IETF Logo Mail Archive

Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections

Deb Cooley <debcooley1@gmail.com> Sun, 07 March 2021 11:52 UTC

Return-Path: <debcooley1@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABE183A1195 for <tls@ietfa.amsl.com>; Sun, 7 Mar 2021 03:52:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.847
X-Spam-Level:
X-Spam-Status: No, score=-1.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 71J_xLYJlcE6 for <tls@ietfa.amsl.com>; Sun, 7 Mar 2021 03:52:55 -0800 (PST)
Received: from mail-ot1-x335.google.com (mail-ot1-x335.google.com [IPv6:2607:f8b0:4864:20::335]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8EAFA3A1190 for <tls@ietf.org>; Sun, 7 Mar 2021 03:52:55 -0800 (PST)
Received: by mail-ot1-x335.google.com with SMTP id 75so3205611otn.4 for <tls@ietf.org>; Sun, 07 Mar 2021 03:52:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5xUQK0k0n67sbhCskQM0VNES0iEAsiuhbMweJ56Qjws=; b=kqQBcrg8dX/xCwBb8r/uaVUH9kPpiYL93L3XQByDN7Q6k2D21zjb8VYtMDFUG8qwzc ryM/JSaVlPXbm3xJkGu8eo2uhX20v6VWHOdaMAv7AwSA7GDn4jaf07VOoWRgWAavQ7wL bZ9AlbgaxtffGD1KRfywQMAah6c7O5puHhMMkzxZI7XMAicMquDCPQWApGmnHsdG15NG uRzrJtvLHB6/rhTnGt8eKNnq4ylmRfG1cgnGKLM/Ycy+LXgqmW8G2WKacigrBekG77Tj JA8rV9kVK4VkZuJWuabrpehO5CWXsc+MSKWq3cb/Uo4XLAAH+udXQb0zhwhll2B8AiIf 33Dg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5xUQK0k0n67sbhCskQM0VNES0iEAsiuhbMweJ56Qjws=; b=ZETSiktgnAPgCu+ZBY572y6xVCnlPzGk5B9JI9uH9gdyYrZbD5e7zt/Hq4qXCq6rzW C4HlsYNuDhaEZZaN1DDUUBtm1cgRnFhpdSJ9U3YVn717fm1k7x99Mkv0gLR2DD9b4V70 PGeNsPhsUNLaCtAxrJj0bEvadvGuX588UjLBXOU7rMKc70RLVE+O93bfvjnRYUtwuQsD pT76e0R83simY5k2jeNsgZo2WU4Hu9rzqSIMkfs2Mb25zo0GedZQvJJkCAzkCLnXy3Co jU35Z+81UNtDHZQlP1o+MDBi6kmbgOZmPDB7UvcjyQir/8fJyNgydbNDPTEPbtzOJdcx cZ4Q==
X-Gm-Message-State: AOAM532uOfAy8vtUAUJcjmlwRJidpxfctEssHt2XZ/I5UQxNt3fPdlMk si8Sg26V3HolNd+55Qq8HdGhmvP5Ni7DW50eV1fJhjVy3g==
X-Google-Smtp-Source: ABdhPJwv7zTMQTRKqzLCYPJ3kKEqq3Ir2+LP4xMQZvqt/TO+1piHSSvZVJuwUK7Rszb8J0euNXMbfGkKiEOBs8f+bhY=
X-Received: by 2002:a05:6830:14cc:: with SMTP id t12mr15821344otq.109.1615117974014; Sun, 07 Mar 2021 03:52:54 -0800 (PST)
MIME-Version: 1.0
References: <DE27E5E0-4AB9-4B53-92F6-1057015A8F6C@ericsson.com> <20210305173516.GV30153@localhost> <701E874C-EA40-47FD-A4E4-C4C595E96337@ericsson.com> <CACsn0cmmKdR0-82DjrYZD5_CaF2bqwHnj07dM+Bnd-2aupU5QQ@mail.gmail.com> <CABcZeBP8wdmbO8DQPZ8e5CDZ76ioe3vzaJ+7YtQ74XZzcuxHmg@mail.gmail.com> <20210306061124.GY30153@localhost> <1615013752661.15146@cs.auckland.ac.nz> <20210306211036.GZ30153@localhost> <1615111060736.9067@cs.auckland.ac.nz> <CAO4D2DN=kbUtSs=7GqDPibpDeJjL4GO7OWa22wbBHvNJeQU66A@mail.gmail.com>
In-Reply-To: <CAO4D2DN=kbUtSs=7GqDPibpDeJjL4GO7OWa22wbBHvNJeQU66A@mail.gmail.com>
From: Deb Cooley <debcooley1@gmail.com>
Date: Sun, 07 Mar 2021 06:52:42 -0500
Message-ID: <CAGgd1Od3EfNAt0ZOpe-N+2t34U7bG5Za4j_abcy_4OX2si0gSw@mail.gmail.com>
To: TLS List <tls@ietf.org>
Cc: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, "Cooley, Dorothy E" <decoole@nsa.gov>
Content-Type: multipart/alternative; boundary="0000000000001c8eb405bcf0f543"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/8Dng-rr58icJmm1O-ZiHl7Yx9pw>
Subject: Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Mar 2021 11:52:58 -0000

So we can break this down into 2 categories:

expiry
revocation

for both clients and servers.

Expiry:  for the server/client.  I suspect this is mostly a 'don't care',
except in the case where a certificate *should* be revoked after it is
expired (nobody does that, right?).  Is this worth addressing?  I suspect
not.

Revocation:  The RP* can check this whenever it desires.  If one has
designed a long lived connection, then the RP needs to handle it.  Does
TLS, the protocol need to handle it?  Don't know.

Short lived certificates:  I think these are a good idea.  And if one does
this, rekey/renewal early and often is the way to prevent breakage.
IMHO....




On Sun, Mar 7, 2021 at 6:16 AM Graham Bartlett <graham.ietf@gmail.com>
wrote:

> Hi
>
> I have a fair amount of hands on experience with IPsec VPNs, and many
> organisations look to use TLS in a similar manner.
>
> To give you an example of where you might look to perform a regular
> revocation check on long lived connections;
>
> Solution with many remote devices (think remote access, so phones,
> laptops, IoT devices etc)
> A remote device is compromised, on the gateway there could be 1000s of
> devices connected.
> I've found that most vendor solutions aren't geared up for an admin to
> easily determine the compromised device and prevent this reconnecting. Most
> organisations have a disconnect between the SOC, PKI team and the team that
> manages the remote access gateway, getting a process that'll involve all 3
> teams usually doesn't work.
>
> I've found that the best method to prevent the device from connecting is
> for the certificate to be revoked, the CRL refreshed and then a
> re-authentication performed on all active connections.
>
> I'm not as familiar with TLS as I am IPsec, but hope that this explains
> a scenario where I feel re-authentication would be very valuable.
>
> cheers
>
> On Sun, Mar 7, 2021 at 9:58 AM Peter Gutmann <pgut001@cs.auckland.ac.nz>
> wrote:
>
>> Nico Williams <nico@cryptonector.com> writes:
>>
>> >When expirations are short, you will not forget to renew.  That's part
>> of the
>> >point of short-lived certificates.
>>
>> So instead of getting one chance a year for your control system to break
>> itself if the renewal fails, you get hundreds of them?
>>
>> Peter.
>>
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email