On Friday, 16 September 2022 17:42:08 CEST, Salz, Rich wrote:
> I think this is of general interest, so I’m posting here rather than poking friends I know.
>
> Browsers are phasing out doing OCSP queries themselves. The common justification, which makes sense to me, is that there are privacy concerns about leaking where a user is surfing.
>
> My question is, what are browsers doing, and planning on doing, about OCSP stapled responses? I think there are three possibilities:
>
> - No stapled response
> - A stapled, valid, “good” response
> - A stapled, expired or “bad” response
>
> I can imagine two possibilities, proceeding or popping up a warning page. I haven’t seen the warning when there is no OCSP response, but maybe that does happen.
>
> We’re still going to staple good responses, when we have them, but I am wondering if long-term we should still bother?
1. There is RFC 7633.
2. As long as certificates with long lifetimes (a year or more) are common, I think it's useful.

The problem is that OCSP and OCSP stapling are not features making headlines; next to nobody will be deploying a self-compiled NGINX or Apache just to get support for OCSP stapling. So in practice, for OCSP stapling to become common, the implementations of those need to filter down to long-term supported distributions...
--
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
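As an added example (not part of either message above), the following script classifies what a server actually staples into the three outcomes Rich lists: no response, a good response, or an expired/bad one. It assumes the textual layout that `openssl s_client -status` prints (the literal line `OCSP response: no response sent`, otherwise `OCSP Response Status:`, `Cert Status:` and `Next Update:` lines); the sample dumps embedded below are constructed, not captured from any real host.

```python
"""Classify a stapled OCSP response from `openssl s_client -status` output.

Added example, not code from the thread. Assumes OpenSSL's s_client text
layout for the -status option (see the field regexes below).
"""
import re
from datetime import datetime, timezone

# Fields we need from an OpenSSL-style dump of the stapled response.
_RESP_STATUS = re.compile(r"OCSP Response Status:\s*(\w+)")
_CERT_STATUS = re.compile(r"Cert Status:\s*(\w+)")
_NEXT_UPDATE = re.compile(r"Next Update:\s*(.+)")


def staple_probe_command(host: str, port: int = 443) -> list:
    """argv for asking a server to staple; feed its stdout to classify_staple()."""
    return ["openssl", "s_client", "-connect", f"{host}:{port}",
            "-servername", host, "-status"]


def classify_staple(s_client_output: str, now: datetime) -> str:
    """Return 'none', 'good' or 'bad' for the stapled response in the dump.

    'bad' covers a non-successful responder status, a certificate status
    other than good (revoked/unknown), and a response whose Next Update
    is already in the past -- the "expired or bad" case from the thread.
    """
    if "no response sent" in s_client_output:
        return "none"
    m = _RESP_STATUS.search(s_client_output)
    if not m or m.group(1) != "successful":
        return "bad"
    m = _CERT_STATUS.search(s_client_output)
    if not m or m.group(1) != "good":
        return "bad"
    m = _NEXT_UPDATE.search(s_client_output)
    if m:
        # OpenSSL prints times like "Sep 23 12:00:00 2022 GMT" (UTC).
        next_update = datetime.strptime(
            m.group(1).strip(), "%b %d %H:%M:%S %Y GMT"
        ).replace(tzinfo=timezone.utc)
        if next_update <= now:
            return "bad"
    return "good"


# Constructed sample dumps (shape of s_client -status output, not real hosts).
NO_STAPLE = "CONNECTED(00000003)\nOCSP response: no response sent\n"

GOOD_STAPLE = """OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Sep 16 12:00:00 2022 GMT
    Next Update: Sep 23 12:00:00 2022 GMT
"""

REVOKED_STAPLE = GOOD_STAPLE.replace("Cert Status: good", "Cert Status: revoked")

if __name__ == "__main__":
    now = datetime(2022, 9, 17, tzinfo=timezone.utc)
    for name, dump in [("none", NO_STAPLE), ("good", GOOD_STAPLE),
                       ("revoked", REVOKED_STAPLE)]:
        print(name, "->", classify_staple(dump, now))
    # The same good staple, checked a month later, has gone stale.
    print("stale ->", classify_staple(GOOD_STAPLE, datetime(2022, 10, 1, tzinfo=timezone.utc)))
```

Run `python3 check_staple.py` for the constructed cases, or pipe a live probe through it with `staple_probe_command()`; a server that staples but lets `Next Update` lapse shows up as `bad`, which is exactly the case a browser has to decide whether to warn about.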
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls