Re: [TLS] New Cached info draft

Adam Langley <> Tue, 30 March 2010 15:24 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 179CC3A685B for <>; Tue, 30 Mar 2010 08:24:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.325
X-Spam-Status: No, score=-0.325 tagged_above=-999 required=5 tests=[AWL=0.522, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13, FM_FORGED_GMAIL=0.622]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Mc51F2ZcdTQA for <>; Tue, 30 Mar 2010 08:24:19 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 378B03A67B0 for <>; Tue, 30 Mar 2010 08:24:18 -0700 (PDT)
Received: by vws9 with SMTP id 9so734553vws.31 for <>; Tue, 30 Mar 2010 08:24:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=domainkey-signature:mime-version:sender:received:in-reply-to :references:date:x-google-sender-auth:received:message-id:subject :from:to:cc:content-type; bh=VaVAR/JwahBlL/R0empZeDGKK3ezQg35cVmcMG8/nNY=; b=B5SOF+D2SHsOG6hJodZPHAaF268TLdbtIvr2lfZlsTk9/AeWr7BIZ3QAK8t5qq50vh uzKUIgh/z+dpYkoObZzF2OzbRLPSSsS+rKlj7f/3DGZxMUfP/u63qGV291okwGEILP2R raBisQZEp5unWb4YUmLukSVCcVq8IwV3FaDVE=
DomainKey-Signature: a=rsa-sha1; c=nofws;; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; b=kvBGMxuBUMWxQXXnxprJ028xGOqRgA/2G685eCzEPGn/fecCPGiNl6Rki71VwpkXIG rw1s0+Eaz2mkDERK+D+15luOAZiMJZtQ+Mp/Zrz82NgkGNtHA5EilsqzhOTtRQIsu4Fa o/QI2l72k+pcyKXHy1s73gl5jKkXvN4iI2UOY=
MIME-Version: 1.0
Received: by with HTTP; Tue, 30 Mar 2010 08:24:43 -0700 (PDT)
In-Reply-To: <>
References: <> <>
Date: Tue, 30 Mar 2010 11:24:43 -0400
X-Google-Sender-Auth: d33c9cbfb71d817e
Received: by with SMTP id l35mr4059544vcr.89.1269962683177; Tue, 30 Mar 2010 08:24:43 -0700 (PDT)
Message-ID: <>
From: Adam Langley <>
To: Stefan Santesson <>
Content-Type: text/plain; charset=UTF-8
Cc: Simon Josefsson <>, "" <>
Subject: Re: [TLS] New Cached info draft
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 30 Mar 2010 15:24:20 -0000

On Tue, Mar 30, 2010 at 7:14 AM, Stefan Santesson <> wrote:
> I have included your sample in draft 07.
> I think this document is done now and good to go.

For people looking to test interop I've a couple of patches: (client and server)  (server)

For the OpenSSL patch, it's enabled by default (probably breaking the
no-tlsext build, but that's already broken since 0.9.8m).

For NSS, you can use the selfserv and tstclnt utilities from NSS. For
tstclnt, give -I /path/to/server-certificate.pem and for selfself,
give just -I.

One last point, I think I'd like to see the ability to cache the

enum {
} CachedInformationType;

4.3.  Data Substitution Syntax for certificate_status

   When a digest for an object of type certificate_status is provided in the
   client hello, the server MAY substitute the cached data with a
   matching digest value received from the client by expanding the
   CertificateStatus handshake message as follows.

   Original handshake message syntax defined in RFC 3546 [RFC3546]:

     struct {
          CertificateStatusType status_type;
          select (status_type) {
              case ocsp: OCSPResponse;
          } response;
      } CertificateStatus;

      opaque OCSPResponse<1..2^24-1>;

   The substitution syntax is defined by defining an additional
status_type which is only valid in a CertificateStatus message:

      enum { ocsp_cached(2) } CertificateStatusType;

     struct {
          CertificateStatusType status_type;
          select (status_type) {
              case ocsp: OCSPResponse;
              case ocsp_cached: opaque digest_value<0..8>;
          } response;
      } CertificateStatus;


Adam Langley