gregk4sec commented on PR #38: URL: https://github.com/apache/tomcat-native/pull/38#issuecomment-3863764787
> If we ignore the dramatics, this boils down to an assessment of the risk that a CA might deploy a malfunctioning OCSP responder vs the risk of applying the patch and the ongoing maintenance cost. Is the cost of protecting Tomcat Native against the CA making a mistake worth it given the likelihood of that mistake happening? > > I think both the risk of a malfunctioning responder and and the risk of applying the patch are very low. The ongoing maintenance is minimal. > > If this PR had been presented without the dramatics I think I would have reviewed it, concluded the check was a reasonable one to make and committed it. Therefore, I intend to commit this later today (before I tag the next round of releases) unless there are objections. Consider the possibility of DNS Hijacking against to OCSP Responder, of any Public CA / or trusted Enterprise/Internal/intermediate CA. +1 It is highly necessary to enhance Tomcat's robustness to prevent potential crash risks arising from external uncontrollable assets. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
