Welcome! Log In Create A New Profile

Re: [PATCH] OCSP stapling: better handling of successful OCSP responses.

Forum List Message List New Topic Print View

Piotr Sikora

May 17, 2013 07:34PM

Hey Maxim,

> Presenting a certificate and a non-good certificate status to a
> user looks like "bees against honey" for me. I would rather not.

While I agree that it looks kind of iffy, by not caching OCSP
responses with "revoked" or "unknown" certificate status, we're
loosing all of the OCSP stapling advantages (offloading CA's OCSP
responders, improving user's privacy and perceived performance), while
not changing anything for the user - he'll still receive exactly the
same certificate status directly from CA's OCSP responder, just a few
hundred milliseconds later.

Best regards,
Piotr Sikora

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

Reply Quote

RSS

Subject	Author	Views	Posted
[PATCH] OCSP stapling: better handling of successful OCSP responses.	Piotr Sikora	904	May 16, 2013 06:44PM
Re: [PATCH] OCSP stapling: better handling of successful OCSP responses.	Piotr Sikora	390	May 16, 2013 07:12PM
Re: [PATCH] OCSP stapling: better handling of successful OCSP responses.	Maxim Dounin	426	May 17, 2013 09:22AM
Re: [PATCH] OCSP stapling: better handling of successful OCSP responses.	Piotr Sikora	501	May 17, 2013 07:34PM
Re: [PATCH] OCSP stapling: better handling of successful OCSP responses.	Maxim Dounin	519	May 20, 2013 06:58AM
Re: [PATCH] OCSP stapling: better handling of successful OCSP responses.	Piotr Sikora	499	May 21, 2013 08:20PM
Re: [PATCH] OCSP stapling: better handling of successful OCSP responses.	Maxim Dounin	442	May 23, 2013 11:26AM

Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 189

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018