>> On 10/23/13 12:31 PM, Kathleen Wilson wrote:
>>> On 10/22/13 1:19 PM, Eddy Nigg wrote:
>>>
>>> I've been on the sidelines for most of this and other discussions
>>> here, however I don't think this is correct at all - if the server
>>> doesn't provide a correct stapled response, the browser must still be
>>> able to find the OCSP response on its own. Additionally servers
>>> usually will use the exact same information to find a valid OCSP
>>> response to include as a browser would, and this response must be
>>> fairly frequently updated too. Except if the server admin bothers to
>>> configure that manually which I doubt over the longer term for most.
>>
>> I'm not sure I understand your message. Are you saying that even if
>> OCSP stapling is used, the certs must have the OCSP URI in them, in
>> case the server's stapled response doesn't work, and the browser needs
>> to fallback to the OCSP URI in the cert?
>>
Kathleen and Eddy,

As you and others may know, but for the benefit of others, I have a draft ballot with the CA/Browser Forum (Ballot 103) to clarify a nuance that I believe was incorrectly expressed concerning OCSP stapling when the Baseline Requirements were adopted. Soon after adoption, we created a punch-list of items to fix. Issue 7 was to clarify the use of the AIA for OCSP and make it a firm requirement.

Section 13.2.1 and Appendix B of the BRs contemplated that OCSP stapling could be used instead of the OCSP AIA for "high traffic sites" if the CA and the Server could ensure that the OCSP response was stapled. However, existing client capabilities were not adequately discussed or addressed, including several important facts:

- this works only where the server can confirm that all browsers connecting (via the certificate without the OCSP AIA) support stapling;
- it might work if the site could control which browsers were used to connect to the site;
- the most efficient known way for a server to support OCSP stapling is to obtain fresh OCSP responses using the AIA URI contained in the certificate itself;
- the browser needs to be able to fall back to the OCSP URI if the server fails to staple; and
- the benefits of putting the AIA for OCSP in the certificate far outweigh any perceived benefit of leaving it out.

Some may argue that compliance with section 13.2.1 is theoretically possible, but I am not aware of any CA-subscriber combination that can claim full compliance -- especially since OCSP stapling, this exception, and the BRs themselves are relatively new.

So long story short, yes, the OCSP URI does need to be in the AIA of the certificate.

Thanks,
Ben
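The two uses of the AIA OCSP URI that Ben's message turns on (the server reads it to prefetch a fresh response to staple; the browser reads the same field when no staple arrives) can be walked through with nothing but the openssl command line. The script below is an added example, not code from the thread or from the CA/Browser Forum: it builds a throwaway CA, one leaf certificate carrying an OCSP AIA entry and one without, extracts the URI the way a server or client would, and then runs the prefetch-verify cycle a stapling server performs. The responder URI http://ocsp.example.test is made up, and because the example runs offline a local one-shot `openssl ocsp` responder stands in for the HTTP fetch to that URI.

```shell
#!/bin/sh
# Added example (not from the thread). All material is constructed locally:
# the CA, both leaf certificates and the responder URI http://ocsp.example.test.
set -eu

# The OCSP URI from the certificate's AIA extension: the same string a stapling
# server uses to prefetch a response and a browser uses to fall back when no
# staple arrives. Prints it, or returns 1 if the cert carries no OCSP AIA entry.
ocsp_uri_of() {
    uri=$(openssl x509 -noout -ocsp_uri -in "$1")
    [ -n "$uri" ] || return 1
    printf '%s\n' "$uri"
}

# Throwaway CA plus two leaves signed from one CSR: with and without an AIA entry.
build_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ocsp-stapling-demo" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    # Hypothetical responder URI; the string a server and a browser would both read.
    printf 'authorityInfoAccess = OCSP;URI:http://ocsp.example.test\n' > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -set_serial 0x1001 -days 30 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
    # Same CSR with no AIA: the kind of cert the BR exception for high-traffic sites allowed.
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -set_serial 0x1002 -days 30 -out "$dir/leaf-noaia.pem" 2>/dev/null
    # CA database for the stand-in responder (tab separated): status V=valid, expiry,
    # empty revocation date, serial in hex, file name, subject.
    printf 'V\t991231235959Z\t\t1001\tunknown\t/CN=ocsp-stapling-demo\n' > "$dir/index.txt"
}

# What a stapling server does ahead of each validity window: build the OCSP request
# for its own certificate, obtain a response from the AIA URI, verify it as a client
# would, and keep it to staple. Returns 1 if the cert has no AIA URI or the response
# does not verify as "good" with a nextUpdate the server can schedule a refresh from.
prefetch_staple() {
    dir=$1
    uri=$(ocsp_uri_of "$dir/leaf.pem") || {
        echo "no OCSP AIA in leaf.pem: nothing to prefetch and nothing for a browser to fall back to" >&2
        return 1
    }
    openssl ocsp -issuer "$dir/ca.pem" -cert "$dir/leaf.pem" -no_nonce \
        -reqout "$dir/req.der" >/dev/null
    # Online the fetch would be:
    #   openssl ocsp -issuer ca.pem -cert leaf.pem -url "$uri" -respout staple.der
    # Offline, a one-shot responder answers the same request; -ndays 7 sets nextUpdate,
    # i.e. the point before which the server must have fetched a fresh staple.
    openssl ocsp -index "$dir/index.txt" -CA "$dir/ca.pem" -rsigner "$dir/ca.pem" \
        -rkey "$dir/ca.key" -ndays 7 -reqin "$dir/req.der" -respout "$dir/staple.der" \
        >/dev/null 2>&1
    result=$(openssl ocsp -issuer "$dir/ca.pem" -cert "$dir/leaf.pem" -CAfile "$dir/ca.pem" \
        -respin "$dir/staple.der" -no_nonce 2>&1)
    printf '%s\n' "$result" | grep -q 'Response verify OK' || return 1
    printf '%s\n' "$result" | grep -q ': good' || return 1
    printf '%s\n' "$result" | grep -q 'Next Update' || return 1
}
```

Usage: `D=$(mktemp -d); build_demo_pki "$D"; ocsp_uri_of "$D/leaf.pem"; prefetch_staple "$D"`. Running `ocsp_uri_of` against leaf-noaia.pem fails, which is the practical point of the ballot: with no AIA entry the server has nothing to prefetch from and a browser that receives no staple has nowhere to turn. Against a live server, `openssl s_client -connect host:443 -status` shows whether a staple is actually being sent with the handshake.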
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy