Re: [TLS] OCSP must staple

Adam Langley <agl@google.com> Wed, 11 June 2014 23:10 UTC

In-Reply-To: <CAFewVt6qfqHW2Df=aXhmo-Fucvn_PUzM8NVQV-aYiH9Ttfhjmw@mail.gmail.com>
References: <20140528184735.GA20602@roeckx.be> <097101cf7aa7$17f960a0$47ec21e0$@digicert.com> <4AA8E7B7-A19D-4E65-AF18-C4D02A513652@ieca.com> <538EF79B.3000506@cs.tcd.ie> <CAMm+LwgTnva9jJgVfkaOZ1qP0Rk3w-mFfepnubosgtrCEARv=g@mail.gmail.com> <539069CC.5010304@cs.tcd.ie> <5390B1D6.5010105@nthpermutation.com> <CAFewVt6Pr8yjV8EbYLp1HQJfYMgq2LJMt4uQqZWKChR6p12Wtg@mail.gmail.com> <5390CA45.1050504@nthpermutation.com> <CAFewVt6qfqHW2Df=aXhmo-Fucvn_PUzM8NVQV-aYiH9Ttfhjmw@mail.gmail.com>
From: Adam Langley <agl@google.com>
Date: Wed, 11 Jun 2014 16:10:26 -0700
Message-ID: <CAL9PXLynTNZ2LSLFVBb_aqAvYSnqfBAH6gp6Wt=WmzNBXg9orw@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/JDqthfMVAlzK7rDvaruqnyaV7uQ
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] OCSP must staple

On Wed, Jun 11, 2014 at 3:49 PM, Brian Smith <brian@briansmith.org> wrote:
> * TLS intercepting proxies cause trouble.

In Chrome (and, I assume, Firefox) there's the concept of a
"non-public root" - i.e. a CA root that the user has installed. When
one is used on a connection we disable pinning. We could also disable
Must Staple.


Cheers

AGL
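As an added example that is not part of the original message or of Chrome's code, the policy described above (enforce pins and Must Staple only when the chain ends at a built-in public root, relax both behind a user-installed root) modelled in Python; the root bytes, fingerprints, host name and pin values are all constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER encoding (hex)."""
    return hashlib.sha256(der).hexdigest()

# Constructed stand-ins for root certificate DER bytes (not real certificates).
PUBLIC_ROOT_DER = b"constructed: publicly trusted root"
LOCAL_PROXY_ROOT_DER = b"constructed: user-installed interception root"

# Roots shipped with the browser are "public"; roots the user added are "non-public".
BUILTIN_ROOTS = {fingerprint(PUBLIC_ROOT_DER)}
USER_INSTALLED_ROOTS = {fingerprint(LOCAL_PROXY_ROOT_DER)}

# Constructed pin set: SPKI hashes a host is pinned to.
PINS = {"pinned.example.test": {"spki-A", "spki-B"}}

@dataclass
class VerifiedChain:
    root_der: bytes          # root the chain was built to
    spki_hashes: set         # SPKI hashes found anywhere in the chain
    must_staple: bool        # leaf carries the TLS Feature (status_request) extension
    stapled_ocsp: bool       # server sent a stapled OCSP response in the handshake

def root_is_public(root_der: bytes) -> bool:
    fp = fingerprint(root_der)
    if fp in BUILTIN_ROOTS:
        return True
    if fp in USER_INSTALLED_ROOTS:
        return False
    raise ValueError("chain does not end at a trusted root")

def evaluate(host: str, chain: VerifiedChain):
    """Return (accept, reason) for a chain that already passed path validation."""
    if not root_is_public(chain.root_der):
        # Non-public root (e.g. a local TLS-intercepting proxy): skip both checks.
        return True, "non-public root: pinning and Must Staple not enforced"
    pins = PINS.get(host)
    if pins and not pins & chain.spki_hashes:
        return False, "pin validation failed"
    if chain.must_staple and not chain.stapled_ocsp:
        return False, "Must Staple certificate presented without an OCSP staple"
    return True, "ok"
```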