On Fri, Jun 29, 2012 at 11:37 AM, Alexey Melnikov <[email protected]> wrote:
> On 29/06/2012 17:45, Steingruebl, Andy wrote:
>>>
>>> -----Original Message-----
>>> From: Alexey Melnikov [mailto:[email protected]]
>>>
>>> Maybe this is not a good example, but I am thinking that something like
>>> OCSP retrieval failing on the client side is not something that would
>>> show up in the webserver logs.
>>
>> Sure, but doesn't the OCSP site know whether it has set HSTS?
>
> You might be thinking of a different usage of OCSP.
>
> I was thinking about: a browser gets a certificate from TLS. It tries to
> verify it using OCSP against a third-party OCSP server. The OCSP server is
> down. Now the website the browser is trying to access is effectively down
> with HSTS enabled.

Right, this is why browsers don't use OCSP. The problem here is OCSP, not HSTS.

Adam

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
