On Tue, Apr 03, 2018 at 02:11:07AM +0200, Jakob Bohm via dev-security-policy wrote:
> seems
> to be mostly justified as a poor workaround for the browsers and
> certificate libraries not properly implementing reliable revocation
> checks.

The problem is not in the libraries, or even the applications making use of them, it's that actually trying to check them is not reliable. There are just too many cases where trying to check it results in an error.

OCSP stapling should at least help with this. We should really encourage people to use this, and have software enable this by default. According to ssl-pulse 31% of the sites enable it.

There might also be library or application bugs. At least Firefox for me is annoying in that if it for whatever reason fails, it says it's an internal server error (which as far as I know is never the case), and then doesn't even seem to retry it and just gives that same error again.

Kurt
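As an added illustration of the "enable stapling on the server side" suggestion above (example configuration written for this page, not from the thread or from Mozilla), this is what turning OCSP stapling on looks like in nginx; the certificate and chain paths are assumed placeholders:

```nginx
# Assumed server block: paths are placeholders, not values from the thread.
server {
    listen 443 ssl;
    server_name example.test;

    ssl_certificate     /etc/ssl/example.test/fullchain.pem;  # leaf + intermediates
    ssl_certificate_key /etc/ssl/example.test/privkey.pem;

    # Default is "off": clients must reach the CA's OCSP responder
    # themselves, which is the unreliable path discussed in the thread.
    ssl_stapling on;

    # Have nginx verify the OCSP response it fetched before stapling it,
    # so a bad or unrelated response is dropped rather than sent on.
    ssl_stapling_verify on;

    # Chain used to verify the responder's signature; must contain the
    # issuing intermediate(s) (and root) for the certificate above.
    ssl_trusted_certificate /etc/ssl/example.test/chain.pem;

    # nginx needs a resolver to look up the OCSP responder host from the
    # certificate's AIA extension; without it no staple is ever fetched.
    resolver 127.0.0.1 valid=300s;
    resolver_timeout 5s;
}
```

If the responder fetch fails, nginx logs the error and serves the handshake without a staple, so the client simply falls back to its own behaviour; confirm stapling works from a client with `openssl s_client -connect example.test:443 -status` and look for "OCSP Response Status: successful" in the output.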