[websec] Revocation check failures for HSTS sites
Adam Langley <agl@google.com> Mon, 28 March 2011 15:34 UTC
Return-Path: <agl@google.com>
X-Original-To: websec@core3.amsl.com
Delivered-To: websec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EF49D3A684A for <websec@core3.amsl.com>; Mon, 28 Mar 2011 08:34:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.977
X-Spam-Level:
X-Spam-Status: No, score=-105.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c6wgPRv8FtdU for <websec@core3.amsl.com>; Mon, 28 Mar 2011 08:34:57 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.44.51]) by core3.amsl.com (Postfix) with ESMTP id 73CAC3A6810 for <websec@ietf.org>; Mon, 28 Mar 2011 08:34:57 -0700 (PDT)
Received: from wpaz17.hot.corp.google.com (wpaz17.hot.corp.google.com [172.24.198.81]) by smtp-out.google.com with ESMTP id p2SFaYdc005778 for <websec@ietf.org>; Mon, 28 Mar 2011 08:36:34 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1301326594; bh=7xb3C6Iy3Y3jx+aibguywc0tzL4=; h=MIME-Version:Date:Message-ID:Subject:From:To:Content-Type; b=a//BIPvaMz4AbT/j2OxWlMM1ACfW5R3C5xxAFAQKG3eGYKo8zriEQuPsgLVqMrexj V8Zmdx0VdTinpW5n8wJJg==
Received: from ywg4 (ywg4.prod.google.com [10.192.7.4]) by wpaz17.hot.corp.google.com with ESMTP id p2SFaXA7018067 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for <websec@ietf.org>; Mon, 28 Mar 2011 08:36:34 -0700
Received: by ywg4 with SMTP id 4so1092071ywg.10 for <websec@ietf.org>; Mon, 28 Mar 2011 08:36:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:mime-version:date:message-id:subject:from:to :content-type; bh=YWadRN4KSKv0yGaXZYzuftsdCA37NW8dGC0jgZb3vtA=; b=tc1kOfexFNUnLRudGLVBxx5BrlsN2j9e71wYFnHYZUnTCC6DfquTLbm5eMe3CmD9gg vZ6P49cL0Emt//gFFkew==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:date:message-id:subject:from:to:content-type; b=HRE3mb8g9VO8+ylGYuDUdsi5pkF95+DWnOYkul9mSAsbNCFvLVBahEj/4JiKOwapqh c0UDuWt/ymDfKJGuYHlg==
MIME-Version: 1.0
Received: by 10.151.136.2 with SMTP id o2mr3759527ybn.204.1301326593589; Mon, 28 Mar 2011 08:36:33 -0700 (PDT)
Received: by 10.151.78.8 with HTTP; Mon, 28 Mar 2011 08:36:33 -0700 (PDT)
Date: Mon, 28 Mar 2011 11:36:33 -0400
Message-ID: <AANLkTi=aoaSxWdAwHBAE-p1bP_ayzDw8H-PmqVnsKnF0@mail.gmail.com>
From: Adam Langley <agl@google.com>
To: websec@ietf.org
Content-Type: text/plain; charset="UTF-8"
X-System-Of-Record: true
Subject: [websec] Revocation check failures for HSTS sites
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Mar 2011 15:35:00 -0000
Currently Chrome treats revocation check failures as fatal for HSTS sites. This is scheduled to change with Chrome 12 when revocation check failures will not be treated differently for HSTS sites. The reason for this change is that several Google properties are either already HSTS or are planning/considering enabling it. However, it's unacceptable that a failure of our CA's servers brings down those services. Availability of service is very important. It has been suggested that OCSP stapling solves this issue. However, only a single OCSP response can be stapled in the current protocol and chained certificates are now almost ubiquitous. Even if OCSP stapling were extended to support multiple responses, the size of the OCSP responses (1-2KB) becomes problematic. Not only is another 2-5KB of overhead per connection a problem for for some users (it's another second of latency for dialups), it typically overflows the server's initial congestion window, causing another round trip. This can be reconfigured unilaterally on a per-server basis but many clients enforce it with their flow window. Cheers AGL
- [websec] Revocation check failures for HSTS sites Adam Langley
- Re: [websec] Revocation check failures for HSTS s… Steingruebl, Andy
- Re: [websec] Revocation check failures for HSTS s… Adam Langley
- Re: [websec] Revocation check failures for HSTS s… Steingruebl, Andy
- Re: [websec] Revocation check failures for HSTS s… Adam Langley