Hey Maxim,

> Presenting a certificate and a non-good certificate status to a
> user looks like "bees against honey" for me. I would rather not.

While I agree that it looks kind of iffy, by not caching OCSP responses with "revoked" or "unknown" certificate status, we're losing all of the OCSP stapling advantages (offloading CA's OCSP responders, improving user's privacy and perceived performance), while not changing anything for the user - he'll still receive exactly the same certificate status directly from CA's OCSP responder, just a few hundred milliseconds later.

Best regards,
Piotr Sikora

_______________________________________________
nginx-devel mailing list
http://mailman.nginx.org/mailman/listinfo/nginx-devel
