Re: [Trans] OCSP and SCTs

Kyle Hamilton <aerowolf@gmail.com> Mon, 01 September 2014 00:57 UTC

User-Agent: K-9 Mail for Android
In-Reply-To: <CAFewVt46LqFsvUK0g9cQUbhytNzW6Z6ZhyYoE1vF-sQ-xjh47w@mail.gmail.com>
References: <DCB45BF3-C979-4025-A532-0349D971E95D@gmail.com> <CAFewVt4iX=ActoRLgHTMG=Rua-wZoT8owGLDHt3s=z4vreHQeQ@mail.gmail.com> <239CAEF3-C77D-4E0B-B64D-D715D71AD1A8@gmail.com> <CAFewVt6me=PE5NYVD3JDokrv8JV-ZJXYgdL0dVOf-4K1bFvLSQ@mail.gmail.com> <1929A47D-06A5-4550-A26E-902DE964F980@gmail.com> <CAFewVt46LqFsvUK0g9cQUbhytNzW6Z6ZhyYoE1vF-sQ-xjh47w@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----7VXLK5CIM3CBOM03R5V6QUW5SGWK32"
Content-Transfer-Encoding: 8bit
From: Kyle Hamilton <aerowolf@gmail.com>
Date: Sun, 31 Aug 2014 17:57:38 -0700
To: Brian Smith <brian@briansmith.org>, Fabrice <fabrice.gautier@gmail.com>
Message-ID: <404f9e8c-6605-4482-92ec-5ad4c6adcde0@email.android.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/2cWE5zdUG6vzO5h3xAGzckDBctk
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] OCSP and SCTs
Precedence: list

The more you apply your own "best idea" decision tree, the more you restrict perfectly valid options that would otherwise be legitimate by the spec, in the name of "interoperability". This is why, for example, Netscape's insistence on a "trustworthy" (which really devolves to "known, without judgment of trustworthiness") certifier managed to create a new and completely artificial cottage industry that suffered artificial stunted growth patterns... because it insisted on ITU-standard authentication before anyone knew what it was really good for.  It also basically destroyed one of the use-cases explicitly permitted by the spec, that of the unauthenticated connection.

Don't insist on a client-protocol stapling.  Not everything uses TLS -- and even though TLS is the intended use case, leaving low hanging fruit for other protocols is probably better than binding it so tightly to TLS that no one can conceive of a use aside from that binding.

-Kyle H

On August 31, 2014 11:44:10 AM PST, Brian Smith <brian@briansmith.org> wrote:
>On Sat, Aug 30, 2014 at 9:05 PM, Fabrice <fabrice.gautier@gmail.com>
>wrote:
>> On Aug 30, 2014, at 15:43, Brian Smith <brian@briansmith.org> wrote:
>>> On Sat, Aug 30, 2014 at 3:22 PM, Fabrice <fabrice.gautier@gmail.com>
>wrote:
>>>> On Aug 30, 2014, at 14:16, Brian Smith <brian@briansmith.org>
>wrote:
>>>>
>>>> I understand the issue you describe and how stapling has less
>opportunities
>>>> for failures and is a MUST for TLS clients, but my question was
>really about
>>>> what should a TLS client do when it does not get an OCSP response
>through
>>>> stapling (RFC6066) but get one directly from the OCSP responder or
>>>> potentially other means.
>>>>
>>>> To me, it seems logical for the TLS clients to process SCTs found
>in those
>>>> responses, no matter how it got them.
>>>>
>>> When the client is enforcing CT, it should reject the certificate
>due
>>> to the missing SCT before it even attempts revocation checking.
>>>
>>> Thus, it would never fetch the OCSP response and so it would never
>>> learn the SCT from a fetched response.
>>
>> I don't see any language in the RFC or draft that suggest there is an
>> ordering between revocation checking and CT validation, or any other
>parts
>> of the certificate validation. The only related language I found is
>rather
>> succinct:
>>
>> In addition to normal validation of the certificate and its chain,
>they
>> should validate the SCT (...)
>
>I understand that your question is "If I fetched an OCSP response,
>should I recognize the SCTs in the fetched response?" I don't have any
>opinion on that.
>
>You are right that the spec. doesn't talk about the ordering of doing
>revocation checking and SCT processing during certificate chain
>validation. I believe that the best ordering is to process SCTs, and
>reject certificates without SCTs, before doing revocation checking or
>path building, especially revocation checking and path building that
>requires doing any networking (OCSP fetching and/or AIA chasing),
>because this reduces the risks that are inherent in doing that
>networking and with doing path building in general. The draft should
>be changed to say that.
>
>However, you agree that the current draft allows a client to reject a
>certificate due to a missing SCT before it attempts any AIA chasing
>and/or OCSP fetching, right? If so, then the server must provide the
>SCT in the handshake--in the TLS extension, in the certificate, or in
>a stapled OCSP response--to interoperate with clients that work that
>way, regardless of whether some clients process SCTs in fetched OCSP
>responses.
>
>> If there are good reasons to ignore SCTs in non-stapled OCSP
>responses, I'd
>> like to know about them, and it probably should be mentioned in the
>RFC.
>
>A browser needs a reliable mechanism for getting SCTs in order for the
>browser to be able to make SCTs mandatory. Browsers that make SCT
>mandatory would ultimately be what would make CT effective. OCSP
>fetching is not reliable, in theory or on practice, so a client cannot
>rely on getting SCTs via OCSP fetching. A browser that processed SCTs
>in fetched OCSP responses would be encouraging websites to avoid the
>reliable mechanisms of SCT delivery in favor of an unreliable
>mechanism, causing CT to be unreliable and thus ineffective.
>
>Cheers,
>Brian
>
>_______________________________________________
>Trans mailing list
>Trans@ietf.org
>https://www.ietf.org/mailman/listinfo/trans

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

[Trans] OCSP and SCTs Fabrice
Re: [Trans] OCSP and SCTs Brian Smith
Re: [Trans] OCSP and SCTs Fabrice
Re: [Trans] OCSP and SCTs Brian Smith
Re: [Trans] OCSP and SCTs Fabrice
Re: [Trans] OCSP and SCTs Brian Smith
Re: [Trans] OCSP and SCTs Fabrice Gautier
Re: [Trans] OCSP and SCTs Kyle Hamilton
Re: [Trans] OCSP and SCTs Rob Stradling
Re: [Trans] OCSP and SCTs Rob Stradling
Re: [Trans] OCSP and SCTs Stephen Kent