Re: [Trans] OCSP and SCTs
Brian Smith <brian@briansmith.org> Sat, 30 August 2014 21:16 UTC
Return-Path: <brian@briansmith.org>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A1BD1A067F for <trans@ietfa.amsl.com>; Sat, 30 Aug 2014 14:16:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DhipPGrXKGpI for <trans@ietfa.amsl.com>; Sat, 30 Aug 2014 14:16:31 -0700 (PDT)
Received: from mail-qa0-f48.google.com (mail-qa0-f48.google.com [209.85.216.48]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD90B1A0502 for <trans@ietf.org>; Sat, 30 Aug 2014 14:16:30 -0700 (PDT)
Received: by mail-qa0-f48.google.com with SMTP id m5so3600128qaj.35 for <trans@ietf.org>; Sat, 30 Aug 2014 14:16:30 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=vdP9fC5eF/MkuUdYXls4Nbepezvhy2ivBcOKWYWrm0A=; b=Vw8NknrwuFQV0KgudYHN6q4HWatS5QiD3xf2ynq3Ksw0s8JJt/F4jjOv3wsY18SelN 0O881oCfgqeGzx/AVchb19MJM9omI0UHlMFoqEaNS1dpY3pJc12QoxpFv31p2C9acgmd OREBFtAO6AzAfRKV1VStEbg57jYJcolK54bhhKm2StEBX4B1SlXHxYC69STDMVfzIKBp gy5G1k09QpZ6ZVKtLjScLlw+DzFT3shTlaJLi8HE8lb7Quwrg7vIBnh5utVkjbvXfGud 2CBxgcYJeU9E53ocwADWza/H7vjzAY0vGVhHH/tOe794R5gtXR2zhDawulujSmd9iQHx Q0uQ==
X-Gm-Message-State: ALoCoQlwJ+ni0JkfcX9PArtn1b1cCX65EgFcFgaVhAy+QEudvkU4z8WXD6Oo+b1waMms9MyqyOCc
MIME-Version: 1.0
X-Received: by 10.224.151.143 with SMTP id c15mr21623409qaw.10.1409433389936; Sat, 30 Aug 2014 14:16:29 -0700 (PDT)
Received: by 10.224.67.133 with HTTP; Sat, 30 Aug 2014 14:16:29 -0700 (PDT)
In-Reply-To: <DCB45BF3-C979-4025-A532-0349D971E95D@gmail.com>
References: <DCB45BF3-C979-4025-A532-0349D971E95D@gmail.com>
Date: Sat, 30 Aug 2014 14:16:29 -0700
Message-ID: <CAFewVt4iX=ActoRLgHTMG=Rua-wZoT8owGLDHt3s=z4vreHQeQ@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Fabrice <fabrice.gautier@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/Ft4F_CiP38BARZYVV_nzp_PZT4I
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] OCSP and SCTs
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Aug 2014 21:16:32 -0000
On Sat, Aug 30, 2014 at 1:48 PM, Fabrice <fabrice.gautier@gmail.com> wrote: > Regarding the transport of SCTs as part of OCSP responses, the RFCs only talk about it in the context of OCSP stapling. Can SCTs also be provided in non stapled OCSP responses to TLS clients? A client that requires SCTs cannot rely on an unreliable fetching mechanism like OCSP fetching to get the SCTs. Consequently, the web server must always give the client the SCTs so that the client doesn't have to fetch anything to get them. > Or should the language be generalized to just talk about SCTs in OCSP responses, no matter how those responses are provided to the TLS client? No. It is critical that the OCSP response be stapled if the SCTs are embedded in an OCSP response. Just one example why: Imagine a captive portal on a Wifi network that forces people to login at https://example.org/ and which blocks requests to the OCSP responder for its certificate. If the SCTs are not provided in the handshake (in the certificate, in the TLS extension, or in a stapled OCSP response), then there would be no way to get the SCTs. Cheers, Brian
- [Trans] OCSP and SCTs Fabrice
- Re: [Trans] OCSP and SCTs Brian Smith
- Re: [Trans] OCSP and SCTs Fabrice
- Re: [Trans] OCSP and SCTs Brian Smith
- Re: [Trans] OCSP and SCTs Fabrice
- Re: [Trans] OCSP and SCTs Brian Smith
- Re: [Trans] OCSP and SCTs Fabrice Gautier
- Re: [Trans] OCSP and SCTs Kyle Hamilton
- Re: [Trans] OCSP and SCTs Rob Stradling
- Re: [Trans] OCSP and SCTs Rob Stradling
- Re: [Trans] OCSP and SCTs Stephen Kent