Re: [TLS] I-D Action: draft-ietf-tls-multiple-cert-status-extension-00.txt
Sean Turner <turners@ieca.com> Sat, 26 May 2012 20:08 UTC
Return-Path: <turners@ieca.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F173521F851E for <tls@ietfa.amsl.com>; Sat, 26 May 2012 13:08:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.765
X-Spam-Level:
X-Spam-Status: No, score=-102.765 tagged_above=-999 required=5 tests=[AWL=-0.500, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id emLZxi0zWgRM for <tls@ietfa.amsl.com>; Sat, 26 May 2012 13:08:08 -0700 (PDT)
Received: from gateway01.websitewelcome.com (gateway01.websitewelcome.com [69.56.212.19]) by ietfa.amsl.com (Postfix) with ESMTP id 474BE21F851C for <tls@ietf.org>; Sat, 26 May 2012 13:08:08 -0700 (PDT)
Received: by gateway01.websitewelcome.com (Postfix, from userid 5007) id CB0C970B89113; Sat, 26 May 2012 15:08:07 -0500 (CDT)
Received: from gator1743.hostgator.com (gator1743.hostgator.com [184.173.253.227]) by gateway01.websitewelcome.com (Postfix) with ESMTP id C085770B890F3 for <tls@ietf.org>; Sat, 26 May 2012 15:08:07 -0500 (CDT)
Received: from [71.191.15.83] (port=45176 helo=thunderfish.local) by gator1743.hostgator.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.77) (envelope-from <turners@ieca.com>) id 1SYNHT-00019q-5d for tls@ietf.org; Sat, 26 May 2012 15:08:07 -0500
Message-ID: <4FC13826.9010900@ieca.com>
Date: Sat, 26 May 2012 16:08:06 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20120428 Thunderbird/12.0.1
MIME-Version: 1.0
To: tls@ietf.org
References: <20120509153513.11861.32080.idtracker@ietfa.amsl.com>
In-Reply-To: <20120509153513.11861.32080.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator1743.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: (thunderfish.local) [71.191.15.83]:45176
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 1
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IxNzQzLmhvc3RnYXRvci5jb20=
Subject: Re: [TLS] I-D Action: draft-ietf-tls-multiple-cert-status-extension-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 May 2012 20:08:09 -0000
Yngve,
Thanks for getting this posted so quickly.
A lot of my comments are about supporting both OCSP and SCVP (OCSP being
the MTI). I think it would be good to future proof this spec a bit,
because I can see somebody coming down the trail later asking for it.
0) Move the requirements terminology to s1.1. The RFC editor will move
it so you might as well do it now.
1) abstract:
OLD:
Also defined is a new method
based on the Online Certificate Status Protocol (OCSP) that servers
can use to provide status information not just about the server's own
certificate, but also the status of intermediate certificates in the
chain.
NEW:
Also defined is a new method based that servers
can use to provide status information (i.e., Online Certificate Status
Protocol and Server-Based Certificate Validation Protocol) not just
about the server's own certificate, but also the status of
intermediate certificates in the chain.
2) s1: r/such as CRLs,/such as Certificate Revocation Lists (CRLs),
3) s1: Introduce OCSP and SCVP
OLD:
Second, the current format of the extension and
requirements in the TLS protocol prevents a client from offering the
server multiple status methods.
NEW:
Second, the current format of the extension and
requirements in the TLS protocol prevents a client from
offering the server multiple status methods; there are two
defined the Online Certificate Status Protocol (OCSP)
[RFC2560] and the Server-Based Certificate Validation
Protocol [RFC5055].
4) s1: contains the following:
Many Certification Authorities are now issuing intermediate CA
certificates that not only specify a CRL Distribution Point
[RFC5280], but also a URL for OCSP [RFC2560] Certificate Status
requests.
I think it makes sense to say where they're putting the OCSP URL:
Many CAs issue intermediate CA certificates that not
only specify the publication point for their CRLs in CRL
Distribution Point [RFC5280], but also specify a URL for their
OCSP server in Authority Information Access [RFC5280].
5) s1: I'd tweak the following a bit:
OLD:
Given that client-cached CRLs are frequently out of date,
using OCSP to access up-to-date status information about
intermediate CA certificates will be of great benefit to
clients.
NEW:
Given that client-cached CRLs are frequently out of date,
clients would benefit from using OCSP to access up-to-date
status information about intermediate CA certificates.
6) s1: Some more tweaking:
OLD:
For these reasons, it will be beneficial to use the TLS server to
provide the certificate status information not just for the server
certificate, but also for the intermediate CA certificates. This
will ...
NEW:
Clients will benefit from the TLS server providing certificate
status information regardless of type not just for the server
certificate but also for the intermediate CA certificates. Combining
the status checks in to one extension will ...
7) s1: Starting to like the idea of not using must if you don't have to:
r/it must be possible for clients to/client need to
8) s1: r/TLS Protocol/TLS Protocol [RFC5246]
r/PKIX infrastructure/PKIX infrastructure [RFC5280]
r/by using/using
9) s1: (no action required) I think the introduction will be helpful
during subsequent directorate/IESG reviews because it nicely explains
why the WG thinks the extension is needed.
10) s2.2: I think we can drop the "like":
r/certificate status protocol like OCSP/certificate status protocol
(i.e., OCSP and SCVP)
11) s2.2: Add SCVP ...
OLD:
struct {
CertificateStatusType status_type;
uint16 request_length; /* Length of request field in bytes */
select (status_type) {
case ocsp: OCSPStatusRequest;
case ocsp_multi: OCSPStatusRequest;
} request;
} CertificateStatusRequestItem;
NEW:
struct {
CertificateStatusType status_type;
uint16 request_length; /* Length of request field in bytes */
select (status_type) {
case ocsp: OCSPStatusRequest;
case ocsp_multi: OCSPStatusRequest;
case scvp: SCVPStatus Request;
} request;
} CertificateStatusRequestItem;
SCVP will allow you to send multiple certs in one request so I don't
think there's need for scvp_multi - unless we want to restrict scvp to
just be one and have a scvp_multi for more than one.
OLD:
enum { ocsp(1), ocsp_multi(YY), (255) } CertificateStatusType;
NEW:
enum { ocsp(1), ocsp_multi(YY), scvp (AA), (255)
} CertificateStatusType;
struct {
ResponderID responder_id_list<0..2^16-1>;
Extensions request_extensions;
} SCVPStatusRequest;
Going with the though that we'd send the same type of information in,
but this might be a bit simple minded.
Obviously a bunch of text is needed for this too, but I figure I'd hold
up here while we decide if this is the right approach.
12) s2.2/6: r/CCITT/ITU
For these I guess maybe move the X.690 reference earlier to the first
occurrence or just put it everywhere:
s2.2: r/DER encoding/DER [ITU.X.690.2002] encoding
s2.2: r/are DER-encoded ASN.1 types/
are DER-encoded [ITU.X.690.2002] ASN.1 types
13) s4.1: I'd add the following motherhood and apple pie:
The security considerations of [RFC2560] to OCSP requests
and responses.
spt
- [TLS] I-D Action: draft-ietf-tls-multiple-cert-st… internet-drafts
- Re: [TLS] I-D Action: draft-ietf-tls-multiple-cer… Sean Turner
- Re: [TLS] I-D Action: draft-ietf-tls-multiple-cer… Sean Turner
- [TLS] CRL Stapling? (was Re: I-D Action: draft-ie… Rob Stradling
- Re: [TLS] CRL Stapling? (was Re: I-D Action: draf… Martin Rex
- Re: [TLS] CRL Stapling? (was Re: I-D Action: draf… Eric Rescorla
- Re: [TLS] CRL Stapling? (was Re: I-D Action: draf… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] CRL Stapling? (was Re: I-D Action: draf… Jean-Marc Desperrier
- Re: [TLS] CRL Stapling? (was Re: I-D Action: draf… Martin Rex
- Re: [TLS] CRL Stapling? (was Re: I-D Action: draf… Geoffrey Keating
- Re: [TLS] CRL Stapling? (was Re: I-D Action: draf… Yngve Nysaeter Pettersen