On 9-Jan-09, at 9:38 AM, Michael Ströder wrote:

> Johnathan Nightingale wrote:
>> To give you a somewhat recent example, we were strong proponents of mandatory OCSP support by 2010 because we think it's better for the health of the net to have high-availability revocation information available for high-assurance certs, despite the arguments from some quarters that it would be too costly to support on high-traffic sites.
>
> Can OCSP still be disabled? Personally, I have strong privacy concerns, since when checking a server cert via OCSP the OCSP responder knows which server you are trying to access (because the FQDN is in the server cert's subject DN).

You can disable it, although EV certs will stop being treated as EV in that case (since bug 405139).

You may also be interested in the work on OCSP stapling, so that no third party learns about your browsing, but you still get a CA-signed OCSP response. The CAs are interested in this too, since it takes the load off of them for high-traffic sites.
Cheers,
J
---
Johnathan Nightingale
Human Shield
john...@mozilla.com
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto