Re: [TLS] OCSP Stapling confusion

Martin Thomson <martin.thomson@gmail.com> Tue, 11 December 2018 00:50 UTC

References: <877egitcbv.fsf@fifthhorseman.net> <122F779A-6BF7-4B9F-8522-860E44C5FC00@akamai.com> <874lbltw4g.fsf@fifthhorseman.net>
In-Reply-To: <874lbltw4g.fsf@fifthhorseman.net>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 11 Dec 2018 11:50:34 +1100
Message-ID: <CABkgnnU0KwEQ0O8AAeFszc6j1S=V5=+MYSn0ka5zAGEDUdtRCw@mail.gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: "Salz, Rich" <rsalz@akamai.com>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/YafnV3dmhY3K6T1s2N8Xfa1NQbU>
Subject: Re: [TLS] OCSP Stapling confusion

On Tue, Dec 11, 2018 at 1:03 AM Daniel Kahn Gillmor
<dkg@fifthhorseman.net> wrote:
> I'd be interested in hearing the reasons enumerated.  It seems to me
> like being able to promptly revoke an intermediate certificate is a
> useful bit of mechanism.  Is it just because we hope the major browsers
> are clever and responsive enough that they'll push out a CRLset (or
> equivalent) when they hear of an intermediate that is found to be
> violating the BRs?

Yeah, from the browser side of things, we tend to rush out updates
when an intermediate is revoked.

I don't think that there is any reason we would prevent stapling in
TLS 1.3, other than the extensions being hard to plumb through.  NSS
throws them away and doesn't have an API surface for exposing the
information.  It's fairly tricky getting all this stuff where it is
needed.
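The "extensions" that have to be plumbed through in TLS 1.3 are the per-entry extensions of the Certificate message, where a staple can sit on any certificate in the chain, an intermediate included. As an added example (not code from this thread, NSS, or any browser), a parser that pulls the status_request staple out of each CertificateEntry; it assumes RFC 8446 encoding, and the sample bytes are constructed placeholders rather than real DER.

```python
# Added example: parser for the TLS 1.3 Certificate body (RFC 8446 s4.4.2). Each
# CertificateEntry carries its own extensions, so an intermediate can be stapled too.
STATUS_REQUEST = 5  # extension type (RFC 6066)
OCSP = 1            # CertificateStatus.status_type

def _vec(buf, pos, nlen):  # TLS vector with an nlen-byte length prefix -> (bytes, new_pos)
    n = int.from_bytes(buf[pos:pos + nlen], "big")
    if pos + nlen > len(buf) or pos + nlen + n > len(buf):
        raise ValueError("truncated vector")
    return buf[pos + nlen:pos + nlen + n], pos + nlen + n

def parse_certificate_body(body):
    """Return (certificate_request_context, [(cert_data, {ext_type: ext_data}), ...])."""
    ctx, pos = _vec(body, 0, 1)
    cert_list, pos = _vec(body, pos, 3)
    if pos != len(body):
        raise ValueError("trailing bytes after certificate_list")
    entries, p = [], 0
    while p < len(cert_list):
        cert_data, p = _vec(cert_list, p, 3)
        exts_blob, p = _vec(cert_list, p, 2)
        exts, q = {}, 0
        while q < len(exts_blob):
            ext_type = int.from_bytes(exts_blob[q:q + 2], "big")
            exts[ext_type], q = _vec(exts_blob, q + 2, 2)
        entries.append((cert_data, exts))
    return ctx, entries

def stapled_ocsp_responses(body):
    """Map entry index -> OCSPResponse bytes for every entry that carries a staple."""
    out = {}
    for i, (_, exts) in enumerate(parse_certificate_body(body)[1]):
        cs = exts.get(STATUS_REQUEST)
        if cs is None:
            continue  # this certificate has no staple
        if not cs or cs[0] != OCSP:
            raise ValueError("entry %d: unsupported status_type" % i)
        resp, end = _vec(cs, 1, 3)
        if end != len(cs) or not resp:
            raise ValueError("entry %d: malformed CertificateStatus" % i)
        out[i] = resp
    return out

# Constructed sample (placeholder bytes, not DER): leaf with a staple, then a bare intermediate.
def _u(n, x):  # length-prefixed vector with an n-byte length
    return len(x).to_bytes(n, "big") + x
def _entry(cert, ocsp=None):  # one CertificateEntry; staple only when ocsp is given
    cs = b"" if ocsp is None else STATUS_REQUEST.to_bytes(2, "big") + _u(2, bytes([OCSP]) + _u(3, ocsp))
    return _u(3, cert) + _u(2, cs)
SAMPLE_BODY = b"\x00" + _u(3, _entry(b"LEAF-CERT", b"OCSP-FOR-LEAF") + _entry(b"INTERMEDIATE-CERT"))
```

Running stapled_ocsp_responses(SAMPLE_BODY) yields {0: b"OCSP-FOR-LEAF"}; a chain whose intermediate also carries a staple yields an entry for index 1 as well.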