On Mon, Jun 16, 2014 at 10:11:16AM +0200, Daniel Stenberg wrote:
> On Sun, 15 Jun 2014, Alessandro Ghedini wrote:
>
> >>HTTPS: Live CRL checking and OCSP.
> >
> >There's a wishlist bug about this in the Debian bts, and I have briefly
> >looked into how to implement OCSP (RFC2560) a while back.
>
> We all know OCSP is completely broken and barely a tad bit more than
> useless. Browsers don't even implement it much or care about the responses,
Mozilla folks have the opposite opinion. They removed CRL support in recent
Firefox and kept OCSP as the only method.

> I don't think we'll get much use out of implementing this now.
>
> That means any applications aiming to conform to the legal requirements will
> have to implement it on their own.

Unfortunately the legal requirements differ per country. Some EU countries
(e.g. the Czech Republic) stick to CRL, while some EU countries (e.g. Germany)
stick to OCSP.

I'd rather see the support in the TLS libraries. Probably with some hooks to
delegate HTTP or LDAP retrievals to the upper layers.

> I think there's much more to gain by instead implementing the new methods
> that are being developed, like certificate pinning,

Great idea. Supplying the server certificate as a trusted anchor does work as
the TLS libraries expect the CA:true constraint.

> ocsp stapling etc.

This would make the OCSP transparent to libcurl as the request and response
are part of the TLS negotiation. However it's still OCSP. That means one has
to verify the OCSP response, which itself may need to validate the OCSP
service certificate used to sign the OCSP response. So in the end, there
still will be demand for a third-party network request. (Unless the OCSP
response carries the whole OCSP trust chain with OCSP statuses for each
entry. Though that would undermine network traffic amount worries and
possible caching.)

Personally I believe that a dedicated local daemon like GnuPG's dirmngr is
the best approach. However that's out of scope of libcurl probably.

-- 
Petr
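The caveat Petr raises about stapling (the stapled response is only as trustworthy as whoever signed it, and checking that signer may itself need another fetch) is exactly the responder-authorisation rule of RFC 6960 section 4.2.2.2, the successor of the RFC 2560 mentioned above. The following is an added example written for this page, not code from the thread, from libcurl (which later gained CURLOPT_SSL_VERIFYSTATUS for stapled responses) or from GnuPG: it models that rule over constructed certificates and responses, and reports for each staple whether the signer is authorised and whether trusting it would require a further network request. Signature verification, hashing of the CertID fields and the thisUpdate/nextUpdate window are assumed to be handled by the TLS library, so the model carries them as plain fields; all names, key identifiers and serial numbers are invented.

```python
"""Responder authorisation for a stapled OCSP response (RFC 6960 s.4.2.2.2).

Added example, not libcurl or GnuPG code. Signature checking is assumed to be
done by the TLS library; this answers only: may this signer vouch for the
server certificate, and can that be decided without another network fetch?
"""
from dataclasses import dataclass

# OIDs the decision hinges on (names only; no ASN.1 parsing here).
OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"    # id-kp-OCSPSigning extended key usage
OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5"  # id-pkix-ocsp-nocheck extension


@dataclass(frozen=True)
class Cert:
    """The few X.509 fields the authorisation rules look at (constructed)."""
    subject: str
    issuer: str
    key_id: str                          # SubjectKeyIdentifier, matches signers
    eku: frozenset = frozenset()         # extendedKeyUsage OIDs
    extensions: frozenset = frozenset()  # other extension OIDs present


@dataclass(frozen=True)
class StapledResponse:
    """What a BasicOCSPResponse carries that matters here (constructed)."""
    target_key_id: str   # issuer key id from CertID (hashed in real responses)
    target_serial: int   # serialNumber from CertID
    cert_status: str     # "good" | "revoked" | "unknown"
    signer_key_id: str   # ResponderID: whose key signed the response
    certs: tuple = ()    # BasicOCSPResponse.certs, optional responder chain
    fresh: bool = True   # thisUpdate/nextUpdate window, assumed checked elsewhere


@dataclass(frozen=True)
class Verdict:
    authorised: bool   # may this signer speak for the target's issuer?
    needs_fetch: bool  # is another network request required to trust it?
    status: str        # cert_status if usable, else "unverifiable"
    reason: str


def authorise_signer(resp, issuer, trusted_responders=()):
    """Accept the signer if it is (a) the issuing CA, (b) a locally trusted
    responder, or (c) a responder certificate issued by that CA with
    id-kp-OCSPSigning. Case (c) is the one the mail worries about: that
    certificate has its own revocation status, and unless it carries
    id-pkix-ocsp-nocheck the client must look that status up as well."""
    candidates = [issuer, *trusted_responders, *resp.certs]
    signer = next((c for c in candidates if c.key_id == resp.signer_key_id), None)
    if signer is None:
        return False, True, "signer certificate not in response; it would have to be fetched"
    if signer.key_id == issuer.key_id:
        return True, False, "signed directly by the issuing CA"
    if any(signer.key_id == t.key_id for t in trusted_responders):
        return True, False, "locally trusted responder"
    if signer.issuer != issuer.subject or OCSP_SIGNING not in signer.eku:
        return False, False, "signer is not an authorised responder for this issuer"
    if OCSP_NOCHECK in signer.extensions:
        return True, False, "delegated responder marked id-pkix-ocsp-nocheck"
    return True, True, "delegated responder; its own revocation status must be checked"


def check_staple(resp, server_serial, issuer, trusted_responders=()):
    """Combine CertID match, signer authorisation and freshness into one verdict."""
    if resp.target_key_id != issuer.key_id or resp.target_serial != server_serial:
        return Verdict(False, False, "unverifiable", "response is about a different certificate")
    authorised, needs_fetch, reason = authorise_signer(resp, issuer, trusted_responders)
    if not authorised:
        return Verdict(False, needs_fetch, "unverifiable", reason)
    if not resp.fresh:
        return Verdict(True, False, "unverifiable", "response outside its validity window")
    # needs_fetch is True only for a delegated responder without nocheck: the
    # status is readable, but an offline-only client cannot yet rely on it.
    return Verdict(True, needs_fetch, resp.cert_status, reason)


# Constructed sample PKI: one CA, two delegated responders, one foreign CA.
CA = Cert("CN=Example Root CA", "CN=Example Root CA", "ca-key")
SERVER_SERIAL = 0x1001
RESPONDER = Cert("CN=Example OCSP Responder", "CN=Example Root CA", "ocsp-key",
                 eku=frozenset({OCSP_SIGNING}))
RESPONDER_NOCHECK = Cert("CN=Example OCSP Responder", "CN=Example Root CA",
                         "ocsp-nocheck-key", eku=frozenset({OCSP_SIGNING}),
                         extensions=frozenset({OCSP_NOCHECK}))
OTHER_CA = Cert("CN=Other CA", "CN=Other CA", "other-key", eku=frozenset({OCSP_SIGNING}))


def sample_responses():
    """Constructed staples covering each branch of the rules."""
    base = dict(target_key_id="ca-key", target_serial=SERVER_SERIAL, cert_status="good")
    return {
        "by_ca": StapledResponse(signer_key_id="ca-key", **base),
        "delegated": StapledResponse(signer_key_id="ocsp-key", certs=(RESPONDER,), **base),
        "delegated_nocheck": StapledResponse(signer_key_id="ocsp-nocheck-key",
                                             certs=(RESPONDER_NOCHECK,), **base),
        "foreign": StapledResponse(signer_key_id="other-key", certs=(OTHER_CA,), **base),
        "missing": StapledResponse(signer_key_id="ocsp-key", **base),
        "stale": StapledResponse(signer_key_id="ca-key", fresh=False, **base),
    }


def run_samples():
    """Verdict for every constructed staple, keyed by sample name."""
    return {name: check_staple(r, SERVER_SERIAL, CA) for name, r in sample_responses().items()}


if __name__ == "__main__":
    for name, v in run_samples().items():
        print(f"{name:18} authorised={v.authorised!s:5} needs_fetch={v.needs_fetch!s:5} "
              f"status={v.status:12} {v.reason}")
```

Only the "delegated" sample ends with needs_fetch set: the staple is acceptable, but trusting it means checking the responder certificate's own revocation status, which is the third-party request the message predicts. The two ways around it visible in the model are a CA-signed response or a responder certificate marked id-pkix-ocsp-nocheck; a local daemon in the dirmngr style would simply be the place where that extra lookup happens instead of inside the HTTP client.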
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
