Now we have ACME, why not move to 3-day certs issued daily and avoid the need 
for revocation entirely?


For your use case – perhaps. For mine – no way.


On Fri, Sep 16, 2022 at 11:43 AM Salz, Rich <rsalz=40akamai....@dmarc.ietf.org> 
wrote:

I think this is of general interest, so I’m posting here rather than poking 
friends I know.


Browsers are phasing out doing OCSP queries themselves. The common 
justification, which makes sense to me, is that there are privacy concerns 
about leaking where a user is surfing.


My question is, what are browsers doing, and planning, on doing about OCSP 
stapled responses? I think there are three possibilities:

  1. No stapled response
  2. A stapled, valid, “good” response
  3. A stapled, expired or “bad” response


I can imagine two possibilities, proceeding or popping up a warning page. I 
haven’t seen the warning when there is no OCSP response, but maybe that does 
happen.


We’re still going to staple good responses, when we have them, but I am 
wondering if long-term we should still bother?


_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
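An added example, not part of the thread above and not code from any list participant: a small checker that sorts a server's stapling behaviour into the three cases Rich lists (no staple, a fresh "good" staple, and an expired or non-good staple) by parsing the text that `openssl s_client -connect host:443 -status` prints. The sample outputs below are constructed to match OpenSSL's printing format rather than captured from any real host, and the `AS_OF` / `LATER` timestamps are assumed values chosen so the same staple reads as fresh at one time and stale at the other. An operator can run the real command, save its output to a file, and feed that file to `classify_staple` to confirm that what they are stapling is what a client will actually see.

```python
import re
import sys
from datetime import datetime, timezone

# OpenSSL prints ASN.1 times as e.g. "Sep 23 00:00:00 2022 GMT" (single-digit
# days are padded with a space, which strptime tolerates).
OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"

# Assumed evaluation times (constructed for the example, not from the thread).
AS_OF = datetime(2022, 9, 17, 12, 0, 0, tzinfo=timezone.utc)   # inside the staple's window
LATER = datetime(2022, 10, 1, 12, 0, 0, tzinfo=timezone.utc)   # after Next Update

# Constructed samples modelled on `openssl s_client -status` output.
SAMPLE_NO_STAPLE = """CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
"""

SAMPLE_GOOD = """CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Sep 16 00:00:00 2022 GMT
    Next Update: Sep 23 00:00:00 2022 GMT
======================================
---
"""

SAMPLE_REVOKED = """CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: revoked
    Revocation Time: Sep 15 08:00:00 2022 GMT
    This Update: Sep 16 00:00:00 2022 GMT
    Next Update: Sep 23 00:00:00 2022 GMT
======================================
---
"""


def classify_staple(s_client_output, now=None):
    """Return 'none', 'good' or 'bad' for the stapled OCSP response shown in
    `openssl s_client -status` output.

    'bad' covers a responder error, a non-good cert status, and a staple whose
    Next Update has already passed (a client treats a stale staple as useless).
    """
    if now is None:
        now = datetime.now(timezone.utc)

    if "OCSP response: no response sent" in s_client_output:
        return "none"

    status = re.search(r"Cert Status:\s*(\w+)", s_client_output)
    if status is None or status.group(1) != "good":
        # Either the responder did not answer "successful" (no Cert Status
        # line at all) or the certificate is revoked/unknown.
        return "bad"

    next_update = re.search(r"Next Update:\s*(.+ GMT)", s_client_output)
    if next_update is not None:
        expires = datetime.strptime(next_update.group(1).strip(), OPENSSL_TIME)
        expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            return "bad"  # stapled response has expired

    return "good"


if __name__ == "__main__":
    # Usage: python staple_check.py < saved_s_client_output.txt
    # With no stdin data, walk the constructed samples instead.
    if not sys.stdin.isatty():
        print(classify_staple(sys.stdin.read()))
    else:
        for name, sample in (("no staple", SAMPLE_NO_STAPLE),
                             ("good", SAMPLE_GOOD),
                             ("revoked", SAMPLE_REVOKED)):
            print(f"{name:>9}: now={classify_staple(sample, AS_OF)} "
                  f"later={classify_staple(sample, LATER)}")
```

The classifier deliberately lumps "expired" together with "revoked" and responder errors, matching the third bucket in the question: from a client's point of view a staple that is past its Next Update carries no more information than none at all, so a server that staples but lets the cached response go stale has done the work for nothing.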
