IETF Logo Mail Archive

Re: [TLS] CRL Stapling? (was Re: I-D Action: draft-ietf-tls-multiple-cert-status-extension-00.txt)

Geoffrey Keating <geoffk@geoffk.org> Wed, 13 June 2012 21:16 UTC

Return-Path: <geoffk@geoffk.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC72A11E8099 for <tls@ietfa.amsl.com>; Wed, 13 Jun 2012 14:16:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D9800-aeNdBF for <tls@ietfa.amsl.com>; Wed, 13 Jun 2012 14:16:44 -0700 (PDT)
Received: from dragaera.releasedominatrix.com (dragaera.releasedominatrix.com [216.129.118.138]) by ietfa.amsl.com (Postfix) with ESMTP id 638CE11E8097 for <tls@ietf.org>; Wed, 13 Jun 2012 14:16:44 -0700 (PDT)
Received: by dragaera.releasedominatrix.com (Postfix, from userid 501) id 55A7B33D0BE; Wed, 13 Jun 2012 21:16:43 +0000 (UTC)
Sender: geoffk@localhost.localdomain
To: Jean-Marc Desperrier <jmdesp@free.fr>
References: <20120509153513.11861.32080.idtracker@ietfa.amsl.com> <4FC75249.3050805@comodo.com> <op.wfdji1xiqrq7tp@acorna.invalid.invalid> <4FD75734.5030809@free.fr>
From: Geoffrey Keating <geoffk@geoffk.org>
Date: Wed, 13 Jun 2012 14:16:43 -0700
In-Reply-To: <4FD75734.5030809@free.fr>
Message-ID: <m262auyksk.fsf@localhost.localdomain>
Lines: 33
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.4
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: tls@ietf.org
Subject: Re: [TLS] CRL Stapling? (was Re: I-D Action: draft-ietf-tls-multiple-cert-status-extension-00.txt)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jun 2012 21:16:45 -0000

Jean-Marc Desperrier <jmdesp@free.fr> writes:

> On 04/06/2012 06:31, Yngve N. Pettersen (Developer Opera Software ASA)
> wrote:
> > Like Martin Rex, I am concerned that this would significantly
> > increase the complexity of the system:
> >  - The servers would have to download both, and then decide which to use.
> Not necessarily, the extension is still very useful if the servers
> systematically downloads the OCSP where available, and CRL when the
> intermediate CA have no OCSP. Or has been initially configured to do
> only one of the two.
> 
> The biggest problem with the OCSP only mode is that in many cases
> intermediate CA do not have OCSP responders, so that in practice,
> either the client doesn't check intermediate levels, or it will still
> have to do several network requests when using multi.

Although most intermediate CAs don't have OCSP responders, the
intermediate certificates most commonly used on the Internet do.

That is to say, when I look at intermediate certificates visible on
the Internet, unexpired and signed by the CAs recognised by OS X, I
see only about 25% have OCSP responders named (321 out of 1256).  But,
when counting them by the number of IP addresses which send the
certificate, the numbers reverse and 74% of the certificates sent
(2071453 out of 2813712) have OCSP responders named.

These numbers should only improve in the future, as the CABforum
baseline requirements require new intermediate CAs to have OCSP
responders.

So, I wouldn't put a lot of effort into making CRLs more efficient in
situations where OCSP can be used instead.

v2.23.0 | Report a Bug | By Email