Re: [TLS] Call for acceptance on multi-stapling

Yoav Nir <ynir@checkpoint.com> Tue, 24 April 2012 18:14 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: Nico Williams <nico@cryptonector.com>
Date: Tue, 24 Apr 2012 21:14:42 +0300
Message-ID: <C072775A-4C1B-47F5-9FF6-D2CE9CFE3978@checkpoint.com>
References: <CABcZeBNcLPfUsufqYY4xEmvHQT4nGF4hgdtB5Axn3tA9smqpcw@mail.gmail.com> <201204190356.q3J3uSbT023588@fs4113.wdf.sap.corp> <CABcZeBMK8BD690=CcFy+v3T1DHNTTJvQxEvKAz=TF=NSTv61dg@mail.gmail.com> <CAK3OfOg3Frb4kRL5_d=AKhFLSJOoGfsyJrfJm+8f6wwih98s1g@mail.gmail.com> <CABcZeBMq8d5kk8C_kfUaYU96TTx8f5K4kQNrduU-GTnrJfL6TQ@mail.gmail.com> <4F96B94B.8050900@free.fr> <CAK3OfOg9oveMLs7rQCqaYUrRpOsX679qX7dvejkzo=2NYWoNgA@mail.gmail.com>
In-Reply-To: <CAK3OfOg9oveMLs7rQCqaYUrRpOsX679qX7dvejkzo=2NYWoNgA@mail.gmail.com>
Cc: "tls@ietf.org" <tls@ietf.org>

Hi Nico

On Apr 24, 2012, at 5:39 PM, Nico Williams wrote:

> On Tue, Apr 24, 2012 at 9:31 AM, Jean-Marc Desperrier <jmdesp@free.fr> wrote:
>> Eric Rescorla wrote:
>> 
>>> It's also not entirely clear that short-lived certs
>>> don't cause clients to choke. They shouldn't, but don't and shouldn't
>>> aren't always the same.
>> 
>> 
>> They make time synchronization problems a lot more acute.
>> This can be interpreted as "causing them to choke", I'd expect the scale of
>> the problem to be larger than the one with false start.
> 
> They don't have to be short-lived, just fresh.

I don't understand the distinction. If a relying party (in our case, the browser) requires that certificates are at most 24 hours old (presumably calculated by subtracting the current time from the notBefore field), what difference does it make if the notAfter field is 5 years in the future?

Yoav
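The two policies the thread is comparing, modelled side by side as an added example (this is not code from the thread, from Check Point, or from any TLS implementation). A "short-lived" certificate relies on its own notAfter being near; a "fresh" policy is a relying-party rule that bounds now - notBefore regardless of notAfter. The 24-hour bound, the 5-year notAfter and the sample dates are taken from the message above; the clock-skew tolerance parameter is an assumption added so the time-synchronization sensitivity Jean-Marc raises can be seen for each policy. All timestamps are constructed sample values.

```python
"""Freshness policy vs. short-lived validity window on an X.509 validity period.

Added example; not code from the thread or any TLS stack. Times are constructed.
"""
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(hours=24)  # freshness bound assumed from the thread

# Constructed sample validity periods sharing the same notBefore.
NOT_BEFORE = datetime(2012, 4, 24, 0, 0, tzinfo=timezone.utc)
LONG_LIVED = (NOT_BEFORE, NOT_BEFORE + timedelta(days=5 * 365))   # notAfter 5 years out
SHORT_LIVED = (NOT_BEFORE, NOT_BEFORE + timedelta(hours=24))      # notAfter 24 hours out


def within_validity(not_before, not_after, now, skew=timedelta(0)):
    """Ordinary validity-window check (notBefore <= now <= notAfter),
    widened by a symmetric clock-skew tolerance."""
    return (not_before - skew) <= now <= (not_after + skew)


def is_fresh(not_before, now, max_age=MAX_AGE, skew=timedelta(0)):
    """Relying-party freshness rule: the certificate's age (now - notBefore)
    must not exceed max_age. Skew tolerates a client clock slightly behind
    the issuer (negative age) or slightly ahead (age just over max_age)."""
    age = now - not_before
    return -skew <= age <= max_age + skew


def accept(not_before, not_after, now, policy, skew=timedelta(0)):
    """policy 'validity': window check only.
    policy 'fresh': window check AND age bound (notAfter is irrelevant
    to the age bound, which is the point of Yoav's question)."""
    ok = within_validity(not_before, not_after, now, skew)
    if policy == "fresh":
        ok = ok and is_fresh(not_before, now, skew=skew)
    return ok


def evaluate(now, skew=timedelta(0)):
    """Acceptance of both sample certs under both policies at client time 'now'."""
    return {
        ("long", "validity"): accept(*LONG_LIVED, now, "validity", skew),
        ("long", "fresh"): accept(*LONG_LIVED, now, "fresh", skew),
        ("short", "validity"): accept(*SHORT_LIVED, now, "validity", skew),
        ("short", "fresh"): accept(*SHORT_LIVED, now, "fresh", skew),
    }


if __name__ == "__main__":
    scenarios = {
        "12h after issue, clock correct": (NOT_BEFORE + timedelta(hours=12), timedelta(0)),
        "60h after issue, clock correct": (NOT_BEFORE + timedelta(hours=60), timedelta(0)),
        "24h after issue, client clock 3h fast, no skew allowance":
            (NOT_BEFORE + timedelta(hours=27), timedelta(0)),
        "24h after issue, client clock 3h fast, 5h skew allowance":
            (NOT_BEFORE + timedelta(hours=27), timedelta(hours=5)),
        "at issue, client clock 2h slow, no skew allowance":
            (NOT_BEFORE - timedelta(hours=2), timedelta(0)),
    }
    for label, (now, skew) in scenarios.items():
        print(label)
        for (cert, policy), ok in evaluate(now, skew).items():
            print(f"  {cert:5s} cert, {policy:8s} policy: {'accept' if ok else 'reject'}")
```

The second and third scenarios show the symmetry Yoav is asking about: once the relying party enforces the age bound, the long-lived certificate is rejected at exactly the moments the short-lived one expires, so the far-off notAfter changes nothing. The skew scenarios show Jean-Marc's concern: with a 24-hour bound, a client clock a few hours off flips the result for both the short-lived certificate and the fresh policy alike, whereas the plain validity check on a 5-year certificate is unaffected.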