Re: [TLS] How should inability to access key revocation lists impact the TLS handshake?
Eric Rescorla <ekr@rtfm.com> Mon, 24 October 2016 19:18 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3A5B12989D for <tls@ietfa.amsl.com>; Mon, 24 Oct 2016 12:18:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c7U27jP-2ckG for <tls@ietfa.amsl.com>; Mon, 24 Oct 2016 12:18:24 -0700 (PDT)
Received: from mail-yb0-x22d.google.com (mail-yb0-x22d.google.com [IPv6:2607:f8b0:4002:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC3781299BB for <tls@ietf.org>; Mon, 24 Oct 2016 12:18:24 -0700 (PDT)
Received: by mail-yb0-x22d.google.com with SMTP id g68so88217206ybi.0 for <tls@ietf.org>; Mon, 24 Oct 2016 12:18:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=EmRenR3BHwYTw4cheF5g//2biRwU1wVO9mbIjvrqXX8=; b=z4VarbEW1LBtAlsUs1lBVfTmilzfhRrDAfgpAdl3gSK4qUyrk/FMOozh+c8w30TcAm wSmMn2g1xfZFQKB6M+5rBgHKFyfP9P1MWpdiyaVHAdy71tDcDFP/P6Ik2fGvu+i4XH36 /9/B6uLnltcT7LgAsqZlocrXdmY82sD1MPnrRgMJuGkxftsVjyCchqkjSuFt0JXmPikp jQCh+kAiE68w51wSLju1wGaSnA++8/W2Mf6EqmXmt6rIChg479kax04jnzu2sCpXCyvX wXKeF4Jivom4E5ItQ1PL1GtFjb4Ff5l9m3DdyeJhGLCxYy8nGtY+tXiEjI5BJYdih3s/ l4eQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=EmRenR3BHwYTw4cheF5g//2biRwU1wVO9mbIjvrqXX8=; b=j3cYF2HMU3VroiD9Gk4Vy5QSHNxKogx8yORkmWsUtJ4gu5liBVXYx2Aw3f7A7O8K4x JrlAWWPGGQXPynTOrovG4QSG50bzDL6oT08a8adFKRWuNTz+MjnaA7jVieogmLNFNoCg SWF/EcxNDTpeB0m3/JmgKQRVbfbJChAWWS3df88hOqbD+1NWKYPKV4WfcWAw8v65g8PL q14ievBUVmVHelrKrYlWGTUsNMOUT4KqoSn+r+PsaSFTxG60puiooYTF+4oihlp2tljH zEOw9kJbU4OJ222MZk9ily6obAwJdwGQRVUJJBfCN4/N4hWUxqZEDipSh9nYNeCYEktB FX3w==
X-Gm-Message-State: ABUngvf35WbjlRakxWgTeHCwL7PSGS25ZhH5uq/VYcq+hYeQQP5tcnEqh82gnf4Vtyq1oSe/CIrZD0+y2qIN2g==
X-Received: by 10.37.246.15 with SMTP id t15mr18475761ybd.107.1477336704034; Mon, 24 Oct 2016 12:18:24 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.82.210 with HTTP; Mon, 24 Oct 2016 12:17:43 -0700 (PDT)
In-Reply-To: <CY1PR15MB0778C07EB8011F19A780023BFFA90@CY1PR15MB0778.namprd15.prod.outlook.com>
References: <CAO7N=i2uouA79B-k=Td_xP6yTANt9MEXyKzD2Sf_BAXzMjYYDw@mail.gmail.com> <fa4ab4cc251d4113b7f978b45493a5b1@usma1ex-dag1mb1.msg.corp.akamai.com> <CY1PR15MB0778C07EB8011F19A780023BFFA90@CY1PR15MB0778.namprd15.prod.outlook.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 24 Oct 2016 12:17:43 -0700
Message-ID: <CABcZeBMPD28EZfWMo-_MNT-CatgJBYWyV=cUUfuTWh-uwJaZXw@mail.gmail.com>
To: Xiaoyin Liu <xiaoyin.l@outlook.com>
Content-Type: multipart/alternative; boundary="f403045da0a6755a09053fa141c3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/stfQVixs0P4YRoWf3QRKotR_j24>
Cc: "tls@ietf.org" <tls@ietf.org>, Ryan Carboni <ryacko@gmail.com>
Subject: Re: [TLS] How should inability to access key revocation lists impact the TLS handshake?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Oct 2016 19:18:27 -0000
"certificate_unknown" seems like it should be fine for this On Mon, Oct 24, 2016 at 12:12 PM, Xiaoyin Liu <xiaoyin.l@outlook.com> wrote: > But I think the problem is that there is no TLS alert for “revocation > status inaccessible”. > > > > Best, > > Xiaoyin > > *From: *Salz, Rich <rsalz@akamai.com> > *Sent: *Monday, October 24, 2016 2:15 PM > *To: *Ryan Carboni <ryacko@gmail.com>; tls@ietf.org > *Subject: *Re: [TLS] How should inability to access key revocation lists > impact the TLS handshake? > > > > How should inability to access key revocation lists impact the TLS > handshake, if previous public keys and/or certificate hashes are not cached? > > Nobody does revocation on the web, for some almost all encompassing > definition of nobody. > > Instead, OCSP and OCSP stapling. > > > I cannot see this in the standard. Considering that all one has to do is > DDOS a certificate authority nowadays... > > General PKI and key lifecycle issues are, properly, not part of the TLS > spec. > > /r$ > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > >
- [TLS] How should inability to access key revocati… Ryan Carboni
- Re: [TLS] How should inability to access key revo… Salz, Rich
- Re: [TLS] How should inability to access key revo… Xiaoyin Liu
- Re: [TLS] How should inability to access key revo… Eric Rescorla