Re: [TLS] OCSP must staple

Yoav Nir <ynir.ietf@gmail.com> Sun, 15 June 2014 08:12 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <6407EEB5-E138-4B50-83D1-D68E1DC8E5EE@gmail.com>
Date: Sun, 15 Jun 2014 11:12:11 +0300
Message-Id: <6E86C545-58F9-4741-9563-7E2E7C8E0DA8@gmail.com>
References: <20140528184735.GA20602@roeckx.be> <097101cf7aa7$17f960a0$47ec21e0$@digicert.com> <4AA8E7B7-A19D-4E65-AF18-C4D02A513652@ieca.com> <538EF79B.3000506@cs.tcd.ie> <CAMm+LwgTnva9jJgVfkaOZ1qP0Rk3w-mFfepnubosgtrCEARv=g@mail.gmail.com> <539069CC.5010304@cs.tcd.ie> <5390B1D6.5010105@nthpermutation.com> <CAFewVt6Pr8yjV8EbYLp1HQJfYMgq2LJMt4uQqZWKChR6p12Wtg@mail.gmail.com> <5390CA45.1050504@nthpermutation.com> <CAFewVt6qfqHW2Df=aXhmo-Fucvn_PUzM8NVQV-aYiH9Ttfhjmw@mail.gmail.com> <9E3DB9FD-2691-4CED-90A9-A024D7A4F4BA@gmail.com> <CAFewVt7YbTz9_NwBt_FDLpPog5sUGsE5GMYOgaZaJXCDkfOL5w@mail.gmail.com> <49B8F9EA-40C6-442D-9E7E-2B09E42CDCC1@gmail.com> <CAFewVt7naEVVVFsKLFK_pDSjw=N4K+ghNPEZDP41kvaL6OVbcg@mail.gmail.com> <6407EEB5-E138-4B50-83D1-D68E1DC8E5EE@gmail.com>
To: Brian Smith <brian@briansmith.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/mSN2hvYIF-SbsAEglXn1f0TZlPw
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] OCSP must staple

On Jun 13, 2014, at 7:52 AM, Yoav Nir <ynir.ietf@gmail.com> wrote:

> 
> On Jun 13, 2014, at 2:44 AM, Brian Smith <brian@briansmith.org> wrote:
> 
>> On Thu, Jun 12, 2014 at 2:45 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:
>> 
>>> On Jun 12, 2014, at 9:21 PM, Brian Smith <brian@briansmith.org> wrote:
>>>> Thanks for sharing that information. Does your product copy all the certificate policies from the original certificate into the forged certificate? If your product doesn't copy certificate policies it doesn't understand, then there wouldn't be an interop issue with your product and the use of certificate policies for Must-Staple, even if your product doesn't generate short-lived certificates.
>>> 
>>> IIRC we don’t copy certificate policies at all, but I could be wrong.
>> 
>> It would be great to get a more definitive confirmation of that, not just from you, but from other vendors of similar products.
> 
> The weekend for us is Friday+Saturday, so I’ll only be able to check this on Sunday.

OK. Now I’ve had a chance to check this, and we don’t copy any of the policy extensions. We copy BasicConstraints, KU, EKU and SubjectAltNames. That’s it.

Other vendors may be doing other things.

Yoav
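The behaviour Yoav describes, as an added example that is not part of the thread and not any vendor's code: a Go program that issues a server certificate carrying a certificatePolicies extension, then re-issues it the way an intercepting proxy would, copying only BasicConstraints, KU, EKU and SubjectAltName, and checks what a client behind the proxy ends up holding. A second run copies every extension, the case Brian asked about, where a product that forwards policies it does not understand would hand the client a forged certificate still marked must-staple. The policy OID 1.3.6.1.4.1.99999.1.1, the CA names and example.com are assumptions of the example; the thread had not assigned any OID for a must-staple policy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// RFC 5280 extension OIDs under 2.5.29: SKI, KU, SAN, BasicConstraints, CertificatePolicies, AKI, EKU.
func ext(n int) asn1.ObjectIdentifier { return asn1.ObjectIdentifier{2, 5, 29, n} }
var (
	oidSKI, oidKU, oidSAN, oidBC, oidCP, oidAKI, oidEKU = ext(14), ext(15), ext(17), ext(19), ext(32), ext(35), ext(37)
	// ASSUMPTION: placeholder for a must-staple policy OID; the thread had not assigned one.
	oidMustStaple = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 1}
	// ProxyCopySet is what Yoav reports his proxy copying: BC, KU, EKU and SAN, nothing else.
	ProxyCopySet = map[string]bool{oidBC.String(): true, oidKU.String(): true, oidEKU.String(): true, oidSAN.String(): true}
)
type policyInformation struct{ Policy asn1.ObjectIdentifier } // RFC 5280 PolicyInformation, qualifiers omitted

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign gives tmpl a fresh P-256 key, serial and one-day validity, signs it with parent (self-signed if nil).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.SerialNumber = must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return sign(&x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// issueOriginal: the public CA issues the server cert with BC, KU, EKU, SAN and the must-staple policy.
func issueOriginal(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, *ecdsa.PrivateKey) {
	cp := must(asn1.Marshal([]policyInformation{{Policy: oidMustStaple}}))
	return sign(&x509.Certificate{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		ExtraExtensions: []pkix.Extension{{Id: oidCP, Value: cp}}}, ca, caKey)
}

// ReissueAsProxy models the intercepting proxy: a new cert for the same subject under proxyCA, copying
// only extensions in copySet (nil = copy everything, Brian's worry). SKI/AKI are never copied: key and issuer are new.
func ReissueAsProxy(orig, proxyCA *x509.Certificate, proxyKey *ecdsa.PrivateKey, copySet map[string]bool) (*x509.Certificate, *ecdsa.PrivateKey) {
	var copied []pkix.Extension
	for _, e := range orig.Extensions {
		if !(e.Id.Equal(oidSKI) || e.Id.Equal(oidAKI)) && (copySet == nil || copySet[e.Id.String()]) {
			copied = append(copied, e)
		}
	}
	return sign(&x509.Certificate{RawSubject: orig.RawSubject, ExtraExtensions: copied}, proxyCA, proxyKey)
}

// HasPolicy decodes the raw certificatePolicies extension itself, so it works the same on every Go version.
func HasPolicy(cert *x509.Certificate, oid asn1.ObjectIdentifier) bool {
	var infos []policyInformation
	for _, e := range cert.Extensions {
		if e.Id.Equal(oidCP) {
			must(asn1.Unmarshal(e.Value, &infos))
		}
	}
	for _, pi := range infos {
		if pi.Policy.Equal(oid) {
			return true
		}
	}
	return false
}

// Simulate intercepts a constructed example.com cert and reports whether the forged one keeps the policy, and its SANs.
func Simulate(copySet map[string]bool) (mustStaple bool, dnsNames []string) {
	realCA, realKey := newCA("Example Public CA")
	proxyCA, proxyKey := newCA("Corporate Interception CA")
	orig, _ := issueOriginal(realCA, realKey, "example.com")
	forged, _ := ReissueAsProxy(orig, proxyCA, proxyKey, copySet)
	return HasPolicy(forged, oidMustStaple), forged.DNSNames
}

func main() {
	fmt.Println(Simulate(ProxyCopySet)) // false [example.com]
	fmt.Println(Simulate(nil))          // true [example.com]
}
```

Running it prints `false [example.com]` for the copy set above (policy gone, SAN kept) and `true [example.com]` for the copy-everything proxy. Two details are worth keeping even in a model: SKI and AKI are regenerated rather than copied, because the forged certificate has a new key and a new issuer, and the policy check decodes the raw certificatePolicies extension instead of relying on Go's PolicyIdentifiers/Policies fields, which differ between Go releases.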