On Tue, Dec 11, 2018 at 1:03 AM Daniel Kahn Gillmor <[email protected]> wrote:
> I'd be interested in hearing the reasons enumerated. It seems to me
> like being able to promptly revoke an intermediate certificate is a
> useful bit of mechanism. Is it just because we hope the major browsers
> are clever and responsive enough that they'll push out a CRLset (or
> equivalent) when they hear of an intermediate that is found to be
> violating the BRs?
Yeah, from the browser side of things, we tend to rush out updates when an intermediate is revoked. I don't think that there is any reason we would prevent stapling in TLS 1.3, other than the extensions being hard to plumb through. NSS throws them away and doesn't have an API surface for exposing the information. It's fairly tricky getting all this stuff where it is needed.

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
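The "extensions being hard to plumb through" point refers to the fact that in TLS 1.3 a stapled OCSP response travels as a status_request extension attached to each individual CertificateEntry (RFC 8446 section 4.4.2), so a stack has to carry per-certificate extension data out of the Certificate message to know whether an intermediate's status was stapled at all. The parser below is an added example, not code from the thread or from NSS; it walks a Certificate message body and reports which chain positions carry a stapled response, using a constructed sample with placeholder bytes in place of real DER.

```python
STATUS_REQUEST = 5      # extension type "status_request" (RFC 6066 / RFC 8446)
STATUS_TYPE_OCSP = 1    # CertificateStatusType.ocsp

def _u(b, off, n):
    """Read an n-byte big-endian unsigned integer at offset off; return (value, new offset)."""
    return int.from_bytes(b[off:off + n], "big"), off + n

def parse_certificate_body(body):
    """Parse a TLS 1.3 Certificate handshake body (RFC 8446 section 4.4.2).
    Returns one dict per CertificateEntry, in chain order (index 0 = end-entity)."""
    n, off = _u(body, 0, 1)
    off += n  # skip certificate_request_context
    list_len, off = _u(body, off, 3)
    end = off + list_len
    entries = []
    while off < end:
        cert_len, off = _u(body, off, 3)
        cert, off = body[off:off + cert_len], off + cert_len
        ext_len, off = _u(body, off, 2)
        ext_end, ocsp = off + ext_len, None
        while off < ext_end:  # per-entry extensions: this is where the staple lives
            etype, off = _u(body, off, 2)
            elen, off = _u(body, off, 2)
            edata, off = body[off:off + elen], off + elen
            if etype == STATUS_REQUEST and edata and edata[0] == STATUS_TYPE_OCSP:
                rlen = int.from_bytes(edata[1:4], "big")
                ocsp = edata[4:4 + rlen]  # DER OCSPResponse; not decoded here
        if off != ext_end:
            raise ValueError("malformed CertificateEntry extensions")
        entries.append({"cert": cert, "ocsp_response": ocsp})
    if off != end:
        raise ValueError("malformed certificate_list")
    return entries

def stapling_coverage(body):
    """True at each chain position that carries a stapled OCSP response."""
    return [e["ocsp_response"] is not None for e in parse_certificate_body(body)]

# Builders for a constructed sample message (placeholder bytes, no real certificates).
def _vec(data, lenbytes):
    return len(data).to_bytes(lenbytes, "big") + data

def _entry(cert, ocsp=None):
    exts = b""
    if ocsp is not None:
        exts = STATUS_REQUEST.to_bytes(2, "big") + _vec(bytes([STATUS_TYPE_OCSP]) + _vec(ocsp, 3), 2)
    return _vec(cert, 3) + _vec(exts, 2)

# Leaf with a stapled response, intermediate without one: coverage is [True, False].
SAMPLE = _vec(b"", 1) + _vec(_entry(b"LEAF-DER", b"OCSP-DER") + _entry(b"INT-DER"), 3)
```

A `False` at index 1 or higher is exactly the case the thread discusses: the intermediate's revocation status was not stapled, so the client is relying on out-of-band mechanisms such as a pushed CRLset.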
