> On 20.06.2017 at 17:19, Hanno Böck <[email protected]> wrote:
> 
> On Tue, 20 Jun 2017 13:39:56 +0200
> Stefan Eissing <[email protected]> wrote:
> 
>> Can we push the burden of getting an OCSP response to the client, even
>> for must-staple certificates?
> 
> No, you can't.
> The whole point is that must staple enforces stapling.
> 
> This has a bit to do with the history of certificate revocation and why
> it's broken.
> 
> All browsers do OCSP checks in a soft-fail mode (or not at all). This
> basically makes it pointless, as an attacker can just block OCSP
> requests.
> 
> OCSP stapling was invented to move away from that unreliable mechanism.
> Must-staple enforces that mechanism. There is no way to fall back to
> the old unreliable mechanism if you want to have it secure.
So, the extension protects clients with incomplete or silently graceful fallbacks from exposing their users. Understood. Not sure if I share this strategy 100%, but it is what it is. If httpd persists responses and tries to renew a good amount of time before they expire (btw. do you know what common validity durations are?), this hopefully does not become a huge DoS opportunity.

-Stefan
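The two policies discussed in the exchange, the legacy soft-fail client check and the must-staple hard failure, plus the "renew well before expiry" scheduling Stefan asks about, as a small model. This is an added illustration, not code from the thread or from httpd; the `OcspResponse`/`Certificate` classes, the `client_decision` and `refresh_at` functions, the 50% refresh point, the one-hour minimum margin and the seven-day sample validity window are all assumptions made for the example.

```python
"""Model of OCSP must-staple handling and staple refresh scheduling.

Added example, not from the mailing-list thread; all names, thresholds and
sample dates are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class OcspResponse:
    """The fields of a stapled OCSP response that matter for this decision."""
    cert_status: str        # "good", "revoked" or "unknown"
    this_update: datetime   # start of the response's validity window
    next_update: datetime   # end of the validity window


@dataclass
class Certificate:
    """Only the property the thread is about: whether the certificate carries
    the TLS Feature extension (RFC 7633) demanding status_request."""
    must_staple: bool


def staple_is_fresh(staple: OcspResponse, now: datetime) -> bool:
    """A staple is usable only inside its [thisUpdate, nextUpdate) window."""
    return staple.this_update <= now < staple.next_update


def client_decision(cert: Certificate, staple: Optional[OcspResponse],
                    now: datetime, soft_fail: bool = True) -> str:
    """Return "accept" or "reject" for a TLS handshake.

    soft_fail=True models the legacy browser behaviour described above: no
    usable revocation information is treated as "assume not revoked", which
    is exactly what blocking OCSP traffic exploits. A must-staple certificate
    overrides that: a missing or stale staple is a hard failure.
    """
    if staple is None or not staple_is_fresh(staple, now):
        if cert.must_staple:
            return "reject"
        return "accept" if soft_fail else "reject"
    if staple.cert_status == "good":
        return "accept"
    return "reject"   # "revoked" or "unknown": never accept without positive evidence


def refresh_at(staple: OcspResponse, fraction: float = 0.5,
               min_margin: timedelta = timedelta(hours=1)) -> datetime:
    """When a server holding this response should fetch a new one.

    Refreshing midway through the validity window and never later than
    min_margin before nextUpdate leaves room for responder outages, so a
    must-staple site does not lose its staple at the moment it expires.
    The result is clamped so a very short window refreshes immediately.
    """
    validity = staple.next_update - staple.this_update
    midpoint = staple.this_update + validity * fraction
    latest = staple.next_update - min_margin
    return max(staple.this_update, min(midpoint, latest))


def run_scenarios() -> dict:
    """Constructed sample data: a 7-day response issued 2017-06-20 00:00 UTC,
    evaluated at noon that day and again after it has expired."""
    issued = datetime(2017, 6, 20, tzinfo=timezone.utc)
    good = OcspResponse("good", issued, issued + timedelta(days=7))
    revoked = OcspResponse("revoked", issued, issued + timedelta(days=7))
    short = OcspResponse("good", issued, issued + timedelta(minutes=30))
    noon = issued + timedelta(hours=12)
    later = issued + timedelta(days=8)
    ms, plain = Certificate(must_staple=True), Certificate(must_staple=False)
    return {
        "must_staple/fresh_good": client_decision(ms, good, noon),
        "must_staple/revoked": client_decision(ms, revoked, noon),
        "must_staple/no_staple": client_decision(ms, None, noon),
        "must_staple/expired_staple": client_decision(ms, good, later),
        "plain/no_staple_soft_fail": client_decision(plain, None, noon),
        "plain/no_staple_hard_fail": client_decision(plain, None, noon, soft_fail=False),
        "refresh_at": refresh_at(good).isoformat(),
        "refresh_at_short_window": refresh_at(short).isoformat(),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:32} {result}")
```

The point the table of outcomes makes is the one from the reply above: with a plain certificate the soft-fail client accepts a handshake that carries no revocation information at all, while with must-staple the same situation is rejected, so the server's refresh schedule becomes an availability concern rather than a nicety.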
