On 19/01/16 21:13, Charles Reiss wrote:
On 01/19/16 11:49, Jakob Bohm wrote:
<snip>
If there is no OCSP, it obviously cannot be stapled.

The CA/Browser forum BRs contemplate OCSP stapling without an OCSP responder
being listed in the certificate in section 7.1.2.2.c ("The HTTP URL of the
Issuing CA’s OCSP responder MAY be omitted, provided that the Subscriber
“staples” the OCSP response for the Certificate in its TLS handshakes
[RFC4366].") I assume the idea is that the OCSP responder URL would be manually
configured in the server and that this would make the certificate slightly
smaller.

IIRC, the original motivation for this text was to make it possible to suppress OCSP requests directly from TLS clients (that don't support OCSP Stapling). In particular, there was a concern that some OCSP responders might not be able to cope with the OCSP traffic generated by certs used by sites with extremely high numbers of users.

At the time, Firefox didn't support OCSP Stapling, and it was much less common for CAs to use CDNs for their OCSP responders. (Indeed, some CAs didn't even support OCSP back then).

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
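As an illustration of the server-side arrangement discussed above (the responder URL configured on the server rather than read from the certificate's AIA extension), here is an added nginx configuration fragment; it is not part of the thread or of any CA's material, and every hostname, address and file path in it is a placeholder:

```nginx
server {
    listen 443 ssl;
    server_name www.example.invalid;   # placeholder hostname

    ssl_certificate     /etc/ssl/example/fullchain.pem;   # leaf + intermediates (placeholder paths)
    ssl_certificate_key /etc/ssl/example/privkey.pem;

    # Send a stapled OCSP response in the TLS handshake (status_request, RFC 4366 / RFC 6066).
    ssl_stapling on;

    # Verify the fetched response against the issuer chain before stapling it,
    # so a malformed or expired response is dropped rather than served to clients.
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/example/chain.pem;    # issuer chain used for verification

    # Explicit responder URL: this is what makes stapling work for a certificate
    # that carries no OCSP URL in its AIA extension (BR 7.1.2.2.c); when an AIA URL
    # is present, this directive overrides it.
    ssl_stapling_responder http://ocsp.example-ca.invalid/;   # placeholder responder

    # nginx resolves the responder hostname itself, so a resolver is required.
    resolver 192.0.2.53 valid=300s;   # placeholder resolver (TEST-NET-1 address)
    resolver_timeout 5s;
}
```

To confirm the staple is actually sent, connect with `openssl s_client -connect www.example.invalid:443 -status` and look for an "OCSP Response Status: successful" block in the output. nginx fetches the OCSP response lazily, so the first handshake after a reload may carry no staple; retry once before concluding that stapling is broken. Note the trade-off the thread describes: with no OCSP URL in the certificate, a client that does not support stapling has no OCSP path at all, so the server's staple becomes the only timely revocation signal for that certificate.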

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
