On Mon, 16 Jun 2014, Petr Pisar wrote:

>> We all know OCSP is completely broken and barely a tad bit more than useless. Browsers don't even implement it much or care about the responses,
>
> Mozilla folks have the opposite opinion. They removed CRL support in recent Firefox and they kept OCSP as the only method.

(I'll pretend here that I don't work for Mozilla! :-))

CRL is an even more broken approach since it simply doesn't scale, especially not for a library such as libcurl.

Firefox may still use OCSP but it also doesn't fail hard on OCSP errors (in a default install), because of the problems with it.

I think we all == people in the curl project, browser developers, server developers and more, want better ways to figure out when a server cert is fine or not. I'm not a TLS expert so I will refrain from speculating exactly what the future will look like or what the best contenders are, but we need improvements in this area.

I don't think we'll get much use out of implementing this now.

> That means any applications aiming to conform to the legal requirements will have to implement it on their own. Unfortunately the legal requirements differ per country. Some EU countries (e.g. the Czech Republic) stick with CRL, while some EU countries (e.g. Germany) stick with OCSP.

That's how the situation is already so this is nothing new. Of course, should anyone want to work on an OCSP implementation and advocate for it, then I wouldn't fight it.

--

 / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html