Hi Carl, On 01/04/15 06:16, Carl Mehner wrote: > If we do want to put these type of considerations in the draft, > maybe the security considerations section is the best place. > Something along the lines of: > > When preparing to use the new certificate received from a issuance or > refresh, the client software should check that the OCSP response from > the certificate authority is valid before enabling the new certificate > for use in the server system. If the OCSP response is requested too > early by the server system, a 'revoked' or 'unknown' OCSP response may > be cached and cause browsers to fail connection attempts.
Maybe. OTOH, my "client s/w" in this case is the openssl CLI and that's fairly gigantically crap. I did get it to emit an OCSP request that was sent somewhere but only ever got an error response. Before I figured that out I found the set of postings from other folks who'd suffered the same issue so I stopped playing. I'd argue that stuff like this ought be catered for by acme, but we can have that discussion down the road when/if we're standardising the protocol in a wg. S. PS: My Cullen-moment here was also extended because I got bad warnings from browsers - FF said "bad issuer" and it was only when I got to my phone and running the qualsys tests that I saw that it was actually an ocsp issue. _______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
