Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Sun, 07 March 2021 23:48 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Nico Williams <nico@cryptonector.com>
CC: Peter Gutmann <pgut001@cs.auckland.ac.nz>, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, TLS List <tls@ietf.org>
Date: Sun, 07 Mar 2021 23:47:45 +0000
Message-ID: <63BDDF29-1E45-4D08-B549-E2C4982939E7@ll.mit.edu>
References: <20210305173516.GV30153@localhost> <701E874C-EA40-47FD-A4E4-C4C595E96337@ericsson.com> <CACsn0cmmKdR0-82DjrYZD5_CaF2bqwHnj07dM+Bnd-2aupU5QQ@mail.gmail.com> <CABcZeBP8wdmbO8DQPZ8e5CDZ76ioe3vzaJ+7YtQ74XZzcuxHmg@mail.gmail.com> <20210306061124.GY30153@localhost> <1615013752661.15146@cs.auckland.ac.nz> <20210306211036.GZ30153@localhost> <1615111060736.9067@cs.auckland.ac.nz> <20210307223534.GB30153@localhost> <12CE99EA-C55C-4327-A4DF-80734E6F1459@ll.mit.edu> <20210307234133.GD30153@localhost>
In-Reply-To: <20210307234133.GD30153@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/QyXB452R3Ls-vjN03akTXLXrIe8>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

    > >    > So instead of getting one chance a year for your control system to break
    > >    > itself if the renewal fails, you get hundreds of them?
    > >
    > >    Yes.  Exactly.  It's a human factors problem.  And this solution works.
    > 
    > With all due respect, *absolutely not*.

    I'm not sure what it is you're imagining.  What actually happens in the
    cases I'm familiar with is .  .  .  .  .

Well-put - the point being that the cases you're familiar with do not cover the entire spectrum of use cases. Specifically, they do not match *my* operating environment.

You may claim that my environment does not represent yours. Sure, fine. Similarly, *yours does NOT represent mine*.

And let's dispose with the "you're imagining" crap, shall we? I think we've known each other long enough to be more polite. Otherwise, suit yourself.