IETF Logo Mail Archive

Re: [TLS] Getting started, clock not set yet

Eric Rescorla <ekr@rtfm.com> Tue, 09 August 2022 23:13 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43E5AC157B57 for <tls@ietfa.amsl.com>; Tue, 9 Aug 2022 16:13:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.903
X-Spam-Level:
X-Spam-Status: No, score=-6.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CoUn4ncSmQTE for <tls@ietfa.amsl.com>; Tue, 9 Aug 2022 16:13:14 -0700 (PDT)
Received: from mail-il1-x12f.google.com (mail-il1-x12f.google.com [IPv6:2607:f8b0:4864:20::12f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06096C159480 for <tls@ietf.org>; Tue, 9 Aug 2022 16:13:14 -0700 (PDT)
Received: by mail-il1-x12f.google.com with SMTP id l9so7397286ilq.1 for <tls@ietf.org>; Tue, 09 Aug 2022 16:13:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=tdA1SX1FtMVZM3p9rIIOzKn9onc4vFs8vHu2oKwzWz0=; b=SIBwJSpWR5qVzcHo/zz8FqcNX7McwO846YsEtWQRR+ZeR0M1RKjv0IY4OikVbTrIa+ u3+BvhGo4uljgPFM1SSRqxBDVot9QToGPsZXw8OzAkP/72ijBePG7/z+gFIGO92DNrmx aO3/DLKOaW0zKgBESxYU+ICemb3KqS4+YG3e2GA6SCB6p6sBYTFMjmYM1ZEYTjTXL/3/ ZIEvFcyg1F9GSVA8hF4HL87tW2j1s9nIUGZqKVOXzTyP311pOunQRu+BEkbTB7IyA0/h 046rlSEJsGNyX8cHLLJCioZZK1LWg/vM4osc3eDQ5DOktD99z/lM8rAdAAFW2becOj5f Pe8Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=tdA1SX1FtMVZM3p9rIIOzKn9onc4vFs8vHu2oKwzWz0=; b=Cbfsbdf59edottC8Px6TeUeexi8yHhRdyTUVCNJblfFvABDa0/T2aS+/VKNFp6Smk/ 0a4lxaZ1+n4sRyFys8IsvOI1lQeO9wuwaWCDqXMlkoXmiY0UrxT7z1qbMaQnQMiVwIUr JNRnnXtxFEU/7RevYNOS2Q3KaCbunnLxBC3orXAsXUKrMdOPnfAFmF89Jfi64BkYWQvg 4nSHmOKsGPCGLB9ePItunnuoG3BpvDdNnV0kYIAxcbmi1PFR2oj0YU2fr/mQCme2330D jtKlDt8JCRYLv9EY7Kfc+bAIRArILMz4LBxX1yNw4jMHSBF0GZj6MQ9NJwBkq5lQg3bW i6lQ==
X-Gm-Message-State: ACgBeo2vGCSCgRAkXfjKEECpDkSImM1mmivj/IK/khdIL34YNPzbjDlw PjhYuM9i7d++bBHddaU1PgMWJ/qjwHP+vyBsCZDslIL01C3pLQ==
X-Google-Smtp-Source: AA6agR7M3VCyk3+OKY0jKXlyJX5BIre7lOD2rsNwiJ2w32zwbRyI29nfLHu5LIqbPkn4tC8e1DU0ZP95c+rotx06EnI=
X-Received: by 2002:a92:d606:0:b0:2dc:e2d1:b75b with SMTP id w6-20020a92d606000000b002dce2d1b75bmr11706891ilm.91.1660086793237; Tue, 09 Aug 2022 16:13:13 -0700 (PDT)
MIME-Version: 1.0
References: <20220809044037.8332328C1CA@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <SY4PR01MB6251F7EDC97E18A897BC3E6CEE629@SY4PR01MB6251.ausprd01.prod.outlook.com> <CABcZeBM7Xo=yT4GDSAzRNfZYBDAyaT9yNahOuNY8YDvx1SH+Rw@mail.gmail.com> <CAChr6Sy0oLDM=HLPCVtZEZracoD0GamAzGEg0fesrXAMzpEiLA@mail.gmail.com> <CABcZeBNZxUdNTeFCEPgGwtfehV-5LgV86QOXBi+Nqn2A0d6WUA@mail.gmail.com> <CAChr6SyJ=5bcEtMZXpfM=0UsixR0P7111nV0onksYeedSVF_KA@mail.gmail.com> <CABcZeBPvJx1G5da8ceyYBxuxHv6NYFSD_L0Y=cLCf-1cFwweww@mail.gmail.com> <20220809230826.GW3579@akamai.com>
In-Reply-To: <20220809230826.GW3579@akamai.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 09 Aug 2022 16:12:37 -0700
Message-ID: <CABcZeBMELWTRC9Ox9zjNRJ+bcy=rFV7zWi-skZKs81ncTcKG0g@mail.gmail.com>
To: Benjamin Kaduk <bkaduk@akamai.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009b8fdd05e5d71326"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/CiFkk0pkiO7A4IIQy9yRkVZBLQc>
Subject: Re: [TLS] Getting started, clock not set yet
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Aug 2022 23:13:18 -0000

n Tue, Aug 9, 2022 at 4:08 PM Benjamin Kaduk <bkaduk@akamai.com> wrote:

> On Tue, Aug 09, 2022 at 03:59:01PM -0700, Eric Rescorla wrote:
> >
> > Be that as it may, the browsers generally require conformance to the BRs
> > (see, for
> > instance
> >
> https://urldefense.com/v3/__https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/__;!!GjvTz_vk!UPmxyrKmaL10wJG8moM9lRB_dy37NNBtZYo3xVxxNx1_6JSsjXC25--ngicIeypX3KAVLzA$
>
> > S 2.3,
> >
> https://urldefense.com/v3/__https://www.chromium.org/Home/chromium-security/root-ca-policy/__;!!GjvTz_vk!UPmxyrKmaL10wJG8moM9lRB_dy37NNBtZYo3xVxxNx1_6JSsjXC25--ngicIeypXz_sK-Pc$
>  S 1)
> > so what the BRs say is relevant in this discussion.
>
> While it seems almost inevitable that the Web PKI will be used for some
> deployments of NTS, it also seems that NTS as a protocol is quite
> untethered to
> browser behavior or the Web PKI.  So while I agree that the CABF BRs are
> relevant, they probably ought not be treated as the sole authority.
>

Fair enough. I would make several points:

1. Peter's message was not qualified to NTS. He wrote
"For commercial CAs, the expiry time is a billing mechanism, not a security
mechanism. "

So I was attempting to respond to the bigger picture.

2. It seems quite likely that many of the NTS certificates will be from
WebPKI CAs,
just because that's what's easy to get, and so you can't count on them
providing
revocation after expiry.

3. Are you aware of some other set of rules for certificate issuance that
require
revocation after the certificate has expired?

-Ekr

v2.23.0 | Report a Bug | By Email