On Fri, Jun 29, 2012 at 11:37 AM, Alexey Melnikov
wrote:
> On 29/06/2012 17:45, Steingruebl, Andy wrote:
>>>
>>> -Original Message-
>>> From: Alexey Melnikov [mailto:alexey.melni...@isode.com]
>>>
>>> Maybe this is not a good example, but I am thinking that something like
>>> OCSP retrieva
On 29/06/2012 17:45, Steingruebl, Andy wrote:
-Original Message-
From: Alexey Melnikov [mailto:alexey.melni...@isode.com]
Maybe this is not a good example, but I am thinking that something like
OCSP retrieval failing on the client side is not something that would
show up in the webserver
On Fri, Jun 29, 2012 at 8:10 AM, Steingruebl, Andy
wrote:
>> The point of "this is testing" is the opposite: people who can't talk to
>> you because you've configured HSTS in a way inconsistent with your
>> actual site posture.
>> -Ekr
>
> Can you give us an example of how/where you think this c
> -Original Message-
> From: Alexey Melnikov [mailto:alexey.melni...@isode.com]
>
> Maybe this is not a good example, but I am thinking that something like
> OCSP retrieval failing on the client side is not something that would
> show up in the webserver logs.
Sure, but doesn't the OCSP s
On 29/06/2012 16:10, Steingruebl, Andy wrote:
The point of "this is testing" is the opposite: people who can't talk to you
because you've configured HSTS in a way inconsistent with your
actual site posture.
-Ekr
Can you give us an example of how/where you think this could occur and how it
is
> The point of "this is testing" is the opposite: people who can't talk to you
> because you've configured HSTS in a way inconsistent with your
> actual site posture.
> -Ekr
Can you give us an example of how/where you think this could occur and how it
is distinct from other ways you could usin
On Tue, Jun 12, 2012 at 12:00 AM, =JeffH wrote:
> Hi, thanks for your thoughts Yoav, apologies for latency,
>
>> I guess my issue with this..
>
> ..where "this" is denying the user the capability to "click-through" TLS/SSL
> errors/warnings in all error cases..
>
>> ..is because when I read the dr
Hi, thanks for your thoughts Yoav, apologies for latency,
> I guess my issue with this..
..where "this" is denying the user the capability to "click-through" TLS/SSL
errors/warnings in all error cases..
> ..is because when I read the draft for the first
> time, I thought this would be a good
Hi
It was my review that triggered this, so I'd like to explain my position.
There are several things that could be considered failures of the TLS layer:
1. Revoked certificate
2. No CRL/OCSP response
3. Expired certificate
4. Expired CRL (yes, I know NextUpdate is not expiry…)
5. Mismatch b