On Tue, 20 Jun 2017 13:39:56 +0200 Stefan Eissing <stefan.eiss...@greenbytes.de> wrote:
> Can we push the burden of getting an OCSP response to the client, even
> for must-staple certificates?

No, you can't. The whole point is that must-staple enforces stapling.

This has a bit to do with the history of certificate revocation and why it's broken. All browsers do OCSP checks in a soft-fail mode (or not at all). This basically makes it pointless, as an attacker can just block OCSP requests.

OCSP stapling was invented to move away from that unreliable mechanism. Must-staple enforces that mechanism. There is no way to fall back to the old unreliable mechanism if you want to have it secure.

-- 
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42