On 17.06.2016 19:57, Александр Кириллов wrote:
Then OCSP stapling is the way to go but it could be a real PITA to
setup for the first time and may not be supported by older browsers
anyway.
not really, because the same server tells the client that the SSL
certificate is good, as the SSL certificate itself;
these must be independent;
Says who?
the logic; anything you do to reduce problems or to prevent problems
connecting to SSL sites because
of slow OCSP servers or similar reduces security itself ...
Yes, the OCSP response comes from the same server but it's still
signed by the issuer CA.
yes and no, but faking a valid OCSP response that says good instead of
revoked is also possible ...
OCSP stapling has been developed for a number of reasons including
user privacy concerns and I find those reasons quite convincing.
the primary reason was to prevent problems for connection problems - or
whatever problems - in connection with the OCSP
The need to revoke an issued certificate before its expiration date is
rare.
maybe; but Heartbleed showed us something different ...;
Yet the origial OCSP implementation gives the interested third parties
the ability to track browsing habits of unsuspecting visitors of the
sites which do not implement OCSP stapling. This is not to mention
much higher traffic the CAs will have to shoulder with the
proliferation of secure sites.
of course; if there would be only one CA, and there would be only SSL,
this CA would know what hosts you connect in your browser, because of
OCSP ...
but the privacy concerns in this connections is less than the tracking
cookies where a little bit more of information is sent ...
(with OCSP they know only which IP address is verifying which
certificate and what time)
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
