Hi all,

        I’ve been playing around with mbedTLS of late. It appears to lack any 
support for OCSP--either stapling or just simple client queries. It supports 
CRLs, but CRLs appear to be waning in terms of use; Let’s Encrypt, for example, 
doesn’t create them, as I suspect is the case with other short-term-validity 
certificate solutions.

        mbedTLS is not the *most* prominent TLS implementation, but it’s also 
hardly the least. The projects that incorporate it (e.g., PowerDNS) clearly 
“survive” without OCSP. Chrome, at least, doesn’t do OCSP client checks, and I 
don’t think it mandates OCSP stapling … which basically means there’s a huge 
swath of contexts where applications won’t notice if a certificate is revoked.

        It begs the question … how relevant is certificate revocation nowadays? 
How big of a problem is it if TLS validity checks ignore it?

Cheers,
-Felipe Gasper
Mississauga, Ontario
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
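To make concrete what a "simple client query" against OCSP involves, the following is an added example (not code from the original post, and not mbedTLS's or any library's own implementation). It uses the Python `cryptography` package to build a throwaway CA and leaf certificate in memory, has the CA answer an OCSP request as its own responder, and then runs the checks a TLS client has to perform on the reply before trusting it: response status, matching serial, responder identity, signature, and freshness window. The CA name, host name, validity periods and clock-skew allowance are all constructed here for illustration; nothing touches the network.

```python
"""Minimal RFC 6960-shaped OCSP query and verification with a constructed PKI.

Added example; all keys, certificates and times are generated locally.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID


def _now_utc():
    # Naive UTC datetime: accepted by every cryptography release's OCSP builder.
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def _make_cert(common_name, subject_key, issuer_cert, issuer_key, is_ca):
    """Sign a certificate for subject_key; issuer_cert=None means self-signed."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    now = _now_utc()
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=90))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def make_pki():
    """Constructed test PKI (hypothetical names): returns (ca_cert, ca_key, leaf_cert)."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_cert = _make_cert("Example Test CA", ca_key, None, ca_key, True)
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf_cert = _make_cert("www.example.test", leaf_key, ca_cert, ca_key, False)
    return ca_cert, ca_key, leaf_cert


def _key_hash(cert):
    # SHA-1 over the subjectPublicKey BIT STRING contents, as RFC 6960 defines KeyHash.
    raw = cert.public_key().public_bytes(
        serialization.Encoding.X962, serialization.PublicFormat.UncompressedPoint)
    h = hashes.Hash(hashes.SHA1())
    h.update(raw)
    return h.finalize()


def build_ocsp_request(leaf_cert, ca_cert):
    """Client side: DER OCSPRequest naming leaf_cert by issuer hashes plus serial."""
    req = ocsp.OCSPRequestBuilder().add_certificate(leaf_cert, ca_cert, hashes.SHA1()).build()
    return req.public_bytes(serialization.Encoding.DER)


def answer_ocsp_request(request_der, leaf_cert, ca_cert, ca_key, revoked):
    """Responder side (the CA answering for itself): DER OCSPResponse for request_der."""
    req = ocsp.load_der_ocsp_request(request_der)
    if req.issuer_key_hash != _key_hash(ca_cert) or req.serial_number != leaf_cert.serial_number:
        raise ValueError("request is not about a certificate this responder knows")
    now = _now_utc()
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=leaf_cert,
        issuer=ca_cert,
        algorithm=hashes.SHA1(),
        cert_status=ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
        this_update=now,
        next_update=now + datetime.timedelta(hours=1),
        revocation_time=now - datetime.timedelta(hours=1) if revoked else None,
        revocation_reason=x509.ReasonFlags.key_compromise if revoked else None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def _aware(resp, field):
    # Newer cryptography exposes aware *_utc properties; older releases only naive UTC.
    if hasattr(resp, field + "_utc"):
        return getattr(resp, field + "_utc")
    v = getattr(resp, field)
    return None if v is None else v.replace(tzinfo=datetime.timezone.utc)


def check_ocsp_response(response_der, leaf_cert, ca_cert, now=None):
    """Client side: return 'good', 'revoked' or 'unknown' only after the reply is
    well-formed, about this certificate, signed by the issuer key and current.
    Every failed check raises; nothing here falls back to treating the cert as good."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError(f"responder error: {resp.response_status}")
    if resp.serial_number != leaf_cert.serial_number:
        raise ValueError("response is for a different certificate")
    # Issuer-signed responses are one authorized-responder case in RFC 6960; a
    # delegated responder would instead need its own certificate validated here.
    if resp.responder_key_hash != _key_hash(ca_cert):
        raise ValueError("response not signed by the issuer's key")
    ca_cert.public_key().verify(
        resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
    this_update, next_update = _aware(resp, "this_update"), _aware(resp, "next_update")
    skew = datetime.timedelta(minutes=5)  # constructed clock-skew allowance
    if this_update - skew > now or (next_update is not None and next_update + skew < now):
        raise ValueError("response outside its validity window")
    return resp.certificate_status.name.lower()
```

The stapling variant differs only in transport: the server fetches the same DER response from the responder and sends it in the `status_request` extension, and the client runs exactly `check_ocsp_response` on it. The point the post raises is visible in the last function: a client that skips it never learns a revoked certificate was revoked, and a client that runs it but treats any `ValueError` as "good" (soft-fail) is in the same position against an attacker who can block the responder.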