On 06/09/2016 18:15, Ryan Hurst wrote:
On Tuesday, September 6, 2016 at 7:54:14 AM UTC-7, Jakob Bohm wrote:
On 06/09/2016 16:43, Martin Rublik wrote:
On Tue, Sep 6, 2016 at 2:16 PM, Jakob Bohm <jb-mozi...@wisemo.com> wrote:

Here is a list of software where I have personally observed bad OCSP
stapling support:

IIS for Windows Server 2008 (latest IIS supporting pure 32 bit
configurations): No obvious (if any) OCSP stapling support.


AFAIK IIS 7.0 supports OCSP stapling and it is enabled by default, for more
information see https://unmitigatedrisk.com/?p=95 or
https://www.digicert.com/ssl-support/windows-enable-ocsp-stapling-on-server.htm



Nice surprise (if true); this was unreasonably well hidden, for example
there is no indication of this in any relevant parts of the
administration user interface.  I'll have to devise a test to check if
it actually does staple OCSP on our servers.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

It is true. Windows (and IIS as a result) was the first to support OCSP
stapling and has the most robust support for it. Sleevi has a nice summary of OCSP
stapling issues here - https://gist.github.com/sleevi/5efe9ef98961ecfb4da8

Let's start a new thread to discuss OCSP stapling vs re-using this one.


As I stated elsewhere, the only point of mentioning OCSP problems in
here was to counter repeated suggestions in this thread that adding
something to stapled OCSP responses would be a viable solution
to dealing with partially distrusted CAs.  I had no intention of
discussing the details of OCSP stapling implementation in this forum.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
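The quoted reply mentions needing a test to check whether a server actually staples OCSP responses. The following is an added example, not code from anyone in this thread; it assumes the OpenSSL command-line tool is installed, and the host and port passed to `check_ocsp_stapling` are placeholders for a server you administer. It asks the server for a stapled response via the `status_request` extension (`openssl s_client -status`) and classifies what came back.

```shell
#!/bin/sh
# Added example (not from the mailing list thread). Checks whether a TLS
# server sends a stapled OCSP response. Assumes OpenSSL's s_client.

# Reads `openssl s_client -status` output on stdin and classifies it.
# Prints one of: stapled, not-stapled, unknown. Exit status 0 only when
# a successful stapled response was seen.
classify_ocsp_staple() {
  out=$(cat)
  case "$out" in
    *"OCSP Response Status: successful"*) echo stapled;     return 0 ;;
    *"OCSP response: no response sent"*)  echo not-stapled; return 1 ;;
    *)                                    echo unknown;     return 2 ;;
  esac
}

# Connects to $1:$2 (placeholders) with the status_request extension and
# classifies the reply. SNI is set explicitly because a server may staple
# for one certificate/site and not another.
check_ocsp_stapling() {
  host=$1
  port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -status \
    </dev/null 2>/dev/null | classify_ocsp_staple
}

# Constructed samples of the relevant s_client output lines, used so the
# classifier can be exercised offline (these are not captured from a real server).
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
======================================'
SAMPLE_NONE='OCSP response: no response sent'

# Usage against a server you operate (placeholder host):
#   check_ocsp_stapling www.example.com 443
```

Note that a freshly started IIS or Apache instance may answer "no response sent" on the first handshake because the server fetches the OCSP response lazily; run the check twice a few seconds apart before concluding that stapling is off.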
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy