Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Sun, 07 March 2021 15:51 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Graham Bartlett <graham.ietf@gmail.com>, Deb Cooley <debcooley1@gmail.com>
CC: "Cooley, Dorothy E" <decoole@nsa.gov>, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, TLS List <tls@ietf.org>
Date: Sun, 07 Mar 2021 15:50:51 +0000
Message-ID: <VI1PR08MB2639BF2C1121306C7702A231FA949@VI1PR08MB2639.eurprd08.prod.outlook.com>
In-Reply-To: <CAO4D2DOQVJzQxn87mFQk=oFvY_JG4rcKB5RSFqW2vZRE2jYGzA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/8lm9U1uNTMQ87XYCXyWvLMy9k-0>

Graham, Deb,

  * 'Expiry: for the server/client. I suspect this is mostly a 'don't care', except in the case where a certificate *should* be revoked after it is expired (nobody does that, right?). Is this worth addressing? I suspect not.'

I agree.

  * I would imagine that the implementation would pull the session down once the certificate expires, so the session only lasts for the lifetime of the certificate.

Agree. I guess this case rarely happens because short-lived certificates are not so short lived after all.

  * Revocation: The RP* can check this whenever it desires. If one has designed a long lived connection, then the RP needs to handle it. Does TLS, the protocol need to handle it? Don't know.

I don’t see a need for TLS to do something.

  * Short lived certificates: I think these are a good idea. And if one does this, rekey/renewal early and often is the way to prevent breakage. IMHO....

I would imagine that the change of certificate will trigger a new handshake. If only the client-side certificate changes on a regular basis then I could imagine post-handshake authentication to be quite useful.

Ciao
Hannes

On Sun, Mar 7, 2021 at 11:53 AM Deb Cooley <debcooley1@gmail.com> wrote:
So we can break this down into 2 categories:

expiry
revocation

for both clients and servers.

Expiry:  for the server/client.  I suspect this is mostly a 'don't care', except in the case where a certificate *should* be revoked after it is expired (nobody does that, right?).  Is this worth addressing?  I suspect not.

Revocation:  The RP* can check this whenever it desires.  If one has designed a long lived connection, then the RP needs to handle it.  Does TLS, the protocol need to handle it?  Don't know.

Short lived certificates:  I think these are a good idea.  And if one does this, rekey/renewal early and often is the way to prevent breakage.  IMHO....




On Sun, Mar 7, 2021 at 6:16 AM Graham Bartlett <graham.ietf@gmail.com> wrote:
Hi

I have a fair amount of hands on experience with IPsec VPNs, and many organisations look to use TLS in a similar manner.

To give you an example of where you might look to perform a regular revocation check on long-lived connections:

Solution with many remote devices (think remote access, so phones, laptops, IoT devices etc)
A remote device is compromised, on the gateway there could be 1000s of devices connected.
I've found that most vendor solutions aren't geared up for an admin to easily determine the compromised device and prevent this reconnecting. Most organisations have a disconnect between the SOC, PKI team and the team that manages the remote access gateway; getting a process that'll involve all 3 teams usually doesn't work.

I've found that the best method to prevent the device from connecting is for the certificate to be revoked, the CRL refreshed and then a re-authentication performed on all active connections.

I'm not as familiar with TLS as I am IPsec, but hope that this explains a scenario where I feel re-authentication would be very valuable.

cheers

On Sun, Mar 7, 2021 at 9:58 AM Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
Nico Williams <nico@cryptonector.com> writes:

>When expirations are short, you will not forget to renew.  That's part of the
>point of short-lived certificates.

So instead of getting one chance a year for your control system to break
itself if the renewal fails, you get hundreds of them?

Peter.


_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
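The thread above agrees that TLS itself does not re-check a peer certificate once the handshake is done, so a relying party that keeps connections open for days has to do the "revoke, refresh the CRL, re-authenticate every live session" loop Graham describes on its own. The following is an added example, not code from anyone in the thread: a Go program in which a hypothetical connection supervisor function, `Reauthenticate`, re-evaluates a still-open connection's peer certificate against the current clock and the freshest CRL it holds, failing closed when the CRL is stale or not signed by the CA. `BuildTestPKI`, the CA name, the `device-0017` subject and all serial numbers are constructed in memory so the example runs offline; they are not real deployment material. It assumes Go 1.19 or later for `x509.ParseRevocationList` and `RevocationList.CheckSignatureFrom`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdict is the supervisor's decision for one live connection.
type Verdict string

const (
	KeepOpen      Verdict = "keep-open"
	CloseExpired  Verdict = "close-expired"
	CloseRevoked  Verdict = "close-revoked"
	CloseStaleCRL Verdict = "close-stale-crl"
)

// Reauthenticate re-evaluates a peer certificate that was accepted at handshake
// time. The chain was validated then; what can change afterwards is the clock
// and the CRL, so that is what this re-check looks at. Run it on a timer, or
// whenever the CRL is refreshed, for every connection that is still open.
func Reauthenticate(leaf, ca *x509.Certificate, crl *x509.RevocationList, now time.Time) (Verdict, error) {
	if now.After(leaf.NotAfter) || now.Before(leaf.NotBefore) {
		return CloseExpired, nil
	}
	// Never act on a CRL the CA did not sign (e.g. one swapped in on disk).
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return "", fmt.Errorf("crl signature: %w", err)
	}
	// A CRL past NextUpdate says nothing about revocations since then: fail closed.
	if now.After(crl.NextUpdate) {
		return CloseStaleCRL, nil
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return CloseRevoked, nil
		}
	}
	return KeepOpen, nil
}

// TestPKI is a throwaway CA, one client certificate and a CRL, constructed in
// memory only so that this example runs offline.
type TestPKI struct {
	CA, Leaf *x509.Certificate
	CRL      *x509.RevocationList
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildTestPKI issues a client certificate valid for lifetime and a CRL good
// for 24 hours; when revoke is true the CRL lists that certificate.
func BuildTestPKI(now time.Time, lifetime time.Duration, revoke bool) *TestPKI {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Remote-Access CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to issue CRLs
		SubjectKeyId:          []byte{1, 2, 3, 4},                           // CreateRevocationList insists on one
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      pkix.Name{CommonName: "device-0017"},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	if revoke {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}
	}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))))
	return &TestPKI{CA: ca, Leaf: leaf, CRL: crl}
}

func main() {
	now := time.Now()
	clean, revoked := BuildTestPKI(now, time.Hour, false), BuildTestPKI(now, time.Hour, true)
	for _, c := range []struct {
		name string
		pki  *TestPKI
		at   time.Time
	}{
		{"fresh cert, clean CRL", clean, now},
		{"SOC revoked the device, CRL refreshed", revoked, now},
		{"cert expired mid-session", clean, now.Add(2 * time.Hour)},
		{"CRL not refreshed for a day", BuildTestPKI(now, 48*time.Hour, false), now.Add(25 * time.Hour)},
	} {
		v, err := Reauthenticate(c.pki.Leaf, c.pki.CA, c.pki.CRL, c.at)
		fmt.Printf("%-40s -> %s (err=%v)\n", c.name, v, err)
	}
}
```

Anything other than `KeepOpen` is the signal to tear the session down, which in TLS 1.3 means closing the connection (or, for a client certificate that merely rotated, driving a post-handshake CertificateRequest instead). The stale-CRL verdict is deliberate: a gateway that keeps trusting a CRL past its NextUpdate has silently turned Graham's "revoke, refresh, re-authenticate" procedure into a no-op.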