On Thu, Apr 10, 2014 at 3:54 PM, Phillip Hallam-Baker <[email protected]> wrote:

> One of the problems with OCSP is the hardfail issue. Stapling reduces
> latency when a valid OCSP token is supplied but doesn't allow a server
> to hardfail if the token isn't provided as there is currently no way
> for a client to know if a token is missing because the server has been
> borked or if the server doesn't staple.
>
> This draft corrects the problem. It has been in IETF limbo due to the
> OID registry moving. But I now have a commitment from the AD that they
> will approve the OID assignment if there is support for this proposal
> from a browser provider:

David Keeler was working on implementing Must-Staple in Gecko. You can point them to these two bugs:

https://bugzilla.mozilla.org/show_bug.cgi?id=921907
https://bugzilla.mozilla.org/show_bug.cgi?id=901698

The work got stalled because we decided to fix some infrastructure issues (like the new mozilla::pkix cert verification library) first. Now that work is winding down and I think we'll be able to finish the Must-Staple implementation soon. Check with David.

Cheers,
Brian

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
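The hardfail problem described in the quoted message, as an added illustration that is not from the thread or from Gecko: a client-side decision that distinguishes "server does not staple" (soft-fail) from "certificate requires a staple but none arrived" (hard-fail). It assumes the TLS Feature extension as later standardized in RFC 7633 (OID 1.3.6.1.5.5.7.1.24, value SEQUENCE OF INTEGER, 5 = status_request); the extension bytes and the `evaluate` helper are constructed for the example.

```python
"""Must-Staple verdict logic (added example; assumes RFC 7633 encoding)."""
from enum import Enum

TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"   # id-pe-tlsfeature (RFC 7633)
STATUS_REQUEST = 5                        # TLS extension type for OCSP status_request


class Verdict(Enum):
    ACCEPT = "fresh stapled OCSP response present"
    SOFT_FAIL = "no staple, certificate does not require one"
    HARD_FAIL = "certificate requires a staple but the server sent none"


def parse_tls_features(der: bytes) -> list[int]:
    """Decode the extension value: SEQUENCE { INTEGER ... } (short-form lengths only)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    seq_len = der[1]
    if seq_len & 0x80 or 2 + seq_len != len(der):
        raise ValueError("unsupported or malformed SEQUENCE length")
    body, features, i = der[2:], [], 0
    while i < len(body):
        if body[i] != 0x02 or i + 1 >= len(body):
            raise ValueError("expected a DER INTEGER")
        n = body[i + 1]
        if n == 0 or n & 0x80 or i + 2 + n > len(body):
            raise ValueError("malformed INTEGER length")
        features.append(int.from_bytes(body[i + 2:i + 2 + n], "big", signed=True))
        i += 2 + n
    return features


def requires_staple(extensions: dict[str, bytes]) -> bool:
    """True when the leaf certificate carries tlsfeature with status_request."""
    value = extensions.get(TLS_FEATURE_OID)
    return value is not None and STATUS_REQUEST in parse_tls_features(value)


def evaluate(extensions: dict[str, bytes], stapled_response_ok: bool) -> Verdict:
    """Decide after the handshake: a valid staple wins; otherwise the extension
    tells the client whether a missing staple is a hard failure."""
    if stapled_response_ok:
        return Verdict.ACCEPT
    if requires_staple(extensions):
        return Verdict.HARD_FAIL
    return Verdict.SOFT_FAIL


# Constructed sample extension value: SEQUENCE { INTEGER 5 }, i.e. status_request.
MUST_STAPLE_EXT = bytes.fromhex("3003020105")
```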

