Re: [TLS] Status of X.509v3 TLS Feature Extension?

Viktor Dukhovni <viktor1dane@dukhovni.org> Mon, 28 April 2014 15:47 UTC

Date: Mon, 28 Apr 2014 15:47:42 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20140428154742.GW27883@mournblade.imrryr.org>
References: <CA+aixj_i8XF2buDNMOp2=_Z0XzT3R4uGfxJtjoGt-_PButSggw@mail.gmail.com> <CA+cU71=FtZfzGktLhLz_j99mQ=LVbd0kzz0ZyGbewQUS0ouEGA@mail.gmail.com> <535E353A.9030008@comodo.com> <20140428142029.GT27883@mournblade.imrryr.org> <2A0EFB9C05D0164E98F19BB0AF3708C7120C61F59F@USMBX1.msg.corp.akamai.com> <20140428145250.GU27883@mournblade.imrryr.org> <2A0EFB9C05D0164E98F19BB0AF3708C7120C61F5D0@USMBX1.msg.corp.akamai.com> <20140428151053.GV27883@mournblade.imrryr.org> <2A0EFB9C05D0164E98F19BB0AF3708C7120C61F625@USMBX1.msg.corp.akamai.com>
In-Reply-To: <2A0EFB9C05D0164E98F19BB0AF3708C7120C61F625@USMBX1.msg.corp.akamai.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/C0pQG4Hnpj2M5CkIu4ldzWk9dKc
Subject: Re: [TLS] Status of X.509v3 TLS Feature Extension?

On Mon, Apr 28, 2014 at 11:34:02AM -0400, Salz, Rich wrote:

> > The protocol looks under-specified to me.
> 
> I don't read it as fail-closed; there is no definition of "satisfactory" at the end of section eight, and the server is free to not send an OCSP response.
> 
> If you consider it to be not fail-closed, are your concerns lessened?

What's the point if it does not fail closed?  The client insists
that the server provide an OCSP response, but then does not validate
it (some notion of freshness is surely part of validation, but no
freshness algorithm is indicated).

Does the server have to provide OCSP responses for every intermediate
CA in the chain?  Or just for the leaf certificate?  Or only for
the leaf certificate and those intermediate CAs whose certificates
happen to include the proposed TLS feature extension?

-- 
	Viktor.
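The message above objects that a must-staple client is told to demand an OCSP response but not how to validate it, and in particular gets no freshness rule. As an added example (not code from this thread, the draft, or any TLS stack), here is what such a client-side check looks like when it is made to fail closed: detect the TLS feature extension (status_request) on the certificate, then verify the stapled response's signature, that it is about this certificate under this issuer, its status, and its freshness. It assumes the `cryptography` package; the certificates, keys and responses are generated inside the block as constructed test data, the responder is the issuing CA itself (delegated responders omitted), and `MAX_STAPLE_AGE` and `CLOCK_SKEW` are a local policy chosen for the example, not values from any specification.

```python
import datetime
import hashlib
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

# Local policy (assumption for this example): no spec pins these down.
MAX_STAPLE_AGE = datetime.timedelta(days=7)   # reject a staple produced longer ago than this
CLOCK_SKEW = datetime.timedelta(minutes=5)    # tolerance for responder/client clock drift


def requires_staple(cert):
    """True if the cert carries the TLS feature extension listing status_request (must-staple)."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.TLSFeature)
    except x509.ExtensionNotFound:
        return False
    return x509.TLSFeatureType.status_request in ext.value


def _aware(resp, field):
    """Read thisUpdate/nextUpdate as an aware UTC datetime across cryptography releases."""
    value = getattr(resp, field + "_utc", None)   # newer releases expose aware accessors
    if value is None:
        value = getattr(resp, field)              # older releases return naive UTC
        if value is not None:
            value = value.replace(tzinfo=datetime.timezone.utc)
    return value


def validate_staple(resp_der, leaf, issuer, now=None):
    """Return (ok, reason). A must-staple client fails closed on anything but (True, 'ok')."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False, "responder returned %s" % resp.response_status.name
    # 1. The response must be signed by the issuing CA (this example does not accept delegated responders).
    try:
        issuer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                   padding.PKCS1v15(), resp.signature_hash_algorithm)
    except Exception:
        return False, "bad signature"
    # 2. The CertID must name this leaf under this issuer (serial plus issuer name hash).
    name_hash = hashlib.new(resp.hash_algorithm.name, issuer.subject.public_bytes()).digest()
    if resp.serial_number != leaf.serial_number or resp.issuer_name_hash != name_hash:
        return False, "response is for a different certificate"
    # 3. Only a GOOD status is acceptable.
    if resp.certificate_status != ocsp.OCSPCertStatus.GOOD:
        return False, "status %s" % resp.certificate_status.name
    # 4. Freshness: inside the responder's window, and not older than local policy allows.
    this_update = _aware(resp, "this_update")
    next_update = _aware(resp, "next_update")
    if this_update > now + CLOCK_SKEW:
        return False, "thisUpdate in the future"
    if next_update is not None and next_update < now - CLOCK_SKEW:
        return False, "nextUpdate passed"
    if now - this_update > MAX_STAPLE_AGE:
        return False, "older than local max age"
    return True, "ok"


def make_chain(must_staple=True):
    """Constructed test data: a self-signed CA and a leaf it issued, optionally marked must-staple."""
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None, microsecond=0)
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    ca = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
          .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
          .not_valid_before(now - datetime.timedelta(days=1))
          .not_valid_after(now + datetime.timedelta(days=365))
          .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
          .sign(ca_key, hashes.SHA256()))
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    builder = (x509.CertificateBuilder()
               .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.test")]))
               .issuer_name(ca_name).public_key(leaf_key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(days=1))
               .not_valid_after(now + datetime.timedelta(days=90)))
    if must_staple:
        builder = builder.add_extension(
            x509.TLSFeature([x509.TLSFeatureType.status_request]), critical=False)
    return ca_key, ca, builder.sign(ca_key, hashes.SHA256())


def make_staple(ca_key, ca, cert, this_update, next_update=None):
    """Constructed stapled response (status GOOD), signed directly by the CA; times are naive UTC."""
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=cert, issuer=ca, algorithm=hashes.SHA1(),
        cert_status=ocsp.OCSPCertStatus.GOOD, this_update=this_update,
        next_update=next_update, revocation_time=None, revocation_reason=None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, ca)
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def demo():
    """Run the check over constructed staples; returns the verdicts keyed by scenario."""
    ca_key, ca, leaf = make_chain()
    t = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None, microsecond=0)
    h, d = datetime.timedelta(hours=1), datetime.timedelta(days=1)
    return {
        "leaf_must_staple": requires_staple(leaf),
        "ca_must_staple": requires_staple(ca),
        "fresh": validate_staple(make_staple(ca_key, ca, leaf, t - h, t + 3 * d), leaf, ca),
        "expired": validate_staple(make_staple(ca_key, ca, leaf, t - 10 * d, t - d), leaf, ca),
        "no_next_update_old": validate_staple(make_staple(ca_key, ca, leaf, t - 30 * d), leaf, ca),
        "wrong_cert": validate_staple(make_staple(ca_key, ca, ca, t - h, t + d), leaf, ca),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(scenario, verdict)
```

The four checks are ordered so that the cheapest fail-closed reasons come first and the policy question the message raises (how old may a staple be when nextUpdate is absent) is handled last by the `MAX_STAPLE_AGE` cap. The intermediate-CA question in the message is left open here: `requires_staple` is applied per certificate, so a client can run it over the leaf only or over every certificate in the chain depending on which reading of the draft it adopts.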