Re: Question on necessity of SSL_CTX_set_client_CA_list

Hi,

On 03/12/18 21:40, Viktor Dukhovni wrote:
> On Dec 3, 2018, at 3:35 PM, Charles Mills <charlesm@xxxxxxx> wrote:
>
>> OCSP and OCSP stapling are currently higher on my wish list than this.
>
> Good luck with OCSP, the documentation could definitely be better, and
> various projects get it wrong.  IIRC curl gets OCSP right, so you
> could look there for example code, some other projects go through the
> motions, but don't always achieve a robust result.
>
> [ FWIW, I don't care much for OCSP, it's often not required, so it is
>    then not clear what security properties it provides. ]

The only reason to use OCSP I currently have is in Firefox: if you turn off "Query OCSP responder servers" in Firefox then EV certificates will no longer show up with their owner/domain name. Now the question is: does Firefox get OCSP "right" ;) ?

cheers,

JJK / Jan Just Keijser

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



