On 05/06/2014 04:05 PM, Xuelei Fan wrote:
> On 5/6/2014 9:36 PM, Florian Weimer wrote:
>> On 04/02/2014 01:19 AM, Xuelei Fan wrote:
>>> Here is the updated version:
>>> http://cr.openjdk.java.net/~xuelei/8034248/jep-csre-v01.txt
>>> Updated the description section and a few words so that it is easier to
>>> understand.
>> I think the server side would benefit from an API which allows code to
>> directly supply the OCSP response to be stapled, perhaps as part of the
>> extended trust manager.
> Typically, an OCSP response is time-variant. Ideally, the response should
> be retrieved and updated internally, in time and automatically. For the
> first stage, I only want to implement the essential feature, and keep
> the footprint as small as possible.
I think we need a non-blocking way to inject the OCSP response into
SSLEngine.
And from a deployment perspective, we really need to provide something
that avoids making the OCSP request directly (or through an HTTP proxy).
Access to external resources is often quite restricted, and due to the
way OCSP has been specified, it is rather difficult to proxy it without
providing a generic web proxy service.
--
Florian Weimer / Red Hat Product Security Team