Re: [TLS] OCSP must staple
Kyle Hamilton <aerowolf@gmail.com> Mon, 09 June 2014 07:24 UTC
Return-Path: <aerowolf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBFAC1A0004 for <tls@ietfa.amsl.com>; Mon, 9 Jun 2014 00:24:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t3Zl2O9bT1sU for <tls@ietfa.amsl.com>; Mon, 9 Jun 2014 00:24:31 -0700 (PDT)
Received: from mail-pa0-x22c.google.com (mail-pa0-x22c.google.com [IPv6:2607:f8b0:400e:c03::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B559D1A0002 for <tls@ietf.org>; Mon, 9 Jun 2014 00:24:31 -0700 (PDT)
Received: by mail-pa0-f44.google.com with SMTP id bj1so465289pad.3 for <tls@ietf.org>; Mon, 09 Jun 2014 00:24:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type; bh=Ie+hEHO94QcEG/lWun7qpf7xsM0LNezl1H7N87YkXKg=; b=p9/FixMc4zWlHSuJ+41m9y9nYsgtzSBR/hUtpq7OUVf+wYhgDHAKVP+HxsY15IAa+/ yIUFZd9hB5Agm7iucNV14ESHMj7iaxqnMlVKGdltyNIc+PHXxkZLK5JzgB5pynB1pjdC IYM+N61KXfXjBm2fOrs4ba8hMuS3n3/v2FNwnGe2sMjFBq+LJApzO4kpB5afKuQEdf/8 ShJBcOk7Q50QDO2Gm0yseDczZuRaBzf1CxbiZryux7hEsNjwx+Abpbo+ZxLFRGOcBgwY jsXa9FA/G15CfVJGWD/hr1tAbmUOlqpsvlRzVkEvTZv85p0YC4tWbkCSw5dTmKcPd1dC ITuw==
X-Received: by 10.66.219.6 with SMTP id pk6mr2951891pac.9.1402298671433; Mon, 09 Jun 2014 00:24:31 -0700 (PDT)
Received: from [192.168.254.10] (ip70-189-237-85.lv.lv.cox.net. [70.189.237.85]) by mx.google.com with ESMTPSA id ak1sm62300932pbc.58.2014.06.09.00.24.29 for <tls@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 09 Jun 2014 00:24:30 -0700 (PDT)
Message-ID: <5395612C.4080705@gmail.com>
Date: Mon, 09 Jun 2014 00:24:28 -0700
From: Kyle Hamilton <aerowolf@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: tls@ietf.org
References: <CAFewVt4p4rJ738Yo=XQm6T_jyvG3TnJsSQ5HDZDrqAkyNDa7tg@mail.gmail.com> <20140605173223.GK27883@mournblade.imrryr.org> <20140607164945.GA23329@roeckx.be> <20140607170619.GC27883@mournblade.imrryr.org> <2A0EFB9C05D0164E98F19BB0AF3708C7130F434F7A@USMBX1.msg.corp.akamai.com> <20140607184737.GD27883@mournblade.imrryr.org> <2A0EFB9C05D0164E98F19BB0AF3708C7130F434F7D@USMBX1.msg.corp.akamai.com> <155f01cf82ce$7cfa8360$76ef8a20$@digicert.com> <2A0EFB9C05D0164E98F19BB0AF3708C7130F434FB5@USMBX1.msg.corp.akamai.com> <539549A8.1040008@gmail.com> <20140609055414.GP27883@mournblade.imrryr.org>
In-Reply-To: <20140609055414.GP27883@mournblade.imrryr.org>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms080609000309080704020203"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/JpiiBO8f2_fF7dOMn0doL0E4PgA
Subject: Re: [TLS] OCSP must staple
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jun 2014 07:24:33 -0000
On 6/8/2014 10:54 PM, Viktor Dukhovni wrote: > On Sun, Jun 08, 2014 at 10:44:08PM -0700, Kyle Hamilton wrote: > >> On the other hand, I think that relying on a stapled response is perhaps >> shortsighted, as it potentially opens a window of vulnerability. Say >> the OCSP response is valid for 7 days (the maximum time that EV cert >> OCSP responses can be valid for) > The CA may well generate new CRLs (and associated OCSP responder > state) once every 7 days. Otherwise the OCSP response TTL should > be shorter, we should address the "right" problem. My assumption is that a new OCSP response SHALL be generated when the certificate's status changes, because it is up to the CA to provide authoritative information about records held by the CA. In other words, by not generating a new OCSP response when a certificate is revoked, the CA becomes complicit to any fraud done with that certificate until the old OCSP response expires. And, this completely ignores OCSP capacity to request a signature over a nonce. > That said there is no "right" upper bound for revocation latency. > Whatever "acceptable" limit you set, someone will always present > an argument along the lines of: >> if the cert is revoked on day 2, >> that's still 5 and change days of potential validity. This is the kind >> of vulnerability that clients can use the OCSP nonce extension to >> protect themselves from, but it only works if it's used and queried from >> the OCSP responder by the client itself. Thus, the proposal to prevent >> clients from checking OCSP from the source in the presence of an "OCSP >> must staple" extension is harmful to user security and thus wrong-minded. > One must be willing to accept some risk, and buy certificates from a > CA whose OCSP response validity interval poses an acceptable risk. One must also be able to set the level of risk that they accept. You're saying that there is a legal way that this can be taken out of their hands by the CA or by "common practice". The specifications appear to permit a means by which this risk can be short-circuited; however, you're asserting that "one must be willing to accept some risk", and thus apparently applying a "MUST NOT attempt to reduce risk beyond the CA's normally-provided limits" requirement. > We can debate whether 7 days for EV certs is too long or not, and > whether it should be adjusted down to 2 days or 2 hours, but the > fundamental problem remains, and is independent of "must staple". I used EV certificates only as an example. (I do believe that 7 days for EV is "too long", but that's beside the point.) I do agree that the fundamental problem remains, but the reason I don't see that it's independent of "must staple" is in light of your earlier assertion that "Well, the server was supposed to have stapled, so the OCSP server could in principle (knowing the server's certificate requires stapling) refuse to provide an unstapled response." in explanation of Yoaf Nir's query (paraphrased) "if the client tries the OCSP server on a must-staple certificate, will the OCSP server reject them?" Hypothetically speaking, that kind of back-end manipulation of "you can only have this much assurance" would make me not want to do business with anyone who insists on doing business with that CA; but, chances are (particularly for CAs for larger sites) I would quite often be forced to. I wish we had a means to present multiple certificate chains terminating in multiple end-entity certificates of multiple keys, all of which signed the single key presented and evidenced by the TLS peer. That way, any individual CA's policy to limit one's ability to reduce one's risk would be mitigated by the policies of other CAs that the site might decide to hire. But this has now gone far afield from "must staple". -Kyle H
- [TLS] OCSP must staple Kurt Roeckx
- Re: [TLS] OCSP must staple Jeremy Rowley
- Re: [TLS] OCSP must staple Sean Turner
- Re: [TLS] OCSP must staple Stephen Farrell
- Re: [TLS] OCSP must staple Stephen Farrell
- Re: [TLS] OCSP must staple Brian Smith
- Re: [TLS] OCSP must staple Tom Ritter
- Re: [TLS] OCSP must staple Viktor Dukhovni
- Re: [TLS] OCSP must staple Salz, Rich
- Re: [TLS] OCSP must staple Michael StJohns
- Re: [TLS] OCSP must staple Brian Smith
- Re: [TLS] OCSP must staple Michael StJohns
- Re: [TLS] OCSP must staple Phillip Hallam-Baker
- Re: [TLS] OCSP must staple Kurt Roeckx
- Re: [TLS] OCSP must staple Viktor Dukhovni
- Re: [TLS] OCSP must staple Kurt Roeckx
- Re: [TLS] OCSP must staple Salz, Rich
- Re: [TLS] OCSP must staple Viktor Dukhovni
- Re: [TLS] OCSP must staple Salz, Rich
- Re: [TLS] OCSP must staple Jeremy Rowley
- Re: [TLS] OCSP must staple Yoav Nir
- Re: [TLS] OCSP must staple Tom Ritter
- Re: [TLS] OCSP must staple Viktor Dukhovni
- Re: [TLS] OCSP must staple Peter Bowen
- Re: [TLS] OCSP must staple Tom Ritter
- Re: [TLS] OCSP must staple Salz, Rich
- Re: [TLS] OCSP must staple Ryan Sleevi
- Re: [TLS] OCSP must staple Kyle Hamilton
- Re: [TLS] OCSP must staple Viktor Dukhovni
- Re: [TLS] OCSP must staple Yoav Nir
- Re: [TLS] OCSP must staple Kyle Hamilton
- Re: [TLS] OCSP must staple Geoffrey Keating
- Re: [TLS] OCSP must staple Jeremy Rowley
- Re: [TLS] OCSP must staple Brian Smith
- Re: [TLS] OCSP must staple Adam Langley
- Re: [TLS] OCSP must staple Yoav Nir
- Re: [TLS] OCSP must staple Brian Smith
- Re: [TLS] OCSP must staple Kurt Roeckx
- Re: [TLS] OCSP must staple Brian Smith
- Re: [TLS] OCSP must staple Yoav Nir
- Re: [TLS] OCSP must staple Yoav Nir
- Re: [TLS] OCSP must staple Brian Smith
- Re: [TLS] OCSP must staple Yoav Nir
- Re: [TLS] OCSP must staple Rob Stradling
- Re: [TLS] OCSP must staple Yoav Nir