Hey Felipe

There are three key questions when it comes to revocation checking, namely:

* What is the TLS stack being used for?
* What would the device do when a revocation check fails?
* How are the certificates and trust anchors managed?

You mentioned Mbed TLS. It is used for embedded devices. In the embedded environment you are not going to import all trust anchors typically found on a laptop or desktop PC. Instead, you will have a small number, often only one trust anchor. The device, because it has limited resources, will only talk to a small number of servers, often only one or two. These servers manage the device over its lifetime, including providing firmware updates. Alongside this device management server is functionality to automatically provision the device with new certificates and also with trust anchors (if needed). Since the device is under the full control of the device management server, any necessary changes to certificates will be managed by that server. What benefit would CRLs and OCSP provide in such an environment?

If you want to hear more about the use of device management on IoT devices, I have published numerous videos about it. It is a widely deployed concept these days with standards available but also lots of proprietary solutions.

Ciao
Hannes

-----Original Message-----
From: TLS <tls-boun...@ietf.org> On Behalf Of Felipe Gasper
Sent: Tuesday, December 7, 2021 2:56 PM
To: tls@ietf.org
Subject: [TLS] Does revocation matter?

Hi all,

I’ve been playing around with mbedTLS of late. It appears to lack any support for OCSP--either stapling or just simple client queries. It supports CRLs, but CRLs appear to be waning in terms of use; Let’s Encrypt, for example, doesn’t create them, as I suspect is the case with other short-term-validity certificate solutions.

mbedTLS is not the *most* prominent TLS implementation, but it’s also hardly the least. The projects that incorporate it (e.g., PowerDNS) clearly “survive” without OCSP. Chrome, at least, doesn’t do OCSP client checks, and I don’t think it mandates OCSP stapling … which basically means there’s a huge swath of contexts where applications won’t notice if a certificate is revoked.
It begs the question … how relevant is certificate revocation nowadays? How big of a problem is it if TLS validity checks ignore it?

Cheers,
-Felipe Gasper
Mississauga, Ontario

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls