Re: [TLS] comments on draft-ietf-tls-tls13-19
Ryan Sleevi <ryan-ietftls@sleevi.com> Sun, 23 April 2017 16:01 UTC
Return-Path: <ryan-ietftls@sleevi.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0EFA120227 for <tls@ietfa.amsl.com>; Sun, 23 Apr 2017 09:01:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.498
X-Spam-Level:
X-Spam-Status: No, score=-1.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_SPAM=0.5, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sleevi.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9v4ZVHygqGqg for <tls@ietfa.amsl.com>; Sun, 23 Apr 2017 09:01:12 -0700 (PDT)
Received: from homiemail-a74.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89A8B12420B for <tls@ietf.org>; Sun, 23 Apr 2017 09:01:12 -0700 (PDT)
Received: from homiemail-a74.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a74.g.dreamhost.com (Postfix) with ESMTP id 8B0A0A00491F for <tls@ietf.org>; Sun, 23 Apr 2017 09:01:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sleevi.com; h=mime-version :in-reply-to:references:from:date:message-id:subject:to:cc :content-type; s=sleevi.com; bh=wAVnqGuObT/imm32n/Cpcso0wfM=; b= XKTARr/JaPqIGHE8e89nBHElNVW0lmK4isSH6yoqMKjcVz/ZEjA5LRGhJl/MvF65 fJDfhYEWMmrYrxlUdOGJC7+Pe45wGGhUcdoJqE2ykczfp33uflWj70SwZ2meG1XW xT/XdXJOocWWapqM7bRmwwv6lRF3brBLIAmqoP3NXwc=
Received: from mail-lf0-f46.google.com (mail-lf0-f46.google.com [209.85.215.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: ryan@sleevi.com) by homiemail-a74.g.dreamhost.com (Postfix) with ESMTPSA id 54B0FA00491E for <tls@ietf.org>; Sun, 23 Apr 2017 09:01:11 -0700 (PDT)
Received: by mail-lf0-f46.google.com with SMTP id 88so63280912lfr.0 for <tls@ietf.org>; Sun, 23 Apr 2017 09:01:11 -0700 (PDT)
X-Gm-Message-State: AN3rC/7MIruhZZFOIRfj9Yyonlyqr8CnX5FCSIvXjCkMy30kN1M3gzeW 9rNVD0Ups52LuHjeuUUz81ylvW0z0A==
X-Received: by 10.46.21.12 with SMTP id s12mr7779151ljd.47.1492963269157; Sun, 23 Apr 2017 09:01:09 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.25.165.67 with HTTP; Sun, 23 Apr 2017 09:01:08 -0700 (PDT)
In-Reply-To: <20170423103442.GA16936@LK-Perkele-V2.elisa-laajakaista.fi>
References: <1490797726.28079.18.camel@redhat.com> <1490797957.28079.20.camel@redhat.com> <CABcZeBMCZrVKM959F3ycKN_WAky2NAZTy9OOetnC+KJAj3L+Pw@mail.gmail.com> <1492786351.14070.2.camel@redhat.com> <CABcZeBOe4-yEW8r15fsOtHJbQrnqGJ6oUaGYjoUwYS0MQE-rHQ@mail.gmail.com> <20170422120017.GA4201@LK-Perkele-V2.elisa-laajakaista.fi> <20170422214205.bxu5whfqzy5kshsw@roeckx.be> <20170423103442.GA16936@LK-Perkele-V2.elisa-laajakaista.fi>
From: Ryan Sleevi <ryan-ietftls@sleevi.com>
Date: Sun, 23 Apr 2017 12:01:08 -0400
X-Gmail-Original-Message-ID: <CAErg=HEt9fvL1y2fdcYBPj-0geuMKepvDnPJWK=AJ_omCYMiyA@mail.gmail.com>
Message-ID: <CAErg=HEt9fvL1y2fdcYBPj-0geuMKepvDnPJWK=AJ_omCYMiyA@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: Kurt Roeckx <kurt@roeckx.be>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="f403045f76aa52325a054dd7992c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/fgjrGjczTU45-TuTxQgszYbZPuw>
Subject: Re: [TLS] comments on draft-ietf-tls-tls13-19
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Apr 2017 16:01:14 -0000
On Sun, Apr 23, 2017 at 6:34 AM, Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > > I meant if anyone has seen a OCSP response from "public" CA lately that > lacks NextUpdate. > Why would it matter? Are you suggesting we determine what should be part of TLS based on what CAs are doing? That's going to be sadness all around :) > And the 12 month update interval for intermediates is IMO just crazy, > and won't work properly in TLS 1.3, now that multistaple is pretty much > a baseline feature. > I have no desire to support multistaple within Chrome. That it's specified is great, but I believe multistaple is, for the general _browser_ case, unnecessary. That's not to say it's not useful in other venues or in specialized cases, which is the only reason I haven't complained here. > Looking at those rules, 7 day default would still work fine with 4 day > issue frequency. And 7 days also seems to be the limit for various > kinds caching (e.g. tickets, subcerts, etc...) that circumvent > revocation in various drafts and specs. > Again, that's public CAs. There are more participants in the ecosystem than that. I don't think it's necessary or appropriate to set an upperbound based on the Baseline Requirements. For that matter, I don't believe it's necessary or appropriate to set an upperbound in TLS at all. > > > As for what the TLS library I have written does if OCSP staple lacks > NextUpdate, it outright causes handshake failure and fatal alert. > So far, the preference on our end has been for a TLS library that doesn't have to have deeply-ingrained knowledge of the PKI, including OCSP, and instead treat these as separate layers. This PR necessitates that awareness by force of spec, and as such, makes it either unnecessarily difficult to implement or simply unlikely to be implemented. Given that stapling "issues" exist even without stapling, it does seem an unnecessary reach to include within the spec.
- Re: [TLS] comments on draft-ietf-tls-tls13-19 Ilari Liusvaara
- Re: [TLS] comments on draft-ietf-tls-tls13-19 Eric Rescorla
- Re: [TLS] comments on draft-ietf-tls-tls13-19 Eric Rescorla
- Re: [TLS] comments on draft-ietf-tls-tls13-19 Ilari Liusvaara
- Re: [TLS] comments on draft-ietf-tls-tls13-19 Eric Rescorla
- Re: [TLS] comments on draft-ietf-tls-tls13-19 Nikos Mavrogiannopoulos
- Re: [TLS] comments on draft-ietf-tls-tls13-19 Ryan Sleevi
- Re: [TLS] comments on draft-ietf-tls-tls13-19 Kurt Roeckx
- Re: [TLS] comments on draft-ietf-tls-tls13-19 Geoffrey Keating
- Re: [TLS] comments on draft-ietf-tls-tls13-19 Kurt Roeckx
- Re: [TLS] comments on draft-ietf-tls-tls13-19 Ilari Liusvaara
- Re: [TLS] comments on draft-ietf-tls-tls13-19 Ryan Sleevi
- Re: [TLS] comments on draft-ietf-tls-tls13-19 Ilari Liusvaara
- Re: [TLS] comments on draft-ietf-tls-tls13-19 Brian Smith
- Re: [TLS] comments on draft-ietf-tls-tls13-19 Nikos Mavrogiannopoulos
- Re: [TLS] comments on draft-ietf-tls-tls13-19 Ryan Sleevi
- Re: [TLS] comments on draft-ietf-tls-tls13-19 Salz, Rich
- Re: [TLS] comments on draft-ietf-tls-tls13-19 Eric Rescorla
- Re: [TLS] comments on draft-ietf-tls-tls13-19 Nikos Mavrogiannopoulos
- Re: [TLS] comments on draft-ietf-tls-tls13-19 Ryan Sleevi
- [TLS] comments on draft-ietf-tls-tls13-19 Nikos Mavrogiannopoulos
- Re: [TLS] comments on draft-ietf-tls-tls13-19 Nikos Mavrogiannopoulos