[cabfpub] Fwd: Re: [cabfrev] Must Staple Draft
Paul Tiemann
paul.tiemann.usenet at gmail.com
Wed Oct 3 10:17:31 MST 2012
On Oct 3, 2012, at 11:07 AM, Ryan Hurst wrote:
> Phillip,
>
> It does support fetching on startup there is the edge case however where it
> will not be able to fetch a response and one has not already been cached on
> the server.
I think fetch-on-startup was one of the options they considered but never implemented.
> Paul likely remembers more than I but I think it is also possible to
> configure to fail to start in those cases as well.
It used to fail on startup if 'ssl_stapling on' was specified in the config file and the certificate did not have an OCSP URI in the AIA.
That was changed so it will now log a warning but not block startup. (Blocking startup would have only served to force the administrator to set 'ssl_stapling off' in order to get the server up and running.)
> Ryan
> -----Original Message-----
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
> Behalf Of Phillip
> Sent: Wednesday, October 03, 2012 9:14 AM
> To: Paul Tiemann
> Cc: public at cabforum.org
> Subject: Re: [cabfpub] Fwd: Re: [cabfrev] Must Staple Draft
>
> Why does nginx do that?
>
> If it supports stapling, won't it pull the ocsp token during startup when it
> is configuring the cert and getting the key and such?
>
> On Oct 3, 2012, at 11:36 AM, Paul Tiemann wrote:
>
>>
>> On Oct 3, 2012, at 8:18 AM, Adam Langley wrote:
>>
>>> On Wed, Oct 3, 2012 at 9:37 AM, Paul Tiemann
>>> <paul.tiemann.usenet at gmail.com> wrote:
>>>> I don't like the name 'mustStaple' all that much because those words
> imply that the connection should be rejected completely if the client does
> not receive a staple.
>>>
>>> That is what the semantics of the extension will be, so I believe
>>> that mustStaple accurately reflects that.
>>
>> What happens in those cases where a server that does support stapling
> happens to not staple its response?
>>
>> Will the very first nginx SSL handshake for each nginx worker get rejected
> for the unlucky client who tries visiting the site? An nginx server with 16
> worker processes will give out 16 SSL handshakes without a staple for each
> SSL certificate configured.
>>
>>>> An extension that could contain multiple OID values would allow
>>>> future expansion. Something like how the AIA extension can contain
>>>> more than one item within it (CA Issuer, OCSP responder)
>>>
>>> We already have a mechanism in place for extensions in a certificate.
>>> Grouping these things together doesn't provide much benefit, but does
>>> mean more complexity cost. The AIA extension is a good example: OCSP
>>> responder and CA certificate pointers should have been separate X.509
>>> extensions, allowing the generic X.509 parser to do the work.
>>> Grouping them together just caused more code and hardly even makes
>>> sense: AIA vaguely contains "external stuff to do with the issuing
>>> certificate", but then doesn't include, say, the CPS or CRL pointers.
>>
>> If you make just one 'Certificate Handling Policies' extension,
>> eventually all "Cert Viewer" tools will at least know what to call it
>> at some point in the distant future.
>>
>> If you introduce a new top-level extension for each of these needs,
>> then certificate viewers may never be able to catch up. Imagine a
>> certificate with half a dozen "Unknown Extensions" appearing to the
>> curious user, and what kind of consternation that will cause (and
>> support calls to CAs)
>>
>> The MS cert viewer shows critical extensions with a yellow warning
>> triangle containing exclamation point -- that causes weekly support
> questions.
>>
>> I don't think AIA is hard to parse. In fact, why not just put the
>> mustStaple OID into the AIA itself? Then you don't have to worry
>> about the problem of the "Unknown Extension" in viewers.
>>
>> Cheers,
>>
>> Paul Tiemann
>> CTO, DigiCert, Inc.
>>
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
More information about the Public
mailing list