Does anyone have any update on the status of the must-staple OID?

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+ben=digicert....@lists.mozilla.org] On Behalf Of Brian Smith
Sent: Thursday, April 10, 2014 5:06 PM
To: Phillip Hallam-Baker
Cc: dev-security-policy@lists.mozilla.org
Subject: Re: OCSP and must staple
On Thu, Apr 10, 2014 at 3:54 PM, Phillip Hallam-Baker <hal...@gmail.com> wrote:
> One of the problems with OCSP is the hardfail issue. Stapling reduces
> latency when a valid OCSP token is supplied but doesn't allow a server
> to hardfail if the token isn't provided as there is currently no way
> for a client to know if a token is missing because the server has been
> borked or if the server doesn't staple.
>
> This draft corrects the problem. It has been in IETF limbo due to the
> OID registry moving. But I now have a commitment from the AD that they
> will approve the OID assignment if there is support for this proposal
> from a browser provider:

David Keeler was working on implementing Must-Staple in Gecko. You can point them to these two bugs:

https://bugzilla.mozilla.org/show_bug.cgi?id=921907
https://bugzilla.mozilla.org/show_bug.cgi?id=901698

The work got stalled because we decided to fix some infrastructure issues (like the new mozilla::pkix cert verification library) first. Now that work is winding down and I think we'll be able to finish the Must-Staple implementation soon. Check with David.

Cheers,
Brian

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
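The client-side decision the thread is about, as an added example (not code from the thread, Gecko, or the draft): a client can only hard-fail on a missing OCSP staple when the certificate itself says stapling is required. It assumes the encoding the extension eventually got in RFC 7633 (a DER SEQUENCE OF INTEGER, with 5 = status_request), which postdates this 2014 thread; the extension bytes below are constructed.

```python
from typing import List, Optional

# TLS extension type for OCSP stapling (status_request), per RFC 7633.
STATUS_REQUEST = 5


def parse_tls_feature(der: bytes) -> List[int]:
    """Parse a DER-encoded TLSFeatures ::= SEQUENCE OF INTEGER extension value.
    Minimal parser: short-form lengths only, which is all this tiny value needs."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    seq_len = der[1]
    if seq_len & 0x80 or 2 + seq_len != len(der):
        raise ValueError("bad SEQUENCE length")
    body, i, features = der[2:], 0, []
    while i < len(body):
        if body[i] != 0x02 or i + 1 >= len(body):
            raise ValueError("expected INTEGER")
        n = body[i + 1]
        if n == 0 or n & 0x80 or i + 2 + n > len(body):
            raise ValueError("bad INTEGER length")
        features.append(int.from_bytes(body[i + 2:i + 2 + n], "big", signed=True))
        i += 2 + n
    return features


def stapling_verdict(tls_feature_ext: Optional[bytes],
                     stapled_response: Optional[bytes]) -> str:
    """Apply the rule the thread describes.

    - staple present: go on to verify the OCSP response (not done here)
    - no staple, cert carries Must-Staple: hard fail, the server is broken or
      misconfigured and a missing token is no longer ambiguous
    - no staple, no Must-Staple: the client cannot tell a non-stapling server
      from a broken one, so it falls back to its usual soft-fail OCSP behaviour
    """
    if stapled_response is not None:
        return "verify-staple"
    must_staple = (tls_feature_ext is not None
                   and STATUS_REQUEST in parse_tls_feature(tls_feature_ext))
    return "hard-fail" if must_staple else "soft-fail-fallback"


# Constructed sample values: SEQUENCE { INTEGER 5 } and SEQUENCE { INTEGER 1 }.
MUST_STAPLE_EXT = bytes.fromhex("3003020105")
OTHER_FEATURE_EXT = bytes.fromhex("3003020101")
```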