Re: [Trans] OCSP and SCTs
Brian Smith <brian@briansmith.org> Sun, 31 August 2014 18:44 UTC
Return-Path: <brian@briansmith.org>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5456B1A8AD8 for <trans@ietfa.amsl.com>; Sun, 31 Aug 2014 11:44:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cDMWETJ14-xj for <trans@ietfa.amsl.com>; Sun, 31 Aug 2014 11:44:12 -0700 (PDT)
Received: from mail-qa0-f51.google.com (mail-qa0-f51.google.com [209.85.216.51]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1D271A8AAC for <trans@ietf.org>; Sun, 31 Aug 2014 11:44:11 -0700 (PDT)
Received: by mail-qa0-f51.google.com with SMTP id j7so4091718qaq.38 for <trans@ietf.org>; Sun, 31 Aug 2014 11:44:11 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=VCrTxtMEw4kMKsR0zlCln+tnEqeX4Ejlq2XtRTvy6S4=; b=bH4VvGiKDG59VuEmIjW5Lsp7t4wcFJSza/wiB5KEkaf0+PfV3FiBXGU+DXN4yYGoEO J1lkU4cQqHBwZnXzuuUO8E22PGv7QXWX5iG3VjqlKmMRcReaz3+mH7CPPsW6dm4XIXgW yjd0dyk1Yw8OG20UNU6ycJGdZiGezjrLAr4UVmELgNyqRJu9i+SkKmtxENMLUrVC8znY QtMX3aVfhTu6wMhweI6uwjElR2Qs2+QShQi3kUiZj0Ok+uKthKuvMl1nMmzBo2olT5kT MPztUAZ8+SUjSDVrAkaIMWQHmfBxk9S9rZKzdbL4cLg6pFwMPE+lW6hdvYbp6/PnYz0i 6Xvg==
X-Gm-Message-State: ALoCoQmnaUtn+fqXFPlnYDcGxxBV0fQ4vZ/GZ7An89ExNOexDVeBneAgerKXcc00BnHD0kAMKPsR
MIME-Version: 1.0
X-Received: by 10.140.81.134 with SMTP id f6mr29058473qgd.60.1409510651138; Sun, 31 Aug 2014 11:44:11 -0700 (PDT)
Received: by 10.224.67.133 with HTTP; Sun, 31 Aug 2014 11:44:10 -0700 (PDT)
In-Reply-To: <1929A47D-06A5-4550-A26E-902DE964F980@gmail.com>
References: <DCB45BF3-C979-4025-A532-0349D971E95D@gmail.com> <CAFewVt4iX=ActoRLgHTMG=Rua-wZoT8owGLDHt3s=z4vreHQeQ@mail.gmail.com> <239CAEF3-C77D-4E0B-B64D-D715D71AD1A8@gmail.com> <CAFewVt6me=PE5NYVD3JDokrv8JV-ZJXYgdL0dVOf-4K1bFvLSQ@mail.gmail.com> <1929A47D-06A5-4550-A26E-902DE964F980@gmail.com>
Date: Sun, 31 Aug 2014 11:44:10 -0700
Message-ID: <CAFewVt46LqFsvUK0g9cQUbhytNzW6Z6ZhyYoE1vF-sQ-xjh47w@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Fabrice <fabrice.gautier@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/NU_PNqPJTYZaBPOw9bphxAYPSHo
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] OCSP and SCTs
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Aug 2014 18:44:13 -0000
On Sat, Aug 30, 2014 at 9:05 PM, Fabrice <fabrice.gautier@gmail.com> wrote: > On Aug 30, 2014, at 15:43, Brian Smith <brian@briansmith.org> wrote: >> On Sat, Aug 30, 2014 at 3:22 PM, Fabrice <fabrice.gautier@gmail.com> wrote: >>> On Aug 30, 2014, at 14:16, Brian Smith <brian@briansmith.org> wrote: >>> >>> I understand the issue you describe and how stapling has less opportunities >>> for failures and is a MUST for TLS clients, but my question was really about >>> what should a TLS client do when it does not get an OCSP response through >>> stapling (RFC6066) but get one directly from the OCSP responder or >>> potentially other means. >>> >>> To me, it seems logical for the TLS clients to process SCTs found in those >>> responses, no matter how it got them. >>> >> When the client is enforcing CT, it should reject the certificate due >> to the missing SCT before it even attempts revocation checking. >> >> Thus, it would never fetch the OCSP response and so it would never >> learn the SCT from a fetched response. > > I don't see any language in the RFC or draft that suggest there is an > ordering between revocation checking and CT validation, or any other parts > of the certificate validation. The only related language I found is rather > succinct: > > In addition to normal validation of the certificate and its chain, they > should validate the SCT (...) I understand that your question is "If I fetched an OCSP response, should I recognize the SCTs in the fetched response?" I don't have any opinion on that. You are right that the spec. doesn't talk about the ordering of doing revocation checking and SCT processing during certificate chain validation. I believe that the best ordering is to process SCTs, and reject certificates without SCTs, before doing revocation checking or path building, especially revocation checking and path building that requires doing any networking (OCSP fetching and/or AIA chasing), because this reduces the risks that are inherent in doing that networking and with doing path building in general. The draft should be changed to say that. However, you agree that the current draft allows a client to reject a certificate due to a missing SCT before it attempts any AIA chasing and/or OCSP fetching, right? If so, then the server must provide the SCT in the handshake--in the TLS extension, in the certificate, or in a stapled OCSP response--to interoperate with clients that work that way, regardless of whether some clients process SCTs in fetched OCSP responses. > If there are good reasons to ignore SCTs in non-stapled OCSP responses, I'd > like to know about them, and it probably should be mentioned in the RFC. A browser needs a reliable mechanism for getting SCTs in order for the browser to be able to make SCTs mandatory. Browsers that make SCT mandatory would ultimately be what would make CT effective. OCSP fetching is not reliable, in theory or on practice, so a client cannot rely on getting SCTs via OCSP fetching. A browser that processed SCTs in fetched OCSP responses would be encouraging websites to avoid the reliable mechanisms of SCT delivery in favor of an unreliable mechanism, causing CT to be unreliable and thus ineffective. Cheers, Brian
- [Trans] OCSP and SCTs Fabrice
- Re: [Trans] OCSP and SCTs Brian Smith
- Re: [Trans] OCSP and SCTs Fabrice
- Re: [Trans] OCSP and SCTs Brian Smith
- Re: [Trans] OCSP and SCTs Fabrice
- Re: [Trans] OCSP and SCTs Brian Smith
- Re: [Trans] OCSP and SCTs Fabrice Gautier
- Re: [Trans] OCSP and SCTs Kyle Hamilton
- Re: [Trans] OCSP and SCTs Rob Stradling
- Re: [Trans] OCSP and SCTs Rob Stradling
- Re: [Trans] OCSP and SCTs Stephen Kent