Hi all,

I’ve been playing around with mbedTLS of late. It appears to lack any support for OCSP (either stapling or just simple client queries). It supports CRLs, but CRLs appear to be waning in terms of use; Let’s Encrypt, for example, doesn’t create them, as I suspect is the case with other short-term-validity certificate solutions.
mbedTLS is not the *most* prominent TLS implementation, but it’s also hardly the least. The projects that incorporate it (e.g., PowerDNS) clearly “survive” without OCSP. Chrome, at least, doesn’t do OCSP client checks, and I don’t think it mandates OCSP stapling … which basically means there’s a huge swath of contexts where applications won’t notice if a certificate is revoked.

It begs the question … how relevant is certificate revocation nowadays? How big of a problem is it if TLS validity checks ignore it?

Cheers,
-Felipe Gasper
Mississauga, Ontario

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
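The situation the post describes, as an added example that is not part of the original message or of mbedTLS, PowerDNS or any other project: a throwaway CA issues a leaf certificate, the CA revokes it and publishes a CRL, and the same chain is then validated twice with the openssl CLI, once the way a client with no revocation support does it and once with the CRL consulted. The CA name, the leaf name `revoked.example` and the file names are assumptions made up for the demonstration; only the openssl command-line tool is required.

```shell
#!/bin/sh
# Added example, not code from the original post or any project.
# Shows that a verifier which never consults revocation data accepts a
# certificate its issuer has already revoked. Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal `openssl ca` configuration: only the keys that -revoke and
# -gencrl need (database of issued certs, CRL number, digest, CRL lifetime).
cat > ca.cnf <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $WORK
database         = \$dir/index.txt
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_crl_days = 7
EOF
: > index.txt
echo 01 > crlnumber

# Hypothetical throwaway CA and a leaf certificate it signs.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Demo Revocation CA" -days 30 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=revoked.example" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out leaf.pem -days 30 >/dev/null 2>&1

# The CA revokes the leaf and publishes a CRL that lists its serial number.
openssl ca -config ca.cnf -revoke leaf.pem -cert ca.pem -keyfile ca.key >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -cert ca.pem -keyfile ca.key -out crl.pem >/dev/null 2>&1

# Chain validation only: signature, validity period, trust anchor. This is
# all a client without OCSP or CRL support ever checks.
verify_ignoring_revocation() {
    out=$(openssl verify -CAfile ca.pem leaf.pem 2>&1 || true)
    case "$out" in
        *": OK"*) echo accepted ;;
        *)        echo rejected ;;
    esac
}

# Same chain, but the leaf's serial is looked up in the CA's CRL.
verify_with_crl() {
    out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem leaf.pem 2>&1 || true)
    case "$out" in
        *": OK"*) echo accepted ;;
        *)        echo rejected ;;
    esac
}

echo "without revocation check: $(verify_ignoring_revocation)"   # accepted
echo "with CRL check:           $(verify_with_crl)"             # rejected
```

The second verification fails with OpenSSL's "certificate revoked" error, while the first reports the very same leaf as valid. The gap is exactly what the post describes: a TLS stack that validates the chain but never fetches a CRL or an OCSP response (and is not forced to by a stapled response or a Must-Staple extension) cannot distinguish a revoked certificate from a good one until the certificate expires on its own, which is why short lifetimes are the usual compensating control.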