On 02/09/2012 02:20 AM, From Brian Smith:
Effectively, we would be making the most popular servers on the internet faster, and giving them a significant competitive advantage over less popular servers. I am not sure this is compatible with Mozilla's positions on net neutrality and related issues.

Yes, certainly it isn't - this is about Google and not Mozilla. And I don't expect Mozilla not to check the status of a certificate either (or at least to attempt to check...).

AFAICT, improving the situation for the top 500 sites (only) would be the 
argument for *mandatory* OCSP stapling and against implementing Google's 
mechanism.

Agreed. (I would like to add that we should consider the top 500 secured sites when speaking about those, where essential traffic is generated in SSL mode.)

The 500 biggest sites on the internet all have plenty of resources to figure 
out how to deploy OCSP stapling.

Absolutely.

The issue with OCSP stapling is the long tail of websites, that don't have 
dedicated teams of sysadmins to very carefully change the firewall rules to 
allow outbound connections from some servers.

I believe stapling will be successful when web servers do it by default. This is entirely possible and wouldn't require a lot of knowledge from the admins. The majority will never turn it on if it's only optional.

A better (than "favor the Alexa 500") solution may be to do auto-load CRLs for 
the sub-CA that handles EV roots

That's a very good idea (and for the reasons you stated).

However, I don't think we should reject Google's improvement here because it 
isn't perfect. OCSP fetching is frankly a stupid idea, and AFAICT, we're all 
doing it mostly because everybody else is doing it and we don't want to look 
less secure.

Well, in fact the Mozilla-based browsers were among the first to successfully support OCSP. Most, if not all, other browsers either didn't even exist at that time or didn't support OCSP (and CRL checking was not turned on by default either).

--
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:    start...@startcom.org
Blog:    http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
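As an added illustration of what "web servers do it by default" would look like in practice (this is an example added here, not configuration from the thread or from either poster), the following shows an nginx server block with OCSP stapling left off, which is nginx's default and leaves every client to contact the CA's OCSP responder itself, beside the same block with stapling enabled so the server fetches and caches the response and staples it into the TLS handshake. The directive names are nginx's own; the hostname, certificate paths and resolver address are placeholders.

```nginx
# Constructed example, not from the mailing-list thread. Hostname, certificate
# paths and the resolver address are placeholders to be replaced.

# --- Before: stapling off (the nginx default). The server never fetches OCSP;
# every client must reach the CA's OCSP responder itself on a fresh connection.
server {
    listen 443 ssl;
    server_name example.test;                              # placeholder

    ssl_certificate     /etc/ssl/example/fullchain.pem;    # placeholder
    ssl_certificate_key /etc/ssl/example/privkey.pem;      # placeholder
}

# --- After: the server fetches the OCSP response for its own certificate,
# caches it, and sends it inside the handshake (RFC 6066 status_request).
server {
    listen 443 ssl;
    server_name example.test;                              # placeholder

    ssl_certificate     /etc/ssl/example/fullchain.pem;    # placeholder
    ssl_certificate_key /etc/ssl/example/privkey.pem;      # placeholder

    ssl_stapling on;
    # Have nginx verify the fetched OCSP response against the issuer chain
    # before stapling it, so a bad or foreign response is never passed on.
    ssl_stapling_verify on;
    # Issuer certificate(s) of the leaf, used for that verification.
    ssl_trusted_certificate /etc/ssl/example/chain.pem;    # placeholder

    # The responder URL comes from the certificate's AIA extension; nginx needs
    # a resolver to look up that hostname. Address is a placeholder (TEST-NET).
    resolver 192.0.2.53 valid=300s;
    resolver_timeout 5s;
}
```

Two operational points follow from the thread's own concern about firewalls: the server host needs outbound HTTP to the OCSP responder named in the certificate's AIA field, which is exactly the outbound rule the "long tail" rarely opens, and nginx fetches the response lazily, so the first handshake after a restart is typically served without a stapled response. Whether stapling is actually working can be checked from a client with `openssl s_client -connect example.test:443 -status`, which prints the stapled response (look for "OCSP Response Status: successful") when one was sent and "OCSP response: no response sent" otherwise.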