[TLS] CRL Stapling? (was Re: I-D Action: draft-ietf-tls-multiple-cert-status-extension-00.txt)
Rob Stradling <rob.stradling@comodo.com> Thu, 31 May 2012 11:13 UTC
Return-Path: <rob.stradling@comodo.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FE6C21F8631 for <tls@ietfa.amsl.com>; Thu, 31 May 2012 04:13:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WxoVuw1fjSvI for <tls@ietfa.amsl.com>; Thu, 31 May 2012 04:13:15 -0700 (PDT)
Received: from mmmail2.mcr.colo.comodoca.net (mdfw.comodoca.net [91.209.196.68]) by ietfa.amsl.com (Postfix) with ESMTP id 7FE4721F853E for <tls@ietf.org>; Thu, 31 May 2012 04:13:15 -0700 (PDT)
Received: (qmail 28572 invoked from network); 31 May 2012 11:13:14 -0000
Received: from ian1.brad.office.comodo.net (HELO ian.brad.office.comodo.net) (192.168.0.201) by mail.colo.comodoca.net with ESMTPS (DHE-RSA-AES256-SHA encrypted); 31 May 2012 11:13:14 -0000
Received: (qmail 29173 invoked by uid 1000); 31 May 2012 11:13:13 -0000
Received: from nigel.brad.office.comodo.net (HELO [192.168.0.58]) (192.168.0.58) (smtp-auth username rob, mechanism plain) by ian.brad.office.comodo.net (qpsmtpd/0.40) with (CAMELLIA256-SHA encrypted) ESMTPSA; Thu, 31 May 2012 12:13:13 +0100
Message-ID: <4FC75249.3050805@comodo.com>
Date: Thu, 31 May 2012 12:13:13 +0100
From: Rob Stradling <rob.stradling@comodo.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.4) Gecko/20120421 Thunderbird/10.0.4
MIME-Version: 1.0
To: Yngve Nysaeter Pettersen <yngve@opera.com>
References: <20120509153513.11861.32080.idtracker@ietfa.amsl.com>
In-Reply-To: <20120509153513.11861.32080.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: [TLS] CRL Stapling? (was Re: I-D Action: draft-ietf-tls-multiple-cert-status-extension-00.txt)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 May 2012 11:13:16 -0000
Yngve, IIRC, when Opera does an online revocation check, it currently checks CRLs for intermediate CA certificates and OCSP for end-entity certificates. This makes sense because: - CRLs covering intermediate CA certificates tend to be roughly the same size (sometimes smaller!) as the equivalent OCSP Responses (since it's quite rare for intermediate CA certificates to be revoked). - Possessing a current CRL means you won't have to do an online revocation check if you encounter another certificate issued by the same issuer. How would you feel about updating the multi-stapling I-D so that it permits CRLs to be stapled (with a note to implementers that they should only staple CRLs that are deemed to be "small enough")? Simply adding something like "case crl_multi: CRLList;" to your definition of CertificateStatus.response would be problematic, because it would require the server to staple a (potentially huge!) CRL for the end-entity certificate too. So... How about changing the scope of the multi-stapling I-D so that it *only* covers the intermediate CA certificate(s) in the chain? With this approach, an end-entity OCSP Response could be stapled using the RFC6066 TLS extension, and the intermediate CRL(s) could be stapled using the new multi-stapling TLS extension. (End-entity certificate stapling is already defined in RFC6066 and this existing TLS extension is already supported by many clients and servers. So why not make the multi-stapling TLS extension complement it, rather than replace it?) On 09/05/12 16:35, internet-drafts@ietf.org wrote: > > A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Transport Layer Security Working Group of the IETF. > > Title : The TLS Multiple Certificate Status Request Extension > Author(s) : Yngve N. Pettersen > Filename : draft-ietf-tls-multiple-cert-status-extension-00.txt > Pages : 9 > Date : 2012-05-09 > > This document defines the Transport Layer Security (TLS) Certificate > Status Version 2 Extension to allow clients to specify and support > multiple certificate status methods. Also defined is a new method > based on the Online Certificate Status Protocol (OCSP) that servers > can use to provide status information not just about the server's own > certificate, but also the status of intermediate certificates in the > chain. > > > > A URL for this Internet-Draft is: > http://www.ietf.org/internet-drafts/draft-ietf-tls-multiple-cert-status-extension-00.txt > > Internet-Drafts are also available by anonymous FTP at: > ftp://ftp.ietf.org/internet-drafts/ > > This Internet-Draft can be retrieved at: > ftp://ftp.ietf.org/internet-drafts/draft-ietf-tls-multiple-cert-status-extension-00.txt > > The IETF datatracker page for this Internet-Draft is: > https://datatracker.ietf.org/doc/draft-ietf-tls-multiple-cert-status-extension/ > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online
- [TLS] I-D Action: draft-ietf-tls-multiple-cert-st… internet-drafts
- Re: [TLS] I-D Action: draft-ietf-tls-multiple-cer… Sean Turner
- Re: [TLS] I-D Action: draft-ietf-tls-multiple-cer… Sean Turner
- [TLS] CRL Stapling? (was Re: I-D Action: draft-ie… Rob Stradling
- Re: [TLS] CRL Stapling? (was Re: I-D Action: draf… Martin Rex
- Re: [TLS] CRL Stapling? (was Re: I-D Action: draf… Eric Rescorla
- Re: [TLS] CRL Stapling? (was Re: I-D Action: draf… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] CRL Stapling? (was Re: I-D Action: draf… Jean-Marc Desperrier
- Re: [TLS] CRL Stapling? (was Re: I-D Action: draf… Martin Rex
- Re: [TLS] CRL Stapling? (was Re: I-D Action: draf… Geoffrey Keating
- Re: [TLS] CRL Stapling? (was Re: I-D Action: draf… Yngve Nysaeter Pettersen