzlfgnbckSiNLevG7kj+1fhPo8Xj4lEc9XTACr0n k6+9SGISdO/6dWnGqQQkG06pZhIzp7CHFR4tFwo14jWnv40xwjFp9KcYBK8Aoqst/3Mf pcZC1mTc7vat0xzSk+vMzdR9a1cWWwv43wK51fb5PFDX+Nf57DwmIXoyvg/XgaBYmtwd /kCw==
X-Received: by 10.236.131.1 with SMTP id l1mr1620939yhi.21.1365611701729; Wed, 10 Apr 2013 09:35:01 -0700 (PDT)
Received: from hp13 (75-25-128-241.lightspeed.sjcpca.sbcglobal.net. [75.25.128.241]) by mx.google.com with ESMTPS id o31sm800743yhh.21.2013.04.10.09.35.00 (version=TLSv1 cipher=RC4-SHA bits=128/128); Wed, 10 Apr 2013 09:35:01 -0700 (PDT)
From: Piyush Jain <piyush@ditenity.com>
To: "'Yngve N. Pettersen'" <yngve@spec-work.net>, tls@ietf.org, 'Rob Stradling' <rob.stradling@comodo.com>
References: <2C078811-2A81-4B37-82F0-FAD94A7395BD@gmx.net> <51547C0C.20806@ieca.com> <A3EEC7FB-665B-4543-8D42-A997100506E5@gmx.net> <5154B4C9.1070405@comodo.com> <5096AB41-02FD-4E01-A78E-BEF272181F42@gmx.net> <5162C154.1010202@comodo.com> <op.wu76e6o73dfyax@killashandra.invalid.invalid> <5163200D.2030300@comodo.com> <op.wu8nh01v3dfyax@killashandra.invalid.invalid> <51646709.4030803@comodo.com> <op.wvakl2sk3dfyax@killashandra.invalid.invalid> <097601ce3574$f4495c50$dcdc14f0$@ditenity.com> <51656C00.8030200@comodo.com> <op.wvbvjwm73dfyax@killashandra.invalid.invalid> <0a1801ce35fa$10283650$3078a2f0$@ditenity.com> <op.wvbza1ws3dfyax@killashandra.invalid.invalid>
In-Reply-To: <op.wvbza1ws3dfyax@killashandra.invalid.invalid>
Date: Wed, 10 Apr 2013 09:34:46 -0700
Message-ID: <0a7301ce3609$513d71f0$f3b855d0$@ditenity.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJlAb7NsstXjqmQRSHXKYXg2JOPjAHY6j2EAi7U10ICrEPZfgKTKz73AOQ2LZoBb2wfGgHhzkwPAfgjWBgCU4m1cQJXslm/AcH7iVICHlM1kgJCjcGGAZUIKUoBeJgCX5a3gTrg
Content-Language: en-us
X-Gm-Message-State: ALoCoQmPQMEGb1JW647b1V5MIfToR+c64U7VHRMqpSli2qJ2Dtx6PfSyZutOvwJqf3kGsKLpdOg/
Subject: Re: [TLS] draft-ietf-tls-cached-info-14
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Apr 2013 16:35:02 -0000
> > [Piyush] Not sure if I understood it correctly. TLS has strict > > guidelines on > > "Chain sequence" was maybe the wrong expression. The point was that the > server can change to a completely new set of certificates, including an > unrelated certificate authority. [Piyush] Agreed. However, this is usually a rare event. And the cached certificate_list and stapled OCSP responses would become invalid anyway. > > However, some server can have certificates incorrectly ordered, and that > might get fixed after a while (or it could get broken). [Piyush] It probably does not matter as long as the client is assuming the same order that it received. Please note that certificate_list cache representation is a single hash. All the client is saying is that this is the certificate list (containing certificates a,b,c,d) that I have cached and btw I don't need the status for "a" and "b" but I need the status for "c" and "d". > > > sequence of certificates in the chain. The certificate chain sequence > > would change only when the server certificate changes (or in some rare > > cases when intermediate CA's certificate rolls over). Right? If that > > happens than certificate_list cached object held by the client would > > become invalid and consequently any stapled responses associated with > > the old certificate chain would also become invalid. > > My point is that the information sent to the server about which resources are > cached need to connect the resources to what the server have, in such a way > that if the server configuration changes the server will know that it does not > have the necessary information. > [Piyush] That requirement is met. If the server configuration is changed in the way that you describe above, certificate_list cache becomes invalid and consequently the OCSP response cache becomes invalid. In other words the server will send the certificate list again and all the OCSP responses again. This would be the behavior even when you fingerprint the OCSP responses. I think it becomes more intuitive if you think about the actual goal from client's perspective. Clients need to determine the status of each certificate in the server certificate chain. They don't need to make sure that the OCSPResponses that they use to make this determination are in sync with those on the server. The way I see it stapled OCSP responses are not resources on the TLS server. TLS server is just a channel that delivers these responses to the client.
- [TLS] draft-ietf-tls-cached-info-14 Hannes Tschofenig
- Re: [TLS] draft-ietf-tls-cached-info-14 Sean Turner
- Re: [TLS] draft-ietf-tls-cached-info-14 Hannes Tschofenig
- Re: [TLS] draft-ietf-tls-cached-info-14 Sean Turner
- Re: [TLS] draft-ietf-tls-cached-info-14 Rob Stradling
- Re: [TLS] draft-ietf-tls-cached-info-14 Hannes Tschofenig
- Re: [TLS] draft-ietf-tls-cached-info-14 Yngve N. Pettersen
- Re: [TLS] draft-ietf-tls-cached-info-14 Rob Stradling
- Re: [TLS] draft-ietf-tls-cached-info-14 Yngve N. Pettersen
- Re: [TLS] draft-ietf-tls-cached-info-14 Rob Stradling
- Re: [TLS] draft-ietf-tls-cached-info-14 Yngve N. Pettersen
- Re: [TLS] draft-ietf-tls-cached-info-14 Rob Stradling
- Re: [TLS] draft-ietf-tls-cached-info-14 Piyush Jain
- Re: [TLS] draft-ietf-tls-cached-info-14 Rob Stradling
- Re: [TLS] draft-ietf-tls-cached-info-14 Rob Stradling
- Re: [TLS] draft-ietf-tls-cached-info-14 Yngve N. Pettersen
- Re: [TLS] draft-ietf-tls-cached-info-14 Piyush Jain
- Re: [TLS] draft-ietf-tls-cached-info-14 Martin Rex
- Re: [TLS] draft-ietf-tls-cached-info-14 Rob Stradling
- Re: [TLS] draft-ietf-tls-cached-info-14 Rob Stradling
- Re: [TLS] draft-ietf-tls-cached-info-14 Piyush Jain
- Re: [TLS] draft-ietf-tls-cached-info-14 Yngve N. Pettersen
- Re: [TLS] draft-ietf-tls-cached-info-14 Yngve N. Pettersen
- Re: [TLS] draft-ietf-tls-cached-info-14 Martin Rex
- Re: [TLS] draft-ietf-tls-cached-info-14 Piyush Jain
- Re: [TLS] draft-ietf-tls-cached-info-14 Piyush Jain
- Re: [TLS] draft-ietf-tls-cached-info-14 Martin Rex