Presentation is loading. Please wait.

Presentation is loading. Please wait.

Survey Results Rick Andrews 6 March 2014, IETF 89 London.

Published byFrankie Stevenson Modified over 9 years ago

Similar presentations

Presentation on theme: "Survey Results Rick Andrews 6 March 2014, IETF 89 London."— Presentation transcript:

1 Survey Results Rick Andrews 6 March 2014, IETF 89 London

2 Summary 2 of 7 clients (Mozilla, Comodo) responded; some questions still unanswered from Mozilla – Promises from Microsoft and Google 1 of 15 servers (CloudFlare) responded – Promise from Microsoft; “no business advantage for us to respond so we will abstain” – Oracle – No response from Apache, reached out to OpenSSL: no time, worry about hidden agenda 20 of 67 OCSP responders responded

3 Server Survey (CloudFlare) 2b) Which cryptographic algorithms/parameters does the product support for the creation of keys and CSRs? RSA 1024DSA 1024ECC nistp256MD2SHA1 RSA 2048DSA 2048ECC nistp384MD4SHA-256 RSA 3072DSA 3072ECC nistp521MD5SHA-384 RSA 4096DSA 4096ECC otherSHA-512 RSA otherDSA other

4 Server Survey (CloudFlare) 8c) Does the product check staples before installing them? Yes 8d) How frequently are new staples fetched? Hourly 8e) What is the behavior of the server when it has no valid staple? “OCSP response: no response sent”

5 Client Survey (Mozilla) 11a) Which of the following status mechanisms does the product support? (check all that apply; if multiple mechanisms are used, please explain under which conditions they are each used) 1 - CRL - Firefox currently has very, very limited support for CRLs and will soon have none. 5 - AIA (where the location of the OCSP responder is obtained from the AIA extension) 6 - Stapled OCSP 7 - multiple-stapled OCSP (Not yet) 8 - CRL Sets (Not yet) 9 - Blacklists 11b) What order of priority amongst these mechanisms does the product follow? 9, 6, 5

6 Client Survey (Mozilla) 21) Which versions of SSL/TLS does the product support? SSL3, TLS 1.0, TLS 1.1, TLS 1.2 21) Does the product support SPDY? SPDY 3, 3.1 29d) Does the product ever offer cipher suites that are not supported in the TLS version advertised (i.e. AEAD cipher suites prior to TLS 1.2)? No, we aim not to, but see https://bugzilla.mozilla.org/show_bug.cgi?id=9 19677 https://bugzilla.mozilla.org/show_bug.cgi?id=9 19677

7 Client Survey (Mozilla) 29a) Does the product support a ClientHello larger than 255 bytes? Yes 29h) Does the product support a ServerHello larger than 255 bytes? Yes

8 OCSP Responder Survey Responses from Actalis, Autoridad de Certificacion Firmaprofesional, Buypass, Certinomis, Chunghwa Telecom Corporation, Comodo, Entrust, Government of Hong Kong (SAR)/Hongkong Post, HARICA, Izenpe S.A., KEYNECTIS, SwissSign AG, TeliaSonera, Trend Micro, TrustCenter, Trustis, VeriSign (Symantec), Axway, Safelayer Keyone, CloudFlare

9 OCSP Responder Survey 7 are CAs that write their own responder 11 are CAs that use third-party responders (or intend to) 2 are developers of third-party responder code 1 is a CDN, but uses nginx as proxy

10 OCSP Responder Survey 2) Does the product support RFC 5019, Lightweight OCSP? 3 Yes 3) Does the product support RFC 6960, OCSP Algorithm Agility? 2 Yes 4) What is the behavior if a request is made for a certificate serial number that had not been issued? 1 Revoked, 4 Unknown, 3 Unauthorized, 2 Good

11 Observations Several people did not answer every question Some client vendors asked for test sites Apache responses are essential, but we’ve hit a roadblock Testing might be more productive than reporting

12 Next Steps?

13

14 Server Survey (CloudFlare) 4b) Does the product validate the certificate path upon installation? Yes 4c) Does the product allow PKCS#7 import (in which the PKCS#7 file contains intermediates and end-entity certificates, and the product discerns which is which?) Yes 4f) Does the product ensure that the certificate chain is in the correct order? Yes

15 Server Survey (CloudFlare) 4g) Can the product be configured to send a self- signed certificate as part of the certificate chain when it is not the sole certificate? Yes 4h) Can the product be configured to send unrelated certificates in the certificate chain? No 5) Key/certificate renewal: Does the product require a restart in order to change its key pair? No

16 Server Survey (CloudFlare) 6) Which versions of SSL/TLS does the product support? SSL3, TLS 1.0, TLS 1.1, TLS 1.2 8a) Does the product support OCSP stapling in accordance with RFC 6066? Yes 8b) Does the product support OCSP multiple- stapling in accordance with RFC 6961? No

Download ppt "Survey Results Rick Andrews 6 March 2014, IETF 89 London."

Similar presentations

SSL Implementation Guide Onno W. Purbo

SSL Implementation Guide Onno W. Purbo
Cryptography and Network Security

Cryptography and Network Security
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
SSL/TLS Trends, Practices, and Futures Brian A. McHenry, Security

SSL/TLS Trends, Practices, and Futures Brian A. McHenry, Security
+1 (801) 877-2100 Ultralight OCSP Improving Revocation Checking.

+1 (801) Ultralight OCSP Improving Revocation Checking.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.

An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.
Cryptography and Network Security Chapter 17

Cryptography and Network Security Chapter 17
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”
Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.

Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.
SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements Presented by: Zhengyang Qu.

SoK: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements Presented by: Zhengyang Qu.
Chapter 8 Web Security.

Chapter 8 Web Security.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
TLS/SSL Review. Transport Layer Security A 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent.

TLS/SSL Review. Transport Layer Security A 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent.
Apache Security with SSL Using FreeBSD SANOG VI IP Services Workshop July 18, 2005 Hervey Allen Network Startup Resource Center.

Apache Security with SSL Using FreeBSD SANOG VI IP Services Workshop July 18, 2005 Hervey Allen Network Startup Resource Center.
PKI Processing with OpenSSL Rodney Thayer

PKI Processing with OpenSSL Rodney Thayer
Josh Benaloh Brian LaMacchia Winter 2011. Side-Channel Attacks Breaking a cryptosystem is a frontal attack, but there may be easier access though a side.

Josh Benaloh Brian LaMacchia Winter Side-Channel Attacks Breaking a cryptosystem is a frontal attack, but there may be easier access though a side.

Similar presentations

Ads by Google