IETF Logo Mail Archive

Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 08 March 2021 03:51 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5CD83A2387 for <tls@ietfa.amsl.com>; Sun, 7 Mar 2021 19:51:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AJBaZKnfXnNy for <tls@ietfa.amsl.com>; Sun, 7 Mar 2021 19:51:39 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 717EA3A2386 for <tls@ietf.org>; Sun, 7 Mar 2021 19:51:39 -0800 (PST)
Received: from [192.168.1.177] (unknown [192.168.1.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by straasha.imrryr.org (Postfix) with ESMTPSA id 72E5AC8DC1 for <tls@ietf.org>; Sun, 7 Mar 2021 22:51:38 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <1615175116899.77667@cs.auckland.ac.nz>
Date: Mon, 08 Mar 2021 01:51:37 -0200
Content-Transfer-Encoding: quoted-printable
Reply-To: IETF TLS WG <tls@ietf.org>
Message-Id: <603B3756-1A94-4A22-AFDE-8E3FC776D448@dukhovni.org>
References: <CACsn0cmmKdR0-82DjrYZD5_CaF2bqwHnj07dM+Bnd-2aupU5QQ@mail.gmail.com> <CABcZeBP8wdmbO8DQPZ8e5CDZ76ioe3vzaJ+7YtQ74XZzcuxHmg@mail.gmail.com> <20210306061124.GY30153@localhost> <1615013752661.15146@cs.auckland.ac.nz> <20210306211036.GZ30153@localhost> <1615111060736.9067@cs.auckland.ac.nz> <20210307223534.GB30153@localhost> <12CE99EA-C55C-4327-A4DF-80734E6F1459@ll.mit.edu> <YEVqToCtAMgT3Swu@straasha.imrryr.org> <1615173682710.74632@cs.auckland.ac.nz> <20210308033123.GC25665@akamai.com> <1615175116899.77667@cs.auckland.ac.nz>
To: IETF TLS WG <tls@ietf.org>
X-Mailer: Apple Mail (2.3654.60.0.2.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/pObRYYjtJqWLuGq2-Y33AYs-vxE>
Subject: Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Mar 2021 03:51:41 -0000

> On Mar 8, 2021, at 1:45 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> 
> Not that "never" since it would break a lot of things, but some time far
> enough in the future that you don't have to worry about it.

The cert generator I cobbled together for the OpenSSL test-suite
generates 100-year certs.  These work well, and should outlast
the lifetime of the library...  Lord help civilization, if it
is still using C for critical software in ~100 years.

(Before that, some older certs used in the build had in fact expired).

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email