Re: [TLS] How should inability to access key revocation lists impact the TLS handshake?

Xiaoyin Liu <xiaoyin.l@outlook.com> Mon, 24 October 2016 19:12 UTC

From: Xiaoyin Liu <xiaoyin.l@outlook.com>
To: "Salz, Rich" <rsalz@akamai.com>, Ryan Carboni <ryacko@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] How should inability to access key revocation lists impact the TLS handshake?
Thread-Index: AQHSLiIDJviNz/aqz06k2cfULs8chaC36P4AgAAP2pc=
Date: Mon, 24 Oct 2016 19:12:28 +0000
Message-ID: <CY1PR15MB0778C07EB8011F19A780023BFFA90@CY1PR15MB0778.namprd15.prod.outlook.com>
References: <CAO7N=i2uouA79B-k=Td_xP6yTANt9MEXyKzD2Sf_BAXzMjYYDw@mail.gmail.com>, <fa4ab4cc251d4113b7f978b45493a5b1@usma1ex-dag1mb1.msg.corp.akamai.com>
In-Reply-To: <fa4ab4cc251d4113b7f978b45493a5b1@usma1ex-dag1mb1.msg.corp.akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/wPGjn_t8G6t-Yg-zyvboT_pPc7s>
Subject: Re: [TLS] How should inability to access key revocation lists impact the TLS handshake?
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

But I think the problem is that there is no TLS alert for “revocation status inaccessible”.



Best,

Xiaoyin

From: Salz, Rich <rsalz@akamai.com>
Sent: Monday, October 24, 2016 2:15 PM
To: Ryan Carboni <ryacko@gmail.com>; tls@ietf.org
Subject: Re: [TLS] How should inability to access key revocation lists impact the TLS handshake?

> How should inability to access key revocation lists impact the TLS handshake, if previous public keys and/or certificate hashes are not cached?

Nobody does revocation on the web, for some almost all encompassing definition of nobody.

Instead, OCSP and OCSP stapling.

> I cannot see this in the standard. Considering that all one has to do is DDOS a certificate authority nowadays...

General PKI and key lifecycle issues are, properly, not part of the TLS spec.

        /r$
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
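The exchange above turns on the client-side decision that the TLS specification leaves open: what to do when a certificate's revocation status cannot be obtained. The following is an added example, not part of the thread and not code from any of its participants. It models that decision for OCSP stapling (RFC 6066 status_request) with the `cryptography` Python library, which it assumes is installed. It builds its own test CA and leaf certificate in memory and signs the OCSP response directly with the CA key (a real responder normally uses a delegated signing certificate), so nothing is fetched from a CA or responder. Where a TLS alert fits the outcome, the reason string is named after it (certificate_revoked, alert 44; bad_certificate_status_response, alert 113 from RFC 6066). For the "status unavailable" case there is no alert, so the outcome depends on local policy: a Must-Staple leaf (RFC 7633 TLS Feature extension) or an explicit hard-fail setting rejects, otherwise the client soft-fails and proceeds without any revocation information.

```python
# Added example, not from the thread: client-side revocation decision for an OCSP
# staple that is good, revoked, expired, absent, or signed by the wrong key.
# Assumes the `cryptography` library; all certificates and responses are generated
# in-process, and the staple is signed by the CA key itself (a simplification).
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

# Naive UTC "now": the form the cryptography builders accept on every release.
NOW = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
HOUR = datetime.timedelta(hours=1)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def build_pki(must_staple=False):
    """Self-signed test CA plus one leaf. must_staple adds the RFC 7633 TLS Feature
    (status_request) extension, which tells clients to reject a missing staple."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca = (x509.CertificateBuilder()
          .subject_name(_name("Test CA")).issuer_name(_name("Test CA"))
          .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
          .not_valid_before(NOW - 24 * HOUR).not_valid_after(NOW + 365 * 24 * HOUR)
          .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
          .sign(ca_key, hashes.SHA256()))
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    builder = (x509.CertificateBuilder()
               .subject_name(_name("example.test")).issuer_name(ca.subject)
               .public_key(leaf_key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(NOW - 24 * HOUR).not_valid_after(NOW + 90 * 24 * HOUR)
               .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True))
    if must_staple:
        builder = builder.add_extension(
            x509.TLSFeature([x509.TLSFeatureType.status_request]), critical=False)
    return ca, ca_key, builder.sign(ca_key, hashes.SHA256())


def make_staple(ca, ca_key, leaf, status, ttl_hours=24, age_hours=0):
    """DER OCSP response as the server would staple it. age_hours > ttl_hours yields
    an already-expired response, which a client must treat as 'no status'."""
    this_update = NOW - age_hours * HOUR
    revoked = status == ocsp.OCSPCertStatus.REVOKED
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=leaf, issuer=ca, algorithm=hashes.SHA256(), cert_status=status,
                          this_update=this_update, next_update=this_update + ttl_hours * HOUR,
                          revocation_time=this_update if revoked else None,
                          revocation_reason=x509.ReasonFlags.key_compromise if revoked else None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca)
            .sign(ca_key, hashes.SHA256()))
    return resp.public_bytes(serialization.Encoding.DER)


def _next_update(resp):
    # Newer releases expose the aware next_update_utc; older ones only the naive next_update.
    if hasattr(resp, "next_update_utc"):
        dt = resp.next_update_utc
        return dt.astimezone(datetime.timezone.utc).replace(tzinfo=None) if dt else None
    return resp.next_update


def decide(leaf, ca, stapled_der, hard_fail=False, now=NOW):
    """Return (accept, reason). Revoked and malformed staples map to the TLS alerts
    certificate_revoked / bad_certificate_status_response; an unavailable status has
    no alert and is settled by Must-Staple or the hard_fail policy."""
    try:
        leaf.extensions.get_extension_for_class(x509.TLSFeature)
        must_staple = True
    except x509.ExtensionNotFound:
        must_staple = False

    def unavailable(why):
        if must_staple or hard_fail:
            return False, "hard-fail: " + why
        return True, "soft-fail: " + why  # connects with no revocation information at all

    if stapled_der is None:
        return unavailable("no stapled OCSP response")
    resp = ocsp.load_der_ocsp_response(stapled_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return unavailable("responder status " + resp.response_status.name)
    # A staple is evidence only if the issuer key signed it and it names this serial.
    try:
        ca.public_key().verify(resp.signature, resp.tbs_response_bytes,
                               ec.ECDSA(resp.signature_hash_algorithm))
    except InvalidSignature:
        return False, "bad_certificate_status_response: signature does not verify"
    if resp.serial_number != leaf.serial_number:
        return False, "bad_certificate_status_response: response is for another serial"
    nxt = _next_update(resp)
    if nxt is not None and nxt < now:
        return unavailable("stapled response expired")
    if resp.certificate_status == ocsp.OCSPCertStatus.GOOD:
        return True, "good"
    if resp.certificate_status == ocsp.OCSPCertStatus.REVOKED:
        return False, "certificate_revoked"
    return unavailable("responder does not know this certificate")


def demo():
    """Run the interesting cases and return {case: (accept, reason)}."""
    ca, ca_key, leaf = build_pki()
    ms_ca, ms_key, ms_leaf = build_pki(must_staple=True)
    good = make_staple(ca, ca_key, leaf, ocsp.OCSPCertStatus.GOOD)
    return {
        "good staple": decide(leaf, ca, good),
        "revoked staple": decide(leaf, ca, make_staple(ca, ca_key, leaf, ocsp.OCSPCertStatus.REVOKED)),
        "expired staple": decide(leaf, ca, make_staple(ca, ca_key, leaf, ocsp.OCSPCertStatus.GOOD,
                                                       ttl_hours=1, age_hours=48)),
        "no staple, soft-fail": decide(leaf, ca, None),
        "no staple, hard-fail": decide(leaf, ca, None, hard_fail=True),
        "no staple, must-staple": decide(ms_leaf, ms_ca, None),
        "staple from another CA": decide(ms_leaf, ms_ca, good),
    }


if __name__ == "__main__":
    for case, (accept, reason) in demo().items():
        print(f"{case:24s} -> {'accept' if accept else 'reject':6s} ({reason})")
```

Run it directly to see the table of outcomes. The point to take away is the asymmetry in `decide`: a revoked or forged staple is a definite rejection, but a missing or expired one is only a rejection if the certificate carries Must-Staple or the client has been configured to hard-fail; the default soft-fail path is exactly the "nobody does revocation" behaviour described in the thread, and an attacker who can block the responder (or simply not staple) gets the soft-fail outcome.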