Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections

Peter Gutmann <pgut001@cs.auckland.ac.nz> Mon, 08 March 2021 03:45 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Benjamin Kaduk <bkaduk@akamai.com>
CC: "tls@ietf.org" <tls@ietf.org>
Date: Mon, 08 Mar 2021 03:45:16 +0000
Message-ID: <1615175116899.77667@cs.auckland.ac.nz>
References: <CACsn0cmmKdR0-82DjrYZD5_CaF2bqwHnj07dM+Bnd-2aupU5QQ@mail.gmail.com> <CABcZeBP8wdmbO8DQPZ8e5CDZ76ioe3vzaJ+7YtQ74XZzcuxHmg@mail.gmail.com> <20210306061124.GY30153@localhost> <1615013752661.15146@cs.auckland.ac.nz> <20210306211036.GZ30153@localhost> <1615111060736.9067@cs.auckland.ac.nz> <20210307223534.GB30153@localhost> <12CE99EA-C55C-4327-A4DF-80734E6F1459@ll.mit.edu> <YEVqToCtAMgT3Swu@straasha.imrryr.org> <1615173682710.74632@cs.auckland.ac.nz>,<20210308033123.GC25665@akamai.com>
In-Reply-To: <20210308033123.GC25665@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Pknv3yaSVOARrw_AJ50-q4TK9Ew>

Benjamin Kaduk <bkaduk@akamai.com> writes:

>Just to confirm: the scenario you're using to contrast to the one described
>by Viktor (and Nico) is a scenario in which the certificates expire at
>"never" (99991231235959Z)?

Not that "never" since it would break a lot of things, but some time far
enough in the future that you don't have to worry about it.  14 January 2038
was one I've seen used, but that was at a point when 2038 was still 20+ years
away and the equipment might have been expected to be EOL'd by then.  Not sure
what's being used now that the time to Y2038 is a lot less than the lifetime
of the equipment.

Peter.
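The two approaches discussed in this exchange, the RFC 5280 "no well-defined expiration" sentinel 99991231235959Z versus a concrete far-future date that may collide with the Y2038 limit, can be checked mechanically. The following is an added example, not code from the thread or from any of its participants: it parses a DER X.509 Validity time (UTCTime or GeneralizedTime), flags the sentinel, tests whether the date still fits a signed 32-bit time_t (which ends at 2038-01-19T03:14:07Z), and compares it with an assumed equipment end-of-life date. The notAfter values and the equipment EOL date in the demo are constructed for illustration.

```python
from datetime import datetime, timezone

# RFC 5280 section 4.1.2.5: a certificate with no well-defined expiration
# date carries the GeneralizedTime 99991231235959Z as notAfter.
NO_EXPIRY_SENTINEL = "99991231235959Z"

# Last instant representable as a signed 32-bit time_t (the Y2038 limit).
Y2038_LIMIT = datetime(2038, 1, 19, 3, 14, 7, tzinfo=timezone.utc)


def parse_x509_time(value: str) -> datetime:
    """Parse a DER X.509 Validity time.

    UTCTime is 13 characters (YYMMDDHHMMSSZ); RFC 5280 interprets YY >= 50 as
    19YY and YY < 50 as 20YY.  GeneralizedTime is 15 characters
    (YYYYMMDDHHMMSSZ).  Both must be in UTC and end with 'Z'.
    """
    if not value.endswith("Z"):
        raise ValueError("DER X.509 times must be expressed in UTC ('Z')")
    if len(value) == 13:  # UTCTime
        yy = int(value[0:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = value[2:12]
    elif len(value) == 15:  # GeneralizedTime
        year = int(value[0:4])
        rest = value[4:14]
    else:
        raise ValueError(f"unrecognised X.509 time encoding: {value!r}")
    month, day, hour, minute, second = (
        int(rest[i:i + 2]) for i in range(0, 10, 2)
    )
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def classify_not_after(value: str, equipment_eol: datetime) -> dict:
    """Describe the lifetime issues a given notAfter raises for a deployment.

    equipment_eol is the date the device running the certificate is expected
    to be retired (an assumption supplied by the caller).
    """
    not_after = parse_x509_time(value)
    return {
        "not_after": not_after.isoformat(),
        "rfc5280_no_expiry": value == NO_EXPIRY_SENTINEL,
        # A notAfter beyond this limit overflows 32-bit time_t on legacy
        # platforms, which is the "break a lot of things" failure mode.
        "fits_32bit_time_t": not_after <= Y2038_LIMIT,
        # A certificate that outlives the hardware never needs renewal in
        # practice; one that does not will need a rollover plan.
        "outlives_equipment": not_after > equipment_eol,
        # If the equipment itself is still in service after Y2038, picking a
        # 2038 notAfter merely moves the problem rather than avoiding it.
        "equipment_outlives_y2038": equipment_eol > Y2038_LIMIT,
    }


if __name__ == "__main__":
    # Constructed values: a device retired in 2045, and three candidate
    # notAfter encodings (UTCTime 2038, GeneralizedTime 2038, the sentinel).
    eol = datetime(2045, 1, 1, tzinfo=timezone.utc)
    for candidate in ("380114235959Z", "20380114235959Z", NO_EXPIRY_SENTINEL):
        print(candidate, classify_not_after(candidate, eol))
```

Running the demo shows that a 14 January 2038 notAfter still fits a 32-bit time_t, but that a device retired in 2045 outlives the Y2038 limit, so the certificate would need renewal on hardware that may no longer be maintained; the sentinel avoids renewal but fails the time_t check outright.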