IETF Logo Mail Archive

Re: [TLS] TLS 1.3 and OCSP stapling

Ilari Liusvaara <ilariliusvaara@welho.com> Sat, 12 December 2015 10:46 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42A321A03D5 for <tls@ietfa.amsl.com>; Sat, 12 Dec 2015 02:46:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.31
X-Spam-Level:
X-Spam-Status: No, score=-1.31 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_34=0.6, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2N6_yFtGXW4q for <tls@ietfa.amsl.com>; Sat, 12 Dec 2015 02:46:04 -0800 (PST)
Received: from welho-filter3.welho.com (welho-filter3.welho.com [83.102.41.25]) by ietfa.amsl.com (Postfix) with ESMTP id 33F4F1A03A2 for <tls@ietf.org>; Sat, 12 Dec 2015 02:46:04 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id 9764C42E; Sat, 12 Dec 2015 12:46:02 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id eTBl5fKFnFe6; Sat, 12 Dec 2015 12:46:02 +0200 (EET)
Received: from LK-Perkele-V2 (87-92-35-116.bb.dnainternet.fi [87.92.35.116]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 4DC3E230D; Sat, 12 Dec 2015 12:46:02 +0200 (EET)
Date: Sat, 12 Dec 2015 12:45:58 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Martin Thomson <martin.thomson@gmail.com>
Message-ID: <20151212104558.GA6039@LK-Perkele-V2.elisa-laajakaista.fi>
References: <20151211185258.GA5451@LK-Perkele-V2.elisa-laajakaista.fi> <CABkgnnU5orJz4YRan1WT-0bMEd0WZ1d1Jow=XMG1Ru2m9H9dCQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CABkgnnU5orJz4YRan1WT-0bMEd0WZ1d1Jow=XMG1Ru2m9H9dCQ@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: ilariliusvaara@welho.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/JifEKAiT9EEAE5Fvl8nuky59u64>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS 1.3 and OCSP stapling
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Dec 2015 10:46:06 -0000

On Sat, Dec 12, 2015 at 03:54:36PM +1100, Martin Thomson wrote:
> I think that the best way to deal with the status_request_v2 extension
> is to make it a proper part of the TLS 1.3 messages, probably
> Certificate or CertificateVerify.  This is a fairly heavily important
> extension.

If one wants to incorporate it, I would think Certificate for two
reasons:

- So CertificateVerify signs it without hacks. It is easier to analyze
  things if the only thing not covered are the signature and Finished.
- Because Certificate message is modifed anyway for authentication
  contexts (CertificateVerify is not sent if the client refuses
  authentication, and server should be able to tell which
  authentication is refused).

Something like:

struct {
	opaque certificate_request_context<0..255>
	ASN1Cert certificate_list<0..2^24-1>
	opaque wrapped_status<0..2^24-1>
} Certificate;

Where wrapped_status payload is what would be the CertificateStatus
message payload (empty if CertificateStatus would not have been
sent).


-Ilari

v2.23.0 | Report a Bug | By Email