On Thu, 10 Apr 2014, Kurt Roeckx wrote:
> What we really need is OCSP stapling. That would mean that the server asks the CA for the OCSP response and adds that response in the TLS session, and the client doesn't have to contact the CA anymore to ask for the status. Only the server would need to contact the CA. The server should have enough time to be able to refresh the OCSP response, which is valid for maximum 10 days.
Yes, agreed. Unfortunately not many sites enable it. I think it'd be productive to have Debian-packaged SSL _servers_ all support and document and maybe default to OCSP stapling, so that in a few years, maybe we can have the start of a working revocation protocol. Sadly, there isn't one right now, so I don't think there's anything we can do today.
This documentation seems to imply that upstream Apache HTTPD does not usefully support stapling when intermediate certs are in play, which is basically always:
https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslusestapling
> I'm hearing some vague cases why OCSP mandatory checking can't be enabled by default because some users can't contact the OCSP server. I've never had this problem myself and I think I've seen way too many weird setups already to not consider this a real problem.
Well, you'll have the problem as soon as you're being MITM'd. A cert verification solution that works fine when nobody's MITMing you is not particularly useful. :-)
-- Geoffrey Thomas https://ldpreload.com geo...@ldpreload.com
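As an added illustration of the stapling setup the thread is discussing (this is example configuration written for this page, not from the Debian package, the Apache project or the linked documentation), here is a minimal mod_ssl vhost with stapling on and the intermediate chain supplied so mod_ssl can locate the issuer when it builds the OCSP request; the file paths and hostname are placeholders.

```apache
# Stapling cache MUST be defined at server-config level (outside any
# <VirtualHost>), otherwise SSLUseStapling is silently ineffective.
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

<VirtualHost *:443>
    ServerName www.example.org            # placeholder hostname
    SSLEngine on

    # Assumed placeholder paths. The leaf cert file carries the full
    # chain (leaf + intermediates); mod_ssl needs the issuer cert to
    # build the OCSP request, so a leaf-only file stops stapling from
    # working even though the TLS handshake itself still succeeds.
    SSLCertificateFile    "/etc/ssl/example/fullchain.pem"
    SSLCertificateKeyFile "/etc/ssl/example/privkey.pem"

    SSLUseStapling on

    # Don't forward responder errors ("tryLater", "unauthorized", ...)
    # to clients: a stapled error is treated as a hard failure by
    # clients, whereas no staple merely falls back to the client's own
    # (usually soft-fail) check.
    SSLStaplingReturnResponderErrors off

    # Fail the responder fetch quickly rather than stalling handshakes
    # while the cached good response is still valid.
    SSLStaplingResponderTimeout 5

    # Re-fetch well inside the response's validity window (the thread
    # notes responses are valid at most 10 days) so a stale staple is
    # never sent; 1 hour here is a conservative placeholder.
    SSLStaplingStandardCacheTimeout 3600
    SSLStaplingErrorCacheTimeout 300
</VirtualHost>

# Verification from a client (run against the live host):
#   openssl s_client -connect www.example.org:443 -status </dev/null
# A working setup prints "OCSP Response Status: successful (0x0)" with
# a "Cert Status: good" line; "OCSP response: no response sent" means
# the server is not stapling (commonly a missing intermediate cert).
```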