On 02/08/2012 04:20 PM, Brian Smith wrote:
> However, I don't think we should reject Google's improvement here because it
> isn't perfect. OCSP fetching is frankly a stupid idea, and AFAICT, we're all
> doing it mostly because everybody else is doing it and we don't want to look
> less secure. In the end, for anything serious, we have been relying (and
> continue to rely) on browser updates to *really* protect users from
> certificate-related problems. And, often we're making almost arbitrary
> decisions as to which breaches of which websites are worth issuing a browser
> update for. Google is just improving on that. Props to Adam, Ben, Wan-Teh,
> Ryan, and other people involved.
We do OCSP fetching because CRL fetching on the internet as a whole
didn't scale when it was tried. OCSP may not be perfect, but we do it
because it's the best thing we have today.
OCSP stapling would certainly improve things, which is why it was
created, what was it, oh at least 5 years ago. Part of what we are
fighting is the general inertia of the web. It took close to 15 years to
get OCSP generally turned on!
bob
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto