IETF Logo Mail Archive

Re: [Trans] OCSP and SCTs

Fabrice Gautier <fabrice.gautier@gmail.com> Sun, 31 August 2014 20:36 UTC

Return-Path: <fabrice.gautier@gmail.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A270B1A9039 for <trans@ietfa.amsl.com>; Sun, 31 Aug 2014 13:36:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2zwfzg9eAvsx for <trans@ietfa.amsl.com>; Sun, 31 Aug 2014 13:36:13 -0700 (PDT)
Received: from mail-pa0-x22c.google.com (mail-pa0-x22c.google.com [IPv6:2607:f8b0:400e:c03::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DABA1A9035 for <trans@ietf.org>; Sun, 31 Aug 2014 13:36:13 -0700 (PDT)
Received: by mail-pa0-f44.google.com with SMTP id rd3so10650207pab.31 for <trans@ietf.org>; Sun, 31 Aug 2014 13:36:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=references:mime-version:in-reply-to:content-type :content-transfer-encoding:message-id:cc:from:subject:date:to; bh=r/HYIYJZNiePXopUMCi4mdnCuREWPqGSiKcJ8xRulYM=; b=UAiupIfbA7PjvldEUfrlvN+7F+Jlb4gCM2P7ZVPVecnrDNCYTki5vBniBszsnW8C8U MBjvl7xJiuwUMifY4t2ifGx3KC/Ak6fWIOoJf7qz9v0HuClfcsYAsRYzaZzlYFcBD3my b7d0N+/gCBWxMVa/5h8XWodbjRoIDWViKKV3hx5stWJy3pGkN543F3R38fUFeUbCM2gm 6OYTZqkrNGmLln0yVv3cArrOrzQZX3l5IoI+wTrSV/ItSNTtQzYPZyHWYv5GKyF2tr+w 8Kry2JafpQaBuAxUey5T6BQ+i9ReACEO+DXnfO3fUPhbvhC2xwAdQdD4KYpFLi4igzWh R/+Q==
X-Received: by 10.70.132.162 with SMTP id ov2mr17052376pdb.118.1409517372976; Sun, 31 Aug 2014 13:36:12 -0700 (PDT)
Received: from [10.0.1.7] (c-67-188-142-21.hsd1.ca.comcast.net. [67.188.142.21]) by mx.google.com with ESMTPSA id x7sm9062991pdj.36.2014.08.31.13.36.11 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 31 Aug 2014 13:36:11 -0700 (PDT)
References: <DCB45BF3-C979-4025-A532-0349D971E95D@gmail.com> <CAFewVt4iX=ActoRLgHTMG=Rua-wZoT8owGLDHt3s=z4vreHQeQ@mail.gmail.com> <239CAEF3-C77D-4E0B-B64D-D715D71AD1A8@gmail.com> <CAFewVt6me=PE5NYVD3JDokrv8JV-ZJXYgdL0dVOf-4K1bFvLSQ@mail.gmail.com> <1929A47D-06A5-4550-A26E-902DE964F980@gmail.com> <CAFewVt46LqFsvUK0g9cQUbhytNzW6Z6ZhyYoE1vF-sQ-xjh47w@mail.gmail.com>
Mime-Version: 1.0 (1.0)
In-Reply-To: <CAFewVt46LqFsvUK0g9cQUbhytNzW6Z6ZhyYoE1vF-sQ-xjh47w@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Message-Id: <FDE8E4B3-3B25-461F-8222-036BD2E3B065@gmail.com>
X-Mailer: iPad Mail (11D201)
From: Fabrice Gautier <fabrice.gautier@gmail.com>
Date: Sun, 31 Aug 2014 13:36:10 -0700
To: Brian Smith <brian@briansmith.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/cq_ydLRg9C0-0nw61L5o-X4KFlM
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] OCSP and SCTs
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Aug 2014 20:36:14 -0000

> On Aug 31, 2014, at 11:44, Brian Smith <brian@briansmith.org> wrote:
> 
>> On Sat, Aug 30, 2014 at 9:05 PM, Fabrice <fabrice.gautier@gmail.com> wrote:
>>> On Aug 30, 2014, at 15:43, Brian Smith <brian@briansmith.org> wrote:
>>>> On Sat, Aug 30, 2014 at 3:22 PM, Fabrice <fabrice.gautier@gmail.com> wrote:
>>>> On Aug 30, 2014, at 14:16, Brian Smith <brian@briansmith.org> wrote:
>>>> 
>>>> I understand the issue you describe and how stapling has less opportunities
>>>> for failures and is a MUST for TLS clients, but my question was really about
>>>> what should a TLS client do when it does not get an OCSP response through
>>>> stapling (RFC6066) but get one directly from the OCSP responder or
>>>> potentially other means.
>>>> 
>>>> To me, it seems logical for the TLS clients to process SCTs found in those
>>>> responses, no matter how it got them.
>>>> 
>>> When the client is enforcing CT, it should reject the certificate due
>>> to the missing SCT before it even attempts revocation checking.
>>> 
>>> Thus, it would never fetch the OCSP response and so it would never
>>> learn the SCT from a fetched response.
>> 
>> I don't see any language in the RFC or draft that suggest there is an
>> ordering between revocation checking and CT validation, or any other parts
>> of the certificate validation. The only related language I found is rather
>> succinct:
>> 
>> In addition to normal validation of the certificate and its chain, they
>> should validate the SCT (...)
> 
> I understand that your question is "If I fetched an OCSP response,
> should I recognize the SCTs in the fetched response?" I don't have any
> opinion on that.
> 
> You are right that the spec. doesn't talk about the ordering of doing
> revocation checking and SCT processing during certificate chain
> validation. I believe that the best ordering is to process SCTs, and
> reject certificates without SCTs, before doing revocation checking or
> path building, especially revocation checking and path building that
> requires doing any networking (OCSP fetching and/or AIA chasing),
> because this reduces the risks that are inherent in doing that
> networking and with doing path building in general. The draft should
> be changed to say that.
> 
> However, you agree that the current draft allows a client to reject a
> certificate due to a missing SCT before it attempts any AIA chasing
> and/or OCSP fetching, right?

Yes, but only because I don't think the draft says anything about rejecting certificates without SCTs. It only says that the SCTs should be validated and defines what a valid SCT is.

The only document I know of that talk about how a TLS client would react to no SCTs (or not enough of them) is Chrome's published plans for tying together EV certs and CT. In that case, certificates are not rejected, just the UI would look different.

But I guess these are policy decisions that maybe out of the scope of the current draft.


> If so, then the server must provide the
> SCT in the handshake--in the TLS extension, in the certificate, or in
> a stapled OCSP response--to interoperate with clients that work that
> way, regardless of whether some clients process SCTs in fetched OCSP
> responses.
> 
>> If there are good reasons to ignore SCTs in non-stapled OCSP responses, I'd
>> like to know about them, and it probably should be mentioned in the RFC.
> 
> A browser needs a reliable mechanism for getting SCTs in order for the
> browser to be able to make SCTs mandatory. Browsers that make SCT
> mandatory would ultimately be what would make CT effective. OCSP
> fetching is not reliable, in theory or on practice, so a client cannot
> rely on getting SCTs via OCSP fetching. A browser that processed SCTs
> in fetched OCSP responses would be encouraging websites to avoid the
> reliable mechanisms of SCT delivery in favor of an unreliable
> mechanism, causing CT to be unreliable and thus ineffective.

True,

Maybe the draft should specify that clients should not consider SCTs coming from unreliable mechanisms.

I think this might be an important detail for implementations which may not always know the origin of an ocsp response when processing it.


> Cheers,
> Brian

v2.23.0 | Report a Bug | By Email