On Fri, Mar 05, 2021 at 02:01:52PM +0000, Fries, Steffen wrote: > I've got a question regarding application of TLS 1.3 to protect long > lasting connections. Specifically on the trigger to perform a > revocation check for the utilized certificates in the handshake. > > The background is that for the securing TCP based communication in > power system automation we defined the application of TLS in IEC > 62351-3. The document specifies how to use TLS v1.2 in this > environment. As some of the connections are rather long lasting > connections, the document defines the usage of TLS session > renegotiation at least every 24 hours to update the session key > material on one hand and to enforce the certificate verification from > both sides (TLS is always used with mutual authentication) including > the revocation check. The 24 hours were motivated by an expected CRL > update once a day.
This harks back to another recent thread where it was noted that one needs to make a distinction between authentication and authorisation. The integrity of a TLS 1.3 session (which always performs ephemeral key agreement that offers forward-secrecy) is not compromised if later the signing keys of one of the parties is compromised. So there is no need to check CRLs or renegotiate to just to maintain a secure connection. On the server side, if the client's identity is used as a key into an authorisation table, one just needs to periodically (or even at each logical request) to revalidate the client's authorisation, there is generally no need to "re-authenticate" the client. If the client is presenting bearer-tokens for entitlement, the client may periodically need to obtain fresh tokens. If there is a concern that a server may somehow mid-session cease to be a legitimate application endpoint for clients that are still connected to it, and an expectation that timely CRLs and periodic revalidation of the server certificate would help to avoid that, then perhaps something should be done. This feels to me like rather a very distant risk. When a server is taken out of rotation, the operator should typically terminate all client connections at that time. How often would one expect to lose operational control of a running server, such that the only way to protect active clients is via certificate revocation, with clients finding out soon enough for this to be useful? If loss of operational control of servers is a real concern, then I guess clients should avoid long-lived sessions, and open new connections frequently, limiting connection reuse and TLS session resumption to just minutes (just to amortise the cost of the initial handshake over a short sequence of back-to-back requests). Once there's a new TLS session every ~5 minutes, there's no need for CRLs, renegotiation, ... but a quick sequence of requests is still handled efficiently. So, in summary, avoid CRLs, OCSP, ... they're obsolete crutches. Use short-lived certificates (possibly just days or hours), reconnect often if that's appropriate. Demand fresh authorisation tokens from clients if authorisation is encoded in the tokens, rather than checked out of band by the server on a request-by-request basis. -- Viktor. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls