Re: [TLS] OCSP must staple

Yoav Nir <ynir.ietf@gmail.com> Sun, 08 June 2014 04:59 UTC

On Jun 8, 2014, at 7:02 AM, Jeremy Rowley <jeremy.rowley@digicert.com> wrote:

> Non-compliance by certain CAs is really irrelevant to whether OCSP Must
> Staple should be adopted as a standard. Must staple is about letting server
> operators dictate whether stapling is required, not about improving CA
> certificate profiles.

Dictate to whom?  Isn’t the presence of this extension a mandate on the server operators themselves?

And enforced how?  Suppose a server sends the client a certificate with the extension but does not staple an OCSP response: are clients going to cut the connection, or are they going to try the OCSP server? And if they try the OCSP server, is it going to reject them?

I’m trying to get my head around how this extension is going to be deployed.

Yoav
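As an added illustration of the client-side enforcement question above (example code, not from the thread or any participant): a client that recognises the TLS Feature extension, the form "must staple" later took in RFC 7633, hard-fails when the certificate lists status_request but no OCSP response is stapled, and does not fall back to contacting the responder. It uses the RFC 7633 OID and the RFC 6066 status_request value; the DER sample bytes are constructed.

```python
# Added example (not from the thread): what a client that understands the TLS Feature
# ("must staple", RFC 7633) extension does when no OCSP response is stapled.
TLS_FEATURE_OID = bytes.fromhex("2b 06 01 05 05 07 01 18")  # id-pe-tlsfeature 1.3.6.1.5.5.7.1.24
STATUS_REQUEST = 5  # TLS extension type status_request (RFC 6066)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(seq):
    """Split the contents of a SEQUENCE into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(seq):
        tag, value, pos = _read_tlv(seq, pos)
        out.append((tag, value))
    return out


def tls_features(extensions_der):
    """Feature ids listed in the TLS Feature extension, or None if it is absent."""
    for _, ext in _children(_read_tlv(extensions_der, 0)[1]):
        parts = _children(ext)  # extnID, optional critical BOOLEAN, extnValue
        if parts[0] != (0x06, TLS_FEATURE_OID):
            continue
        inner = _read_tlv(parts[-1][1], 0)[1]  # SEQUENCE OF INTEGER in the OCTET STRING
        return [int.from_bytes(v, "big") for _, v in _children(inner)]
    return None


def client_decision(extensions_der, stapled_ocsp):
    """'reject' cuts the connection; 'unconstrained' means existing client OCSP policy applies."""
    features = tls_features(extensions_der)
    if features is None or STATUS_REQUEST not in features:
        return "unconstrained"
    return "accept" if stapled_ocsp else "reject"  # hard fail, no fallback to the responder


# Constructed sample Extensions: basicConstraints alone, and with TLS Feature {status_request}.
PLAIN_EXTS = bytes.fromhex("30 0e 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 00")
MUST_STAPLE_EXTS = bytes.fromhex(
    "30 21 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 00"
    "30 11 06 08 2b 06 01 05 05 07 01 18 04 05 30 03 02 01 05"
)
```

A must-staple certificate therefore answers the "enforced how?" question on the client side: the decision is made from the certificate and handshake alone, before any OCSP responder is contacted.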