Re: [TLS] OCSP Stapling confusion
Ilari Liusvaara <ilariliusvaara@welho.com> Mon, 10 December 2018 18:40 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B83E7131148 for <tls@ietfa.amsl.com>; Mon, 10 Dec 2018 10:40:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fwjTJFGgKI0D for <tls@ietfa.amsl.com>; Mon, 10 Dec 2018 10:40:22 -0800 (PST)
Received: from welho-filter2.welho.com (welho-filter2.welho.com [83.102.41.24]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 417E3127B4C for <tls@ietf.org>; Mon, 10 Dec 2018 10:40:21 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id 50161D044C for <tls@ietf.org>; Mon, 10 Dec 2018 20:40:19 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id G5rZwgj3LyBu for <tls@ietf.org>; Mon, 10 Dec 2018 20:40:18 +0200 (EET)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id BB6A32308 for <tls@ietf.org>; Mon, 10 Dec 2018 20:40:17 +0200 (EET)
Date: Mon, 10 Dec 2018 20:40:17 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "tls@ietf.org" <tls@ietf.org>
Message-ID: <20181210184017.GA30264@LK-Perkele-VII>
References: <877egitcbv.fsf@fifthhorseman.net> <122F779A-6BF7-4B9F-8522-860E44C5FC00@akamai.com> <874lbltw4g.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <874lbltw4g.fsf@fifthhorseman.net>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/DUPp4c6U_osTFP40S93kxZ3hhk8>
Subject: Re: [TLS] OCSP Stapling confusion
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Dec 2018 18:40:25 -0000
On Mon, Dec 10, 2018 at 07:16:31AM -0500, Daniel Kahn Gillmor wrote: > On Mon 2018-12-10 02:24:29 +0000, Salz, Rich wrote: > >> * the status_request TLS extension doesn't provide a mechanism for > > stapling OCSP for intermediate certs. > > > > Nobody does this. There's a handful of reasons, but the end result is: nobody does this. > > I'd be interested in hearing the reasons enumerated. It seems to me > like being able to promptly revoke an intermediate certificate is a > useful bit of mechanism. is it just because we hope the major browsers > are clever and responsive enough that they'll push out a CRLset (or > equivalent) when they hear of an intermediate that is found to be > violating the BRs? One is that in baseline requirements, the maximum intermediate OCSP lifetime is 12 months(!) (compare this with the maximum end-entity OCSP lifetime, which is 7 days), which makes them pretty useless for quickly notifying of intermediate compromises when stapled. And yes, some CAs actually use those 12 month OCSP responses. As noted, all the browsers handle intermediate compromise via their own blacklisting measures (oneCRL/CRLset/Disallowed.stl/etc...) > >> So i think this is a big swirling mishmash of not-quite-compatible and > > not-quite-complete specs, especially as we think about TLS clients and > > servers that want to be interoperable with both TLS 1.2 and TLS 1.3. > > > > Yes, there are many things that could be cleared out with a BCP doc. > > I would be interested in helping with that. > > I agree that a BCP would be pretty helpful in clarifiying the state of > play, since it's currently scattered across a few docs over several > years. > > But I think i'm proposing something that is not quite just a "BCP", > since it might involve changing the semantics and extensibility of > status_request (limiting it to OCSP responses (from the authorities > found in the AIA?)) so that "TLS Feature" can actually provide > meaningful guarantees of OCSP stapling for X.509v3 certificates. > > Because right now, with all the extra (currently unused) flexibility in > status_request, it's hard to see how a client or server can meaningfully > rely on "TLS Feature" as a "must-staple" extension. The TLS feature extension looks to be woefully underspecified. Even in the one usecase it was meant to, which was this. The interpretation I took when writing some releated code was that 5 in any (including CA) TLS feature extension means OCSP stapling EE certificate is mandatory (or the EE certficate is shortlived). Just answering the extension 5 is not enough. -Ilari
- Re: [TLS] OCSP Stapling confusion Salz, Rich
- [TLS] OCSP Stapling confusion Daniel Kahn Gillmor
- Re: [TLS] OCSP Stapling confusion Daniel Kahn Gillmor
- Re: [TLS] OCSP Stapling confusion Ilari Liusvaara
- Re: [TLS] OCSP Stapling confusion Martin Thomson
- Re: [TLS] OCSP Stapling confusion Ryan Sleevi