Re: [TLS] OCSP must staple
Yoav Nir <ynir.ietf@gmail.com> Sun, 08 June 2014 04:59 UTC
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <155f01cf82ce$7cfa8360$76ef8a20$@digicert.com>
Date: Sun, 08 Jun 2014 07:59:21 +0300
Message-Id: <C877733F-EBCC-4D88-8B99-271914A517B4@gmail.com>
References: <097101cf7aa7$17f960a0$47ec21e0$@digicert.com> <4AA8E7B7-A19D-4E65-AF18-C4D02A513652@ieca.com> <538EF79B.3000506@cs.tcd.ie> <CAMm+LwgTnva9jJgVfkaOZ1qP0Rk3w-mFfepnubosgtrCEARv=g@mail.gmail.com> <539069CC.5010304@cs.tcd.ie> <CAFewVt4p4rJ738Yo=XQm6T_jyvG3TnJsSQ5HDZDrqAkyNDa7tg@mail.gmail.com> <20140605173223.GK27883@mournblade.imrryr.org> <20140607164945.GA23329@roeckx.be> <20140607170619.GC27883@mournblade.imrryr.org> <2A0EFB9C05D0164E98F19BB0AF3708C7130F434F7A@USMBX1.msg.corp.akamai.com> <20140607184737.GD27883@mournblade.imrryr.org> <2A0EFB9C05D0164E98F19BB0AF3708C7130F434F7D@USMBX1.msg.corp.akamai.com> <155f01cf82ce$7cfa8360$76ef8a20$@digicert.com>
To: Jeremy Rowley <jeremy.rowley@digicert.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/z9GhI-goUHcInRgsM7A7hs_tmH8
Cc: tls@ietf.org
Subject: Re: [TLS] OCSP must staple
On Jun 8, 2014, at 7:02 AM, Jeremy Rowley <jeremy.rowley@digicert.com> wrote:

> Non-compliance by certain CAs is really irrelevant to whether OCSP Must
> Staple should be adopted as a standard. Must staple is about letting server
> operators dictate whether stapling is required, not on improving CA
> certificate profiles.

Dictate to whom? Isn’t the presence of this extension a mandate on the server operators themselves? And enforced how? Suppose a server sends the client a certificate with the extension, and does not staple an OCSP response: are clients going to cut the connection, or are they going to try the OCSP server? And if they try the OCSP server, is it going to reject them?

I’m trying to get my head around how this extension is going to be deployed.

Yoav
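The client-side decision Yoav is asking about, as an added illustration that is not part of the thread: a model of the hard-fail policy in which a certificate carrying the TLS Feature ("must staple") extension causes the client to reject a handshake with no usable stapled OCSP response instead of contacting the responder itself. The `Cert` and `StapledOCSP` classes, the `client_decision` function and the sample certificate are constructed for this example; the feature value 5 is the status_request extension type from RFC 6066.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# TLS extension type number for status_request (RFC 6066); a TLS Feature
# extension listing this value is what "OCSP must staple" means.
STATUS_REQUEST = 5


@dataclass
class Cert:
    """Minimal stand-in for a parsed end-entity certificate (constructed)."""
    subject: str
    tls_features: List[int] = field(default_factory=list)  # empty = extension absent


@dataclass
class StapledOCSP:
    """Stand-in for the OCSP response carried in the CertificateStatus message."""
    status: str   # "good", "revoked" or "unknown"
    valid: bool   # signature verified, matches this cert, inside its validity window


def must_staple(cert: Cert) -> bool:
    """True when the certificate itself demands a stapled OCSP response."""
    return STATUS_REQUEST in cert.tls_features


def client_decision(cert: Cert, staple: Optional[StapledOCSP], may_fetch: bool = True) -> str:
    """Return "accept", "reject" or "fetch_ocsp" for one handshake.

    Policy modelled here (an assumption, not a quotation of any standard):
    with must-staple set, a missing, stale or unusable staple is a hard
    failure and the client never queries the responder on its own; without
    the extension the client keeps its usual behaviour, fetching from the
    responder when allowed and otherwise accepting.
    """
    mandatory = must_staple(cert)
    usable = staple is not None and staple.valid
    if not usable:
        return "reject" if mandatory else ("fetch_ocsp" if may_fetch else "accept")
    if staple.status == "good":
        return "accept"
    if staple.status == "revoked":
        return "reject"
    # "unknown": the responder has no record of this cert. Under must-staple
    # that is treated like no staple at all; otherwise the client may ask itself.
    return "reject" if mandatory else ("fetch_ocsp" if may_fetch else "accept")


if __name__ == "__main__":
    cert = Cert("example.test", tls_features=[STATUS_REQUEST])  # constructed sample
    print(client_decision(cert, None))                           # reject
    print(client_decision(cert, StapledOCSP("good", True)))      # accept
```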