mingdao posted on Wed, 06 Nov 2013 14:13:34 -0600 as excerpted:

> Thanks for the detailed explanation, Thomas.
>
> Now, if any one of us turned off OCSP as Michael suggested, what should
> one do after turning it back on? Could there now be certificates trusted
> there which should not be?
AFAIK, no... except possibly for any ongoing connections and any possible
overrides you did during the "off" time. New connections will
automatically be checked again.

Meanwhile, another question for Thomas.

Is this "certificate stapling" the same thing Google Chrome is now doing
for the Google site, that enabled it to detect the (I think it was)
Iranian and/or Chinese CA tampering, allowing them to say a "google" cert
was valid that was actually their MitM cert, as appeared in the tech news
a few months ago? Or was that something different?

I had interpreted (well, I think I read, but either the journalist could
have been mixed up too, or maybe I was misinterpreting what I read; either
way the effect on my understanding is the same) the "certificate
stapling" referred to at the time as indicating that Google configured
the certs for their own sites into Chrome as shipped itself, effectively
hard-coding them, NOT as Google handling its own OCSP requests, as OCSP
cert stapling does.

So now I'm wondering if I interpreted wrong then, or if there's actually
two different things being referred to as certificate stapling, here.

-- 
Duncan - List replies preferred.  No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman
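The message above asks whether OCSP stapling is what let Chrome catch a mis-issued certificate for a Google site. The two mechanisms are different things. With OCSP stapling the server itself fetches the CA's signed OCSP response and sends it inside the TLS handshake, so the client never has to contact the CA; the trust decision still rests on the CA. What Chrome did for its own sites was public-key pinning: a list of expected SubjectPublicKeyInfo hashes built into the browser, which a server certificate must match no matter which trusted CA issued it and no matter what OCSP says about it. The script below is an added example written by the editor, not code from this list or from any of the posters. It assumes the openssl command-line tool is installed, and it constructs two self-signed certificates purely as test data (a "real" server key and a look-alike for the same name, standing in for a MitM certificate); no network is used.

```shell
#!/bin/sh
# Added example, not from the original thread. Computes an SPKI pin for a
# certificate (base64 of SHA-256 over the DER-encoded SubjectPublicKeyInfo,
# the form used by HPKP pin-sha256 and by Chrome's built-in pin list) and
# checks it against a pinned set. Assumes the openssl CLI is installed.
set -e

WORK=${WORK:-$(mktemp -d)}
trap 'rm -rf "$WORK"' EXIT

# gen_cert NAME: constructed self-signed certificate for www.example.com
# with a freshly generated key, written to $WORK/NAME.pem and $WORK/NAME.key.
gen_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=www.example.com" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# spki_pin CERT.pem: print the certificate's SPKI pin on one line.
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A
    printf '\n'
}

# check_pin CERT.pem PIN...: succeed only if the certificate's SPKI pin is
# in the pinned set. A certificate that chains to a trusted CA and carries
# a "good" OCSP status still fails here if its key is not a pinned one,
# which is exactly what a stapled OCSP response cannot tell you.
check_pin() {
    cert=$1; shift
    pin=$(spki_pin "$cert")
    for expected in "$@"; do
        [ "$expected" = "$pin" ] && return 0
    done
    return 1
}

# Demo: pin the real server key, then show that a look-alike certificate
# for the same name (a constructed stand-in for a mis-issued MitM cert)
# is rejected by the pin check.
main_demo() {
    gen_cert real
    gen_cert mitm
    PINNED=$(spki_pin "$WORK/real.pem")
    echo "pinned SPKI hash: $PINNED"
    if check_pin "$WORK/real.pem" "$PINNED"; then
        echo "real.pem: pin match"
    fi
    if check_pin "$WORK/mitm.pem" "$PINNED"; then
        echo "mitm.pem: pin match (unexpected)"
    else
        echo "mitm.pem: PIN MISMATCH, a pinning client would refuse the connection"
    fi
}

main_demo
```

To look at the other mechanism, a stapled OCSP response, connect to a live server with `openssl s_client -connect host:443 -servername host -status`; the output shows whether the server included an OCSP response in the handshake and what status it carries. Note that this tells you what the CA currently says about the certificate, and nothing about whether the key is the one the site operator meant to use.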