Enabling Revocation for Billions of Consumers - PowerPoint PPT Presentation

Enabling Revocation for Billions of Consumers

Kelvin Yiu


Microsoft Corporation

Agenda

  • Why X.509 Revocation is Difficult

  • Lessons Learned

  • Enabling Revocation – The Hard Questions

  • X.509 Revocation in Windows Vista

  • Best Practices

The Consumer – Grandma Understands This Right?

  • Hmmmm?

  • Despite popular legislation, you cannot legislate comprehension by end users

  • What do all of these fields mean to me?

  • certificatePolicies are for lawyers, not consumers or end users

Why is Revocation So Difficult? Multitude of Application Scenarios & Requirements

  • Client scenarios

    • SSL server authentication (Internet Explorer)

    • Smart card logon

    • Outlook S/MIME

    • Code signature verification (Authenticode)

      • Install time vs load time

    • Wireless, RAS

  • Server scenarios

    • Smart card logon (DC)

    • IIS SSL client authentication

    • Radius

Why is Revocation So Difficult? Multitude of Locations and Connectivity Options

[Diagram: Main Office, Branch Office, Business Partner, Wireless Network and Remote User, all connecting back to the validation infrastructure]

  • A certificate may be validated anywhere using any connectivity option:

    • LAN

    • VPN

    • RPC over HTTP

    • Extranet

    • Private network

    • No connectivity

Why is Revocation So Difficult? Peak Bandwidth = $$$

Source: VeriSign (RSA 2005)

  • Usage mostly due to code signing CRLs (90%+)

  • Wide variance in bandwidth use

    • Highest use is Monday morning

    • High fixed cost to handle peak bandwidth

  • Client-side retry logic means the service degenerates quickly

  • OCSP generally uses less bandwidth than CRLs, but not always

Lessons Learned – Enabling Revocation in Internet Explorer

  • First tried enabling SSL revocation in IE 3.02

    • SSL sometimes grinds to a halt

    • IE 3.02 didn’t ship with revocation enabled

  • Threat - is the risk worth the pain?

    • $50 credit card liability

    • No real protection from phishing scams

    • Will users be bothered to report key compromise?

  • What is tolerable for the average consumer?

Lessons Learned – Outlook 2000 S/MIME Deployments

  • Users complained Outlook often hangs when revocation checking is enabled

    • Lesson learned: 90s per URL timeout is too long. Will do 15s but let the retrieval finish in the background

    • Lesson 2 learned: 15s is still too long, but shorter timeout increases % retrieval failure

  • What were the causes?

    • Outlook blocks until signature validation completes

      • Outlook 2003 performs validation on background thread

    • Operational errors (offline server, CRL not published)

    • Multiple URLs in the CDP (Internet vs Intranet)

Lessons Learned – Enabling Revocation for Authenticode

  • Enabled revocation checking for ActiveX download as a critical security update

    • Had to make revocation errors non-fatal to prevent regressions

  • Caused problems for scenarios that validate the signature at load time

    • Developers did not understand the network implications of calling the verify-signature API

    • Some anti-virus products perform self-integrity checks periodically

    • Machines in private network cannot download CRL

Lessons Learned – Misbehaving Proxies

  • Unreliable caching semantics in HTTP 1.0

    • “Expires” header assumes synchronized clocks

    • Windows sets “Pragma: no-cache” to avoid retrieving stale CRLs

  • Auto-proxy does not always return active proxies

    • Clients would fail randomly because a random proxy is selected from the list

  • Incorrect proxy configuration (wininet.dll vs winhttp.dll)

  • Proxy access policy

    • Not all users have Internet access

    • Users but not machines have access

Enabling Revocation by Default – The Hard Questions

  • Is the benefit worth the infrastructure and user costs?

  • Should online revocation be required for all applications?

    • OS boot and signature validation make this challenging

    • What is the expected behavior when working offline?

  • What is the expected behavior for mobile users?

    • How does a laptop in a hotel room contact the intranet (LDAP) URL for CRLs? Should VPN be required?

    • When is failure an acceptable option?

  • Will users tolerate reduced performance and reliability?

  • What is the reasonable level of assurance for consumers?

Enabling Revocation by Default – What Problem Does Revocation Really Solve?

  • Revocation is an attempt at a perfect solution in an imperfect world

    • Imperfect CA identity validation procedures

    • Key compromise

  • How often are key compromises reported to the CA?

    • Can take days or weeks for info to propagate

  • HTTPS protects users from untrustworthy networks

    • WiFi hotspots, neighbor

    • Pharming attacks

  • Works well when protecting users from key/certificates that were compromised in the past

Our Goals for Windows Vista – Enabling Revocation for Billions of Consumers

  • “It just works”

    • Good defaults but not optimized for all scenarios

    • Can be fine tuned with custom policy

  • Balance between threat mitigation and user experience

  • Minimize peak bandwidth usage for network operators and CAs

  • Enterprise managed tolerance on revocation freshness

    • Network connectivity issues and infrastructure failures necessitate an “emergency mode” that ignores all offline and stale revocation errors

  • IE7 on Windows Vista revocation enabled by default!

Revocation in Windows Vista – Taking Revocation to the Next Level

  • OCSP client

    • Supports the lightweight OCSP profile

  • TLS “Stapling” extensions

    • IE7 on Windows Vista and IIS7

  • HTTP 1.1 caching proxies

  • Randomized pre-fetch to take advantage of overlapping validity periods in OCSP or CRL

  • Flush CRLs and OCSPs from memory caches via certutil.exe

  • OCSP responder in “Longhorn” Server

Revocation in Windows Vista – How TLS “Stapling” Scales

[Diagram: Grandma’s browser, the Contoso web server and the Public Certification Authority]

  • Grandma connects to https://www.contoso.com

  • Contoso pre-fetches the OCSP response for its certificate

  • Contoso returns its certificate chain and the OCSP response in the TLS handshake

  • Stapling reduces load on the CA to # of servers, not clients

Revocation in Windows Vista – CRL vs OCSP

  • Windows will always prefer cached objects or a “stapled” OCSP response

  • If network retrieval is required, then OCSP is preferred if both AIA and CDP are present

    • Try all OCSP URLs, then CDP URLs

  • Windows will switch to CRLs if:

    • The number of OCSP responses retrieved for an issuer exceeds 50 (configurable in the registry)

    • Configured by group policy

  • Network timeout is still 15 seconds per URL

Revocation in Windows Vista – How Pre-Fetch Works

  • In the background, client selects a random time between next expected publication time and expiration

    • Expected publication time computed from fetch time + max-age
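The scheduling rule above, as an added Python example (not code from the original slides or from Windows): the pre-fetch window runs from the expected publication time (fetch time plus max-age) up to the object's expiration, and a random instant inside that window is chosen so that clients do not all refresh at once. The fetch time and max-age are the slide's own CRL example; the nextUpdate value is an assumption taken from the Expires header shown later in the deck.

```python
import random
from datetime import datetime, timedelta

# Constructed sample matching the deck's CRL example: fetched 1 Feb 2005 08:00
# with Cache-Control max-age of 86400 s (one day). The nextUpdate value is an
# assumption taken from the Expires header on the proxy example slide.
FETCH_TIME = datetime(2005, 2, 1, 8, 0, 0)
MAX_AGE = timedelta(seconds=86400)
NEXT_UPDATE = datetime(2005, 2, 7, 23, 59, 59)

def prefetch_window(fetch_time, max_age, next_update):
    """Window in which a background pre-fetch may run: from the expected
    publication time (fetch time + max-age) up to the object's expiration.
    Returns None when max-age reaches or passes expiration, i.e. there is no
    overlap period and the cached object would go stale before any refresh."""
    expected_publish = fetch_time + max_age
    if expected_publish >= next_update:
        return None
    return expected_publish, next_update

def pick_prefetch_time(fetch_time, max_age, next_update, rng=random):
    """Pick a uniformly random instant inside the window, so that a population
    of clients spreads its refreshes instead of hitting the CA at one moment."""
    window = prefetch_window(fetch_time, max_age, next_update)
    if window is None:
        return None
    start, end = window
    offset = rng.uniform(0, (end - start).total_seconds())
    return start + timedelta(seconds=offset)
```

The None case is the situation the best-practice slide warns about: a max-age that is not shorter than the overlap period leaves no window for a pre-fetch.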

Revocation in Windows Vista – Why Pre-Fetch is Valuable

  • TLS “Stapling” does not return CRLs for intermediate CA certificates

  • Works with both OCSP and CRL

  • Supports LDAP URLs too with nextPublishTime

  • Useful on server scenarios too

    • Pre-fetches CRLs on domain controllers for smart card logon

  • Pre-fetched URLs that are not used during the next cycle will be removed from pre-fetch list

Revocation in Windows Vista – HTTP 1.1 Proxy Support

  • Reduces load on the CA to # of proxies, not clients

  • Caches HTTP GETs, can be configured to cache dynamic content, HTTP POSTs but not LDAP

  • “ETag” allows “conditional” GETs

    • allows clients and proxies to query the origin server for freshness without downloading object

  • “Max-age” specifies the length of time proxies can return cached object on its own

    • Helps enable pre-fetch functionality in proxies

  • Retrieval of stale object will force all proxies to revalidate with origin server

Revocation in Windows Vista – HTTP 1.1 Proxy Support: Example

[Diagram: clients A, B and C reach the revocation service through an HTTP 1.1 caching proxy]

1. A requests CRL on 2/1/2005, 8:00am

2. Revocation service sends the following headers in the HTTP response:

   HTTP/1.1 200 OK
   Content-Length: 1653
   Date: Sun, 01 Feb 2005 08:00:00GMT
   Content-Type: application/pkix-crl
   Last-Modified: Sun, 01 Feb 2005 00:00:00 GMT
   ETag: "39a0-28d-4029bce7"
   Expires: Sat, 07 Feb 2005 23:59:59 GMT
   Cache-Control: Max-age = 86400

3. HTTP proxy caches CRL and returns it to A

4. B requests the same CRL an hour later. Since the proxy cached the CRL for less than 1 day, the proxy can return its cached copy to B without revalidating with the revocation service

5. C requests the same CRL 2 days later. Since it is more than 1 day since the proxy validated with the revocation service, it sends a conditional GET to the service:

   GET http://...
   If-None-Match: "39a0-28d-4029bce7"

6. Revocation service returns only updated headers to proxy since the CRL was not updated:

   HTTP/1.1 304 Not Modified
   Date: Tue, 03 Feb 2005 9:00:00GMT
   ETag: "39a0-28d-4029bce7"
   Cache-Control: Max-age = 86400
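The six-step exchange above, as an added Python model that is not part of the original slides or of any Windows or proxy product: an in-memory caching proxy serves a fresh CRL from cache inside max-age, sends a conditional GET with If-None-Match once the copy is stale, keeps the copy on a 304, and fetches a full 200 when the ETag no longer matches. The ETag, times and max-age are taken from the slide; the CRL bytes and the second ETag are constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed origin ("revocation service") state; ETag and max-age come from
# the slide, the body is a placeholder for the DER-encoded CRL, not a real CRL.
ORIGIN = {"etag": '"39a0-28d-4029bce7"', "body": b"CRL-v1", "max_age": 86400}

def publish_new_crl(etag, body):
    """Origin publishes a fresh CRL; the ETag changes so cached copies revalidate."""
    ORIGIN["etag"], ORIGIN["body"] = etag, body

def origin_get(if_none_match=None):
    """Revocation service: 304 with refreshed headers only if the caller's ETag
    still matches the current CRL, otherwise a full 200 response with the body."""
    if if_none_match == ORIGIN["etag"]:
        return {"status": 304, "etag": ORIGIN["etag"], "max_age": ORIGIN["max_age"]}
    return {"status": 200, "etag": ORIGIN["etag"], "max_age": ORIGIN["max_age"],
            "body": ORIGIN["body"]}

class CachingProxy:
    """HTTP 1.1 caching proxy holding a single cached CRL."""
    def __init__(self):
        self.cache = None          # body, etag, validated (datetime), max_age
        self.origin_requests = []  # ("full" | "conditional", time) for inspection

    def get(self, now):
        """Return (body, how) where how is "cache", "revalidated" or "origin"."""
        c = self.cache
        if c and now - c["validated"] < timedelta(seconds=c["max_age"]):
            return c["body"], "cache"  # still within max-age: no origin contact
        if c:  # stale copy: ask the origin whether it changed
            self.origin_requests.append(("conditional", now))
            r = origin_get(if_none_match=c["etag"])
            if r["status"] == 304:
                c["validated"], c["max_age"] = now, r["max_age"]
                return c["body"], "revalidated"
        else:
            self.origin_requests.append(("full", now))
            r = origin_get()
        self.cache = {"body": r["body"], "etag": r["etag"],
                      "validated": now, "max_age": r["max_age"]}
        return r["body"], "origin"

def run_slide_sequence():
    """Replay the slide (A, B an hour later, C two days later), then a client D after a new CRL."""
    proxy, t0 = CachingProxy(), datetime(2005, 2, 1, 8, 0, 0)
    how = [proxy.get(t0)[1], proxy.get(t0 + timedelta(hours=1))[1],
           proxy.get(t0 + timedelta(days=2))[1]]
    publish_new_crl('"constructed-new-etag"', b"CRL-v2")  # CA publishes a new CRL
    body, step_d = proxy.get(t0 + timedelta(days=3, hours=2))
    return how + [step_d], [kind for kind, _ in proxy.origin_requests], body
```

Only two of the four client requests become a full CRL download at the origin, which is the bandwidth saving the slide describes; the third contacts the origin but transfers headers only.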

Revocation Best Practices – Industry Call to Action

  • Use HTTP, not LDAP

    • Set ETag and Cache-Control: max-age

  • Keep it simple - 1 OCSP URL and 1 CDP URL accessible everywhere

  • Use overlapping validity periods

  • max-age should be less than the overlap period

    • Can be shorter for long-lived CRLs

  • Support the lightweight OCSP profile for high volume environments

    • Pre-generate OCSP responses if security requirements permit

    • Don’t use a nonce since a nonced response is not cacheable

  • Ensure new browser / server supports stapling

  • Push for stapling in updated protocols

Questions / Comments?

  • Experiment with Windows Vista Beta 2

  • Feedback always welcomed

    • kelviny@microsoft.com

Other PKI Enhancements in Vista

  • Path validation improvements

    • Reject certs with unrecognized critical extensions

    • Fixed a number of issues around Qualified Subordination

      • Self-issued certificates

      • inhibitAnyPolicy extension

      • Apply name constraints to all certificates below constraining certificate (not just end entity)

    • Cross-Certificate discovery using Subject Information Access extension

  • ECC and SHA2 support

Other PKI Enhancements in Vista (continued)

  • Improved diagnostics support

    • PKI applications are hard to troubleshoot

      • Not enough information

      • Too many moving parts

        • Network or proxy problem?

        • Bad information in certificate?

        • Application vs platform problem?

    • Extensive diagnostic information about path validation failures

      • Information is structured in XML designed for automated post-processing and troubleshooting

      • Integrated with new Windows Event Viewer

    • No changes needed for legacy applications