Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections
John Mattsson <john.mattsson@ericsson.com> Fri, 05 March 2021 17:01 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/QpBRZx2cSYxp1NoyZ-IcWAWnmMI>
Hi,

I asked a very similar question a couple of weeks ago. Good to know that other people have similar problems.

https://mailarchive.ietf.org/arch/msg/tls/bo-_9gbNqNAlyzs2Opv16hLwt2k/

Cheers,
John

-----Original Message-----
From: TLS <tls-bounces@ietf.org> on behalf of "Fries, Steffen" <steffen.fries@siemens.com>
Date: Friday, 5 March 2021 at 15:02
To: "TLS@ietf.org" <tls@ietf.org>
Subject: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections

Hello all,

I've got a question regarding the application of TLS 1.3 to protect long-lasting connections, specifically on the trigger to perform a revocation check for the certificates utilized in the handshake.

The background is that for securing TCP-based communication in power system automation we defined the application of TLS in IEC 62351-3. The document specifies how to use TLS v1.2 in this environment. As some of the connections are rather long-lasting, the document defines the usage of TLS session renegotiation at least every 24 hours, on one hand to update the session key material and on the other to enforce the certificate verification from both sides (TLS is always used with mutual authentication), including the revocation check. The 24 hours were motivated by an expected CRL update once a day.

As TLS 1.3 is available, the consequent next step is to consider it for power system automation as well. In TLS 1.3 session renegotiation is not available anymore. The session key update can easily be addressed by the post-handshake messages. For performing a certificate-based authentication during the session, I understood one could use the post-handshake authentication approach, but this seems to be available only for client-side authentication. Is there any option in TLS to also enforce a server-side authentication during an ongoing session? Again, the reason for a certificate-based authentication is to have a trigger for the revocation check of the certificates used in the initial handshake.

If post-handshake certificate-based authentication is not supported in TLS 1.3, it would require a separate mechanism/process that checks the revocation state of the certificates utilized in the initial handshake. Hence the question whether there is a feature in TLS 1.3 which would provide the functionality to invoke a mutual certificate-based authentication.

Best regards
Steffen

--
Steffen Fries
Siemens AG
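Both messages above come down to the same gap: TLS 1.3 has KeyUpdate for key rotation and post-handshake authentication for the client only, so a long-lived mutually authenticated connection has no in-protocol trigger to re-validate the server's certificate, and Steffen's fallback is "a separate mechanism/process that checks the revocation state" on the same 24-hour cadence as the CRL publication. The Go program below is an added example of such a process; it is not code from either poster, from the IETF TLS working group or from IEC 62351-3. It builds a throwaway CA, two constructed leaf certificates (serials 1001 and 1002, names rtu-01.example and scada-master.example) and a CRL with a 24-hour validity window, then runs the re-check for a peer that was revoked after the handshake, a peer that was not, and a peer checked after the CRL has gone stale. Everything in it is Go standard library (crypto/x509 `ParseRevocationList` and `RevocationList.CheckSignatureFrom`, which assume Go 1.19 or newer).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Status is the outcome of a periodic revocation re-check on an established,
// long-lived connection.
type Status int

const (
	StatusGood    Status = iota // serial absent from a fresh, authentic CRL
	StatusRevoked               // serial listed: tear the connection down
	StatusUnknown               // CRL stale, unparseable or not from the issuer
)

func (s Status) String() string { return [...]string{"good", "revoked", "unknown"}[s] }

// makeCert signs tmpl with parentKey (self-signed when parent is nil) and returns
// the parsed certificate plus its fresh P-256 key. Throwaway PKI for this example.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// leafTemplate describes an end-entity certificate usable on either side of a
// mutually authenticated TLS connection (serial and name are constructed).
func leafTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(30 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
}

// buildCRL signs a CRL listing the given serials, valid for the once-a-day
// publication interval the thread mentions.
func buildCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, thisUpdate time.Time, revoked []*big.Int) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: thisUpdate})
	}
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: thisUpdate, NextUpdate: thisUpdate.Add(24 * time.Hour),
		RevokedCertificates: entries,
	}, ca, caKey)
}

// CheckPeerRevocation is the out-of-band re-check that stands in for the TLS 1.2
// renegotiation trigger: confirm the peer chains to issuer, confirm the CRL is
// signed by that issuer and is inside its validity window, then look the peer
// serial up. Anything short of a fresh, authentic CRL is Unknown, never Good.
func CheckPeerRevocation(peer, issuer *x509.Certificate, crlDER []byte, now time.Time) (Status, error) {
	if err := peer.CheckSignatureFrom(issuer); err != nil {
		return StatusUnknown, err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return StatusUnknown, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return StatusUnknown, err
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return StatusUnknown, errors.New("CRL is outside its thisUpdate/nextUpdate window")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(peer.SerialNumber) == 0 {
			return StatusRevoked, nil
		}
	}
	return StatusGood, nil
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// Scenario runs the daily re-check against a server certificate revoked after the
// handshake, a client certificate that was not, and that same client certificate
// once the CRL has gone stale (25 h after publication).
func Scenario() (revoked, valid, stale Status) {
	ca, caKey, err := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Substation CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, // IsCA makes CreateCertificate add the SubjectKeyId CRL signing needs
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	check(err)
	server, _, err := makeCert(leafTemplate(1001, "rtu-01.example"), ca, caKey)
	check(err)
	client, _, err := makeCert(leafTemplate(1002, "scada-master.example"), ca, caKey)
	check(err)
	published := time.Now()
	crl, err := buildCRL(ca, caKey, published, []*big.Int{server.SerialNumber}) // server revoked after the handshake
	check(err)
	revoked, err = CheckPeerRevocation(server, ca, crl, published.Add(time.Hour))
	check(err)
	valid, err = CheckPeerRevocation(client, ca, crl, published.Add(time.Hour))
	check(err)
	stale, _ = CheckPeerRevocation(client, ca, crl, published.Add(25*time.Hour)) // the error is the expected outcome
	return
}

func main() {
	revoked, valid, stale := Scenario()
	fmt.Println("revoked server cert:", revoked, "| valid client cert:", valid, "| stale CRL:", stale)
}
```

The design choice that matters for the 24-hour cadence is the third case: a CRL past its nextUpdate returns Unknown rather than Good, so a monitoring process that misses a CRL refresh cannot silently keep a revoked peer connected. In deployment the caller would run CheckPeerRevocation on a timer against the certificates captured at the initial handshake and close the connection on Revoked, with Unknown handled per the site's fail-open or fail-closed policy; KeyUpdate still covers the key-rotation half of what renegotiation used to do.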