IETF Logo Mail Archive

Re: [TLS] Call for acceptance on multi-stapling

Jean-Marc Desperrier <jmdesp@free.fr> Tue, 24 April 2012 14:59 UTC

Return-Path: <jmdesp@free.fr>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08A9721F8855 for <tls@ietfa.amsl.com>; Tue, 24 Apr 2012 07:59:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.274
X-Spam-Level:
X-Spam-Status: No, score=-2.274 tagged_above=-999 required=5 tests=[AWL=0.325, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vEPncyxYDhek for <tls@ietfa.amsl.com>; Tue, 24 Apr 2012 07:59:08 -0700 (PDT)
Received: from smtp4-g21.free.fr (smtp4-g21.free.fr [IPv6:2a01:e0c:1:1599::13]) by ietfa.amsl.com (Postfix) with ESMTP id BFFF021F87F4 for <tls@ietf.org>; Tue, 24 Apr 2012 07:59:06 -0700 (PDT)
Received: from [172.30.24.38] (host.104.92.68.195.rev.coltfrance.com [195.68.92.104]) (Authenticated sender: jmdesp) by smtp4-g21.free.fr (Postfix) with ESMTPA id 740444C81AA; Tue, 24 Apr 2012 16:59:00 +0200 (CEST)
Message-ID: <4F96BFB1.1040209@free.fr>
Date: Tue, 24 Apr 2012 16:58:57 +0200
From: Jean-Marc Desperrier <jmdesp@free.fr>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20120322 Firefox/12.0 SeaMonkey/2.9
MIME-Version: 1.0
To: Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
References: <CABcZeBOz6T6mb5Hy9jfhRHkWxusccGmr2vjrah9aRTBC2kCmuQ@mail.gmail.com>
In-Reply-To: <CABcZeBOz6T6mb5Hy9jfhRHkWxusccGmr2vjrah9aRTBC2kCmuQ@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Subject: Re: [TLS] Call for acceptance on multi-stapling
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Apr 2012 14:59:09 -0000

Eric Rescorla a écrit :
> WG members,
>
> At the meeting in Paris there was broad consensus to adopt Yngve's
> TLS Multi-Stapling draft
> (http://www.ietf.org/id/draft-pettersen-tls-ext-multiple-ocsp-03.txt).
>
> The WG chairs would like to confirm this consensus. Please send any
> comments by Wednesday April 25.

I support this as a working group item.

I also think the proposal would gain from allowing the OCSPResponseList 
to contain ARLs (authority revocation list) and not only OCSP token.

In my opinion, the cost is not big for the implementation, and they are 
real use cases, but this I mean a *lot* of deployed PKI that do not 
implement OCSP for intermediate certificates, but have an ARL available 
that is the same size, or smaller, than an OCSP token would be.

On another hand, I believe the ResponderID thing is not worth the effort.

In RFC2560, option 1 of 4.2.2.2 (locally configured responder) only 
works in a mutually agreed private context.
Option 2 and 3 (responder same as CA, responder with the 
id-ad-ocspSigning EKU) are the only one that work in a public context 
(and for example are mandated in the Mozilla policy) and they do not 
need this ResponderID thing.
Only option 1 would use it, when there's an ambiguity about which 
responder this specific client trusts, but then outside of multi-status 
there would be no way to get the same functionality with RFC2560.
So, including it seems to me to be implementation pain for extremely 
small and specific advantage.

v2.23.0 | Report a Bug | By Email