Re: [TLS] OCSP must staple

Brian Smith <brian@briansmith.org> Thu, 12 June 2014 23:44 UTC

In-Reply-To: <49B8F9EA-40C6-442D-9E7E-2B09E42CDCC1@gmail.com>
References: <20140528184735.GA20602@roeckx.be> <097101cf7aa7$17f960a0$47ec21e0$@digicert.com> <4AA8E7B7-A19D-4E65-AF18-C4D02A513652@ieca.com> <538EF79B.3000506@cs.tcd.ie> <CAMm+LwgTnva9jJgVfkaOZ1qP0Rk3w-mFfepnubosgtrCEARv=g@mail.gmail.com> <539069CC.5010304@cs.tcd.ie> <5390B1D6.5010105@nthpermutation.com> <CAFewVt6Pr8yjV8EbYLp1HQJfYMgq2LJMt4uQqZWKChR6p12Wtg@mail.gmail.com> <5390CA45.1050504@nthpermutation.com> <CAFewVt6qfqHW2Df=aXhmo-Fucvn_PUzM8NVQV-aYiH9Ttfhjmw@mail.gmail.com> <9E3DB9FD-2691-4CED-90A9-A024D7A4F4BA@gmail.com> <CAFewVt7YbTz9_NwBt_FDLpPog5sUGsE5GMYOgaZaJXCDkfOL5w@mail.gmail.com> <49B8F9EA-40C6-442D-9E7E-2B09E42CDCC1@gmail.com>
Date: Thu, 12 Jun 2014 16:44:28 -0700
Message-ID: <CAFewVt7naEVVVFsKLFK_pDSjw=N4K+ghNPEZDP41kvaL6OVbcg@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="047d7bdc878446796604fbac2404"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/QRY3XoXZRsU4OJVaEhOmiW1Epbw
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] OCSP must staple

On Thu, Jun 12, 2014 at 2:45 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:

>
> On Jun 12, 2014, at 9:21 PM, Brian Smith <brian@briansmith.org> wrote:
>
> Thanks for sharing that information. Does your product copy all the
> certificate policies from the original certificate into the forged
> certificate? If your product doesn't copy certificate policies it doesn't
> understand, then there wouldn't be an interop issue with your product and
> the use of certificate policies for Must-Staple, even if your product
> doesn't generate short-lived certificates.
>
> IIRC we don’t copy certificate policies at all, but I could be wrong.
>

It would be great to get a more definitive confirmation of that, not just
from you, but from other vendors of similar products.

> The thing is, a browser like Mozilla has to work with many different
> interceptors around, so there might be one that does copy all extensions,
> but doesn’t make short-lived certificates.
>

I agree there probably is one that is especially problematic like that.
But, it seems like we should actually find such a problematic one deployed
before we start limiting the usefulness of the feature to accommodate it.

Cheers,
Brian