On Wednesday 07 Dec 2011 04:19:09 Kai Engert wrote:
<snip>
> I haven't researched, but has anyone already thought of distributing
> OCSP records using DNS in general?
>
> If we had OCSP-in-DNS, we might not even require OCSP stapling. This
> could run as a service completely independent of the SSL servers - only
> clients would need to be updated to fetch OCSP from DNS - does this make
> sense?
Hi Kai.

We discussed OCSP-in-DNS over at m.d.s.policy earlier this year...
https://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/a5f14bbd3159c44f/446abd478dc847ec
(it's a long thread, but it does contain a lot of useful thoughts)

Recalling that discussion, Gerv recently said...
https://mail1.eff.org/pipermail/observatory/2011-September/000405.html
"...the arguments for something DNS-based are IMO very strong (much better privacy story, very hard to DOS, cached and distributed)."

Peter Gutmann lists numerous deficiencies with the OCSP protocol - e.g. see here...
https://mail1.eff.org/pipermail/observatory/2011-September/000330.html

I think that any future DNS-based certificate status checking protocols should at least consider addressing some of these issues.

<snip>

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto