Re: [TLS] OCSP must staple

Michael StJohns <> Thu, 05 June 2014 18:07 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id D2F681A0144 for <>; Thu, 5 Jun 2014 11:07:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id UMjBb6BFQLEo for <>; Thu, 5 Jun 2014 11:07:09 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C5A861A01A0 for <>; Thu, 5 Jun 2014 11:07:08 -0700 (PDT)
Received: by with SMTP id k15so1607110qaq.40 for <>; Thu, 05 Jun 2014 11:07:01 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=K3ckpkFB1YvsLU4WUYOVN5tiK17oJCONuN+sj0KOfjM=; b=cz3Z2skxlI5s9vvjTiwGuaBQsMg19NgVj8tQcG74Mgop/IOn4tpE+GjqCjtz2DfMHn TRQUxg4j/Q2/c5zKRssBH1LKQCNsLAJH79WlvEeqVGrn7gFqrwccMFqc95Ua3/42/8Ct VvFU58rZU7J5A+pOHay6Hpe0kz6iSTUFaZoS1eDaWXRaf7LUIVkjou6AR5JJ+4wlQ1I2 9gh3TrQ3Lvk7TVuUsRz0dxQqDHp6ypTbumRWIrBAxta6wEFz7TrhgUWV37mPqUcg0wr9 zcEu6MV+OnSotnISzUknG9J/BiDzRCpIySLzY4QbOfRs921pnfaNZYT9xOW571XytvGa mrDQ==
X-Gm-Message-State: ALoCoQmVviH8GBHl2ghpBgOFUJpa8qyAr2DGAkW5C/hwMPuX03VYyCndNlhFQCUWUX4BGXYp1A9O
X-Received: by with SMTP id l9mr19686542qay.34.1401991621737; Thu, 05 Jun 2014 11:07:01 -0700 (PDT)
Received: from [] ( []) by with ESMTPSA id b7sm10528844qae.32.2014. for <> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 05 Jun 2014 11:07:01 -0700 (PDT)
Message-ID: <>
Date: Thu, 05 Jun 2014 14:07:18 -0400
From: Michael StJohns <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
References: <> <097101cf7aa7$17f960a0$47ec21e0$> <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] OCSP must staple
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 05 Jun 2014 18:07:24 -0000

Hi -

The note by Brian Smith made me take a second look at From the 
list chatter, I thought it was pretty much a standard CA extension.  I 
didn't realize that PHB had defined it as a transitive (i.e. if the CA 
has it, then it applies all the way down the chain) extension, rather 
than just a simple one-off application.

Given the above, I would reject the document and suggest instead that 
this use the CertificatePolicies extension.

Two ways of doing this:


1) Define a policy OID for each TLS feature - the set is pretty small 
right now and I don't see it growing all that much.  This is probably 
the right approach and doesn't require anything more than a description 
of the OID and the related policy processing.

or Second

1) Define a policy OID for TLS Features
2) Define a PolicyQualifier OID for a FeatureIds qualifier
3) Define "FeatureIds ::= SEQUENCE of TlsFeatures"
4) Define "TlsFeatures ::= INTEGER { feature1 (1), feature2(2), ...}

This is more flexible, but seems to violate the spirit of RFC5280, 
section - the "RECOMMENDS" items.

Doing it one of the above ways doesn't require modification to the cert 
path building logic (which isn't fully specified in the draft and should 
be).  The first also - mostly - doesn't require changes to code that 
build certificates which means it could enter production on the cert 
side much quicker.


On 6/5/2014 8:59 AM, Stephen Farrell wrote:
> Hiya,
> On 05/06/14 13:40, Phillip Hallam-Baker wrote:
>> By which I simply mean, lets make get people to actually read that
>> particular draft rather than start a cabal. So if we give folks a week
>> and then we can go forward with the document shepherd?
> Sure works for me. Can you try recruit a shepherd?
> I'll do an AD review in any case before I start IETF LC and will
> post a copy of that here. If other folks have comments I guess
> send those here or to PHB and me. I'd be happy to get a couple
> of mails saying "read it, its ready" after Phill's done his
> tweaks as well btw.
> Cheers,
> S.
> _______________________________________________
> TLS mailing list