IETF Logo Mail Archive

Re: [TLS] [pkix] New version of Multiple OCSP mode of Certificate

Peter Gutmann <pgut001@cs.auckland.ac.nz> Thu, 05 August 2010 14:40 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 718A13A68CC; Thu, 5 Aug 2010 07:40:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.224
X-Spam-Level:
X-Spam-Status: No, score=-3.224 tagged_above=-999 required=5 tests=[AWL=0.375, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SvThVWy4rEo9; Thu, 5 Aug 2010 07:40:07 -0700 (PDT)
Received: from mx2-int.auckland.ac.nz (mx2-int.auckland.ac.nz [130.216.12.41]) by core3.amsl.com (Postfix) with ESMTP id 30EF73A6896; Thu, 5 Aug 2010 07:40:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1281019239; x=1312555239; h=from:to:subject:cc:in-reply-to:message-id:date; z=From:=20Peter=20Gutmann=20<pgut001@cs.auckland.ac.nz> |To:=20mrex@sap.com,=20Nicolas.Williams@oracle.com |Subject:=20Re:=20[pkix]=20[TLS]=20=20New=20version=20of =20Multiple=20OCSP=20mode=20of=20Certificate|Cc:=20pkix@i etf.org,=20tls@ietf.org|In-Reply-To:=20<20100805015444.GF 5213@oracle.com>|Message-Id:=20<E1Oh1ca-0001D9-Jw@winterm ute02.cs.auckland.ac.nz>|Date:=20Fri,=2006=20Aug=202010 =2002:40:36=20+1200; bh=bFDdQxSDt8FxSbb4OdlHeWju5ie65fMaOQ9mCo/gXRI=; b=IriQAlh/NiLlG9ikH9hyT5ECsCHlc0U0L/gcVswd/Ndhyyb1VAREL/Dr yW8bJwdWoInVx9zugL6zvnQn41kI1/i1th2iF0mFoCsYOH/sAEJFep5xg 23prwGK7vGvDIfAvNhM2lBruAZ8c8puZGKWA45ryLNbBZuYNwsqvrRgRh o=;
X-IronPort-AV: E=Sophos;i="4.55,321,1278244800"; d="scan'208";a="19407006"
X-Ironport-HAT: UNIVERSITY - $RELAY-THROTTLE
X-Ironport-Source: 130.216.207.92 - Outgoing - Outgoing
Received: from wintermute02.cs.auckland.ac.nz ([130.216.207.92]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 06 Aug 2010 02:40:37 +1200
Received: from pgut001 by wintermute02.cs.auckland.ac.nz with local (Exim 4.69) (envelope-from <pgut001@cs.auckland.ac.nz>) id 1Oh1ca-0001D9-Jw; Fri, 06 Aug 2010 02:40:36 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: mrex@sap.com, Nicolas.Williams@oracle.com
In-Reply-To: <20100805015444.GF5213@oracle.com>
Message-Id: <E1Oh1ca-0001D9-Jw@wintermute02.cs.auckland.ac.nz>
Date: Fri, 06 Aug 2010 02:40:36 +1200
Cc: pkix@ietf.org, tls@ietf.org
Subject: Re: [TLS] [pkix] New version of Multiple OCSP mode of Certificate
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Aug 2010 14:40:09 -0000

Nicolas Williams <Nicolas.Williams@oracle.com> writes:

>What can be done to improve the AIA situation is to constraint AIA URLs such
>that, for example, they cannot specify arbitrary port numbers, and to very
>few URL schemes (HTTP and LDAP should suffice).

The problem with this is that you now get into the URL-obfuscation arms race
that the malware industry has been playing with browser developers for the
last ten years or so.  Would you trust a random PKI implementation (written by
crypto developers not web developers and that's never had to deal with this
kind of attack) to get this right?  After the third attempt?  After the tenth
attempt?

Peter.

v2.23.0 | Report a Bug | By Email