Re: [TLS] OCSP Stapling in RFC 6066
mrex@sap.com (Martin Rex) Thu, 12 February 2015 18:51 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55C251A1B59 for <tls@ietfa.amsl.com>; Thu, 12 Feb 2015 10:51:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.551
X-Spam-Level:
X-Spam-Status: No, score=-6.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fOAcHyRfRMkL for <tls@ietfa.amsl.com>; Thu, 12 Feb 2015 10:51:29 -0800 (PST)
Received: from smtpde02.smtp.sap-ag.de (smtpde02.smtp.sap-ag.de [155.56.68.140]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEF1E1A1B56 for <tls@ietf.org>; Thu, 12 Feb 2015 10:51:28 -0800 (PST)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtpde02.smtp.sap-ag.de (Postfix) with ESMTPS id BA1F54497E; Thu, 12 Feb 2015 19:51:23 +0100 (CET)
X-purgate-ID: 152705::1423767087-000007DF-0BA2EA2F/0/0
X-purgate-size: 2071
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 89FEA45456; Thu, 12 Feb 2015 19:51:23 +0100 (CET)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 81BA01B19A; Thu, 12 Feb 2015 19:51:23 +0100 (CET)
In-Reply-To: <54DC9533.7070101@wizmail.org>
To: Jeremy Harris <jgh@wizmail.org>
Date: Thu, 12 Feb 2015 19:51:23 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20150212185123.81BA01B19A@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/CxtymmUE9NBw8fMs15yINocbIy8>
Cc: tls@ietf.org
Subject: Re: [TLS] OCSP Stapling in RFC 6066
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Feb 2015 18:51:31 -0000
Jeremy Harris wrote: > Fries, Steffen wrote: >> I've got a question to the OCSP stapling approach described in RFC 6066 > > Why not jump directly to an RFC 6961 analogue? Your observation is correct that the rfc6066 OCSP extension is limited to a single OCSP response for the server certificate, whereas the TLS extension defined in rfc6961 allows for multiple OCSP responses, including OCSP responses for CA certificates in the certificate chain of the server. But there are a number of differences in the server and client authentication that make these two TLS extensions (or their approach) a bad fit for client certificate authentication. For the server certificate, the Server's decision/choice for a specific server certificate happens (or at least can happen) while the server evaluates the TLS protocol options proposed in ClientHello and composed the ServerHello response _after_ making the selections of TLS protocol options. So when the server composes the ServerHelloExtensions it knows which server certificate it is going to use and can insert the respective OCSP responses into ServerHello. The situation is substantially different for the client, who has to include all TLS protocol options that are up for negotation upfront in ClientHello(Extensions). At this point, the client does not know whether the server is going to request a client certificate at all, nor does the client know, which list of trusted certification_authorities or which algorithms the server supports and is going to select/request. So the approach for conveying OCSP responses for the client certificate from the client to the server should probably be on the second batch of handshake messages from client to server in a full TLS handshake, such as using a "TLS Handshake Message for Supplemental Data" (rfc4680). I agree that the rfc4680 approach is more code to implement, but such an approach would not break when the client has more than one client certificates or additional client certificates other than X.509. -Martin
- [TLS] OCSP Stapling in RFC 6066 Fries, Steffen
- Re: [TLS] OCSP Stapling in RFC 6066 Salz, Rich
- Re: [TLS] OCSP Stapling in RFC 6066 Fries, Steffen
- Re: [TLS] OCSP Stapling in RFC 6066 Jeremy Harris
- Re: [TLS] OCSP Stapling in RFC 6066 Martin Rex
- Re: [TLS] OCSP Stapling in RFC 6066 Fries, Steffen
- Re: [TLS] OCSP Stapling in RFC 6066 Jeremy Harris