[TLS] clarifications on TLS extension "Certificate Status Request"




I am currently implementing the "Certificate Status Request" extension
(RFC4366) for NSS.  The primary use of this implementation will be
OCSP verification of certificates presented by SSL websites.

For the general Internet context, I am unable to find a case where a
client should specify a non-empty responder_id_list.  But in any case,
say that the client does specify a responderID (to a general SSL
webserver), what is the server supposed to do?  The responderID is
supposed to be either 1) the hash of the responder public key, or 2) a
name (convention appears to be SubjectName of the responder).

Unless convention for a responderID "name" is an AIA URL (and clients
use a URL over a hash), the webserver will have to be pre-configured
to determine appropriate end-points for each possible responder.  What
is the recommended way to specify responderIDs?

Also, for the next revision of this RFC, it would be useful to allow
servers to return multiple OCSP responses, as EV certificates tend to
be chained.

nagendra
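An added illustration, not part of the message above or of NSS: encoding and parsing of the CertificateStatusRequest body as laid out in RFC 4366 (status_type, responder_id_list, request_extensions), plus the kind of server-side decision the question asks about. It assumes a server that holds a single stapled OCSP response identified by its responder key hash; the key material and names are constructed.

```python
import hashlib
import struct

OCSP_STATUS_TYPE = 1  # CertificateStatusType ocsp(1), RFC 4366 section 3.6

def encode_status_request(responder_ids=(), request_extensions=b""):
    """Build the extension body: status_type(1) | responder_id_list<0..2^16-1>
    | request_extensions<0..2^16-1>. Each ResponderID is a DER blob carried
    with its own 2-byte length (opaque ResponderID<1..2^16-1>)."""
    id_list = b"".join(struct.pack("!H", len(r)) + r for r in responder_ids)
    return (bytes([OCSP_STATUS_TYPE])
            + struct.pack("!H", len(id_list)) + id_list
            + struct.pack("!H", len(request_extensions)) + request_extensions)

def decode_status_request(body):
    """Parse the body into (responder_ids, request_extensions); raise
    ValueError on truncation, overrun or an unknown status_type."""
    if len(body) < 5 or body[0] != OCSP_STATUS_TYPE:
        raise ValueError("unsupported or truncated CertificateStatusRequest")
    (list_len,) = struct.unpack("!H", body[1:3])
    pos, end, ids = 3, 3 + list_len, []
    if end + 2 > len(body):
        raise ValueError("responder_id_list overruns extension")
    while pos < end:
        (n,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        if n == 0 or pos + n > end:
            raise ValueError("bad ResponderID length")
        ids.append(body[pos:pos + n])
        pos += n
    (ext_len,) = struct.unpack("!H", body[end:end + 2])
    if end + 2 + ext_len != len(body):
        raise ValueError("request_extensions length mismatch")
    return ids, body[end + 2:]

def responder_id_by_key(responder_public_key_bits):
    """DER ResponderID byKey [2]: an OCTET STRING holding the SHA-1 of the
    responder's public key bits (RFC 2560 KeyHash). Input is constructed."""
    octet = b"\x04\x14" + hashlib.sha1(responder_public_key_bits).digest()
    return b"\xa2" + bytes([len(octet)]) + octet

def server_can_satisfy(responder_ids, stapled_responder_key_hash):
    """Server-side check (assumed policy): a zero-length list means the
    responders are implicitly known to the server (RFC 4366), so the staple
    is usable; otherwise the stapled response's responder key hash must be
    listed. byName [1] entries are not matched here since only a hash is held."""
    if not responder_ids:
        return True
    return any(rid[:1] == b"\xa2" and rid[2:4] == b"\x04\x14"
               and rid[4:24] == stapled_responder_key_hash
               for rid in responder_ids)
```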

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.