Re: [TLS] OCSP in RFC7525bis - summary of the discussion
Yaron Sheffer <yaronf.ietf@gmail.com> Thu, 27 January 2022 21:45 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0AAC3A1221; Thu, 27 Jan 2022 13:45:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uDNRT9x_Cm4y; Thu, 27 Jan 2022 13:45:16 -0800 (PST)
Received: from mail-io1-xd29.google.com (mail-io1-xd29.google.com [IPv6:2607:f8b0:4864:20::d29]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92B493A121F; Thu, 27 Jan 2022 13:45:16 -0800 (PST)
Received: by mail-io1-xd29.google.com with SMTP id q204so5381791iod.8; Thu, 27 Jan 2022 13:45:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=user-agent:date:subject:from:to:message-id:thread-topic :mime-version:content-transfer-encoding; bh=cGKcI8PFfmW9g2GKC/9RlZgmQDkDsOcrI9hAUuFgKCY=; b=WeWVln+vD1bi+058EcXhSnhrCZ72wTsmhDToUhTY8V3/dH9PDPXzHlAIOirhkO1iD/ xi9wKva/OVr2P7lrOjQEZm9laweXObD8CHG8GVG4Zk+b+aJphaFoxVcH4F07Am7jH7SP X9jo1WVJfnOIMutkNxsjYjCkRjjo6GuWVOMTwb+Hs0FmkgqNhXNPyw3vRDzasaE2M/uR +tEvWE/hpbVkeJ0RVUF+bvx9GLg1nAkmNFh8fesmMcDQ0QNH606E7gJzO4RRsH+2oB3t X52c4pwTbSNP5H5ycNJspMS6b0z/nJsP31f6sp0fsJCwCyHzYxpwvIeYhjvkaIxk5x1b QoyQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:user-agent:date:subject:from:to:message-id :thread-topic:mime-version:content-transfer-encoding; bh=cGKcI8PFfmW9g2GKC/9RlZgmQDkDsOcrI9hAUuFgKCY=; b=alew8IQ991gQIUlnoOlZDkbGOUlNpZrwtqZT07GTGIylLmizzRF8UykBowIcd/XV+H 0/JR8J6OmNlxlLrmfZGV5lHhRM9TNpTATuklD7nmKdogr/o2KXa7DUMp3zTExxb/9bYL s3ua0FaGxiEu407fj8DUkFvQDGqaSvNpapbyBE2nQe3kjDkws0Wzgp0XX/KgigYoP0Jr K3Um9NuQbnPR2zKRMepa2I5qgSRZKx6z610+pJolOEClJakbclPxm3y3cW9rqYfTarDM f2hl/nsGxg00EGU6PUBxLkYppFxRm8Zj0YRVH/CCTPq/nXwisCgpIfEALMhe3GCQZYjt IS2g==
X-Gm-Message-State: AOAM532er/f7JMmbmRAPPpsRCirWqWGjFhXd9S9SpVX9yWPTJ3TOJ8mu JxeMofEqJ6f6MFt0XFd+FsUb95spk6g=
X-Google-Smtp-Source: ABdhPJzVPTslcfQTc6UT3S6ILYOo6d4oBYLRpMGRhuYkE4xzFIk/0tLJ6QSEJbY2W9DrB0kI6aEzRg==
X-Received: by 2002:a02:b611:: with SMTP id h17mr2961883jam.197.1643319914810; Thu, 27 Jan 2022 13:45:14 -0800 (PST)
Received: from [192.168.68.108] (IGLD-84-229-146-220.inter.net.il. [84.229.146.220]) by smtp.gmail.com with ESMTPSA id 8sm13620591ilq.14.2022.01.27.13.45.13 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 27 Jan 2022 13:45:14 -0800 (PST)
User-Agent: Microsoft-MacOutlook/16.57.22011101
Date: Thu, 27 Jan 2022 23:45:11 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: "uta@ietf.org" <uta@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Message-ID: <F3E4E365-F73D-44C9-AEB1-C2EB36D2C207@gmail.com>
Thread-Topic: OCSP in RFC7525bis - summary of the discussion
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/qV3P3Vf1ZH2S9CqcXBk7YreqKO4>
Subject: Re: [TLS] OCSP in RFC7525bis - summary of the discussion
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jan 2022 21:45:21 -0000
Thank you all for the lively and far reaching discussion on revocation and OCSP. Let me summarize how the authors of RFC7525-bis read the consensus - UTA WG chairs, please chime in if you disagree.
There seems to be consensus that applications should be able to handle certificate revocation. There is (weaker) consensus that OCSP is the preferred solution, and no consensus at all about the technical details. For example, clients failing hard is not in consensus - but neither is the opposite.
So our plan moving forward is to essentially keep the new text on OCSP [1] and add a reference to RFC 7633 (the certificate must-staple extension). But only as a MAY. In addition, we will add a MUST requirement to perform (some kind of) revocation checking.
If you have not read the Pull Request, please note that it's a significant change over RFC7525, e.g. 6961 is no longer recommended.
There was some back and forth about DNSSEC, short-lived certs, CAA and CT as mitigating controls, but we don't see them as clearly in scope of the document.
Thanks,
Yaron
[1] https://github.com/yaronf/I-D/pull/279/files
---
From: Yaron Sheffer <yaronf.ietf@gmail.com>
Date: Wednesday, January 19, 2022 at 16:57
To: "uta@ietf.org" <uta@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: OCSP in RFC7525bis
Hi,
RFC 7525 (the TLS BCP) has a section [1] with “weak” recommendations to use OCSP and OCSP stapling. We are changing these recommendations [2] in view of OCSP stapling in TLS 1.3 and the obsolescence of RFC 6961.
But this raises a larger question: many client-side implementations soft-fail if they don’t get an OCSP response within the handshake, i.e. they just ignore the problem. As far as we understand, this makes OCSP stapling completely ineffective for what it’s trying to solve.
So for the new BCP, we have three options:
- Add a SHOULD-level requirement (for TLS 1.3 implementations, possibly also TLS 1.2 implementations) to fail the handshake if the OCSP response is missing or invalid. (As far as we can tell, RFC 8446 is silent on this.)
- Remove the whole discussion of OCSP, saying that in its current form it’s not adding value.
- Maintain the status quo, where many people implement OCSP on the server side, but clients rarely benefit.
We would be grateful for feedback based on implementation experience. In particular if you have quantitative data on the use or quality of OCSP that’s more recent than Chung18 [3], that would be very useful.
Thanks,
Peter, Thomas and Yaron
PS: apologies for cross-posting.
[1] https://datatracker.ietf.org/doc/html/rfc7525#section-6.5
[2] https://github.com/yaronf/I-D/pull/279/files
[3] https://cbw.sh/static/pdf/chung-imc18.pdf
- Re: [TLS] OCSP in RFC7525bis - summary of the dis… Yaron Sheffer
- Re: [TLS] OCSP in RFC7525bis - summary of the dis… Viktor Dukhovni