IETF Logo Mail Archive

Re: [TLS] Status of X.509v3 TLS Feature Extension?

mrex@sap.com (Martin Rex) Mon, 28 April 2014 17:42 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FBC71A6F9B for <tls@ietfa.amsl.com>; Mon, 28 Apr 2014 10:42:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.952
X-Spam-Level:
X-Spam-Status: No, score=-5.952 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, J_CHICKENPOX_34=0.6, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tSR08KuB796P for <tls@ietfa.amsl.com>; Mon, 28 Apr 2014 10:42:43 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 5A3C11A6F54 for <tls@ietf.org>; Mon, 28 Apr 2014 10:42:43 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id s3SHge1l020259 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <tls@ietf.org>; Mon, 28 Apr 2014 19:42:41 +0200 (MEST)
In-Reply-To: <20140428162459.GZ27883@mournblade.imrryr.org>
To: tls@ietf.org
Date: Mon, 28 Apr 2014 19:42:40 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20140428174240.E04D21ACE1@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/PunuYoWXlGm6dbxGrGYEF6Ja7lM
Subject: Re: [TLS] Status of X.509v3 TLS Feature Extension?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Apr 2014 17:42:45 -0000

Viktor Dukhovni wrote:
>
>Salz, Rich wrote:
>> 
>> Well RFC 6066 says "only one OCSP response may be sent" and while
>> RFC 2560 allows multiple answers, it says that they are a "response
>> for each of the certificates in the request."  Since the server's
>> SSL cert is implied by 6066, and since there is no other way to
>> specify additional certs, then the answer to your questions would
>> be "just the leaf."
> 
> Which leaves the intermediate CAs out of scope...  I plan to continue
> to treat CRLs, OCSP and OCSP stapling as variants of the emperor's
> new clothes.

There exist 2 different TLS extension for OCSP responses.

Old Single OCSP response:  rfc6066 (originally defined in rfc3546)

New Multiple OCSP responses: rfc6961 

https://tools.ietf.org/html/rfc6961


>>Viktor Dukhovni wrote:
>>> 
>>> What's the point if it does not fail-closed?  The client insists
>>> that the server provide an OCSP response, but then does not validate
>>> it (some notion of freshness is surely part of validation, but no
>>> freshness algorithm is indicated).

With fail-closed you probably mean "fail-hard"?

EV certs seem to be able to provide a benefit without "fail-hard".

It is difficult to define a global/universal guaranteed service
quality for the OCSP responder service of the CA, and it is
difficult to define a minimum service quality for the server,
in which time an admin will notice and fix a problem with the
OCSP response refreshing of his server.

It is really a client-side local policy issue.  The client could
also perform OCSP request itself for the server's cert (chain),
whenever it does not consider the server's response "fresh enough".


There are two possible "attack" scenarios:

(1) the attacker steals (or breaks) the server's real key&cert,
    so that the Certificate extension will indicate whatever the
    original admin requested when he purchased the certificate

(2) the attacker manages to subvert the RA process of a public CA
    and gets a different cert without the certificate extension issued.

A fail-hard on the certificate extension can not protect you from (2).


-Martin

v2.23.0 | Report a Bug | By Email