Re: [TLS] New version of the TLS feature draft
Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 22 September 2014 22:45 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FB631A6F39 for <tls@ietfa.amsl.com>; Mon, 22 Sep 2014 15:45:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_40=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cs-CQgZsfnwa for <tls@ietfa.amsl.com>; Mon, 22 Sep 2014 15:45:40 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 068411A6F34 for <tls@ietf.org>; Mon, 22 Sep 2014 15:45:40 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id E1D7F2AAC74; Mon, 22 Sep 2014 22:45:38 +0000 (UTC)
Date: Mon, 22 Sep 2014 22:45:38 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20140922224538.GH13254@mournblade.imrryr.org>
References: <CAMm+Lwis74P+H1tiG+beRwqfejkRUrjwt82OLpPokJ0jRx_S8w@mail.gmail.com> <1409931283.1731.16.camel@dhcp-2-127.brq.redhat.com> <CA+cU71kRu2bWAtBvBCKNL29pvq=Hnj2Mx70yecS8NBTy_Aj=2A@mail.gmail.com> <1411032333.18523.18.camel@dhcp-2-127.brq.redhat.com> <CAMm+Lwj+n9HVCBToUYeS+FLctq+pTG99i+EeAmtThPq0AyJtvg@mail.gmail.com> <1411051138.18523.42.camel@dhcp-2-127.brq.redhat.com> <CAMm+Lwhx6uLmkn7sVshDNmjjHUiCyb6vL+zUiFsredcBtNAEmw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAMm+Lwhx6uLmkn7sVshDNmjjHUiCyb6vL+zUiFsredcBtNAEmw@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/QIAvY_wJxyi4kb9V6QAKM4I-SlE
Subject: Re: [TLS] New version of the TLS feature draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Sep 2014 22:45:41 -0000
On Mon, Sep 22, 2014 at 03:10:53PM -0400, Phillip Hallam-Baker wrote: > >> Given that we currently have a situation where the vast majority of > >> Web browsers are not PKIX compliant and ignore revocation information > >> completely and Web browsers are only one PKIX application, I don't > >> think it is appropriate to use a MUST here to direct how invalid > >> status is handled. > > > > Maybe not, but it makes sense to define what is valid and invalid. > > The problem statement of this draft as you set it is to close a door on > > a "downgrade" attack where no OCSP response is sent. However, if you > > don't define what is a secure connection to a server that supports OCSP > > status request, how can you claim to fix an attack? > > The draft is designed to allow the client to close the door on the > downgrade attack. That meets the problem statement, I think. I strongly agree, but perhaps we should provide a more detailed answer... Yes of course the draft can't mandate that the client must fail, since as you note the client might be doing opportunistic STARTTLS, and the TLS session should be established in that case, even if stapled data is missing or expired. Therefore, the TLS library cannot unconditionally enforce the requirements of the draft by shutting down the connection or the like. However the TLS library can and should signal a failure to verify the peer certificate chain. Clients that proceed despite such failure can continue to establish the session, while clients that want an authenticated peer may elect to abort the TLS session, or to complete it and then gracefully perform an application-level abort, ... So there is room to say that servers that fail to present an expected sufficiently fresh stapled OCSP response MUST NOT be considered to have a valid certificate chain. What happens after that is up to the application. Such a statement would help library implementors do the right thing, (signal verification failure) and avoid both inadvertently ignoring the problem as well as over-reaction that might needlessly degrade opportunistic clients to cleartext. -- Viktor.
- [TLS] New version of the TLS feature draft Phillip Hallam-Baker
- Re: [TLS] New version of the TLS feature draft Nikos Mavrogiannopoulos
- Re: [TLS] New version of the TLS feature draft Tom Ritter
- Re: [TLS] New version of the TLS feature draft Nikos Mavrogiannopoulos
- Re: [TLS] New version of the TLS feature draft Nikos Mavrogiannopoulos
- Re: [TLS] New version of the TLS feature draft Phillip Hallam-Baker
- Re: [TLS] New version of the TLS feature draft Phillip Hallam-Baker
- Re: [TLS] New version of the TLS feature draft Viktor Dukhovni
- Re: [TLS] [pkix] New version of the TLS feature d… Dr. Massimiliano Pala