Hey Felipe

There are three key questions when it comes to revocation checking, namely:
* What is the TLS stack being used for?
* What would the device do when a revocation check fails?
* How are the certificates and trust anchors managed?

You mentioned Mbed TLS. It is used for embedded devices. In the embedded 
environment you are not going to import all trust anchors typically found on a 
laptop or desktop PC. Instead, you will have a small number, often only one 
trust anchor. The device, because it has limited resources, will only talk to a 
small number of servers, often only one or two. These servers manage the device 
over its lifetime, including providing firmware updates. Alongside this device 
management server is functionality to automatically provision the device with 
new certificates and also with trust anchors (if needed).

Since the device is under the full control of the device management server, any 
necessary changes to certificates will be managed by that server.

What benefit would CRLs and OCSP provide in such an environment?

If you want to hear more about the use of device management on IoT devices, I 
have published numerous videos about it. It is a widely deployed concept these 
days with standards available but also lots of proprietary solutions.

Ciao
Hannes
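The decision Hannes's second question points at (what a device does when a revocation check fails) and the short-lived-certificate trade-off Felipe raises in the quoted message below, as an added example that is not part of either post and is not Mbed TLS code: a small Python policy evaluator run over constructed certificate and CRL values. The serial numbers, dates, the `CertInfo` shape and the 10-day "short-lived" threshold are assumptions chosen for illustration.

```python
"""Revocation decision policy for a constrained TLS client.

Added example, not code from the thread, from Mbed TLS or from any project
mentioned in it. It models what a device does when revocation data is
missing or stale, and when a short certificate lifetime is allowed to stand
in for revocation. All inputs below are constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class RevocationStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNAVAILABLE = "unavailable"  # no fresh CRL, no OCSP response, or no support


class Policy(Enum):
    HARD_FAIL = "hard-fail"      # unknown status is treated as revoked
    SOFT_FAIL = "soft-fail"      # unknown status is treated as good (browser-style)
    SHORT_LIVED = "short-lived"  # unknown status tolerated only for short-lived certs


@dataclass(frozen=True)
class CertInfo:
    """The end-entity certificate fields this policy needs (assumed shape)."""
    serial: int
    not_before: datetime
    not_after: datetime

    def lifetime(self) -> timedelta:
        return self.not_after - self.not_before


def check_crl(cert, revoked_serials, crl_next_update, now):
    """Look the certificate up in an in-memory CRL (set of revoked serials).

    A CRL whose nextUpdate has passed is stale and counts as no CRL at all:
    a client that keeps trusting an old CRL can be held on a stale view by
    simply blocking the refresh.
    """
    if revoked_serials is None or crl_next_update <= now:
        return RevocationStatus.UNAVAILABLE
    if cert.serial in revoked_serials:
        return RevocationStatus.REVOKED
    return RevocationStatus.GOOD


def decide(cert, status, policy, now, max_short_lifetime=timedelta(days=10)):
    """Return (accept, reason) for a certificate whose chain already verified."""
    if not (cert.not_before <= now <= cert.not_after):
        return False, "outside validity period"
    if status is RevocationStatus.REVOKED:
        return False, "certificate is revoked"
    if status is RevocationStatus.GOOD:
        return True, "revocation status good"
    # From here on the status is UNAVAILABLE and the policy decides.
    if policy is Policy.HARD_FAIL:
        return False, "revocation status unknown, hard-fail"
    if policy is Policy.SOFT_FAIL:
        return True, "revocation status unknown, soft-fail accepts"
    if cert.lifetime() <= max_short_lifetime:
        return True, "short-lived certificate, expiry replaces revocation"
    return False, "long-lived certificate without revocation data"


# Constructed sample inputs; the clock is set to the thread's date for illustration.
NOW = datetime(2021, 12, 7, 14, 56, tzinfo=timezone.utc)
CERT_SHORT = CertInfo(0x42, NOW - timedelta(days=1), NOW + timedelta(days=6))
CERT_LONG = CertInfo(0x1234, NOW - timedelta(days=100), NOW + timedelta(days=265))
CERT_EXPIRED = CertInfo(0x77, NOW - timedelta(days=400), NOW - timedelta(days=35))
CRL_REVOKED = {0x1234}                       # constructed CRL content
CRL_FRESH_UNTIL = NOW + timedelta(days=1)    # nextUpdate still in the future
CRL_STALE_SINCE = NOW - timedelta(hours=1)   # nextUpdate already passed


def run_demo():
    """Evaluate the sample certs under every policy; returns {(serial, crl_fresh, policy): accept}."""
    results = {}
    for cert, crl_until in ((CERT_SHORT, CRL_FRESH_UNTIL), (CERT_SHORT, CRL_STALE_SINCE),
                            (CERT_LONG, CRL_FRESH_UNTIL), (CERT_LONG, CRL_STALE_SINCE)):
        status = check_crl(cert, CRL_REVOKED, crl_until, NOW)
        for policy in Policy:
            accept, reason = decide(cert, status, policy, NOW)
            results[(cert.serial, crl_until > NOW, policy)] = accept
            print(f"serial={cert.serial:#x} crl_fresh={crl_until > NOW} "
                  f"{policy.value:11} -> {'accept' if accept else 'reject'} ({reason})")
    return results


if __name__ == "__main__":
    run_demo()
```

The table the demo prints makes the trade-off concrete: hard-fail is the only policy that rejects the long-lived certificate once the CRL goes stale, and it is workable exactly in the setting Hannes describes, where one management server controls both the CRL refresh and the trust anchor; soft-fail never notices a blocked CRL at all; the short-lived policy accepts the missing check only when the certificate's own expiry bounds the exposure.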

-----Original Message-----
From: TLS <tls-boun...@ietf.org> On Behalf Of Felipe Gasper
Sent: Tuesday, December 7, 2021 2:56 PM
To: tls@ietf.org
Subject: [TLS] Does revocation matter?

Hi all,

I’ve been playing around with mbedTLS of late. It appears to lack any 
support for OCSP--either stapling or just simple client queries. It supports 
CRLs, but CRLs appear to be waning in terms of use; Let’s Encrypt, for example, 
doesn’t create them, as I suspect is the case with other short-term-validity 
certificate solutions.

mbedTLS is not the *most* prominent TLS implementation, but it’s also 
hardly the least. The projects that incorporate it (e.g., PowerDNS) clearly 
“survive” without OCSP. Chrome, at least doesn’t do OCSP client checks, and I 
don’t think it mandates OCSP stapling … which basically means there’s a huge 
swath of contexts where applications won’t notice if a certificate is revoked.

It begs the question … how relevant is certificate revocation nowadays? 
How big of a problem is it if TLS validity checks ignore it?

Cheers,
-Felipe Gasper
Mississauga, Ontario
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls