Re: [TLS] OCSP must staple

Tom Ritter <tom@ritter.vg> Thu, 05 June 2014 17:14 UTC

Return-Path: <tom@ritter.vg>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50BF21A01F6 for <tls@ietfa.amsl.com>; Thu, 5 Jun 2014 10:14:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.778
X-Spam-Level:
X-Spam-Status: No, score=-0.778 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_51=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 347vKjS_qV0P for <tls@ietfa.amsl.com>; Thu, 5 Jun 2014 10:14:45 -0700 (PDT)
Received: from mail-vc0-x235.google.com (mail-vc0-x235.google.com [IPv6:2607:f8b0:400c:c03::235]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 250091A0090 for <tls@ietf.org>; Thu, 5 Jun 2014 10:14:45 -0700 (PDT)
Received: by mail-vc0-f181.google.com with SMTP id hq11so1521994vcb.12 for <tls@ietf.org>; Thu, 05 Jun 2014 10:14:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=sqNVnIgA5P/v18XtLGStcAt9MIVQB7AJ2HZenfOGieI=; b=Eimzh0HMUmwxtej08f1J/UkCMsaFyOJx44QDyeecLoBGIIVX53Vwi4hyN9u+1Xrmbi evD7ct4dqF+jjUWgLp0MZGoE1KkfC2+WHOLRqGKb50fYyaeQkLtr76TgrBe7eZXL0Yc8 ee3HAtEj6S810nD4wpTtinVCwlYSm4Ojp186o=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=sqNVnIgA5P/v18XtLGStcAt9MIVQB7AJ2HZenfOGieI=; b=SvqIF7taeteDPIb+E+AHOohCVxEj4kqD19Ke7fWyIIcLk8opZhWRuYODhtR9cKjp6y /E7Wj0clxpMwWMzwcebWDKLOmZhZr5fPm8Pn9mN1yJM65WO7Ygtxn8JKNL672cJwVLQL 0ipj2dLmCWzkEFpOiO1wjY4graBmV5lF940DbwLQPJy+8vkCfy1lhKGHslJbfMw55vDN kroR1JMN+0ouThHmwaBvfJs8VHZuLlWQpxiUvNTgFBrARwj3K46PQZaTC8TXw5JvonE1 9BP15BHdRuJZnZnnm/3B4OiLXQuXRRTzF75T3wa0Io4+ZzXGu64dhB2aN5GlKknZoDBZ cdMQ==
X-Gm-Message-State: ALoCoQl60PtbeKNBVhlGBlIuhKLMCxgY/DE/EFxyDe0lgLkdS0/TurKM9NQLmCXia2viUDPEtj1U
X-Received: by 10.220.44.141 with SMTP id a13mr3061290vcf.71.1401988478184; Thu, 05 Jun 2014 10:14:38 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.58.106.39 with HTTP; Thu, 5 Jun 2014 10:14:18 -0700 (PDT)
In-Reply-To: <CAFewVt4p4rJ738Yo=XQm6T_jyvG3TnJsSQ5HDZDrqAkyNDa7tg@mail.gmail.com>
References: <20140528184735.GA20602@roeckx.be> <097101cf7aa7$17f960a0$47ec21e0$@digicert.com> <4AA8E7B7-A19D-4E65-AF18-C4D02A513652@ieca.com> <538EF79B.3000506@cs.tcd.ie> <CAMm+LwgTnva9jJgVfkaOZ1qP0Rk3w-mFfepnubosgtrCEARv=g@mail.gmail.com> <539069CC.5010304@cs.tcd.ie> <CAFewVt4p4rJ738Yo=XQm6T_jyvG3TnJsSQ5HDZDrqAkyNDa7tg@mail.gmail.com>
From: Tom Ritter <tom@ritter.vg>
Date: Thu, 5 Jun 2014 13:14:18 -0400
Message-ID: <CA+cU71ntKUqSnkUbgF9JSf8T-5S3g2NxUO4S3kHz5ionmBf00w@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Content-Type: multipart/alternative; boundary=047d7b34309438c49f04fb19e113
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/z8jZk63huiwwiwEk0b_s3Gopyp8
Cc: Phillip Hallam-Baker <hallam@gmail.com>, "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] OCSP must staple
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jun 2014 17:14:46 -0000

On 5 June 2014 13:05, Brian Smith <brian@briansmith.org> wrote:

> I think in the many years before Must-Staple could become ubiquitous,
> we'll need another mechanism to indicate that all certificates for a given
> hostname must be Must-Staple, whether they contain the Must-Staple feature
> in the X.509 certificate or not. I don't know that that has to be addressed
> in *this* draft or in a draft of a different feature, but it seems like in
> the near term we should also have a mechanism that applies to certificates
> that do not contain the feature.
>

I believe it is many people's intention (at least it is mine) to include it
as a directive in HSTS.  There'a an argument to make it a separate header,
like PKP.  "What if I want my site not to require SSL, but if it does, to
use these certs and that they should be stapled."

-tom