[TLS] OCSP Must Staple

Phillip Hallam-Baker <hallam@gmail.com> Wed, 23 October 2013 13:46 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 39C2C11E818A for <tls@ietfa.amsl.com>; Wed, 23 Oct 2013 06:46:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[AWL=0.151, BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id TJoCv0W9gYtE for <tls@ietfa.amsl.com>; Wed, 23 Oct 2013 06:46:19 -0700 (PDT)
Received: from mail-lb0-x22e.google.com (mail-lb0-x22e.google.com [IPv6:2a00:1450:4010:c04::22e]) by ietfa.amsl.com (Postfix) with ESMTP id E27B111E81B0 for <tls@ietf.org>; Wed, 23 Oct 2013 06:46:06 -0700 (PDT)
Received: by mail-lb0-f174.google.com with SMTP id q8so530951lbi.19 for <tls@ietf.org>; Wed, 23 Oct 2013 06:46:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=juzXtodRK9S0ahkop8MlXGLmKgrRm2zsbvt7QIpBzz8=; b=A4h6S77RA6uMbXkLiyQxQUFUqrzJRWGoquPxKszVcNFKvLbv12qnwix1CL8lQyPVXH eK2C3lkPoYTc0sIj3gexSHLotQDjVbUTMLC7vWiWb/3O9e9CNzP/12KZ50F4xvU1vyX/ 8ytLEYTEXjVTG+0qBJQH/l5a9UUHED30X2QINx8dyHUfy8/rkD0+LBvVA+eB1HfQDPb8 4RW6cWafdWBGo45GEDsH/8SdZVGcZ4s+qI7HvjVGSKeueqbSqqYvlkbNVLWj75eHSyTO pszPW+KJYVbOvjORehd/64oHgdnKMD1Njwiz1HOFeoVjQSLRiHpA7YYfjZ8nOMKFG2FG UFWg==
MIME-Version: 1.0
X-Received: by with SMTP id ju18mr139613lab.54.1382535965904; Wed, 23 Oct 2013 06:46:05 -0700 (PDT)
Received: by with HTTP; Wed, 23 Oct 2013 06:46:05 -0700 (PDT)
Date: Wed, 23 Oct 2013 09:46:05 -0400
Message-ID: <CAMm+LwhG9FVEhRBUO5EqKUzGGLb3h3ZzxzgJobrAborn6Me83w@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a11c26e142315b804e968bd50"
Subject: [TLS] OCSP Must Staple
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Oct 2013 13:46:36 -0000

We have been discussing MUST staple for quite some time. The ADs would like
to know if there is support for adding this feature to certificates.

The draft I wrote is designed to be agile so that it covers all new OCSP
stapling like ideas rather than just being a one off. But it is pretty


The advantage of MUST staple is that if a client receives a TLS cert chain
with MUST Staple and no OCSP token then it can refuse the connection and
hard fail rather than attempting to retrieve the token and soft failing.

This allows for a performance improvement and a security improvement.

Website: http://hallambaker.com/