On Wed, Dec 05, 2018 at 07:07:30AM +0300, Daniel Kahn Gillmor wrote:
> One mitigating factor of the ETSI standard, i suppose, is that the
> CABForum's Baseline Requirements forbid issuance of a certificate with
> any subjectAltName other than dNSName or iPAddress, so otherName looks
> like it must
I was trying to sort out concrete, specific advice for OCSP stapling
that provides security benefits for the server (and not just performance
and privacy benefits). Either i'm easily confused, or it's a mess. I
hope it's the former, please unconfuse me!
Given the IAB's statement from nearly two
> * the status_request TLS extension doesn't provide a mechanism for
>   stapling OCSP for intermediate certs.
Nobody does this. There's a handful of reasons, but the end result is: nobody
does this.
> So i think this is a big swirling mishmash of not-quite-compatible and
> not-qu