On Wednesday 07 Dec 2011 04:19:09 Kai Engert wrote:
snip
I haven't researched, but has anyone already thought of distributing
OCSP records using DNS in general?
If we had OCSP-in-DNS, we might not even require OCSP stapling. This
could run as a service completely independent of the SSL servers - only
clients would need to be updated to fetch OCSP from DNS - does this make
sense?
Hi Kai.
We discussed OCSP-in-DNS over at m.d.s.policy earlier this year...
https://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/a5f14bbd3159c44f/446abd478dc847ec
(it's a long thread, but it does contain a lot of useful thoughts)
Recalling that discussion, Gerv recently said...
https://mail1.eff.org/pipermail/observatory/2011-September/000405.html
...the arguments for something DNS-based are IMO very strong (much better
privacy story, very hard to DoS, cached and distributed).
Peter Gutmann lists numerous deficiencies with the OCSP protocol - e.g. see
here...
https://mail1.eff.org/pipermail/observatory/2011-September/000330.html
I think that any future DNS-based certificate status checking protocols should
at least consider addressing some of these issues.
snip
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust Online
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
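As an added illustration of the OCSP-in-DNS idea floated in the thread above (this is example code written for this page, not code from the thread, from Mozilla, or from any of the participants): a Python sketch of how a CA might publish a DER-encoded OCSPResponse in DNS TXT records and how a client might fetch and sanity-check it. Everything about the record layout is an assumption made for the example: the owner name is built from the certificate serial number and the SHA-1 issuer-name hash that OCSP's CertID already uses, under a hypothetical per-CA status zone; TXT is used rather than a dedicated RR type; the TTL is capped at one hour and never exceeds the response's nextUpdate. The "zone" is an in-memory dict standing in for a DNS server, and the response blob is constructed filler with a valid DER outer header, not a real OCSP response.

```python
"""OCSP-in-DNS sketch: publish a DER OCSPResponse in TXT records, fetch it back.

All layout decisions here (name scheme, TXT encoding, TTL policy, zone name)
are assumptions for this example; they are not a standard and not from the thread.
"""
import base64
import hashlib
from datetime import datetime, timedelta, timezone

MAX_TXT_STRING = 255   # RFC 1035: each TXT <character-string> is at most 255 octets
MAX_LABEL = 63         # RFC 1035: each DNS label is at most 63 octets
MAX_TTL_SECONDS = 3600  # assumed cap so caches refresh at least hourly


def ocsp_dns_name(issuer_name_der: bytes, serial: int, zone: str) -> str:
    """Owner name: <serial-hex>.<sha1(issuer Name DER)-hex>.<zone> (assumed scheme)."""
    serial_hex = format(serial, "x")
    if len(serial_hex) % 2:
        serial_hex = "0" + serial_hex
    issuer_hash = hashlib.sha1(issuer_name_der).hexdigest()
    for label in (serial_hex, issuer_hash):
        if len(label) > MAX_LABEL:
            raise ValueError("label exceeds 63 octets")
    return f"{serial_hex}.{issuer_hash}.{zone}".lower()


def encode_txt_rdata(der: bytes) -> list[str]:
    """Base64 the DER and split it into the <=255-octet strings a TXT record carries."""
    b64 = base64.b64encode(der).decode("ascii")
    return [b64[i:i + MAX_TXT_STRING] for i in range(0, len(b64), MAX_TXT_STRING)]


def decode_txt_rdata(strings: list[str]) -> bytes:
    """Reassemble the TXT strings in order and decode; reject non-base64 junk."""
    return base64.b64decode("".join(strings), validate=True)


def record_ttl(now: datetime, next_update: datetime) -> int:
    """TTL bounded by nextUpdate so a cache never serves a response past its validity."""
    remaining = int((next_update - now).total_seconds())
    if remaining <= 0:
        raise ValueError("response already expired; refuse to publish it")
    return min(remaining, MAX_TTL_SECONDS)


def der_declared_length(buf: bytes) -> int:
    """Header + content length declared by the outer DER SEQUENCE of an OCSPResponse."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("bad DER length octets")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def publish(zone_data: dict, name: str, der: bytes, now: datetime, next_update: datetime) -> None:
    """CA side: write one TXT RRset for this certificate's status."""
    zone_data[name] = {"ttl": record_ttl(now, next_update), "txt": encode_txt_rdata(der)}


def fetch_ocsp_from_dns(zone_data: dict, name: str) -> bytes:
    """Client side: look up the RRset, reassemble, and check the DER length is intact.

    The length check catches a dropped or truncated TXT string (e.g. UDP truncation).
    It is NOT a substitute for verifying the OCSPResponse signature against the
    CA or delegated responder key, which a real client must still do.
    """
    rr = zone_data.get(name)
    if rr is None:
        raise LookupError(f"no status record for {name}")
    der = decode_txt_rdata(rr["txt"])
    if der_declared_length(der) != len(der):
        raise ValueError("DER length does not match payload: truncated or tampered record")
    return der


def _constructed_ocsp_response() -> bytes:
    """Constructed filler: a 772-byte DER SEQUENCE, standing in for a real OCSPResponse."""
    content = bytes(range(256)) * 3  # 768 bytes
    return b"\x30\x82" + len(content).to_bytes(2, "big") + content


CONSTRUCTED_OCSP_RESPONSE_DER = _constructed_ocsp_response()


def demo() -> dict:
    """Publish the constructed response, fetch it, then show truncation being caught."""
    zone = {}
    now = datetime(2011, 12, 7, 4, 19, 9, tzinfo=timezone.utc)
    next_update = now + timedelta(hours=4)
    name = ocsp_dns_name(b"constructed issuer Name DER", 0x1234, "status.example.")
    publish(zone, name, CONSTRUCTED_OCSP_RESPONSE_DER, now, next_update)
    fetched = fetch_ocsp_from_dns(zone, name)
    zone[name]["txt"] = zone[name]["txt"][:-1]  # simulate a lost trailing TXT string
    try:
        fetch_ocsp_from_dns(zone, name)
        truncation_detected = False
    except ValueError:
        truncation_detected = True
    return {
        "name": name,
        "ttl": zone[name]["ttl"],
        "txt_strings": len(encode_txt_rdata(CONSTRUCTED_OCSP_RESPONSE_DER)),
        "roundtrip_ok": fetched == CONSTRUCTED_OCSP_RESPONSE_DER,
        "truncation_detected": truncation_detected,
    }


if __name__ == "__main__":
    print(demo())
```

The design choices mirror the properties Gerv lists: the client talks only to its resolver, so the CA never sees which site was visited; the RRset is cacheable by every intermediate resolver, with the TTL tied to nextUpdate so stale status is not served; and the DER length check exists because DNS over UDP can silently drop part of a large TXT RRset. Signature verification of the recovered OCSPResponse is deliberately left to the caller.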