I think this is of general interest, so I’m posting here rather than poking
friends I know.
Browsers are phasing out doing OCSP queries themselves. The common
justification, which makes sense to me, is that there are privacy concerns
about leaking where a user is surfing.
My question is, what are browsers doing, and planning on doing, about OCSP
stapled responses? I think there are three possibilities:
  1. No stapled response
  2. A stapled, valid, “good” response
  3. A stapled, expired or “bad” response
I can imagine two possibilities, proceeding or popping up a warning page. I
haven’t seen the warning when there is no OCSP response, but maybe that does
happen.
We’re still going to staple good responses, when we have them, but I am
wondering if long-term we should still bother?
_______________________________________________
TLS mailing list
https://www.ietf.org/mailman/listinfo/tls