On 2019-06-21 01:01, Alan Altmark wrote:
Your OCSP responder service not being available 24x7. For now, the policies dealing with the lack of OCSP and/or CRL tend toward "assume it's ok". Kinda loosey goosey. I don't know for how much longer, though. But it will depend on what the client side is willing to tolerate.
The world seems to move more towards short-lived certificates rather than the use of CRLs/OCSP, as well as shipping targeted revocation rules in browsers for high-value certificates that need them. Certificates that have expired you no longer need to carry revocation information for. The corollary to this is also that the browsers have the most advanced system in place for certificate handling, and other software in the TLS ecosystem is unlikely to obey all rules correctly.

OCSP hard fail is not something that will come anytime soon. CAs have not shown that they can run OCSP responders reliably at scale, and in some enterprise environments you can't even reach them. OCSP stapling is the more interesting technology here, essentially attaching a proof of non-revocation to the certificate presented during the handshake. But support for that is spotty at best. But again, you would not rely on continuous availability of the OCSP responder in that case.

Kind regards
Philipp Kern
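An added, offline illustration of the OCSP round trip Philipp describes (not code from the thread or from any of its participants), using only the openssl CLI: a throwaway CA issues one certificate, the responder answers a status request from its index file and signs the response, and the client verifies that signed proof against the trust anchor. The resulting resp.der is the same object a stapling server would hand to clients in the handshake, so they never need to reach the responder themselves. All names and files (Demo CA, demo.example, ca.crt, ee.crt, index.txt) are constructed for the demo.

```shell
#!/bin/sh
# Added example: OCSP request, signed response and verification done entirely
# offline with the openssl CLI. Everything here is constructed for the demo.
set -eu

# Throwaway CA plus one end-entity certificate, written into work dir $1.
make_pki() (
  cd "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
      -keyout ca.key -out ca.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
      -keyout ee.key -out ee.csr 2>/dev/null
  openssl x509 -req -days 1 -in ee.csr -CA ca.crt -CAkey ca.key \
      -CAcreateserial -out ee.crt 2>/dev/null
)

# Responder database: one tab-separated line in openssl's index.txt format:
# status (V valid / R revoked), expiry, revocation date, serial, file, subject.
write_index() (  # $1 = work dir, $2 = V or R
  serial=$(openssl x509 -in "$1/ee.crt" -noout -serial | cut -d= -f2)
  rev=""
  if [ "$2" = R ]; then rev=200101000000Z; fi
  printf '%s\t491231235959Z\t%s\t%s\tunknown\t/CN=demo.example\n' \
      "$2" "$rev" "$serial" > "$1/index.txt"
)

# Client builds a request; the responder answers from index.txt and signs as
# the CA; the client then verifies the signature chain to ca.crt and prints
# the certificate status. If the proof does not verify, openssl exits
# non-zero and so does this function: that is the "hard fail" behaviour, as
# opposed to the "assume it's ok" policy when no status is obtainable.
ocsp_status() (  # $1 = work dir; prints "good" or "revoked"
  cd "$1"
  openssl ocsp -issuer ca.crt -cert ee.crt -no_nonce -reqout req.der >/dev/null
  openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key \
      -reqin req.der -respout resp.der >/dev/null 2>&1
  if ! openssl ocsp -respin resp.der -issuer ca.crt -cert ee.crt \
          -CAfile ca.crt -no_nonce > status.txt 2> verify.txt; then
    echo untrusted; exit 1
  fi
  awk -F': ' '$1 == "ee.crt" { print $2 }' status.txt
)

dir=$(mktemp -d)
make_pki "$dir"
write_index "$dir" V; echo "before revocation: $(ocsp_status "$dir")"
write_index "$dir" R; echo "after revocation:  $(ocsp_status "$dir")"
rm -rf "$dir"
```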