IETF Logo Mail Archive

Re: [TLS] New version of Multiple OCSP mode of Certificate Status extension

"Brian Smith" <brian@briansmith.org> Mon, 02 August 2010 16:57 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E13523A67AE; Mon, 2 Aug 2010 09:57:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.632
X-Spam-Level:
X-Spam-Status: No, score=-1.632 tagged_above=-999 required=5 tests=[AWL=0.967, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8GD20VUz0M9v; Mon, 2 Aug 2010 09:57:22 -0700 (PDT)
Received: from mxout-08.mxes.net (mxout-08.mxes.net [216.86.168.183]) by core3.amsl.com (Postfix) with ESMTP id 945973A657C; Mon, 2 Aug 2010 09:57:22 -0700 (PDT)
Received: from T60 (unknown [98.200.150.199]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 158FC509DB; Mon, 2 Aug 2010 12:57:48 -0400 (EDT)
From: Brian Smith <brian@briansmith.org>
To: yngve@opera.com
References: <op.u87n4tthqrq7tp@acorna> <op.vghzp61ivqd7e2@killashandra.oslo.osa> <AANLkTikh0EL0DygFFKC8L-Z406C_HsfatVSbti_Ur9x9@mail.gmail.com> <002101cb2e98$60d77230$22865690$@briansmith.org> <op.vgtbu4wmvqd7e2@killashandra.oslo.osa>
In-Reply-To: <op.vgtbu4wmvqd7e2@killashandra.oslo.osa>
Date: Mon, 02 Aug 2010 11:57:46 -0500
Message-ID: <008301cb3263$d61ee090$825ca1b0$@briansmith.org>
X-Mailer: Microsoft Outlook 14.0
MIME-Version: 1.0
Thread-Index: AQLMt6AH1k71n+68rUsiHq+hip1tpwGaMZvQAZA7Rw8DAkQgowGy1NntAV86fH0=
Content-Language: en-us
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_007E_01CB3239.EC02EB10"
Cc: pkix@ietf.org, tls@ietf.org
Subject: Re: [TLS] New version of Multiple OCSP mode of Certificate Status extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Aug 2010 16:57:24 -0000

Yngve Nysaeter Pettersen wrote:
> On Wed, 28 Jul 2010 23:03:44 +0200, Brian Smith <brian@briansmith.org>
> wrote:
> > Plus, it is a privacy issue. If you rely on the CAs to provide this
> > extension in their OCSP responses, then any CAs that want OCSP traffic
> > (for user tracking) can just omit the OCSP extension. The multiple OCSP
> > method lets the server improve the user's privacy without any
cooperation
> > from the CAs involved.
> 
> This issue will not be any different from the current situation; When they
> check OCSP, clients only check the site certificate. If they check
> revocation for intermediates they use CRLs. In fact, for Opera's part, we
> retrieve CRLs while verifying the certificate, OCSP after the certificate
> has been checked, so CRLs are more "dangerous" from that perspective.

Right. What I am saying is that your proposed extension would improve on the
current situation.

> As for your MITM scenario, if the intention is to detect which computers
> access a certain site, then the attacker will already have that
> information when he performs the MITM attack.

That is true, but often the case where Eve tells Malory that Alice did
something is less problematic than the case where Eve tricks Alice into
telling Malory herself. This would be the case when the MiTM is exploiting a
vulnerability in a web browser's OCSP and/or CRL processing. But even purely
a matter of privacy, it is something that should be avoided whenever
practical.

> Opera does not send or accept cookies in OCSP/CRL requests, so there would
> be no extra information available.

It still discloses information about the user's software (browser, operating
system, and some HTTP/TLS/networking settings), information about the user's
hardware, information about the user's location (via GEO-IP targeting),
information about the site that the user is trying to contact, the time at
which the user is attempting to contact the server. Over time, the CA can
build a profile of a user--including often his employer and/or home address,
possibly even uniquely identifying the user by name--simply using
information included in "anonymous" OCSP/CRL requests. The more certificates
the CA manages, the better a profile it can build of the user, more quickly.


Consequently, anything that can prevent the user from making OCSP and CRL
requests to the CA will be a significant privacy-enhancing improvement.

Regards,
Brian

v2.23.0 | Report a Bug | By Email