Re: [TLS] OCSP must staple

"Jeremy Rowley" <> Mon, 09 June 2014 19:50 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id E6A831A02E3 for <>; Mon, 9 Jun 2014 12:50:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.953
X-Spam-Status: No, score=-4.953 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 55uwctNH7EhJ for <>; Mon, 9 Jun 2014 12:50:02 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id AA9871A02E2 for <>; Mon, 9 Jun 2014 12:50:02 -0700 (PDT)
Received: from JROWLEYL2 (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 3C6097FA217; Mon, 9 Jun 2014 13:50:02 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=mail; t=1402343402; bh=FjIeDvpgbwomhRbj1ueE3H33haJ7LmW9I8OuquadOLM=; h=From:To:Cc:References:In-Reply-To:Subject:Date; b=fU2cenkwBQQY9Rn2BiAzjJn8ayzcgBb8Cp2pRxT7Bju7YWYZu95iUl6t6UseWGi4d gLV9zEd+ZkLLPx+rFMJNLv54vVdwDT9+2H3ZI0lK80yHODV4eYtjzUdFM8qhyODPnq z4aYAA5seTZajHtoYUQBMPxR3q5TD5Q3pcKfQgZQ=
From: "Jeremy Rowley" <>
To: <>, "'Tom Ritter'" <>
References: <097101cf7aa7$17f960a0$47ec21e0$> <> <> <> <> <> <> <> <> <> <> <> <155f01cf82ce$7cfa8360$76ef8a20$> <> <> <>
In-Reply-To: <>
Date: Mon, 9 Jun 2014 13:50:01 -0600
Message-ID: <031701cf841c$00cab8b0$02602a10$>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJxv6HtmB9uk8Yt5wEeFHdRD1knoQEt2WjqAP+sMUYCHog9/QJH2PNTApX9AA0COSwKkwNalKqnAp4CcngB5F3w/QJ8kG4OAaygmc0CNMpOtAIE/YvOAdczQaACTQHEx5kmeskw
Content-Language: en-us
Subject: Re: [TLS] OCSP must staple
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 09 Jun 2014 19:50:05 -0000

I agree with Ryan.  In my view, if must staple is present, the server
operator is requiring a stapled response and specially requesting the client
not to communicate with the CA.  In that case, the connection should fail
instead of using a fallback. The RFC language already reflects this:

If the TLS status_request feature is specified in the TLS Feature
   extension and a TLS client specifies the status_request feature in
   the Client Hello, a server MUST return a valid OCSP token for the
   specified server's End Entity certificate in the response.

Also in Section 2:
The inclusion of a TLS feature extension advertising the
   status_request feature in the server end entity certificate permits a
   client to fail immediately if the certificate status information is
   not provided by the server.  


-----Original Message-----
From: TLS [] On Behalf Of Ryan Sleevi
Sent: Sunday, June 8, 2014 10:15 PM
To: Tom Ritter
Subject: Re: [TLS] OCSP must staple

On Sat, June 7, 2014 10:10 pm, Tom Ritter wrote:

>  While it looks some of the semantics of 'Must Staple', I think either  
> behavior could be acceptable for a client.  Either closing the 
> connection  without attempting to contact a OCSP server, or switching to a
'Hard Fail'
>  OCSP lookup.
>  I can imagine some servers deciding that they would want clients to 
> fail  if  they didn't send a staple, rather than leak the OCSP lookup 
> to the CA.  I  could imagine other servers wanting to hedge their bets 
> and have the  client  make an attempt before giving up.
>  I don't understand what you mean by the OCSP server rejcting them.

It's not really "must staple" if clients fall back to doing lookups, is it?
It's more like "should consider staple" (RFC 6919)

I would expect conforming clients to fail if must-staple is present but not
stapled. This includes ignoring OCSP cached responses, and prevents online

This interpretation is key among the reasons why Chrom{e/ium} has not
(yet) begun experimenting with must staple, since the APIs used don't offer
as much flexibility. However, that interpretation is exactly what ensures
interoperability - these sorts of "soft fallbacks" cause a number of issues,
as everyone in the TLS WG can attest to elsewhere (eg: TLS version rollback,
AIA chasing, etc)

TLS mailing list