One of the problems with OCSP is the hardfail issue. Stapling reduces latency when a valid OCSP token is supplied, but it doesn't allow a server to hardfail if the token isn't provided, as there is currently no way for a client to know whether a token is missing because the server has been borked or because the server doesn't staple.
This draft corrects the problem. It has been in IETF limbo due to the OID registry moving, but I now have a commitment from the AD that they will approve the OID assignment if there is support for this proposal from a browser provider:

https://tools.ietf.org/html/draft-hallambaker-tlsfeature-02

So, anyone in Mozilla space willing to co-author?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
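The client-side check the draft makes possible, as an added example (not code from the post or the draft): decode the certificate's TLS feature extension and decide whether a missing staple may be hard-failed. It assumes the draft's `TLSFeatures ::= SEQUENCE OF INTEGER` encoding, that `status_request` is TLS extension type 5, and that the caller has already pulled the raw extension value out of the certificate (the OID was still unassigned when this message was written).

```python
from typing import List, Optional

STATUS_REQUEST = 5  # TLS extension type for OCSP stapling (RFC 6066)


def parse_tls_features(der: bytes) -> List[int]:
    """Decode a DER TLSFeatures value (SEQUENCE OF INTEGER) into a list of ints.

    Only short-form lengths are handled; that is all this tiny extension needs,
    and anything else is rejected rather than guessed at.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("TLSFeatures must be a DER SEQUENCE")
    seq_len = der[1]
    if seq_len & 0x80 or 2 + seq_len != len(der):
        raise ValueError("bad or unsupported SEQUENCE length")
    body, feats, i = der[2:], [], 0
    while i < len(body):
        if body[i] != 0x02 or i + 1 >= len(body):
            raise ValueError("TLSFeatures entries must be INTEGERs")
        n = body[i + 1]
        if n == 0 or n & 0x80 or i + 2 + n > len(body):
            raise ValueError("bad INTEGER length")
        feats.append(int.from_bytes(body[i + 2:i + 2 + n], "big", signed=True))
        i += 2 + n
    return feats


def staple_decision(tls_features: Optional[List[int]],
                    staple_present: bool, staple_good: bool) -> str:
    """Client verdict for one handshake: 'accept', 'hardfail' or 'softfail'.

    tls_features: decoded extension from the server certificate, None if absent.
    staple_good: whether a present staple validated as a good OCSP response.
    """
    if staple_present:
        # A stapled response that does not validate as good is handled like
        # any other failed revocation check.
        return "accept" if staple_good else "hardfail"
    if tls_features is not None and STATUS_REQUEST in tls_features:
        # The certificate declares that the server must staple, and it did not:
        # the client finally has the signal it needs to hardfail.
        return "hardfail"
    # No declaration: the client cannot tell a borked server from one that
    # never stapled, so it has to soft-fail (the problem the post describes).
    return "softfail"


# Constructed sample extension values (not from any real certificate).
MUST_STAPLE = bytes.fromhex("3003020105")        # [status_request]
MUST_STAPLE_V2 = bytes.fromhex("3006020105020111")  # [status_request, status_request_v2]
```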