IETF Logo Mail Archive

Re: [TLS] draft-ietf-tls-cached-info-14

"Yngve N. Pettersen" <yngve@spec-work.net> Wed, 10 April 2013 15:14 UTC

Return-Path: <yngve@spec-work.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E0F021F989B for <tls@ietfa.amsl.com>; Wed, 10 Apr 2013 08:14:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l9cXpj-ZMXCD for <tls@ietfa.amsl.com>; Wed, 10 Apr 2013 08:14:54 -0700 (PDT)
Received: from smtp.domeneshop.no (smtp.domeneshop.no [194.63.252.54]) by ietfa.amsl.com (Postfix) with ESMTP id A396E21F989C for <tls@ietf.org>; Wed, 10 Apr 2013 08:14:53 -0700 (PDT)
Received: from 239.171.251.212.customer.cdi.no ([212.251.171.239]:50560 helo=killashandra.invalid.invalid) by smtp.domeneshop.no with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <yngve@spec-work.net>) id 1UPwjc-00039Y-35; Wed, 10 Apr 2013 17:14:52 +0200
Content-Type: text/plain; charset="iso-8859-15"; format="flowed"; delsp="yes"
To: Rob Stradling <rob.stradling@comodo.com>
References: <2C078811-2A81-4B37-82F0-FAD94A7395BD@gmx.net> <51547C0C.20806@ieca.com> <A3EEC7FB-665B-4543-8D42-A997100506E5@gmx.net> <5154B4C9.1070405@comodo.com> <5096AB41-02FD-4E01-A78E-BEF272181F42@gmx.net> <5162C154.1010202@comodo.com> <op.wu76e6o73dfyax@killashandra.invalid.invalid> <5163200D.2030300@comodo.com> <op.wu8nh01v3dfyax@killashandra.invalid.invalid> <51646709.4030803@comodo.com> <op.wvakl2sk3dfyax@killashandra.invalid.invalid> <097601ce3574$f4495c50$dcdc14f0$@ditenity.com> <51656C00.8030200@comodo.com> <op.wvbvjwm73dfyax@killashandra.invalid.invalid> <5165757B.50109@comodo.com>
Date: Wed, 10 Apr 2013 17:14:48 +0200
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: "Yngve N. Pettersen" <yngve@spec-work.net>
Message-ID: <op.wvbzay2g3dfyax@killashandra.invalid.invalid>
In-Reply-To: <5165757B.50109@comodo.com>
User-Agent: Opera Mail/12.15 (Win32)
Cc: tls@ietf.org
Subject: Re: [TLS] draft-ietf-tls-cached-info-14
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Apr 2013 15:14:55 -0000

On Wed, 10 Apr 2013 16:21:47 +0200, Rob Stradling  
<rob.stradling@comodo.com> wrote:

> On 10/04/13 14:53, Yngve N. Pettersen wrote:
>> Hi,
>>
>> Please keep in mind that the certificate chain sequence can be changed
>> at any time. Any mechanism used would need to take that into  
>> consideration.
>
> It can be changed at any time on the server side, but we're talking  
> about the certificate chain sequence that the client received and cached  
> at a particular point in time.
>
>> Therefore, such a solution would have to link it to the fingerprint of
>> the chain of stapled responses. However, once you provide that
>> information you don't need a boolean value to indicate which responses
>> you have and that are valid, because the server will already have that
>> information.
>
> Isn't this exactly what Hannes proposed a couple of weeks ago?
>
> https://github.com/hannestschofenig/tschofenig-ids/blob/master/tls-cached-info/draft-ietf-tls-cached-info-15.txt

In this case I am talking about the boolean flag proposal and how it would  
indicate to a server which responses it have, and particularly how to  
avoid confusion when/if the certificate chain is updated by the server.

>> It might be conceivable to link the information to the fingerprint of
>> the certificate chain and then use the bools, but that would actually
>> require (a few) more bytes on the wire than indicating the fingerprint
>> of the stapled response list (although: one could get past that by
>> linking the stapled list with the entry for cached certificates, but I
>> think that would complicate matters more than is necessary to save a few
>> bytes; particularly if the client for some reason is not caching the
>> certificate chain).
>>
>> On Wed, 10 Apr 2013 15:41:20 +0200, Rob Stradling
>> <rob.stradling@comodo.com> wrote:
>>
>>> On 09/04/13 23:52, Piyush Jain wrote:
>>>> I'm having a basic problem understanding OCSPResponse cachedinfo
>>>> object and
>>>> the need to obtain the latest cert_status from the server.
>>>>
>>>> Why does a TLS client care if it has the same OCSP responses (for
>>>> server and
>>>> any intermediate certificate) as the TLS server, as long as it has  
>>>> some
>>>> valid OCSP responses for those certificates? IMO, all the client
>>>> cares about
>>>> is the fact that it can build a valid status checked path to the  
>>>> locally
>>>> configured trust anchor.
>>>>
>>>> So the only thing that the client needs to tell the server is the
>>>> list of
>>>> certificates for which it needs the status (either because the status
>>>> in the
>>>> cache expired or because it never got the status from this or other
>>>> server).
>>>> This can be communicated easily through a list of Boolean values. The
>>>> position of the value corresponds to the position of certificate in  
>>>> the
>>>> certificate chain and the value indicates if the client wants the
>>>> server to
>>>> include the status of corresponding cert.
>>>> This makes the cached info object for OCSP responses much smaller
>>>> compared
>>>> to the representation that uses hash and also allows the clients to
>>>> make use
>>>> of locally cached OCSP responses irrespective of where they came from.
>>>
>>> Thanks Piyush.  I think that a "list of Boolean values" for requesting
>>> cert statuses is a much better idea.  :-)
>>>
>>> When you say "The position of the value corresponds to the position of
>>> certificate in the certificate chain", I presume you're referring to
>>> the CachedObject(s) of type "certificate_chain" that the client sends.
>>>
>>> If a client were to send >1 CachedObjects of type "certificate_chain"
>>> and >1 "list of Boolean values" CachedObjects, there could be
>>> ambiguity over which "certificate_chain" is paired with which "list of
>>> Boolean values".
>>>
>>> Would we simply say that the CachedObject(s) of these two types must
>>> be sent in the same order?
>>> Or would we need to squeeze the "list of Boolean values" into the
>>> "certificate_chain" CachedObject type somehow?
>>>
>>>> -Piyush
>>>>
>>>>> -----Original Message-----
>>>>> From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On Behalf Of
>>>>> Yngve N. Pettersen
>>>>> Sent: Tuesday, April 09, 2013 2:00 PM
>>>>> To: Rob Stradling
>>>>> Cc: tls@ietf.org
>>>>> Subject: Re: [TLS] draft-ietf-tls-cached-info-14
>>>>>
>>>>> On Tue, 09 Apr 2013 21:07:53 +0200, Rob Stradling
>>>>> <rob.stradling@comodo.com> wrote:
>>>>>
>>>>>> On 08/04/13 21:07, Yngve N. Pettersen wrote:
>>>>>> <snip>
>>>>>>>> Example:
>>>>>>>>     - Client visits https://www.google.com and
>>>>>>>> https://mail.google.com, each for the first time ever, and caches
>>>>>>>> the certificate chains and OCSP Responses for the End-entity and
>>>>>>>> Intermediate certs.  Client observes that the same "Google  
>>>>>>>> Internet
>>>>>>>> Authority" Intermediate is used in both cases.
>>>>>>>>     - A while later, client performs another full handshake to
>>>>>>>> https://www.google.com and gets back a different OCSP Response
>>>>> (with
>>>>>>>> a more recent thisUpdate value) for the same Intermediate cert.
>>>>>>>>     - A while later, client performs another full handshake to
>>>>>>>> https://mail.google.com.  It sends the CachedObject for the
>>>>>>>> Intermediate OCSP Response that https://www.google.com just
>>>>>>>> returned, because it knows that this OCSP Response is relevant for
>>>>>>>> the Intermediate cert that https://mail.google.com used last time
>>>>>>>> the client connected to it, and because this OCSP Response is the
>>>>>>>> freshest one that the client has available.
>>>>>>>
>>>>>>> What about www.co.uk and bank.co.uk?
>>>>>>>
>>>>>>> Such things get complicated very fast, which is why we had to  
>>>>>>> develop
>>>>>>> the public suffix list.
>>>>>>>
>>>>>>> Please, let us stay way, way, *way* out of that particular thorny
>>>>>>> area.
>>>>>>
>>>>>> If the End-entity certs at https://www.co.uk and https://bank.co.uk
>>>>>> are both issued by the same Intermediate, then what's the problem?
>>>>>> Why are the domain names even relevant when deciding whether or not
>>>>>> it's "safe" for the client to send an Intermediate cert's OCSP
>>>>>> Response that a different server provided?
>>>>>
>>>>> Tip: If domain names are irrelevant, make sure they do not carry
>>>>> meaning
>>>> in
>>>>> the discussion, particularly when combined with the word "safe".  
>>>>> Might
>>>>> confuse things.
>>>>>
>>>>>> I agree that my proposal should be rejected _if_ the consensus is  
>>>>>> that
>>>>>> it adds too much extra complexity.  But IMHO the more bytes on the
>>>>>> wire we can save, the more chance there is that Multi-Stapling +
>>>>>> Cached-Info will actually get deployed widely.
>>>>>
>>>>> The concept still assumes that server1 and server2 will have same
>>>>> binary
>>>>> response R for certificate X at time T, even if the client have
>>>>> previously
>>>> only
>>>>> seen R from server1, and instead seen response S from server2.
>>>>>
>>>>> If, at time T both R and S are valid, but R is valid longer than S,
>>>>> which
>>>> should
>>>>> be indicated to server2? If both, that means more (unnecessary)
>>>>> bytes on
>>>>> the wire, particularly if you have more than 2 servers (e.g. 200)
>>>>> with the
>>>> same
>>>>> (issuer) certificate, each with binary different valid responses.
>>>>>
>>>>> What if the client indicates R to server2 and leaves out S, but  
>>>>> server2
>>>> does
>>>>> not have R (and might get response Q if it requested an update)? Most
>>>> likely
>>>>> server2 would then resend response S. Result: unnecessary bytes on  
>>>>> the
>>>>> wire.
>>>>>
>>>>> Personally, I think it is better to assume that the OCSP responses
>>>>> kept by
>>>> two
>>>>> servers are different, even if they are signed by the same issuer. It
>>>> might be
>>>>> that servers in different geographical areas connect to different  
>>>>> OCSP
>>>>> responders which have responses generated at different times (or who
>>>>> generate on-the-fly responses).
>>>>>
>>>>> As mentioned above, the potential problems becomes even more
>>>>> pronounced if you are dealing with hundreds or thousands of servers
>>>>> (as we
>>>>> would likely do with servers using Comodo issued certificates, for
>>>> example).
>>>>>
>>>>> My advice: Keep cache lists for each server separate from the lists
>>>>> used
>>>> for
>>>>> other servers. That does not mean that the client cannot optimize
>>>>> storage
>>>> by
>>>>> combining the storage for each entry in the list, though. There is  
>>>>> too
>>>> much
>>>>> chance of guessing wrong about what the server should know based on
>>>>> what
>>>>> the client knows.
>>>>>
>>>>> --
>>>>> Sincerely,
>>>>> Yngve N. Pettersen
>>>>>
>>>>> Using Opera's mail client: http://www.opera.com/mail/
>>>>> _______________________________________________
>>>>> TLS mailing list
>>>>> TLS@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/tls
>>>>
>>>>
>>>
>>
>>
>


-- 
Sincerely,
Yngve N. Pettersen

Using Opera's mail client: http://www.opera.com/mail/

v2.23.0 | Report a Bug | By Email