[TLS] OCSP Must Staple
Phillip Hallam-Baker <hallam@gmail.com> Wed, 23 October 2013 13:46 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39C2C11E818A for <tls@ietfa.amsl.com>; Wed, 23 Oct 2013 06:46:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level:
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[AWL=0.151, BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TJoCv0W9gYtE for <tls@ietfa.amsl.com>; Wed, 23 Oct 2013 06:46:19 -0700 (PDT)
Received: from mail-lb0-x22e.google.com (mail-lb0-x22e.google.com [IPv6:2a00:1450:4010:c04::22e]) by ietfa.amsl.com (Postfix) with ESMTP id E27B111E81B0 for <tls@ietf.org>; Wed, 23 Oct 2013 06:46:06 -0700 (PDT)
Received: by mail-lb0-f174.google.com with SMTP id q8so530951lbi.19 for <tls@ietf.org>; Wed, 23 Oct 2013 06:46:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=juzXtodRK9S0ahkop8MlXGLmKgrRm2zsbvt7QIpBzz8=; b=A4h6S77RA6uMbXkLiyQxQUFUqrzJRWGoquPxKszVcNFKvLbv12qnwix1CL8lQyPVXH eK2C3lkPoYTc0sIj3gexSHLotQDjVbUTMLC7vWiWb/3O9e9CNzP/12KZ50F4xvU1vyX/ 8ytLEYTEXjVTG+0qBJQH/l5a9UUHED30X2QINx8dyHUfy8/rkD0+LBvVA+eB1HfQDPb8 4RW6cWafdWBGo45GEDsH/8SdZVGcZ4s+qI7HvjVGSKeueqbSqqYvlkbNVLWj75eHSyTO pszPW+KJYVbOvjORehd/64oHgdnKMD1Njwiz1HOFeoVjQSLRiHpA7YYfjZ8nOMKFG2FG UFWg==
MIME-Version: 1.0
X-Received: by 10.152.116.82 with SMTP id ju18mr139613lab.54.1382535965904; Wed, 23 Oct 2013 06:46:05 -0700 (PDT)
Received: by 10.112.148.165 with HTTP; Wed, 23 Oct 2013 06:46:05 -0700 (PDT)
Date: Wed, 23 Oct 2013 09:46:05 -0400
Message-ID: <CAMm+LwhG9FVEhRBUO5EqKUzGGLb3h3ZzxzgJobrAborn6Me83w@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a11c26e142315b804e968bd50"
Subject: [TLS] OCSP Must Staple
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Oct 2013 13:46:36 -0000
We have been discussing MUST staple for quite some time. The ADs would like to know if there is support for adding this feature to certificates. The draft I wrote is designed to be agile so that it covers all new OCSP stapling like ideas rather than just being a one off. But it is pretty simple: http://tools.ietf.org/html/draft-hallambaker-tlsfeature-02 The advantage of MUST staple is that if a client receives a TLS cert chain with MUST Staple and no OCSP token then it can refuse the connection and hard fail rather than attempting to retrieve the token and soft failing. This allows for a performance improvement and a security improvement. -- Website: http://hallambaker.com/
- [TLS] OCSP Must Staple Phillip Hallam-Baker
- Re: [TLS] OCSP Must Staple Tom Ritter
- Re: [TLS] OCSP Must Staple Alexey Melnikov
- Re: [TLS] OCSP Must Staple Brian Smith