2012/11/7 Hervé COMMOWICK <[email protected]>:
> As of now, on client side, it is only working on IE9 (not before, not
> after) and Opera, not so common...

It's been enabled in Firefox for a long time (Edit / Preferences / Advanced / Encryption / Validation, or search for ocsp in about:config). See: https://bugzilla.mozilla.org/show_bug.cgi?id=110161

> Look at this: http://www.imperialviolet.org/2012/02/05/crlsets.html for
> Google's thoughts.
> Short: "On this basis, we're currently planning on disabling online
> revocation checks in a future version of Chrome. (There is a class of
> higher-security certificate, called an EV certificate, where we haven't
> made a decision about what to do yet.)"
>
> And this: https://bugzilla.mozilla.org/show_bug.cgi?id=360420#c10 for
> Mozilla's thoughts.
> Short: "it's busted by design. It can only carry a single response and
> hardly any sites have only one OCSP certificate in their chain these
> days. So it doesn't eliminate the OCSP lookup delay, which is its primary
> attraction."
>
> Hervé C.
>
>
> On 11/06/2012 11:02 PM, Willy Tarreau wrote:
>> Hi Lukas,
>>
>> On Tue, Nov 06, 2012 at 04:57:59PM +0100, Lukas Tribus wrote:
>>>
>>> Don't know if it helps without some knowledge of the nginx source code, but
>>> here [1] you can find the patches applied to nginx to introduce OCSP
>>> support.
>>
>> Thanks for the pointer. Anyway, as you suspect, source code alone doesn't
>> tell much about the real benefits to expect from this feature, nor how
>> it's supposed to be used (especially by clients).
>>
>>> It doesn't seem to be trivial to implement though, because you also need to
>>> run (at regular intervals) an OCSP query towards the CA's OCSP server...
>>
>> Amusingly, running a task at regular intervals is the easiest part to do;
>> it's just like health checks. We could decide to dedicate such a task per
>> stapling-enabled bind line and it would not be much of an issue. The overhead
>> would not even be measurable if we were working at insane refresh rates.
>>
>> What's unclear to me is how many clients do support this nowadays, how many
>> servers do, whether or not users are willing to allow outgoing connections
>> to fetch such cert statuses, whether or not non-stapling-aware clients would
>> be impacted by the feature (e.g. increased handshake size due to the advertised
>> extension and data sent to everyone), etc.
>>
>> I think we need to take more time to study this in detail, but until
>> someone comes with a detailed description of what this will bring to
>> his site, I'm not sure anyone will spend more time on this :-/
>>
>> Regards,
>> Willy
>>
>>
>
> --
> Hervé COMMOWICK
> Systems and network engineer.
>
> http://www.rezulteo.com
> by Lizeo Online Media Group <http://www.lizeo-online-media-group.com/>
> 42 quai Rambaud - 69002 Lyon (France) ⎮ ☎ +33 (0)4 63 05 95 30
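One check a reader of this thread might want, as an added example that is not code from HAProxy, nginx or any of the posters: parse the OCSP section that `openssl s_client -status` prints, decide whether the server stapled a response at all, and compute when a periodic refresh task (the health-check-like job Willy describes) should fetch the next one. The sample output and the clock value are constructed, not captured from a real server.

```python
"""Parse the OCSP block printed by `openssl s_client -status` and schedule a
stapling refresh. Added example for this thread, not HAProxy or nginx code.
All sample data below is constructed."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the text openssl prints when a staple is present
SAMPLE_STAPLED = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Nov  6 12:00:00 2012 GMT
    Next Update: Nov 13 12:00:00 2012 GMT
======================================
"""
# Constructed sample for a server that does not staple
SAMPLE_NOT_STAPLED = "OCSP response: no response sent\n"
# Constructed "now": the date of the thread
SAMPLE_NOW = datetime(2012, 11, 7, tzinfo=timezone.utc)

OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"


def parse_staple(output):
    """Return None when nothing usable was stapled, else the status fields."""
    if "no response sent" in output:
        return None
    status = re.search(r"Cert Status:\s*(\w+)", output)
    nxt = re.search(r"Next Update:\s*(.+)", output)
    if not status or not nxt:
        return None  # something was sent but not a parseable basic response
    # collapse the double space openssl prints for single-digit days ("Nov  6")
    when = datetime.strptime(" ".join(nxt.group(1).split()), OPENSSL_TIME)
    return {"cert_status": status.group(1),
            "next_update": when.replace(tzinfo=timezone.utc)}


def seconds_until_refresh(staple, now, margin=timedelta(hours=12)):
    """Seconds a periodic refresh task may sleep before fetching a new response.
    Refresh with a safety margin before Next Update; never wait past it."""
    if staple is None:
        return 0  # nothing stapled (or unusable): fetch right away
    due = staple["next_update"] - margin
    return max(0, int((due - now).total_seconds()))
```

Pipe real `openssl s_client -connect host:443 -status < /dev/null` output into `parse_staple` to run it against a live server; a staple whose Next Update is in the past should be treated as missing by the caller.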

