Hanno, did you receive any reply on this from an httpd dev? I am currently about to embark on a project in the OCSP neighbourhood, so I do not have 100% time available right now. But I would be sorry to let such an opportunity for funded improvement of httpd go to waste...

If not, who would be a good contact at Linux Foundation / Core Infra to talk to?

Cheers,
Stefan

> On 31.05.2017 at 16:13, Hanno Böck <ha...@hboeck.de> wrote:
>
> Hi,
>
> On Wed, 31 May 2017 07:45:23 -0500
> Jim Riggs <apache-li...@riggs.me> wrote:
>
>> This was mentioned in today's Bulletproof TLS newsletter
>> (https://www.feistyduck.com/bulletproof-tls-newsletter/issue_28_lets_encrypt_downtime.html):
>>
>> https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html
>
> I'm the author of that post, thanks for bringing that up.
>
> In the meantime I found that there are even more bugs in the apache bz
> that are unhandled that sound quite concerning. This one
> https://bz.apache.org/bugzilla/show_bug.cgi?id=59049
> is imho a security vulnerability, yet it's been ignored for over a year.
>
>
> Please note also that I had some conversations with the Linux
> Foundation / Core Infrastructure Initiative about OCSP stapling and
> they indicated that they would consider to provide funding if there's an
> effort to improve the situation.
>
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: ha...@hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42