Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections
Peter Gutmann <pgut001@cs.auckland.ac.nz> Sat, 06 March 2021 06:56 UTC
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Nico Williams <nico@cryptonector.com>, Eric Rescorla <ekr@rtfm.com>
CC: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, TLS List <tls@ietf.org>
Date: Sat, 06 Mar 2021 06:55:52 +0000
Message-ID: <1615013752661.15146@cs.auckland.ac.nz>
References: <DE27E5E0-4AB9-4B53-92F6-1057015A8F6C@ericsson.com> <20210305173516.GV30153@localhost> <701E874C-EA40-47FD-A4E4-C4C595E96337@ericsson.com> <CACsn0cmmKdR0-82DjrYZD5_CaF2bqwHnj07dM+Bnd-2aupU5QQ@mail.gmail.com> <CABcZeBP8wdmbO8DQPZ8e5CDZ76ioe3vzaJ+7YtQ74XZzcuxHmg@mail.gmail.com>, <20210306061124.GY30153@localhost>
In-Reply-To: <20210306061124.GY30153@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jX4tmrMZq7aUoy12IoAdGmiT9yM>
Nico Williams <nico@cryptonector.com> writes:

>I've seen 5 day server certificates in use.

For IEC-62351 work you're far more likely to see certificates issued with an expiry date of never, because the last thing you want is your power grid to be taken offline due to a cert someone forgot to renew.

In terms of CRL updates the situation is similar, the spec may say you need to check once every X time interval but in practice you forget to perform the check in case it takes your grid offline. Or set a flag saying "cert revoked" and continue anyway, I've seen both.

The 24-hour thing sounds like someone's checkbox requirement rather than anything practically useful, or usable.

Peter.
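To make the two operational practices described in the message concrete (checking "once every X" as the spec says, versus flagging and continuing when the check cannot run), here is an added Python example that is not part of the thread or of any IEC-62351 implementation. It models one long-lived connection with a simulated clock and a constructed CRL fetcher; the serial number 42, the 3600 s interval and the 5400 s staleness limit are made-up values.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Iterable, List, Optional, Set

class Status(Enum):
    FRESH = "fresh"          # CRL refreshed within the check interval, peer not listed
    STALE = "stale"          # CRL could not be refreshed; keep running but flag it
    TERMINATE = "terminate"  # peer positively revoked, or stale beyond the hard-fail limit

@dataclass
class RevocationMonitor:
    """Periodic CRL check attached to one long-lived connection (simulated clock)."""
    serial: int                                   # serial number of the peer certificate
    fetch_crl: Callable[[], Optional[Set[int]]]   # revoked serials, or None if the fetch failed
    check_interval: float                         # the spec's "once every X", in seconds
    max_staleness: float                          # hard-fail only: tolerated time without a fresh CRL
    hard_fail: bool = False
    last_good: float = 0.0                        # time of the last successful CRL fetch
    next_check: float = 0.0
    terminated: bool = False

    def tick(self, now: float) -> Status:
        if self.terminated:
            return Status.TERMINATE
        if now >= self.next_check:                # time for the periodic check
            self.next_check = now + self.check_interval
            crl = self.fetch_crl()
            if crl is not None:
                self.last_good = now
                if self.serial in crl:            # positive revocation always ends the session
                    self.terminated = True
                    return Status.TERMINATE
        age = now - self.last_good
        if age < self.check_interval:
            return Status.FRESH
        if self.hard_fail and age > self.max_staleness:
            self.terminated = True                # hard-fail: unknown status for too long
            return Status.TERMINATE
        return Status.STALE                       # soft-fail: the "set a flag and continue" path

def scripted_fetcher(results: Iterable[Optional[Set[int]]]) -> Callable[[], Optional[Set[int]]]:
    """Constructed stand-in for a CRL download: returns each scripted result in turn."""
    it = iter(results)
    return lambda: next(it, None)

def simulate(hard_fail: bool, times=(0, 1800, 3600, 7200, 10800, 14400)) -> List[str]:
    # Constructed scenario: first CRL is fine, three fetches fail, then a CRL lists our serial 42.
    mon = RevocationMonitor(serial=42, fetch_crl=scripted_fetcher([{7}, None, None, None, {7, 42}]),
                            check_interval=3600, max_staleness=5400, hard_fail=hard_fail)
    return [mon.tick(t).value for t in times]
```

Running `simulate(False)` shows the soft-fail connection staying up in the "stale" state through three failed fetches and dropping only when the CRL finally lists its serial, while `simulate(True)` shows the hard-fail variant tearing the connection down once the status has been unknown for longer than the limit.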