Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections

John Mattsson <john.mattsson@ericsson.com> Fri, 05 March 2021 17:01 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: "Fries, Steffen" <steffen.fries@siemens.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections
Thread-Index: AQHXEeEgKe23eiCLoE+KwrPix1Q1lQ==
Date: Fri, 05 Mar 2021 17:01:04 +0000
Message-ID: <DE27E5E0-4AB9-4B53-92F6-1057015A8F6C@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/QpBRZx2cSYxp1NoyZ-IcWAWnmMI>
Subject: Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections

Hi,

I asked a very similar question a couple of weeks ago. Good to know that other people have similar problems.
https://mailarchive.ietf.org/arch/msg/tls/bo-_9gbNqNAlyzs2Opv16hLwt2k/

Cheers,
John


-----Original Message-----
From: TLS <tls-bounces@ietf.org> on behalf of "Fries, Steffen" <steffen.fries@siemens.com>
Date: Friday, 5 March 2021 at 15:02
To: "TLS@ietf.org" <tls@ietf.org>
Subject: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections

Hello all

I've got a question regarding the application of TLS 1.3 to protect long-lasting connections, specifically on the trigger to perform a revocation check for the certificates utilized in the handshake.

The background is that for securing TCP-based communication in power system automation we defined the application of TLS in IEC 62351-3. The document specifies how to use TLS v1.2 in this environment. As some of the connections are rather long-lasting, the document defines the usage of TLS session renegotiation at least every 24 hours, on the one hand to update the session key material and on the other to enforce the certificate verification from both sides (TLS is always used with mutual authentication), including the revocation check. The 24 hours were motivated by an expected CRL update once a day.

As TLS 1.3 is available, the consequent next step is to consider it also for power system automation. In TLS 1.3 session renegotiation is not available anymore. The session key update can easily be addressed by the post-handshake messages. For performing a certificate-based authentication during the session, I understood one could use the post-handshake authentication approach. But this seems to be available only for client-side authentication. Is there any option in TLS to also enforce a server-side authentication during an ongoing session? Again, the reason for a certificate-based authentication is to have a trigger for the revocation check of the certificates used in the initial handshake. If post-handshake certificate-based authentication is not supported in TLS 1.3, it would require a separate mechanism/process that checks the revocation state of the certificates utilized in the initial handshake.

Hence the question whether there is a feature in TLS 1.3 which would provide the functionality to invoke a mutual certificate-based authentication.

Best regards
Steffen

--
Steffen Fries
Siemens AG
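The "separate mechanism/process" Steffen mentions, as an added example that is not part of this thread or of IEC 62351-3: a Go program that re-checks the peer certificate kept from the initial TLS 1.3 handshake against a freshly fetched CRL, independently of the TLS session. How the CRL is fetched, which issuer certificate is used, and the 24 h CRL validity window are assumptions; `Fixture` builds a constructed CA, leaf and CRL so the check runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

// CheckPeer re-evaluates the cert the peer presented in the initial TLS 1.3 handshake against a
// freshly fetched DER CRL, outside TLS. A non-nil error means "unknown": re-fetch, do not assume good.
func CheckPeer(peer, issuer *x509.Certificate, crlDER []byte, now time.Time) (revoked bool, err error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(issuer) // the CRL must be signed by the cert's issuer
	}
	if err != nil {
		return false, err
	}
	if now.After(crl.NextUpdate) {
		return false, errors.New("CRL past NextUpdate: do not trust it")
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(peer.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// Fixture builds a constructed CA, a leaf with the given serial, and a CRL
// valid for 24 h that revokes serial 42. Test data only, not a real PKI.
func Fixture(leafSerial int64) (peer, ca *x509.Certificate, crlDER []byte, err error) {
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	_, leafKey, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, SubjectKeyId: []byte{1}}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caKey.Public(), caKey)
	ca, _ = x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(leafSerial), NotBefore: now, NotAfter: now.Add(time.Hour)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafKey.Public(), caKey)
	peer, _ = x509.ParseCertificate(leafDER)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: big.NewInt(42), RevocationTime: now}}}
	crlDER, err = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	return peer, ca, crlDER, err
}
```

An application would run `CheckPeer` on its own timer (e.g. once per expected CRL period) and close the connection and re-handshake when it reports revoked or cannot obtain a trustworthy CRL.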
