Re: [Trans] OCSP and SCTs
Fabrice <fabrice.gautier@gmail.com> Sat, 30 August 2014 22:22 UTC
Return-Path: <fabrice.gautier@gmail.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A67A21A0BEB for <trans@ietfa.amsl.com>; Sat, 30 Aug 2014 15:22:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xtVIjI_Hykp0 for <trans@ietfa.amsl.com>; Sat, 30 Aug 2014 15:22:02 -0700 (PDT)
Received: from mail-pd0-x229.google.com (mail-pd0-x229.google.com [IPv6:2607:f8b0:400e:c02::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CFED61A1F04 for <trans@ietf.org>; Sat, 30 Aug 2014 15:22:02 -0700 (PDT)
Received: by mail-pd0-f169.google.com with SMTP id g10so3046331pdj.28 for <trans@ietf.org>; Sat, 30 Aug 2014 15:22:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=TswakxK7jIeJizwQKcclVAubAQWlhMiLmMMPNbWU1/E=; b=yP0aoARBxbvO3Q+9oO4aU+v7vfD5CF4cQQEHXGCqU2oW16NK+MS9XTsWpqil5qP66/ SVUp0imQBQeIxSOffjnt+VOcpBiD0G7wL5haFtjHCbYMU9DQgiYqS35SJjMY5Doa4awy bVaho8WJkg8PMWSvX19xkV+W4E3VmtB/NRYClo/ExDHYIjgxcU93FHnCJ4hK/UpTemTK y6gSsUJT9uoJKwamfqL9YMPQiixdo7ciHIIh5Q0qFlTchTYnL+X940RpAOXeo132fce6 1cJ5zbTx2tgX9msC9IFyj7eqeX+vjdUCn1RD87qxLRwna21dvpXwK8mcPjAcqLDACMJS UoCg==
X-Received: by 10.70.49.2 with SMTP id q2mr24923222pdn.28.1409437322397; Sat, 30 Aug 2014 15:22:02 -0700 (PDT)
Received: from [10.0.1.4] (c-67-188-142-21.hsd1.ca.comcast.net. [67.188.142.21]) by mx.google.com with ESMTPSA id ny7sm12783811pab.38.2014.08.30.15.22.00 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 30 Aug 2014 15:22:01 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
From: Fabrice <fabrice.gautier@gmail.com>
X-Mailer: iPhone Mail (11D257)
In-Reply-To: <CAFewVt4iX=ActoRLgHTMG=Rua-wZoT8owGLDHt3s=z4vreHQeQ@mail.gmail.com>
Date: Sat, 30 Aug 2014 15:22:00 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <239CAEF3-C77D-4E0B-B64D-D715D71AD1A8@gmail.com>
References: <DCB45BF3-C979-4025-A532-0349D971E95D@gmail.com> <CAFewVt4iX=ActoRLgHTMG=Rua-wZoT8owGLDHt3s=z4vreHQeQ@mail.gmail.com>
To: Brian Smith <brian@briansmith.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/pf1nss9fsZZfHmYShMQTjdIP1Vo
Cc: "trans@ietf.org" <trans@ietf.org>
Subject: Re: [Trans] OCSP and SCTs
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Aug 2014 22:22:04 -0000
> On Aug 30, 2014, at 14:16, Brian Smith <brian@briansmith.org> wrote: > >> On Sat, Aug 30, 2014 at 1:48 PM, Fabrice <fabrice.gautier@gmail.com> wrote: >> Regarding the transport of SCTs as part of OCSP responses, the RFCs only talk about it in the context of OCSP stapling. Can SCTs also be provided in non stapled OCSP responses to TLS clients? > > A client that requires SCTs cannot rely on an unreliable fetching > mechanism like OCSP fetching to get the SCTs. Consequently, the web > server must always give the client the SCTs so that the client doesn't > have to fetch anything to get them. > >> Or should the language be generalized to just talk about SCTs in OCSP responses, no matter how those responses are provided to the TLS client? > > No. It is critical that the OCSP response be stapled if the SCTs are > embedded in an OCSP response. > > Just one example why: Imagine a captive portal on a Wifi network that > forces people to login at https://example.org/ and which blocks > requests to the OCSP responder for its certificate. If the SCTs are > not provided in the handshake (in the certificate, in the TLS > extension, or in a stapled OCSP response), then there would be no way > to get the SCTs. I understand the issue you describe and how stapling has less opportunities for failures and is a MUST for TLS clients, but my question was really about what should a TLS client do when it does not get an OCSP response through stapling (RFC6066) but get one directly from the OCSP responder or potentially other means. To me, it seems logical for the TLS clients to process SCTs found in those responses, no matter how it got them. -- Fabrice > > Cheers, > Brian
- [Trans] OCSP and SCTs Fabrice
- Re: [Trans] OCSP and SCTs Brian Smith
- Re: [Trans] OCSP and SCTs Fabrice
- Re: [Trans] OCSP and SCTs Brian Smith
- Re: [Trans] OCSP and SCTs Fabrice
- Re: [Trans] OCSP and SCTs Brian Smith
- Re: [Trans] OCSP and SCTs Fabrice Gautier
- Re: [Trans] OCSP and SCTs Kyle Hamilton
- Re: [Trans] OCSP and SCTs Rob Stradling
- Re: [Trans] OCSP and SCTs Rob Stradling
- Re: [Trans] OCSP and SCTs Stephen Kent