>> 2.4.x, are you vetoing changing the trunk default config
>> to enable stapling, and are the criteria of the veto both
>>
>> 1. The default configuration should not trigger unsolicited outgoing
>> queries to untrusted systems, for both a) and b), that's how I would put it.
>> 2. Additionally, features enabled by default need to have sufficient
>> coverage in the test framework.
>
> For GA releases, my position is that both criteria apply, yes. If it's
> enabled in trunk, an alpha or a beta for getting broader testing exposure,
> then the docs and release notes/announcement should prominently say so
> (not only for OCSP stapling specifically, but in general for those
> features which may trigger unsolicited outgoing connections).
>
> Kaspar
>
>
> [1]
> https://mail-archives.apache.org/mod_mbox/httpd-dev/201504.mbox/%3c7c89cdba-b463-415f-82da-ddd6ad88c...@jagunet.com%3E
>
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
that it should be off by default.
Given the current stapling code, that's fair enough.
Is it feasible to engineer around these issues so that stapling could be
enabled by default in some future httpd release? If not, what's the
showstopper?
Thanks.
on these
organizations, but maybe my understanding of OCSP
stapling is entirely wrong.
Regards
Rüdiger
s/2.2.13/2.2.30/
?
of our certs will send a
cert chain terminating with AddTrust External CA Root.
I do _not_ want mod_ssl to autocorrect this by following the AIA
URL(s) and deciding to also send the cross-certificate issued by UTN.
-print_certs, but which one of those certs
(if any) should the user append to SSLCertificateChainFile?
to reduce the number of servers
with misconfigured chains!
is not added). Being less broken would mean
that the remaining brokenness is less likely to be detected and corrected.
So if the goal is to maximize the % of servers that are 100% correctly
configured, one-hop AIA-autocorrection might actually be counterproductive.
that does most of this already... ;-) )
On 14/10/13 17:28, Kaspar Brand wrote:
On 14.10.13 10:51, Rob Stradling wrote:
Kaspar, I don't think data from 2010 (or even data from today) should be
assumed to be a reliable indicator of future use of non-RSA certs on
public sites.
Past performance is not indicative of future performance
CAs) in ECC certs continues to
grow. Since a significant proportion (I estimate ~20%) of deployed
clients will accept RSA server certs but not ECC server certs, I think
that configuring both an ECC cert and an RSA cert on a single vhost may
yet become popular!
snip
be a good thing, but probably the
default should also be raised to e.g. 2048 bit.
cu,
On Wednesday 05 Jan 2011 10:03:19 Rob Stradling wrote:
On Friday 24 December 2010 16:24:03 Igor Galić wrote:
snip
If we want to see more extensive testing in the field,
then this is the right time to make 'On' the default.
Steve, has Igor persuaded you?
I was hoping to generate a bit
On Wednesday 09 Feb 2011 09:39:36 Rob Stradling wrote:
On Wednesday 05 Jan 2011 10:03:19 Rob Stradling wrote:
On Friday 24 December 2010 16:24:03 Igor Galić wrote:
snip
If we want to see more extensive testing in the field,
then this is the right time to make 'On' the default
On Wednesday 22 December 2010 16:11:21 Dr Stephen Henson wrote:
On 22/12/2010 15:32, Rob Stradling wrote:
On Friday 03 December 2010 10:31:24 Rob Stradling wrote:
snip
Would it be possible to make OCSP Stapling enabled by default (when the
server certificate contains an OCSP Responder
On Friday 03 December 2010 10:31:24 Rob Stradling wrote:
snip
Would it be possible to make OCSP Stapling enabled by default (when the
server certificate contains an OCSP Responder URL in the AIA extension)
instead of disabled by default?
(Perhaps SSLUseStapling could be replaced
many webmasters would bother to add SSLUseStapling on to
their config files, even though OCSP Stapling benefits all parties.
I understand that Microsoft IIS 7.x enables OCSP Stapling by default.