Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Sun, 07 March 2021 23:21 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Nico Williams <nico@cryptonector.com>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
CC: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, TLS List <tls@ietf.org>
Thread-Topic: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections
Thread-Index: AQHXEeEgKe23eiCLoE+KwrPix1Q1lap1qA2AgAAjloD///6jAIAAVjGAgABa2YCAAAxsAIAA7tCAgADWUACAANPCgP//uIkA
Date: Sun, 07 Mar 2021 23:19:49 +0000
Message-ID: <12CE99EA-C55C-4327-A4DF-80734E6F1459@ll.mit.edu>
References: <DE27E5E0-4AB9-4B53-92F6-1057015A8F6C@ericsson.com> <20210305173516.GV30153@localhost> <701E874C-EA40-47FD-A4E4-C4C595E96337@ericsson.com> <CACsn0cmmKdR0-82DjrYZD5_CaF2bqwHnj07dM+Bnd-2aupU5QQ@mail.gmail.com> <CABcZeBP8wdmbO8DQPZ8e5CDZ76ioe3vzaJ+7YtQ74XZzcuxHmg@mail.gmail.com> <20210306061124.GY30153@localhost> <1615013752661.15146@cs.auckland.ac.nz> <20210306211036.GZ30153@localhost> <1615111060736.9067@cs.auckland.ac.nz> <20210307223534.GB30153@localhost>
In-Reply-To: <20210307223534.GB30153@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Z5E-X5IURDxAFt6bSom81M4xm3c>

On 3/7/21, 17:36, "TLS on behalf of Nico Williams" <tls-bounces@ietf.org on behalf of nico@cryptonector.com> wrote:
>
>    On Sun, Mar 07, 2021 at 09:57:40AM +0000, Peter Gutmann wrote:
>    > Nico Williams <nico@cryptonector.com> writes:
>    > > When expirations are short, you will not forget to renew.  That's
>    > > part of the point of short-lived certificates.
>    > 
>    > So instead of getting one chance a year for your control system to break
>    > itself if the renewal fails, you get hundreds of them?
>
>    Yes.  Exactly.  It's a human factors problem.  And this solution works.

With all due respect, *absolutely not*.