Re: [TLS] OCSP Must Staple

Tom Ritter <tom@ritter.vg> Wed, 23 October 2013 15:58 UTC

In-Reply-To: <CAMm+LwhG9FVEhRBUO5EqKUzGGLb3h3ZzxzgJobrAborn6Me83w@mail.gmail.com>
References: <CAMm+LwhG9FVEhRBUO5EqKUzGGLb3h3ZzxzgJobrAborn6Me83w@mail.gmail.com>
From: Tom Ritter <tom@ritter.vg>
Date: Wed, 23 Oct 2013 11:58:11 -0400
Message-ID: <CA+cU71nnf6-bPbQ-=OBHf2txttO0Ev3hfNwMc57aByZj=m0LnQ@mail.gmail.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: "tls@ietf.org" <tls@ietf.org>

I support this.  I would also like to seek to have it added to the
HTTP Strict Transport Security header as an option (same as
includeSubdomains), so that it can pin to the domain as well as the
certificate - although that may need to wait until this is
standardized and identifiers solidified.

-tom