Re: [TLS] OCSP must staple

Michael StJohns <msj@nthpermutation.com> Thu, 05 June 2014 19:51 UTC

Message-ID: <5390CA45.1050504@nthpermutation.com>
To: Brian Smith <brian@briansmith.org>
References: <20140528184735.GA20602@roeckx.be> <097101cf7aa7$17f960a0$47ec21e0$@digicert.com> <4AA8E7B7-A19D-4E65-AF18-C4D02A513652@ieca.com> <538EF79B.3000506@cs.tcd.ie> <CAMm+LwgTnva9jJgVfkaOZ1qP0Rk3w-mFfepnubosgtrCEARv=g@mail.gmail.com> <539069CC.5010304@cs.tcd.ie> <5390B1D6.5010105@nthpermutation.com> <CAFewVt6Pr8yjV8EbYLp1HQJfYMgq2LJMt4uQqZWKChR6p12Wtg@mail.gmail.com>
In-Reply-To: <CAFewVt6Pr8yjV8EbYLp1HQJfYMgq2LJMt4uQqZWKChR6p12Wtg@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/XuH-fc2SJsyBOP4fCMxxh6mXcbw
Cc: "<tls@ietf.org>" <tls@ietf.org>

On 6/5/2014 3:12 PM, Brian Smith wrote:
> Is it really significantly easier for CAs to add new certificate 
> policies compared to adding new certificate extensions? I could see 
> how that could be the case, but I think it would be good to hear from 
> CAs about this.

Mostly the "put a policy object in the ca certificate" reduces to 
"configure the text string of the OIDs you want to include". 
https://www.openssl.org/docs/apps/x509v3_config.html#Certificate_Policies_ 
for example.

The certificate policy extension is pretty well formed, which means that 
it's pretty easy to specify in configuration language (e.g. xml, 
label=value) what you want to be included rather than having to go back 
and add new ASN.1 encode/decode/translate to and from string logic. 
Things like Dogtag and EJBCA support it via a gui.
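An added example, not from the thread or from OpenSSL, to make the "well formed" point concrete: without policy qualifiers, certificatePolicies is nothing but a SEQUENCE of PolicyInformation, each holding one policyIdentifier OID, so a CA's configuration only has to carry the OID strings (in OpenSSL x509v3_config that is the one line `certificatePolicies = 2.23.140.1.2.1, 1.3.6.1.4.1.99999.1.1` under the v3 extensions section). The block below is a stdlib-only DER encoder and decoder for exactly that shape, with the parser checking the things a certificate parser must check (minimal lengths, truncated sub-identifiers, expected tags). The OID 2.23.140.1.2.1 is the CA/Browser Forum domain-validated policy; 1.3.6.1.4.1.99999.1.1 is a hypothetical private-enterprise arc used only as sample input.

```python
"""Encode/decode the X.509 certificatePolicies extension (no qualifiers).

Added example, not code from the original mailing-list post or from OpenSSL.
certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
PolicyInformation   ::= SEQUENCE { policyIdentifier OBJECT IDENTIFIER,
                                   policyQualifiers ... OPTIONAL }
Qualifiers (CPS URI, user notice) are the part that needs real ASN.1
tooling; they are deliberately left out, which is why a list of OID
strings is all the configuration a CA needs for the common case.
"""

TAG_OID = 0x06       # X.690 universal tag: OBJECT IDENTIFIER
TAG_SEQUENCE = 0x30  # X.690 universal tag: SEQUENCE (constructed)


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, minimal long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(value)) + value


def encode_oid(dotted: str) -> bytes:
    """Dotted OID string -> DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    out = bytearray()
    for sid in subids:
        # base-128, most significant group first, continuation bit on all but the last
        groups = [sid & 0x7F]
        sid >>= 7
        while sid:
            groups.append(0x80 | (sid & 0x7F))
            sid >>= 7
        out.extend(reversed(groups))
    return _tlv(TAG_OID, bytes(out))


def encode_certificate_policies(oids: list) -> bytes:
    """List of policy OID strings -> DER certificatePolicies value."""
    if not oids:
        raise ValueError("certificatePolicies needs at least one policy")
    infos = b"".join(_tlv(TAG_SEQUENCE, encode_oid(o)) for o in oids)
    return _tlv(TAG_SEQUENCE, infos)


def _read_tlv(buf: bytes, pos: int):
    """Parse one TLV at pos -> (tag, value, next_pos); rejects non-minimal lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal DER length")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:end], end


def decode_oid(value: bytes) -> str:
    """DER OBJECT IDENTIFIER content octets -> dotted string."""
    if not value or value[-1] & 0x80:
        raise ValueError("empty or truncated OID sub-identifier")
    arcs, acc, start = [], 0, True
    for b in value:
        if start and b == 0x80:
            raise ValueError("non-minimal OID sub-identifier")
        acc = (acc << 7) | (b & 0x7F)
        start = not (b & 0x80)
        if start:
            arcs.append(acc)
            acc = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def decode_certificate_policies(der: bytes) -> list:
    """DER certificatePolicies value -> list of policy OID strings (qualifiers ignored)."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected a single outer SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid, _ = _read_tlv(info, 0)  # first element is policyIdentifier
        if tag != TAG_OID:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(decode_oid(oid))
    if not oids:
        raise ValueError("empty certificatePolicies")
    return oids


if __name__ == "__main__":
    # Sample input (constructed): a real CA/B Forum DV OID plus a hypothetical private arc.
    der = encode_certificate_policies(["2.23.140.1.2.1", "1.3.6.1.4.1.99999.1.1"])
    print(der.hex(), decode_certificate_policies(der))
```

The encoder is the whole "ASN.1 logic" a CA needs for this extension, which is why a GUI or a label=value line can drive it; adding a qualifier type, by contrast, means new structures on both the encode and decode side.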