Re: [TLS] OCSP Stapling in RFC 6066

"Fries, Steffen" <> Fri, 13 February 2015 09:58 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 3B3431A6EE8 for <>; Fri, 13 Feb 2015 01:58:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.55
X-Spam-Status: No, score=-6.55 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id JoRmO6NYmMis for <>; Fri, 13 Feb 2015 01:58:09 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 256301A3B9B for <>; Fri, 13 Feb 2015 01:58:08 -0800 (PST)
Received: from (localhost []) by (8.14.3/8.14.3) with ESMTP id t1D9w72T028225; Fri, 13 Feb 2015 10:58:07 +0100
Received: from ( []) by (8.14.3/8.14.3) with ESMTP id t1D9w6uI001033 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 13 Feb 2015 10:58:06 +0100
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Fri, 13 Feb 2015 10:58:06 +0100
Received: from ([]) by ([]) with mapi id 14.03.0224.002; Fri, 13 Feb 2015 10:58:05 +0100
From: "Fries, Steffen" <>
To: "" <>, Jeremy Harris <>
Thread-Topic: [TLS] OCSP Stapling in RFC 6066
Thread-Index: AQHQRvTzrFnZEWirmUqJHUTKVUgpb5zuUh8A
Date: Fri, 13 Feb 2015 09:58:05 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] OCSP Stapling in RFC 6066
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 13 Feb 2015 09:58:12 -0000

Martin, Jeremy,

to be frank, I checked RC 6961 before but did not mention it in my initial request. I did not see the option to also use the extension to transmit the OCSP information for the client certificate. Hence the question regarding applying the extension via the generic extensions mechanism. 

I see Martins point with the order of information sent, as when applied to the single TLS handshake, the client would have to know he has to authenticated using his certificate before getting the request from the server side for client authentication. This would be probably not such a problem for the target environment as here mutual authentication is always required. But for the generic approach your proposal using RFC 4680 looks promising, as in the second round the client could attach his OCSP responses to the ClientHello. But as you said, it comes with the burden of a second run of the handshake. 
There is some asymmetry, as the server basically sends his certificate and also the OCSP response(s) in his ServerHello message, while the client sends his certificate with the second handshake message, while extensions are defined for the ClientHello. But I would not see an easier way for now. 


-----Original Message-----
From: TLS [] On Behalf Of Martin Rex
Sent: Donnerstag, 12. Februar 2015 19:51
To: Jeremy Harris
Subject: Re: [TLS] OCSP Stapling in RFC 6066

Jeremy Harris wrote:
> Fries, Steffen wrote:
>> I've got a question to the OCSP stapling approach described in RFC 
>> 6066
> Why not jump directly to an RFC 6961 analogue?

Your observation is correct that the rfc6066 OCSP extension is limited to a single OCSP response for the server certificate, whereas the TLS extension defined in rfc6961 allows for multiple OCSP responses, including OCSP responses for CA certificates in the certificate chain of the server.

But there are a number of differences in the server and client authentication that make these two TLS extensions (or their approach) a bad fit for client certificate authentication.

For the server certificate, the Server's decision/choice for a specific server certificate happens (or at least can happen) while the server evaluates the TLS protocol options proposed in ClientHello and composed the ServerHello response _after_ making the selections of TLS protocol options.  So when the server composes the ServerHelloExtensions it knows which server certificate it is going to use and can insert the respective OCSP responses into ServerHello.

The situation is substantially different for the client, who has to include all TLS protocol options that are up for negotation upfront in ClientHello(Extensions).  At this point, the client does not know whether the server is going to request a client certificate at all, nor does the client know, which list of trusted certification_authorities or which algorithms the server supports and is going to select/request.

So the approach for conveying OCSP responses for the client certificate from the client to the server should probably be on the second batch of handshake messages from client to server in a full TLS handshake, such as using a "TLS Handshake Message for Supplemental Data" (rfc4680).
I agree that the rfc4680 approach is more code to implement, but such an approach would not break when the client has more than one client certificates or additional client certificates other than X.509.


TLS mailing list