Reading the discussion so far, I want to raise something to consider.

There are separate questions that shouldn't be confused:
1. Is OCSP stapling with soft-fail (absent further enforcement
mechanisms like must-staple) actually useful?
2. Should server operators enable OCSP stapling?

For 1. one can reasonably argue that it is not, as an attacker can
potentially rely on the soft-fail property.

However for a server operator the question isn't just whether OCSP
stapling serves its purpose. A server operator naturally will have to
deal with a variety of clients that have a variety of behaviors. Some
clients will do OCSP requests when no stapled response is sent.

Thus even if you think OCSP stapling and the whole process of revocation
is useless, there are still good reasons for a server operator to enable
stapling:
1. It avoids an extra connection for clients to the OCSP server, thus
making client connections potentially faster.
2. It avoids a potential privacy issue for clients who would otherwise
leak their intent to connect to a specific host to their CA.

tl;dr I think enabling OCSP stapling on servers almost always makes
sense.

-- 
Hanno Böck
https://hboeck.de/

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
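As an added illustration of the two points above (not code from the post or from its author), the Go program below runs a loopback TLS handshake twice, once with the server's OCSPStaple field left empty and once with a staple configured, and reports what the client saw in the status_request response. Go's client requests stapling by default, so this shows the one server-side change the post recommends. The stapled bytes are a constructed placeholder, not a real DER-encoded OCSP response, and `decide` is a deliberately simplified model of the client policies discussed (soft-fail, own OCSP fetch, must-staple), not any real browser's logic; the certificate is a throwaway self-signed one generated at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Decision is what a client does about revocation once the handshake is done.
type Decision string

const (
	Accept      Decision = "accept"
	Reject      Decision = "reject"
	AcceptFetch Decision = "accept after the client's own OCSP fetch" // extra round trip, CA learns the target
)

// selfSignedLeaf generates a throwaway ECDSA certificate for 127.0.0.1 so the
// demo runs fully offline (assumption: no real PKI involved).
func selfSignedLeaf() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "ocsp-staple-demo"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// handshake runs one loopback TLS handshake. The server staples `staple`
// (nil means stapling disabled) and the function returns whatever bytes the
// client received in the status_request response.
func handshake(staple []byte) ([]byte, error) {
	cert, err := selfSignedLeaf()
	if err != nil {
		return nil, err
	}
	cert.OCSPStaple = staple // the entire server-side change: provide a staple
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		srv := tls.Server(c, &tls.Config{Certificates: []tls.Certificate{cert}})
		_ = srv.Handshake()
		srv.Close()
	}()
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf) // trust only the demo certificate
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool})
	if err != nil {
		return nil, err
	}
	defer cli.Close()
	return cli.ConnectionState().OCSPResponse, nil
}

// decide models the client policies under discussion (simplified, not a real
// implementation). With a staple the client checks it locally (validation of
// the response itself is out of scope here). Without one, must-staple rejects;
// otherwise the client contacts the CA's responder itself, and if that is
// blocked a soft-fail client proceeds anyway, which is the gap an attacker
// who can block the responder relies on.
func decide(stapled []byte, responderReachable, softFail, mustStaple bool) Decision {
	switch {
	case len(stapled) > 0:
		return Accept
	case mustStaple:
		return Reject
	case responderReachable:
		return AcceptFetch
	case softFail:
		return Accept
	default:
		return Reject
	}
}

func main() {
	for _, staple := range [][]byte{nil, []byte("constructed placeholder, not real DER")} {
		got, err := handshake(staple)
		if err != nil {
			panic(err)
		}
		fmt.Printf("stapled=%q -> soft-fail client, responder blocked: %s\n",
			got, decide(got, false, true, false))
	}
}
```

The first iteration (no staple, responder blocked, soft-fail) accepts, which is the weakness in question 1; the second accepts on the strength of the staple alone, with no round trip to the CA, which is the latency and privacy benefit in question 2.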
