Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections
Graham Bartlett <graham.ietf@gmail.com> Sun, 07 March 2021 11:15 UTC
Return-Path: <graham.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D84A3A102D for <tls@ietfa.amsl.com>; Sun, 7 Mar 2021 03:15:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZPFdY7PoUl_b for <tls@ietfa.amsl.com>; Sun, 7 Mar 2021 03:15:44 -0800 (PST)
Received: from mail-pl1-x636.google.com (mail-pl1-x636.google.com [IPv6:2607:f8b0:4864:20::636]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E19713A0FF1 for <tls@ietf.org>; Sun, 7 Mar 2021 03:15:43 -0800 (PST)
Received: by mail-pl1-x636.google.com with SMTP id d8so3513507plg.10 for <tls@ietf.org>; Sun, 07 Mar 2021 03:15:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8ivjCbhBI6r3s8tbOZ1zwkIyGX7dAXyXurlacxT35yQ=; b=BMqNGLagwNsg1LUOSFL3hBFbBIOhbcwcHGV3Dal12UU14AQq6pNkPmqkjTf+t2zgGp VcI+GPsXLSrxuvdibP0UucjHY3gcmI5PIQVYvWhDsdtb68A26+bRWRzlG0ekkc/oRck1 sEAm4EhGcaVhjLjMT1l9AJ1B/8jNOQBnUqRXhLiKq7M4rOw9vSi8pB2RpmkFXdSoyURf RQlFNkrmrRCCqr/vljHrCbtt4WrVe5hLDKKQuEuDKIHtHv89/0mM3FvV7J2moYHFT83j yoLPZphhbscDsrfbuzXIoroMPtzoH/W23W9PK/s3WPL46uZLG8bFEFHYYbGPeTfMqJ2X mLmg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8ivjCbhBI6r3s8tbOZ1zwkIyGX7dAXyXurlacxT35yQ=; b=tepQgxB12t7zHncz5yBAF63kU1RSjU9+/6FeRUNDgitanXRnPkeM8IMGvtcvW2SkiY xE3s9OPiolQZ9hLWQ8T3yW/iazpXhF0W7DRKsj2UFLECYxi2Sj4yXXZs0IuO+IUIMv1d N5U6arKIfWoiJctVIJFeMZ+cgRALqeD/BQ7Gzc0GCPH3953AdQZHNjKy84qg5P3WHswC b9Pk9J7nU6LloTEQVs2W0vcJX7mK/NLk2MqfppOezCS2h4OYyANFbUPkeeF0b2K6lCew kO/mP20zupEhTGcmFhK7UtKWLGYfN19jA7iqKrgAr0TMzX2eobVSEVy1tPsZn6rAWOrO zrqw==
X-Gm-Message-State: AOAM532vyTO3ssxywrjpn3tECvQ9aq9nFAn6iKxJv2/I2A6TOYwGkgR8 0PqVo0aj4gbFZNYYr3+9B4WlGSa3xMvtHn4Bbis=
X-Google-Smtp-Source: ABdhPJyEzEUlyQ1nAE/Mqykevjal43eiygMYalTE/lY1uMqOuE2JsYeJU1pUj57YHMKCsIiotaKY/TBdf9Hw/IRnUTA=
X-Received: by 2002:a17:902:6a88:b029:e3:cd8a:3a92 with SMTP id n8-20020a1709026a88b02900e3cd8a3a92mr16178495plk.22.1615115742291; Sun, 07 Mar 2021 03:15:42 -0800 (PST)
MIME-Version: 1.0
References: <DE27E5E0-4AB9-4B53-92F6-1057015A8F6C@ericsson.com> <20210305173516.GV30153@localhost> <701E874C-EA40-47FD-A4E4-C4C595E96337@ericsson.com> <CACsn0cmmKdR0-82DjrYZD5_CaF2bqwHnj07dM+Bnd-2aupU5QQ@mail.gmail.com> <CABcZeBP8wdmbO8DQPZ8e5CDZ76ioe3vzaJ+7YtQ74XZzcuxHmg@mail.gmail.com> <20210306061124.GY30153@localhost> <1615013752661.15146@cs.auckland.ac.nz> <20210306211036.GZ30153@localhost> <1615111060736.9067@cs.auckland.ac.nz>
In-Reply-To: <1615111060736.9067@cs.auckland.ac.nz>
From: Graham Bartlett <graham.ietf@gmail.com>
Date: Sun, 07 Mar 2021 11:15:31 +0000
Message-ID: <CAO4D2DN=kbUtSs=7GqDPibpDeJjL4GO7OWa22wbBHvNJeQU66A@mail.gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: Nico Williams <nico@cryptonector.com>, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, TLS List <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000172bc105bcf07069"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/uzfB9osCaLffrwz5z53nizYeeMo>
Subject: Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Mar 2021 11:15:47 -0000
Hi I have a fair amount of hands on experience with IPsec VPNs, and many organisations look to use TLS in a similar manner. To give you an example of where you might look to perform a regular revocation check on long lived connections; Solution with many remote devices (think remote access, so phones, laptops, IoT devices etc) A remote device is compromised, on the gateway there could be 1000s of devices connected. I've found that most vendor solutions aren't geared up for an admin to easily determine the compromised device and prevent this reconnecting. Most organisations have a disconnect between the SOC, PKI team and the team that manages the remote access gateway, getting a process that'll involve all 3 teams usually doesn't work. I've found that the best method to prevent the device from connecting is for the certificate to be revoked, the CRL refreshed and then a re-authentication performed on all active connections. I'm not as familiar with TLS as I am IPsec, but hope that this explains a scenario where I feel re-authentication would be very valuable. cheers On Sun, Mar 7, 2021 at 9:58 AM Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote: > Nico Williams <nico@cryptonector.com> writes: > > >When expirations are short, you will not forget to renew. That's part of > the > >point of short-lived certificates. > > So instead of getting one chance a year for your control system to break > itself if the renewal fails, you get hundreds of them? > > Peter. > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Question to TLS 1.3 and certificate revocat… Fries, Steffen
- Re: [TLS] Question to TLS 1.3 and certificate rev… John Mattsson
- Re: [TLS] Question to TLS 1.3 and certificate rev… Salz, Rich
- Re: [TLS] Question to TLS 1.3 and certificate rev… Nico Williams
- Re: [TLS] Question to TLS 1.3 and certificate rev… Viktor Dukhovni
- Re: [TLS] Question to TLS 1.3 and certificate rev… John Mattsson
- Re: [TLS] Question to TLS 1.3 and certificate rev… Nico Williams
- Re: [TLS] Question to TLS 1.3 and certificate rev… Watson Ladd
- Re: [TLS] Question to TLS 1.3 and certificate rev… Eric Rescorla
- Re: [TLS] Question to TLS 1.3 and certificate rev… Nico Williams
- Re: [TLS] Question to TLS 1.3 and certificate rev… Nico Williams
- Re: [TLS] Question to TLS 1.3 and certificate rev… Viktor Dukhovni
- Re: [TLS] Question to TLS 1.3 and certificate rev… Peter Gutmann
- Re: [TLS] Question to TLS 1.3 and certificate rev… Nico Williams
- Re: [TLS] Question to TLS 1.3 and certificate rev… Nico Williams
- Re: [TLS] Question to TLS 1.3 and certificate rev… Hannes Tschofenig
- Re: [TLS] Question to TLS 1.3 and certificate rev… Peter Gutmann
- Re: [TLS] Question to TLS 1.3 and certificate rev… Graham Bartlett
- Re: [TLS] Question to TLS 1.3 and certificate rev… Deb Cooley
- Re: [TLS] Question to TLS 1.3 and certificate rev… Graham Bartlett
- Re: [TLS] Question to TLS 1.3 and certificate rev… Hannes Tschofenig
- Re: [TLS] Question to TLS 1.3 and certificate rev… Hannes Tschofenig
- Re: [TLS] Question to TLS 1.3 and certificate rev… Benjamin Kaduk
- Re: [TLS] Question to TLS 1.3 and certificate rev… Graham Bartlett
- Re: [TLS] Question to TLS 1.3 and certificate rev… Nico Williams
- Re: [TLS] Question to TLS 1.3 and certificate rev… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Question to TLS 1.3 and certificate rev… Nico Williams
- Re: [TLS] Question to TLS 1.3 and certificate rev… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Question to TLS 1.3 and certificate rev… Nico Williams
- Re: [TLS] Question to TLS 1.3 and certificate rev… Viktor Dukhovni
- Re: [TLS] Question to TLS 1.3 and certificate rev… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Question to TLS 1.3 and certificate rev… Peter Gutmann
- Re: [TLS] Question to TLS 1.3 and certificate rev… Benjamin Kaduk
- Re: [TLS] Question to TLS 1.3 and certificate rev… Viktor Dukhovni
- Re: [TLS] Question to TLS 1.3 and certificate rev… Peter Gutmann
- Re: [TLS] Question to TLS 1.3 and certificate rev… Viktor Dukhovni
- Re: [TLS] Question to TLS 1.3 and certificate rev… Olle E. Johansson
- Re: [TLS] Question to TLS 1.3 and certificate rev… Fries, Steffen
- Re: [TLS] Question to TLS 1.3 and certificate rev… Salz, Rich
- Re: [TLS] Question to TLS 1.3 and certificate rev… Viktor Dukhovni
- Re: [TLS] Question to TLS 1.3 and certificate rev… Fries, Steffen
- Re: [TLS] Question to TLS 1.3 and certificate rev… Viktor Dukhovni
- Re: [TLS] Question to TLS 1.3 and certificate rev… Jonathan Hoyland
- Re: [TLS] Question to TLS 1.3 and certificate rev… Fries, Steffen
- Re: [TLS] Question to TLS 1.3 and certificate rev… Fries, Steffen
- Re: [TLS] Question to TLS 1.3 and certificate rev… Jonathan Hoyland