If there was a DoS attack, it would be the first and the last. OCSP is only a DoS issue for servers that don't staple. All modern servers can staple if configured to do so. Further, it is only the weaker CAs that don't have DoS-proof OCSP service.
So if there was a DoS attack we would see a sudden upgrade to server stapling and the OCSP service could probably be phased out after a short time (except for feeding the cert holders with their tokens).

On Thu, Apr 24, 2014 at 12:39 AM, Daniel Micay <[email protected]> wrote:

> I'm talking about the DoS vulnerability opened up by making a few OCSP
> servers a single point of failure for *many* sites.
>
> It's also not great that you have to let certificate authorities know
> about your browsing habits.
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

--
Website: http://hallambaker.com/

