Re: [TLS] [EXTERNAL] Re: [Uta] OCSP in RFC7525bis

2022-01-19 Thread Andrei Popov
Speaking for a broader-than-browser implementation: PKI stack in Windows found hard failure on OCSP non-deployable. This is not to say that OCSP is entirely useless; OCSP information is considered as part of certificate validation. A very much simplified summary: * If OCSP says "revoked",

Re: [TLS] [Uta] OCSP in RFC7525bis

2022-01-19 Thread Viktor Dukhovni
> On 19 Jan 2022, at 9:57 am, Yaron Sheffer wrote: > > But this raises a larger question: many client-side implementations soft-fail > if they don’t get an OCSP response within the handshake, i.e. they just > ignore the problem. As far as we understand, this makes OCSP stapling > completely

Re: [TLS] [Uta] OCSP in RFC7525bis

2022-01-19 Thread Eric Rescorla
On Wed, Jan 19, 2022 at 6:57 AM Yaron Sheffer wrote: > Hi, > > > > RFC 7525 (the TLS BCP) has a section [1] with “weak” recommendations to > use OCSP and OCSP stapling. We are changing these recommendations [2] in > view of OCSP stapling in TLS 1.3 and the obsolescence of RFC 6961. > > > > But

Re: [TLS] [Uta] OCSP in RFC7525bis

2022-01-19 Thread Nick Sullivan
For additional context, here's a research study we published a few years back on OCSP must-staple in the Web context: https://cbw.sh/static/pdf/chung-imc18.pdf Nick On Wed, Jan 19, 2022 at 11:58 AM Mohit Sahni wrote: > Hi, > > So for the new BCP, we have three options: > > > > Add a

Re: [TLS] [Uta] OCSP in RFC7525bis

2022-01-19 Thread Salz, Rich
* We would be grateful for feedback based on implementation experience. In particular if you have quantitative data on the use or quality of OCSP that’s more recent than Chung18 [3], that would be very useful. For what it’s worth, *our* customers want OCSP stapling. (It’s enabled by

Re: [TLS] OCSP in RFC7525bis

2022-01-19 Thread Mohit Sahni
Hi, > So for the new BCP, we have three options: > > Add a SHOULD-level requirement (for TLS 1.3 implementations, possibly also > TLS 1.2 implementations) to fail the handshake if the OCSP response is > missing or invalid. (As far as we can tell, RFC 8446 is silent on this.) > Remove the whole

Re: [TLS] OCSP in RFC7525bis

2022-01-19 Thread Hanno Böck
Hi, On Wed, 19 Jan 2022 16:57:07 +0200 Yaron Sheffer wrote: > But this raises a larger question: many client-side implementations > soft-fail if they don’t get an OCSP response within the handshake, > i.e. they just ignore the problem. As far as we understand, this > makes OCSP stapling

[TLS] OCSP in RFC7525bis

2022-01-19 Thread Yaron Sheffer
Hi, RFC 7525 (the TLS BCP) has a section [1] with “weak” recommendations to use OCSP and OCSP stapling. We are changing these recommendations [2] in view of OCSP stapling in TLS 1.3 and the obsolescence of RFC 6961. But this raises a larger question: many client-side implementations soft-fail if

Re: [TLS] Revised hybrid key exchange draft

2022-01-19 Thread Nimrod Aviram
Hi Everyone, As Douglas wrote, we have discussed the issues together at length, and we thank him for the productive (and friendly :-)) conversation. Our paper, which describes our concerns, can be found here: https://eprint.iacr.org/2022/065 And a reference implementation of our proposed KDF: