Re: [TLS] Call for acceptance on multi-stapling
Jean-Marc Desperrier <jmdesp@free.fr> Tue, 24 April 2012 14:59 UTC
Return-Path: <jmdesp@free.fr>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08A9721F8855 for <tls@ietfa.amsl.com>; Tue, 24 Apr 2012 07:59:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.274
X-Spam-Level:
X-Spam-Status: No, score=-2.274 tagged_above=-999 required=5 tests=[AWL=0.325, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vEPncyxYDhek for <tls@ietfa.amsl.com>; Tue, 24 Apr 2012 07:59:08 -0700 (PDT)
Received: from smtp4-g21.free.fr (smtp4-g21.free.fr [IPv6:2a01:e0c:1:1599::13]) by ietfa.amsl.com (Postfix) with ESMTP id BFFF021F87F4 for <tls@ietf.org>; Tue, 24 Apr 2012 07:59:06 -0700 (PDT)
Received: from [172.30.24.38] (host.104.92.68.195.rev.coltfrance.com [195.68.92.104]) (Authenticated sender: jmdesp) by smtp4-g21.free.fr (Postfix) with ESMTPA id 740444C81AA; Tue, 24 Apr 2012 16:59:00 +0200 (CEST)
Message-ID: <4F96BFB1.1040209@free.fr>
Date: Tue, 24 Apr 2012 16:58:57 +0200
From: Jean-Marc Desperrier <jmdesp@free.fr>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20120322 Firefox/12.0 SeaMonkey/2.9
MIME-Version: 1.0
To: Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
References: <CABcZeBOz6T6mb5Hy9jfhRHkWxusccGmr2vjrah9aRTBC2kCmuQ@mail.gmail.com>
In-Reply-To: <CABcZeBOz6T6mb5Hy9jfhRHkWxusccGmr2vjrah9aRTBC2kCmuQ@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Subject: Re: [TLS] Call for acceptance on multi-stapling
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Apr 2012 14:59:09 -0000
Eric Rescorla a écrit : > WG members, > > At the meeting in Paris there was broad consensus to adopt Yngve's > TLS Multi-Stapling draft > (http://www.ietf.org/id/draft-pettersen-tls-ext-multiple-ocsp-03.txt). > > The WG chairs would like to confirm this consensus. Please send any > comments by Wednesday April 25. I support this as a working group item. I also think the proposal would gain from allowing the OCSPResponseList to contain ARLs (authority revocation list) and not only OCSP token. In my opinion, the cost is not big for the implementation, and they are real use cases, but this I mean a *lot* of deployed PKI that do not implement OCSP for intermediate certificates, but have an ARL available that is the same size, or smaller, than an OCSP token would be. On another hand, I believe the ResponderID thing is not worth the effort. In RFC2560, option 1 of 4.2.2.2 (locally configured responder) only works in a mutually agreed private context. Option 2 and 3 (responder same as CA, responder with the id-ad-ocspSigning EKU) are the only one that work in a public context (and for example are mandated in the Mozilla policy) and they do not need this ResponderID thing. Only option 1 would use it, when there's an ambiguity about which responder this specific client trusts, but then outside of multi-status there would be no way to get the same functionality with RFC2560. So, including it seems to me to be implementation pain for extremely small and specific advantage.
- [TLS] Call for acceptance on multi-stapling Eric Rescorla
- Re: [TLS] Call for acceptance on multi-stapling =JeffH
- Re: [TLS] Call for acceptance on multi-stapling Kyle Hamilton
- Re: [TLS] Call for acceptance on multi-stapling Martin Rex
- Re: [TLS] Call for acceptance on multi-stapling peter.robinson
- Re: [TLS] Call for acceptance on multi-stapling Nico Williams
- Re: [TLS] Call for acceptance on multi-stapling Martin Rex
- Re: [TLS] Call for acceptance on multi-stapling Eric Rescorla
- Re: [TLS] Call for acceptance on multi-stapling Nico Williams
- Re: [TLS] Call for acceptance on multi-stapling Martin Rex
- Re: [TLS] Call for acceptance on multi-stapling Eric Rescorla
- Re: [TLS] Call for acceptance on multi-stapling Nico Williams
- Re: [TLS] Call for acceptance on multi-stapling Martin Rex
- Re: [TLS] Call for acceptance on multi-stapling Martin Rex
- Re: [TLS] Call for acceptance on multi-stapling Nico Williams
- Re: [TLS] Call for acceptance on multi-stapling Nico Williams
- Re: [TLS] Call for acceptance on multi-stapling Nico Williams
- Re: [TLS] Call for acceptance on multi-stapling Eric Rescorla
- Re: [TLS] Call for acceptance on multi-stapling Nico Williams
- Re: [TLS] Call for acceptance on multi-stapling Eric Rescorla
- Re: [TLS] Call for acceptance on multi-stapling Ryan Sleevi
- Re: [TLS] Call for acceptance on multi-stapling Adam Langley
- Re: [TLS] Call for acceptance on multi-stapling Tom Ritter
- Re: [TLS] Call for acceptance on multi-stapling Nico Williams
- Re: [TLS] Call for acceptance on multi-stapling Martin Rex
- Re: [TLS] Call for acceptance on multi-stapling Eric Rescorla
- Re: [TLS] Call for acceptance on multi-stapling Nico Williams
- Re: [TLS] Call for acceptance on multi-stapling Geoffrey Keating
- Re: [TLS] Call for acceptance on multi-stapling Tom Ritter
- Re: [TLS] Call for acceptance on multi-stapling Martin Rex
- Re: [TLS] Call for acceptance on multi-stapling Michael D'Errico
- Re: [TLS] Call for acceptance on multi-stapling Marsh Ray
- Re: [TLS] Call for acceptance on multi-stapling Martin Rex
- Re: [TLS] Call for acceptance on multi-stapling Nico Williams
- Re: [TLS] Call for acceptance on multi-stapling Marsh Ray
- Re: [TLS] Call for acceptance on multi-stapling Adam Langley
- Re: [TLS] Call for acceptance on multi-stapling Nico Williams
- Re: [TLS] Call for acceptance on multi-stapling Martin Rex
- Re: [TLS] Call for acceptance on multi-stapling Martin Rex
- Re: [TLS] Call for acceptance on multi-stapling Adam Langley
- Re: [TLS] Call for acceptance on multi-stapling Eric Rescorla
- Re: [TLS] Call for acceptance on multi-stapling Marsh Ray
- Re: [TLS] Call for acceptance on multi-stapling Eric Rescorla
- Re: [TLS] Call for acceptance on multi-stapling Martin Rex
- Re: [TLS] Call for acceptance on multi-stapling Martin Rex
- Re: [TLS] Call for acceptance on multi-stapling Nikos Mavrogiannopoulos
- Re: [TLS] Call for acceptance on multi-stapling Adam Langley
- Re: [TLS] Call for acceptance on multi-stapling Martin Rex
- Re: [TLS] Call for acceptance on multi-stapling Jean-Marc Desperrier
- Re: [TLS] Call for acceptance on multi-stapling Nico Williams
- Re: [TLS] Call for acceptance on multi-stapling Jean-Marc Desperrier
- Re: [TLS] Call for acceptance on multi-stapling Yoav Nir
- Re: [TLS] Call for acceptance on multi-stapling Nico Williams
- Re: [TLS] Call for acceptance on multi-stapling Eric Rescorla
- Re: [TLS] Call for acceptance on multi-stapling Yingxian Wang