Re: [TLS] OCSP must staple

Kurt Roeckx <kurt@roeckx.be> Thu, 12 June 2014 18:39 UTC

Date: Thu, 12 Jun 2014 20:39:38 +0200
From: Kurt Roeckx <kurt@roeckx.be>
To: Yoav Nir <ynir.ietf@gmail.com>
Message-ID: <20140612183938.GA8147@roeckx.be>
References: <097101cf7aa7$17f960a0$47ec21e0$@digicert.com> <4AA8E7B7-A19D-4E65-AF18-C4D02A513652@ieca.com> <538EF79B.3000506@cs.tcd.ie> <CAMm+LwgTnva9jJgVfkaOZ1qP0Rk3w-mFfepnubosgtrCEARv=g@mail.gmail.com> <539069CC.5010304@cs.tcd.ie> <5390B1D6.5010105@nthpermutation.com> <CAFewVt6Pr8yjV8EbYLp1HQJfYMgq2LJMt4uQqZWKChR6p12Wtg@mail.gmail.com> <5390CA45.1050504@nthpermutation.com> <CAFewVt6qfqHW2Df=aXhmo-Fucvn_PUzM8NVQV-aYiH9Ttfhjmw@mail.gmail.com> <9E3DB9FD-2691-4CED-90A9-A024D7A4F4BA@gmail.com>
In-Reply-To: <9E3DB9FD-2691-4CED-90A9-A024D7A4F4BA@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/TxaGI3niZZLaqGfZ8WEz61zfRk8
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] OCSP must staple

On Thu, Jun 12, 2014 at 12:02:40PM +0300, Yoav Nir wrote:
> Hi, Brian
> 
> Interesting stuff. Also good to hear that it's easy to implement, although mileages vary.
> 
> Regarding TLS proxies, I can give my perspective, as I work for one vendor. 
> 
> <hat type="vendor" status="on">
> Our fake certificates contain the DNs and alternate names from the original certificate. We don't copy over any extensions that we don't understand. The same is also true of TLS - we don't copy extensions we don't know. That is what allows our proxy to gracefully downgrade HTTP/2 or SPDY clients and gateways to HTTP/1.
> As for dates, these *are* copied from the original certificate, the reason is that this makes the client behavior similar to whatever it is with the original certificate. We did consider making the certificates short-lived, but decided against it. 
> </hat>

I'm wondering if it also strips things it doesn't know but are
marked critical.


Kurt
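An added illustration of the point raised above, not code from this thread or from any vendor's proxy: a minimal DER encoder/decoder for an X.509 Extensions list, plus the "copy only extensions we understand" rule applied to it, reporting which *critical* extensions would be silently lost in the re-issued certificate. The sample extensions are constructed here; the id-pe-tlsfeature OID is the real one from RFC 7633, and which extensions count as "known" is an assumption.

```python
def _tlv(tag, body):                       # DER TLV, short-form length only
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def _read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def extension(oid_body, value, critical=False):
    # Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    flag = _tlv(0x01, b"\xff") if critical else b""   # DER omits DEFAULT values
    return _tlv(0x30, _tlv(0x06, oid_body) + flag + _tlv(0x04, value))

def parse_extensions(der):
    _, seq, _ = _read_tlv(der, 0)
    pos, out = 0, []
    while pos < len(seq):
        _, ext, pos = _read_tlv(seq, pos)
        _, oid_body, p = _read_tlv(ext, 0)
        tag, body, p = _read_tlv(ext, p)
        critical = tag == 0x01                # BOOLEAN present => TRUE under DER
        if critical:
            _, body, p = _read_tlv(ext, p)    # the OCTET STRING follows the flag
        out.append((_decode_oid(oid_body), critical, body))
    return out

def proxy_copy_report(der, known):
    """Names the proxy would copy, and critical OIDs it would silently drop."""
    kept, dropped_critical = [], []
    for oid, critical, _ in parse_extensions(der):
        if oid in known:
            kept.append(known[oid])
        elif critical:      # RFC 5280: clients MUST reject an unknown critical ext,
            dropped_critical.append(oid)  # so stripping it hides the issuer's intent
    return kept, dropped_critical

# Constructed sample: SAN a.example, critical keyUsage, critical id-pe-tlsfeature (status_request=5)
SAMPLE = _tlv(0x30,
    extension(b"\x55\x1d\x11", _tlv(0x30, _tlv(0x82, b"a.example")))
    + extension(b"\x55\x1d\x0f", _tlv(0x03, b"\x05\xa0"), critical=True)
    + extension(b"\x2b\x06\x01\x05\x05\x07\x01\x18", _tlv(0x30, _tlv(0x02, b"\x05")), critical=True))
KNOWN = {"2.5.29.17": "subjectAltName", "2.5.29.15": "keyUsage"}
```

With this `KNOWN` set the report keeps subjectAltName and keyUsage and lists the TLS Feature extension as a dropped critical extension; adding its OID to `KNOWN` empties that list.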