Re: [TLS] CRL Stapling? (was Re: I-D Action: draft-ietf-tls-multiple-cert-status-extension-00.txt)

"Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com> Mon, 04 June 2012 10:31 UTC

Return-Path: <yngve@opera.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF32821F87A4 for <tls@ietfa.amsl.com>; Mon, 4 Jun 2012 03:31:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LdELUTp-zuw2 for <tls@ietfa.amsl.com>; Mon, 4 Jun 2012 03:31:45 -0700 (PDT)
Received: from smtp.opera.com (smtp.opera.com [213.236.208.81]) by ietfa.amsl.com (Postfix) with ESMTP id 4E6E921F8771 for <tls@ietf.org>; Mon, 4 Jun 2012 03:31:44 -0700 (PDT)
Received: from acorna.invalid.invalid (pat-tdc.opera.com [213.236.208.22]) (authenticated bits=0) by smtp.opera.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id q54AVbSH024486 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 4 Jun 2012 10:31:38 GMT
Content-Type: text/plain; charset="iso-8859-15"; format="flowed"; delsp="yes"
To: Rob Stradling <rob.stradling@comodo.com>
References: <20120509153513.11861.32080.idtracker@ietfa.amsl.com> <4FC75249.3050805@comodo.com>
Date: Mon, 04 Jun 2012 12:31:39 +0200
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
Organization: Opera Software AS
Message-ID: <op.wfdji1xiqrq7tp@acorna.invalid.invalid>
In-Reply-To: <4FC75249.3050805@comodo.com>
User-Agent: Opera Mail/11.64 (Win32)
Cc: tls@ietf.org
Subject: Re: [TLS] CRL Stapling? (was Re: I-D Action: draft-ietf-tls-multiple-cert-status-extension-00.txt)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Jun 2012 10:31:47 -0000

On Thu, 31 May 2012 13:13:13 +0200, Rob Stradling  
<rob.stradling@comodo.com> wrote:

> Yngve,
>
> IIRC, when Opera does an online revocation check, it currently checks  
> CRLs for intermediate CA certificates and OCSP for end-entity  
> certificates.  This makes sense because:
>    - CRLs covering intermediate CA certificates tend to be roughly the  
> same size (sometimes smaller!) as the equivalent OCSP Responses (since  
> it's quite rare for intermediate CA certificates to be revoked).
>    - Possessing a current CRL means you won't have to do an online  
> revocation check if you encounter another certificate issued by the same  
> issuer.
>
> How would you feel about updating the multi-stapling I-D so that it  
> permits CRLs to be stapled (with a note to implementers that they should  
> only staple CRLs that are deemed to be "small enough")?

Like Martin Rex, I am concerned that this would significantly increase the  
complexity of the system:

  - The servers would have to download both, and then decide which to use.

  - Clients might need to associate the CRL data with the relevant CRL URL  
in their cache (in case the client can use it later), but this might lead  
to cache poisoning (the CRL might be valid, but it has been obsoleted by a  
newer CRL revoking some cert).

  - The record format would have to be adapted, possibly including a  
datatype for each entry in the list, alternatively a completely new record  
(which would assume just one datatype was used for the intermediates)

  - Each server having a cert from the same CA would each send the CRL from  
that CA, which might require duplicate resolving if the CRL is newer than  
the one currently cached.

  - This is not suitable for the cached info extension for caching across  
multiple servers: There might be a lot of these entries, increasing  
handshake size, and it might be abused to learn which sites the user have  
visited, since the extension must be sent before we know which certificate  
the site will present.

All in all, this adds so much complexity that I don't think it would be  
worth the effort.

> Simply adding something like "case crl_multi: CRLList;" to your  
> definition of CertificateStatus.response would be problematic, because  
> it would require the server to staple a (potentially huge!) CRL for the  
> end-entity certificate too.  So...
>
> How about changing the scope of the multi-stapling I-D so that it *only*  
> covers the intermediate CA certificate(s) in the chain?
>
>
> With this approach, an end-entity OCSP Response could be stapled using  
> the RFC6066 TLS extension, and the intermediate CRL(s) could be stapled  
> using the new multi-stapling TLS extension.

This would be even more complex, as we would either need a new handshake  
message for the new extension, or allow multiple messages, both of which  
would change the current TLS state engine.

>
> (End-entity certificate stapling is already defined in RFC6066 and this  
> existing TLS extension is already supported by many clients and servers.  
>   So why not make the multi-stapling TLS extension complement it, rather  
> than replace it?)
>
>
> On 09/05/12 16:35, internet-drafts@ietf.org wrote:
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts  
>> directories. This draft is a work item of the Transport Layer Security  
>> Working Group of the IETF.
>>
>> 	Title           : The TLS Multiple Certificate Status Request Extension
>> 	Author(s)       : Yngve N. Pettersen
>> 	Filename        : draft-ietf-tls-multiple-cert-status-extension-00.txt
>> 	Pages           : 9
>> 	Date            : 2012-05-09
>>
>>     This document defines the Transport Layer Security (TLS) Certificate
>>     Status Version 2 Extension to allow clients to specify and support
>>     multiple certificate status methods.  Also defined is a new method
>>     based on the Online Certificate Status Protocol (OCSP) that servers
>>     can use to provide status information not just about the server's  
>> own
>>     certificate, but also the status of intermediate certificates in the
>>     chain.
>>
>>
>>
>> A URL for this Internet-Draft is:
>> http://www.ietf.org/internet-drafts/draft-ietf-tls-multiple-cert-status-extension-00.txt
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> This Internet-Draft can be retrieved at:
>> ftp://ftp.ietf.org/internet-drafts/draft-ietf-tls-multiple-cert-status-extension-00.txt
>>
>> The IETF datatracker page for this Internet-Draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-tls-multiple-cert-status-extension/
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>


-- 
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer		     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 23 69 32 60              Fax:    +47 23 69 24 01
********************************************************************