Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections

Peter Gutmann <pgut001@cs.auckland.ac.nz> Sat, 06 March 2021 06:56 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Nico Williams <nico@cryptonector.com>, Eric Rescorla <ekr@rtfm.com>
CC: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, TLS List <tls@ietf.org>
Date: Sat, 06 Mar 2021 06:55:52 +0000
Message-ID: <1615013752661.15146@cs.auckland.ac.nz>
References: <DE27E5E0-4AB9-4B53-92F6-1057015A8F6C@ericsson.com> <20210305173516.GV30153@localhost> <701E874C-EA40-47FD-A4E4-C4C595E96337@ericsson.com> <CACsn0cmmKdR0-82DjrYZD5_CaF2bqwHnj07dM+Bnd-2aupU5QQ@mail.gmail.com> <CABcZeBP8wdmbO8DQPZ8e5CDZ76ioe3vzaJ+7YtQ74XZzcuxHmg@mail.gmail.com>, <20210306061124.GY30153@localhost>
In-Reply-To: <20210306061124.GY30153@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jX4tmrMZq7aUoy12IoAdGmiT9yM>
Subject: Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections

Nico Williams <nico@cryptonector.com> writes:

>I've seen 5 day server certificates in use.  

For IEC-62351 work you're far more likely to see certificates issued with an
expiry date of never, because the last thing you want is your power grid to be
taken offline due to a cert someone forgot to renew.

In terms of CRL updates the situation is similar: the spec may say you need to
check once every X time interval, but in practice you forget to perform the
check in case it takes your grid offline.  Or set a flag saying "cert revoked"
and continue anyway; I've seen both.  The 24-hour thing sounds like someone's
checkbox requirement rather than anything practically useful, or usable.

Peter.
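The two deployment behaviours described in the message above (never-expiring
certificates, and a stale-CRL decision that either hard-fails the session or
just sets a flag and continues) sketched as a revocation re-check loop for a
long-lived session. This is an added example, not code from the thread or from
any IEC 62351 product. It uses the standard library only; the Cert/Crl/Session
records, serial numbers and timestamps are constructed for the demo and are not
parsed from real DER. The one normative detail it relies on is RFC 5280
section 4.1.2.5, which encodes "no well-defined expiration date" as the
notAfter GeneralizedTime value 99991231235959Z; the 24-hour interval is the
figure under discussion in the thread, not a recommendation.

```python
"""Revocation re-check policy for long-lived TLS sessions (illustrative only)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# RFC 5280 s4.1.2.5: notAfter of 99991231235959Z means "no well-defined expiration".
NO_EXPIRY = datetime(9999, 12, 31, 23, 59, 59, tzinfo=timezone.utc)


class Mode(Enum):
    HARD_FAIL = "hard-fail"  # stale or revoked status terminates the session
    SOFT_FAIL = "soft-fail"  # session continues, status is only recorded as a flag


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    STALE = "stale-crl"      # CRL past nextUpdate, or older than the policy interval


@dataclass
class Cert:               # constructed stand-in for a parsed certificate
    serial: int
    not_after: datetime


@dataclass
class Crl:                # constructed stand-in for a parsed CRL
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset


@dataclass
class Session:
    cert: Cert
    mode: Mode
    recheck_interval: timedelta
    last_check: datetime
    open: bool = True
    flags: list = field(default_factory=list)   # (time, status) records in SOFT_FAIL mode


def has_no_expiry(cert: Cert) -> bool:
    """True when notAfter carries the RFC 5280 'never expires' sentinel."""
    return cert.not_after == NO_EXPIRY


def crl_status(cert: Cert, crl: Crl, now: datetime, max_age: timedelta) -> Status:
    """Classify cert against crl; an outdated CRL is unusable, not silently 'good'."""
    if now > crl.next_update or now - crl.this_update > max_age:
        return Status.STALE
    return Status.REVOKED if cert.serial in crl.revoked_serials else Status.GOOD


def recheck(session: Session, crl: Crl, now: datetime) -> Optional[Status]:
    """Periodic re-check on an established session.

    Returns None when a check is not yet due. Otherwise returns the status and
    applies the failure mode: HARD_FAIL closes the session on anything but GOOD,
    SOFT_FAIL appends a flag and leaves the session open (the behaviour the
    message above reports seeing in the field).
    """
    if now - session.last_check < session.recheck_interval:
        return None
    session.last_check = now
    status = crl_status(session.cert, crl, now, session.recheck_interval)
    if status is not Status.GOOD:
        if session.mode is Mode.HARD_FAIL:
            session.open = False
        else:
            session.flags.append((now, status.value))
    return status


def demo() -> dict:
    """Constructed scenario: a never-expiring cert, a 24h CRL nobody refreshed."""
    t0 = datetime(2021, 3, 6, 6, 55, tzinfo=timezone.utc)
    cert = Cert(serial=0x1001, not_after=NO_EXPIRY)
    crl = Crl(this_update=t0, next_update=t0 + timedelta(hours=24),
              revoked_serials=frozenset())
    hard = Session(cert, Mode.HARD_FAIL, timedelta(hours=24), last_check=t0)
    soft = Session(cert, Mode.SOFT_FAIL, timedelta(hours=24), last_check=t0)
    early = recheck(soft, crl, t0 + timedelta(hours=1))   # not due yet
    later = t0 + timedelta(hours=25)                       # CRL is now past nextUpdate
    return {
        "no_expiry": has_no_expiry(cert),
        "early": early,
        "hard": recheck(hard, crl, later).value, "hard_open": hard.open,
        "soft": recheck(soft, crl, later).value, "soft_open": soft.open,
        "soft_flags": len(soft.flags),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module shows the asymmetry the message describes: with the same
expired CRL the hard-fail session is closed, while the soft-fail session stays
up with a single "stale-crl" flag recorded and nothing else changed.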