IETF Logo Mail Archive

Re: [TLS] New version of Multiple OCSP mode of Certificate Status extension

"Yngve Nysaeter Pettersen" <yngve@opera.com> Mon, 02 August 2010 13:32 UTC

Return-Path: <yngve@opera.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E385A3A6AE4; Mon, 2 Aug 2010 06:32:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.299
X-Spam-Level:
X-Spam-Status: No, score=-5.299 tagged_above=-999 required=5 tests=[AWL=-1.300, BAYES_50=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qEhmm6uCPyW8; Mon, 2 Aug 2010 06:32:08 -0700 (PDT)
Received: from smtp.opera.com (smtp.opera.com [213.236.208.81]) by core3.amsl.com (Postfix) with ESMTP id D5A6D3A68ED; Mon, 2 Aug 2010 06:32:01 -0700 (PDT)
Received: from killashandra.oslo.osa (pat-tdc.opera.com [213.236.208.22]) by smtp.opera.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id o72DWCtG001599 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 2 Aug 2010 13:32:13 GMT
Content-Type: text/plain; charset="iso-8859-15"; format="flowed"; delsp="yes"
To: agl@google.com, Brian Smith <brian@briansmith.org>
References: <op.u87n4tthqrq7tp@acorna> <op.vghzp61ivqd7e2@killashandra.oslo.osa> <AANLkTikh0EL0DygFFKC8L-Z406C_HsfatVSbti_Ur9x9@mail.gmail.com> <002101cb2e98$60d77230$22865690$@briansmith.org>
Date: Mon, 02 Aug 2010 15:31:42 +0200
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
From: Yngve Nysaeter Pettersen <yngve@opera.com>
Organization: Opera Software
Message-ID: <op.vgtbu4wmvqd7e2@killashandra.oslo.osa>
In-Reply-To: <002101cb2e98$60d77230$22865690$@briansmith.org>
User-Agent: Opera Mail/10.54 (Win32)
Cc: pkix@ietf.org, tls@ietf.org
Subject: Re: [TLS] New version of Multiple OCSP mode of Certificate Status extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: yngve@opera.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Aug 2010 13:32:11 -0000

On Wed, 28 Jul 2010 23:03:44 +0200, Brian Smith <brian@briansmith.org>  
wrote:

> Adam Langley wrote:
>> On Tue, Jul 27, 2010 at 6:35 AM, Yngve Nysaeter Pettersen
>> <yngve@opera.com> wrote:
>> > Based on the ongoing PKIX discussion about an update of OCSP, I
>> > (finally) realized the the problem my multiple-ocsp TLS extension is
>> > designed to fix can be fixed in another way, by adding an OCSP
>> > extension instead.
>>
>> I would welcome not having to change TLS to support multiple
>> OCSP responses.
>>
>> However, with TLS changes, we can deploy without any action on
>> the part of the OCSP responders. That makes it a possibility. If we
>> are beholden to updating the responders then I fear that it'll never
>> happen.
>
> Plus, it is a privacy issue. If you rely on the CAs to provide this
> extension in their OCSP responses, then any CAs that want OCSP traffic  
> (for
> user tracking) can just omit the OCSP extension. The multiple OCSP method
> lets the server improve the user's privacy without any cooperation from  
> the
> CAs involved.

This issue will not be any different from the current situation; When they  
check OCSP, clients only check the site certificate. If they check  
revocation for intermediates they use CRLs. In fact, for Opera's part, we  
retrieve CRLs while verifying the certificate, OCSP after the certificate  
has been checked, so CRLs are more "dangerous" from that perspective.

As for your MITM scenario, if the intention is to detect which computers  
access a certain site, then the attacker will already have that  
information when he performs the MITM attack.

Opera does not send or accept cookies in OCSP/CRL requests, so there would  
be no extra information available.

> (Most TLS clients issue their OCSP requests before they've
> authenticated the server's Certificate and (lack of) CertificateStatus
> messages, so while a CA wouldn't be able to force clients to make the  
> OCSP
> requests, a MiTM can still force them to do so. This could be prevented
> by moving the CertificateStatus and CertificateRequest before the
> ServerKeyExchange, and making the ServerKeyExchange signature work like  
> the
> CertificateVerify signature, hashing all the prior handshake messages.  
> This
> is something that should be considered for extensions like Snap Start  
> that
> modify the structure of the handshake, and for the next versions of TLS).
>
> Regards,
> Brian
>


-- 
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer		     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 23 69 32 60              Fax:    +47 23 69 24 01
********************************************************************

v2.23.0 | Report a Bug | By Email