Re: [TLS] Fwd: New Version Notification for draft-pettersen-tls-ext-multiple-ocsp-03.txt
"Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com> Wed, 11 April 2012 14:20 UTC
Return-Path: <yngve@opera.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 480B021F858B for <tls@ietfa.amsl.com>; Wed, 11 Apr 2012 07:20:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m7PYylljftLn for <tls@ietfa.amsl.com>; Wed, 11 Apr 2012 07:20:21 -0700 (PDT)
Received: from smtp.opera.com (smtp.opera.com [213.236.208.81]) by ietfa.amsl.com (Postfix) with ESMTP id 7BEA221F8582 for <tls@ietf.org>; Wed, 11 Apr 2012 07:20:21 -0700 (PDT)
Received: from acorna.oslo.osa (pat-tdc.opera.com [213.236.208.22]) (authenticated bits=0) by smtp.opera.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id q3BEKE0k005870 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 11 Apr 2012 14:20:16 GMT
Content-Type: text/plain; charset="iso-8859-15"; format="flowed"; delsp="yes"
To: Sean Turner <turners@ieca.com>
References: <20120306124950.6304.36237.idtracker@ietfa.amsl.com> <op.waq2hefjqrq7tp@acorna.invalid.invalid> <4F835685.5060103@ieca.com>
Date: Wed, 11 Apr 2012 16:20:14 +0200
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
Organization: Opera Software AS
Message-ID: <op.wclt30g0qrq7tp@acorna.oslo.osa>
In-Reply-To: <4F835685.5060103@ieca.com>
User-Agent: Opera Mail/10.63 (Win32)
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Fwd: New Version Notification for draft-pettersen-tls-ext-multiple-ocsp-03.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Apr 2012 14:20:26 -0000
Hello Sean, Thanks for these comments. Adopted most. Comments inline on the rest On Mon, 09 Apr 2012 23:37:09 +0200, Sean Turner <turners@ieca.com> wrote: > <no hat> > > Yngve, > > Here are some comments on the draft (hopefully this will encourage > others to also read it): <snip> > 4. The RFC editor will move the "requirements language" paragraph to the > main body so you might as well do it now. Move it to s1.1. The placement of that section is the default used by the xml2rfc template implemented by the XMLmind extension, as part of the "front matter" section of the file. This means that the initial location is determined by the template, and is that way for everyone using that template. non-WG: It might be that the xml2rfc extension developers and the RFC Editor should coordinate? Since the "empty" template already adds several sections, such as the Introduction and IANA sections, moving the note into the introduction section of the template might solve the issue. At present I'll leave it where it is. > 5. The copy right notice section contains the pre-5378 paragraph, but > the draft first appeared after 5378 was published. Is there some bits > in here that are copied from 5246 or somewhere else? If not, then you > can delete that para. The text is based on the relevant RFC 6066 text (taken from the draft), but that RFC is again based on RFC 4366, with only a few differences in that section. RFC 6066 also contain the same pre-5378 licensing language, so I therefore think it is necessary to include it, unless I am told otherwise by those better versed in the licensing rules. <snip> > 13. s1: I guess I'd tweak the following a bit: > > OLD: > > The author is aware that the cost of providing this bandwidth > just for site certificates has been a concern to some CAs, > particularly the smaller ones, and it follows naturally that doubling > or tripling this cost could be problematic for the CAs. The author > is also aware of at least one case when OCSP requests for a single > high-traffic site caused significant network problems for the issuing > CA. > > NEW: > > CAs should be aware that there is a cost associated with providing > bandwidth to support OCSP. There are cases where OCSP requests for a > single > high-traffic site caused significant network problems for the issuing > CA. My intention here was to make it clear who the source is. In talks with CAs the bandwidth cost have been a concern for several CAs, particularly the smaller ones. I forgot to mention this during my presentation to the WG, but recent numbers from CAs indicate that about 30% of the OCSP traffic is for intermediate CA cert status requests. There are currently two clients AFAIK, FF and Chrome, that request OCSP for intermediates. Those two make up about 40% of the browser market, so there is at least some caching benefit. I changed the text from The benefit to the issuing CA is less clear, as providing the bandwidth for the OCSP responder can be costly, especially for CAs with many subscriber sites. The author is aware that the cost of providing this bandwidth just for site certificates has been a concern to some CAs, particularly the smaller ones, and it follows naturally that doubling or tripling this cost could be problematic for the CAs. The author is also aware of at least one case when OCSP requests for a single high-traffic site caused significant network problems for the issuing CA. to The benefit to the issuing CA is less clear, as providing the bandwidth for the OCSP responder can be costly, especially for CAs with many high traffic subscriber sites, and this cost is a concern for many CAs. There are cases where OCSP requests for a single high-traffic site caused significant network problems for the issuing CA. How does that look? <snip> > 17. s2.2: So OCSP is definitely used a lot more than SCVP, but it is the > other status protocol. Should we just add it now? Could be; I am, however, unfamiliar with SCVP, but if the WG wants it added, and I am provided additional text as a starting point, then I can include it. Adding SCVP will probably require some editorial reorganization of section 2, splitting it into an overall format, an OCSP, and a SVCP subsection. > 18. s2.2: Need a normative reference for DER. Use the x680/x690 > references from 5246. Added. The "misc" citation entry had rather long names, though: CCITT.X680.2002 > 19. s2.2: The nonce extension encoding is being fixed. I sure hope > it'll get done sooner rather than later. Note that the bis draft does > define the encoding as an OCTET STRING so it's aligned. Given performance issues, as a nonce require signing of each response, most responders do not AFAIK enable support for nonces, and while Opera supported it at one time, we have since removed it. In relation to stapling using nonces would almost certainly remove most of the performance benefit. > 20. Hmmm should this draft reference draft-ietf-pkix-rfc2560bis instead > of RFC 2560? Depends on which get finished first. At present I think we should keep them separate, just to be on the safe side. If 2560bis is completed first we can update the reference then. > 21. s2.2: r/[RFC2560]) ./[RFC2560]). > > 22. s2.2: r/that is,/That is, > > 23. s.2.2: Why the MUST NOT here: > > The list MAY > contain fewer OCSP responses than there were certificates in the > Certificate handshake message, but there MUST NOT be more responses > than there were certificates in the list Strictly speaking it does not need to be MUST NOT, but I suspect that in such a case there would be something wrong about the server configuration. AT the very least, the document should define handling of such a case It could be changed to a requirement that the response must only be used to check the corresponding certificate list element, and ignore responses that does not have a corresponding certificate in the list. Requiring the sequence of the lists to match means that if certificate lists that are non-compliant, containing extra or unordered certificates, the client does not have to try to match responses to certificates (an n^2 operation). Thoughts? > spt > > </no hat> > > On 3/6/12 8:01 AM, Yngve N. Pettersen (Developer Opera Software ASA) > wrote: >> >> FYI >> >> <http://www.ietf.org/id/draft-pettersen-tls-ext-multiple-ocsp-03.txt> >> >> ------- Forwarded message ------- >> From: internet-drafts@ietf.org >> To: yngve@opera.com >> Cc: >> Subject: New Version Notification for >> draft-pettersen-tls-ext-multiple-ocsp-03.txt >> Date: Tue, 06 Mar 2012 13:49:50 +0100 >> >> A new version of I-D, draft-pettersen-tls-ext-multiple-ocsp-03.txt has >> been successfully submitted by Yngve N. Pettersen and posted to the IETF >> repository. >> >> Filename: draft-pettersen-tls-ext-multiple-ocsp >> Revision: 03 >> Title: Adding Multiple TLS Certificate Status Extension requests >> Creation date: 2012-03-06 >> WG ID: Individual Submission >> Number of pages: 9 >> >> Abstract: >> This document introduces a replacement of the TLS Certificate Status >> Extension to allow clients to specify and support multiple >> certificate status methods. Also being introduced is a new OCSP- >> based method that servers can use to provide status information not >> just about the server's own certificate, but also the status of >> intermediate certificates in the chain. >> >> >> >> >> >> The IETF Secretariat >> >> -- Sincerely, Yngve N. Pettersen ******************************************************************** Senior Developer Email: yngve@opera.com Opera Software ASA http://www.opera.com/ Phone: +47 23 69 32 60 Fax: +47 23 69 24 01 ********************************************************************
- [TLS] Fwd: New Version Notification for draft-pet… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Fwd: New Version Notification for draft… Sean Turner
- Re: [TLS] Fwd: New Version Notification for draft… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Fwd: New Version Notification for draft… Rob Stradling
- Re: [TLS] Fwd: New Version Notification for draft… Yngve N. Pettersen (Developer Opera Software ASA)