[websec] Requiring OCSP Stapling as a directive in HSTS

Tom Ritter <tom@ritter.vg> Mon, 19 January 2015 17:56 UTC

Return-Path: <tom@ritter.vg>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 0A55A1B2B2C for <websec@ietfa.amsl.com>; Mon, 19 Jan 2015 09:56:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id byruQZKj_3YO for <websec@ietfa.amsl.com>; Mon, 19 Jan 2015 09:56:00 -0800 (PST)
Received: from mail-ig0-x230.google.com (mail-ig0-x230.google.com [IPv6:2607:f8b0:4001:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67BAC1ACDB2 for <websec@ietf.org>; Mon, 19 Jan 2015 09:56:00 -0800 (PST)
Received: by mail-ig0-f176.google.com with SMTP id hl2so12120611igb.3 for <websec@ietf.org>; Mon, 19 Jan 2015 09:55:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=mime-version:from:date:message-id:subject:to:content-type; bh=ObBLKzeX7FHblZZMjhzRarigjmcoU8NxzNG8AWaVFDM=; b=4tYoLUqmcAEQVEy7UzhGC4+62bi2EI69ReCe2LTzQfEL244t/BtDs+mkg1kZmgeINo lzSbW22dlG1yP5EfIw9YsxyorwqY5Y30VWS/nG1BynKU6SZ59EP023oY4bLdonj0nANU HnWTHJ0w3mFtLBfDdDf/1XvoYGSqgVrIYBhgM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-type; bh=ObBLKzeX7FHblZZMjhzRarigjmcoU8NxzNG8AWaVFDM=; b=ftabosZEoOkqsLPnp84b24TdWiDmkUDHnIhETdERdcKXp0A4MfF2e0l4RVVOn+66gc h8YFoCnn3xYh86NjszeSmYJ7BfwuWE4ob7zakpJEJRthb1XFFNh28PerrRNutPuq0jiD 6ordKfP9L4c7Zcmq5WejgTY1XHOKgNA6wpsEEhvarmcvGegANoV5AtrvMNz471lPHjsY b7bGyIG/4L+q8NzTOtUAGMscUtEDAIGjhqYt8ZalBWTPHnTiUK9QTlus7NdeyTsrsNQP XonN/mmyz7KstlWcsQnh8m7dZtZFd9cSEKTnfrnM2Wox1q9juXsIhkNW7qm/1n+kCR8v rxpA==
X-Gm-Message-State: ALoCoQk/jQ1AlIGP1SK7RyoQGKvEIIAMfzdDwLxrE/D3Ygs/q9KAm023ECtqdqMsy30VPEyuBBGl
X-Received: by with SMTP id z5mr20569560igl.19.1421690159414; Mon, 19 Jan 2015 09:55:59 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Mon, 19 Jan 2015 09:55:39 -0800 (PST)
From: Tom Ritter <tom@ritter.vg>
Date: Mon, 19 Jan 2015 11:55:39 -0600
Message-ID: <CA+cU71=LyXAvBYJQdMdmqmtrWg15aUG5tS+VQh9ZLqfHKA4pQw@mail.gmail.com>
To: IETF WebSec WG <websec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1
Archived-At: <http://mailarchive.ietf.org/arch/msg/websec/FfsLW9QmvgSzCF0DoP6gIbkotm8>
Subject: [websec] Requiring OCSP Stapling as a directive in HSTS
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Jan 2015 17:56:04 -0000

Hi all.  I'd like to propose an idea: add an optional directive to the
HSTS header that, when included, mandates any certificate received for
a domain require OCSP Stapling. It would respect includeSubdomains and

The threat model I'm trying to address is an attacker who can get a
valid certificate misissued for a domain.  Because of the revocation
situation, the attacker can then MITM users with impunity, blocking
revocation lookups if they occur.  While UAs would receive a crlset or
other push of revoked certificates, I believe that the UA will still
work if that connection is blocked, and it's not clear how long that
connection must be blocked before the UA stops working entirely.  (If
that happens at all.)

Counting from the detection of the attack (which efforts like CT and
Pinning help detect), requiring OCSP stapling changes the window of
attack from {forever?, 30 days?, an unknown value?} to the OCSP
staple's lifetime.  (Assuming the attacker gets a OCSP signature right
before revocation.)

Why OCSP stapling and not require the UA to instead use 'hard-fail'
revocation checking?  Well, CRLs have all sorts of drawbacks: longer
expiry times, large sizes, and they're pretty much being phased out
everywhere.  (I know about Delta-CRLs - developing a specification for
them, implementing, and deploying them will take years, if ever, due
to IPR stuff. This does not.)   What about requiring OCSP querying?
Browsers don't much care for that - it's slow, can timeout for
non-security reasons, it's out of the control of the web site owner.
That leaves us with OCSP Stapling - it's fast, implemented, deployed.

While I'm not opposed to making the language say "Hard Fail Revocation
Checking" I would expect UAs to interpret that as OCSP stapling, and
would not want to delay implementation to account for unlikely-used
corner cases.  And if we say OCSP Stapling, there's no reason that
down the road we could add a new directive for 'hard-fail-revocation'
and let it encompass many different checks.

As far as 'Where?' and why 'In HSTS'?  I see four options: a HTTP
Header, a TLS Extension, a DNSSEC record, and a Certificate Extension.

Certificate Extension is being worked on
(https://datatracker.ietf.org/doc/draft-hallambaker-tlsfeature/) but I
see it as a compliment to this.  The certificate extension only
dictates policy for this certificate.  If we assume an attacker can
get a misissued certificate for a domain, the cert extension is only
useful when it is the default issuing status and an attacker must have
additional privledges to circumvent it.  And it doesn't make sense to
have a certificate extension dictate policy for a whole domain, that's
a very strange location to put this sort of data.

A DNSSEC record has deployment problems, we can't retrieve it
reliably. Fallback or soft-fail provides no security and is useless

A TLS Extension makes a certain amount of sense.  We're trying to
dictate a policy for TLS connections, not HTTP.  But it's more
difficult to deploy TLS Extensions than HTTP headers, the TLS working
group is tremendously busy, and technically this would fit more with
the closed PKIX group.

That leaves us with a HTTP Header.  I think it makes more sense to put
this as a directive on HSTS rather than making a new header. While I
could imagine situations where one would want to require revocation
checking (or pinning for example) without requiring TLS, I don't see
it as a huge use case.  Rather, putting it in HSTS is a small
incremental upgrade that avoids redefining all the other stuff.

Should the UA require a staple for all certs in the chain
(Intermediates included) or just the leaf?  I'm not religious about
one or the other, I'd probably lean towards requiring all but I'd need
to review the implementation and deployment status of multi-stapling.
Just requiring the leaf is simpler from a deployment perspective I
believe, and compromised intermediates cause immediate browser pushes

Would there be support for this draft?