On Thu, Apr 10, 2014 at 11:10:11AM -0700, Geoffrey Thomas wrote:
> On Thu, 10 Apr 2014, Kurt Roeckx wrote:
>
> > I'm hearing some vague cases why OCSP mandatory checking can't be
> > enabled by default because some users can't contact the OCSP
> > server. I've never had this problem myself and I think I've seen
> > way too many weird setups already to not consider this a real
> > problem.
>
> Well, you'll have the problem as soon as you're being MITM'd. A cert
> verification solution that works fine when nobody's MITMing you is not
> particularly useful. :-)
So if I'm understanding it right, we're not checking OCSP because the check might fail when there is a MITM attack, and we want to pretend nothing is going on in that case? That looks like a very good reason.

Kurt
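As an added illustration (not part of the thread, and not Debian's or OpenSSL's code): a small model of the soft-fail vs hard-fail OCSP policy being argued about. The responder, the serial numbers and the "blocked network" flag are constructed stand-ins; the point is that under soft-fail an unreachable responder is indistinguishable from a "good" answer, which is exactly the condition an on-path attacker can create.

```python
# Added example modelling OCSP soft-fail vs hard-fail; all inputs are constructed.
from dataclasses import dataclass, field

# Constructed: serial numbers the stand-in responder reports as revoked.
REVOKED_SERIALS = {0x2A}


class ResponderUnreachable(Exception):
    """The OCSP responder could not be contacted (timeout, blocked path, ...)."""


def ocsp_responder(serial: int, network_blocked: bool) -> str:
    """Stand-in responder: 'good' or 'revoked', or an error when the path is blocked."""
    if network_blocked:
        raise ResponderUnreachable("no route to responder")
    return "revoked" if serial in REVOKED_SERIALS else "good"


@dataclass
class Verifier:
    hard_fail: bool                              # True: treat "no answer" as failure
    events: list = field(default_factory=list)   # audit trail for monitoring

    def accepts(self, serial: int, network_blocked: bool) -> bool:
        """Decide whether to accept a certificate with the given serial."""
        try:
            status = ocsp_responder(serial, network_blocked)
        except ResponderUnreachable as exc:
            # The crux of the thread: whoever can MITM the TLS session can also
            # block this query, so soft-fail silently turns "unknown" into "accepted".
            self.events.append(("ocsp_unreachable", serial, str(exc)))
            return not self.hard_fail
        self.events.append(("ocsp_" + status, serial))
        return status == "good"


def unreachable_count(verifier: Verifier) -> int:
    """Number of decisions taken without a responder answer; a spike is worth alerting on."""
    return sum(1 for e in verifier.events if e[0] == "ocsp_unreachable")


if __name__ == "__main__":
    soft, hard = Verifier(hard_fail=False), Verifier(hard_fail=True)
    for v in (soft, hard):
        print(type(v).__name__, "hard_fail=%s" % v.hard_fail,
              "revoked+reachable:", v.accepts(0x2A, network_blocked=False),
              "revoked+blocked:", v.accepts(0x2A, network_blocked=True))
```

With the responder blocked, the soft-fail verifier accepts the revoked serial while the hard-fail one rejects it; the `ocsp_unreachable` events are the signal a defender would watch for either way.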