On 1/06/2014 4:35 AM, Michael Gilbert wrote: > On Sat, May 31, 2014 at 1:46 PM, Andrew McGlashan wrote: >> We may see certificate stapling as an answer, but that won't be enough >> if it cannot be certified to /require/ stapling in the cert itself. >> There may be other solutions in time. >> >> You are right in saying that the whole certificate revocations model is >> flawed, but not as flawed as what Google is choosing to use in CRLset. >> Quite simply, Google's response to this problem is a joke. > > It sounds like you've got a stinging itch there, so feel empowered to > go scratch it. I'm sure Google would be interested in a nice patch > set solving this problem once and for all.
Google did have OCSP, but they deliberately removed it recently. FWIW, Steve Gibson has a very good take on all of this. The OCSP server not found issue is rare, in the past the /main/ CA's got together to discuss the OCSP issue and they create CDN's to deal with issues like not being able to connect the OCSP server. The page that was linked from /google's/ pov ... was quite old btw. Google pushed back on OCSP when Steve Gibson had much to say about the whole revocation mess and he talked about alternative ideas that the industry is considering. The CA's backed Steve's take and can't seem to understand why Google would push back so hard to go against the OCSP idea and other possible solutions. Cheers A. -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/538a29be.2020...@affinityvision.com.au
