IETF Logo Mail Archive

Re: [TLS] New version of Multiple OCSP mode of Certificate Status extension

"Yngve Nysaeter Pettersen" <yngve@opera.com> Wed, 04 August 2010 14:40 UTC

Return-Path: <yngve@opera.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B55413A685E; Wed, 4 Aug 2010 07:40:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.166
X-Spam-Level:
X-Spam-Status: No, score=-6.166 tagged_above=-999 required=5 tests=[AWL=0.433, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ezdH0DHwzgOF; Wed, 4 Aug 2010 07:40:25 -0700 (PDT)
Received: from smtp.opera.com (smtp.opera.com [213.236.208.81]) by core3.amsl.com (Postfix) with ESMTP id E888E3A6848; Wed, 4 Aug 2010 07:40:22 -0700 (PDT)
Received: from killashandra.oslo.osa (pat-tdc.opera.com [213.236.208.22]) by smtp.opera.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id o74EeUQ1013267 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 4 Aug 2010 14:40:32 GMT
Content-Type: text/plain; charset="iso-8859-15"; format="flowed"; delsp="yes"
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
References: <E1OgKhk-0006UP-Fe@wintermute02.cs.auckland.ac.nz>
Date: Wed, 04 Aug 2010 16:40:07 +0200
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
From: Yngve Nysaeter Pettersen <yngve@opera.com>
Organization: Opera Software
Message-ID: <op.vgw4c5afvqd7e2@killashandra.oslo.osa>
In-Reply-To: <E1OgKhk-0006UP-Fe@wintermute02.cs.auckland.ac.nz>
User-Agent: Opera Mail/10.54 (Win32)
Cc: pkix@ietf.org, tls@ietf.org
Subject: Re: [TLS] New version of Multiple OCSP mode of Certificate Status extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: yngve@opera.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Aug 2010 14:40:34 -0000

On Tue, 03 Aug 2010 18:51:04 +0200, Peter Gutmann  
<pgut001@cs.auckland.ac.nz> wrote:

> "Yngve Nysaeter Pettersen" <yngve@opera.com> writes:
>
>> AFAIK, currently all the major browsers check for OCSP for the site
>> certificates (IE for Vista and later, XP requires a preference change  
>> IIRC),
>> I am not quite sure about CRLs, but checking intermediates is a  
>> requirement
>> for Extended Validation verification. I didn't see any need to  
>> distinguish
>> the cases, so we check CRLs for all certificates that identify them  
>> (and if
>> one certificate have a CRL defined, we require them for all certificates
>> below the Root, except the ones we check OCSP for, or we remove the  
>> padlock)
>
> How does this impact availability?  This would make the effective  
> availability
> of a site the same as that of the least reliable CRL/OCSP server in the  
> chain.
> Do you block on all the certs checking out, or perform it in a background
> thread?  Again, blocking would make the response time of the site the  
> same as
> that of the slowest-responding CRL/OCSP server in the chain.

Opera has a 15-20 second timeout for such operations, as well as AIA  
intermediate CA cert retrieval, and if the timeout is triggers the URL is  
marked as "don't use" for a few hours, so the delay will be on the first  
request only.

There are requirements in the Extended Validation guidelines for being  
able to download revocation responses within a few seconds even for low  
bandwidths.

The cases where we have run into trouble have been caused by OCSP/CRL  
responders that have been specified with HTTPS URLs (rather than HTTP) and  
where the TLS certificate of the responder referenced the same revocation  
resource (an example of this have been CAcert.org), which causes a bit of  
a trouble when you suspend all other connections to that specific server  
while negotiating a session (to avoid negotiating multiple sessions for  
the same server). We have currently "solved" this problem by immediately  
failing such loops (which does not affect the revocation request)

>> The optimization benefits for my proposals, is that the client need to  
>> check
>> fewer online revocation resources than before, and they will preferably  
>> be
>> more up to date, in the best case it does not have to check any online
>> resources since the server provided them all.
>
> What about having public CA certs contains a special indicator in them  
> to tell
> apps that they're revocation-proof and there's no need to check CRLs and
> whatnot, since they'll never be revoked?  That would speed up checking  
> quite a
> bit.

That would cause problems if the key is compromised

-- 
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer		     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 23 69 32 60              Fax:    +47 23 69 24 01
********************************************************************

v2.23.0 | Report a Bug | By Email