Hi Philipp,

That sounds like we could just ignore CRL/OCSP entirely. So we could then just create the certificates for our servers without additional tasks.
Met vriendelijke groet/With kind regards/Mit freundlichen Grüßen,
Berry van Sleeuwen
Flight Forum 3000
5657 EW Eindhoven

-----Original Message-----
From: Linux on 390 Port <[email protected]> On Behalf Of Philipp Kern
Sent: Saturday, June 22, 2019 8:14 PM
To: [email protected]
Subject: Re: Building a Certificate Authority

On 2019-06-21 01:01, Alan Altmark wrote:
> Your OCSP responder service not being available 24x7. For now, the
> policies dealing with the lack of OCSP and/or CRL tend toward "assume
> it's ok". Kinda loosey goosey. I don't know for how much longer,
> though.
> But it will depend on what the client side is willing to tolerate.

The world seems to move more towards short-lived certificates rather than the use of CRLs/OCSP, as well as shipping targeted revocation rules in browsers for high-value certificates that need them. Certificates that have expired you no longer need to carry revocation information for.

The corollary to this is also that the browsers have the most advanced system in place for certificate handling, and other software in the TLS ecosystem is unlikely to obey all rules correctly.

OCSP hard fail is not something that will come anytime soon. CAs have not shown that they can run OCSP responders reliably at scale, and in some enterprise environments you can't even reach them. OCSP stapling is the more interesting technology here, essentially attaching a proof of non-revocation to the certificate presented during the handshake. But support for that is spotty at best. But again, you would not rely on continuous availability of the OCSP responder in that case.
Kind regards
Philipp Kern

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www2.marist.edu/htbin/wlvindex?LINUX-390
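The approach Philipp describes (short-lived certificates instead of CRL/OCSP) and Berry's conclusion (issue server certificates without standing up revocation infrastructure), as an added example that is not code from the thread or from any project discussed on the list. It builds a throwaway private CA with the OpenSSL command line, issues a leaf certificate that carries neither a CRL distribution point nor an OCSP AIA entry, and shows the checks a renewal job would run. It assumes an OpenSSL 1.1 or later CLI on PATH and a POSIX sh; the CA name, hostnames and the WORK directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the thread): a throwaway private CA that issues
# a short-lived server certificate carrying no CRL distribution point and no
# OCSP AIA, so clients have nothing to fetch and validity alone bounds exposure.
# Assumes an OpenSSL 1.1+ CLI on PATH; all names below are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"          # scratch directory for keys and certs
CA_SUBJ="/CN=Example Internal CA"     # constructed CA name

# make_ca: self-signed CA key and certificate (long-lived; the leaf is what rotates)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "$CA_SUBJ" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_cert <hostname> <days>: leaf certificate for <hostname>, valid <days> days.
# The extension file deliberately omits crlDistributionPoints and authorityInfoAccess.
issue_cert() {
  host="$1"; days="$2"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$host" > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$days" -sha256 -extfile "$WORK/$host.ext" \
    -out "$WORK/$host.crt" 2>/dev/null
}

# verify_chain <hostname>: succeeds if the leaf chains to the CA and is currently valid
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# has_revocation_pointers <hostname>: succeeds if the leaf names a CRL or OCSP URL
has_revocation_pointers() {
  openssl x509 -in "$WORK/$1.crt" -noout -text \
    | grep -Eq 'CRL Distribution Points|Authority Information Access|OCSP'
}

# expires_within <hostname> <seconds>: succeeds if the leaf expires inside the window
# (openssl -checkend exits 0 when the cert will still be valid after <seconds>)
expires_within() {
  ! openssl x509 -in "$WORK/$1.crt" -noout -checkend "$2" >/dev/null
}

# check_stapling <host> <port>: live check whether a server staples an OCSP response
# (needs network; not exercised by the demo below)
check_stapling() {
  openssl s_client -connect "$1:$2" -servername "$1" -status </dev/null 2>/dev/null \
    | grep -q 'OCSP Response Status: successful'
}

# Demo: issue a 7-day certificate and run the checks a renewal job would make.
make_ca
issue_cert web01.example.internal 7
verify_chain web01.example.internal && echo "chain OK"
has_revocation_pointers web01.example.internal || echo "no CRL/OCSP pointers in leaf"
expires_within web01.example.internal $((3 * 86400)) || echo "more than 3 days left: no renewal needed yet"
openssl x509 -in "$WORK/web01.example.internal.crt" -noout -enddate
```

With nothing to fetch, a client has nothing to soft-fail on, but it also means the validity period is the only thing that ends a compromised key's usefulness: keep `-days` as short as the renewal automation can reliably sustain, and have that job call something like `expires_within` well before notAfter. `check_stapling` is the quick way to see whether a server you do not control actually staples, which Philipp notes is far from universal.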
