Package: wget
Version: 1.16.3-2
Severity: wishlist
Tags: upstream
Forwarded: https://savannah.gnu.org/bugs/?43799
CRL checking has been implemented (--crl-file option), but except
in some particular cases, it is not very useful in practice as
there seems to be no way to get a comprehensive CRL file.
So, OCSP + OCSP stapling should be implemented. There should be
an option allowing the user to choose what to do if no stapling
information is provided: either return a failure, or use conventional
OCSP (with a failure if this fails too).
Notes:
* OCSP stapling isn't implemented on every server, but neither is
https anyway. Users should be encourage to complain at server
admins if this is not the case.
* Conventional OCSP has (minor) privacy issues, hence the choice to
get a failure instead of using conventional OCSP as a fallback.
Unchecked certificate revocation could lead to much more critical
privacy leak in case of MITM attack. And also note that DNS and
e-mail also have privacy issues (but people still use them) and
most users leave more important private data so that they probably
don't care.
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1,
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages wget depends on:
ii libc6 2.19-17
ii libgnutls-deb0-28 3.3.8-6
ii libidn11 1.29-1+b2
ii libnettle4 2.7.1-5
ii libpcre3 2:8.35-3.3
ii libpsl0 0.5.1-1
ii libuuid1 2.25.2-5
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages wget recommends:
ii ca-certificates 20141019
wget suggests no packages.
-- no debconf information
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]