At that time, OCSP Must-Staple, the major goal of `TLS Feature Extension`, now RFC 7633, was only a draft. But it's an RFC now :)
Already, Firefox has implemented OCSP Must-Staple in their development version (Fx 45): https://wiki.mozilla.org/CA:ImprovingRevocation#OCSP_Must-Staple
The new kid on the block of CAs, promising to be a big star, Let's Encrypt, already has support for OCSP Must-Staple in its code base: https://github.com/letsencrypt/boulder/pull/1224 It's just a matter of time before they'll support issuing Must-Staple certificates.
Unfortunately, the issue on bugs.chromium.org hasn't got much attention: https://bugs.chromium.org/p/chromium/issues/detail?id=572734 Chromestatus.com doesn't mention `ocsp` at all: https://www.google.com/search?q=ocsp+site%3Awww.chromestatus.com
So, my question to you all is: what's holding Chromium back in implementing this big step in certificate revocation checking?
It's not really up to the browser to decide this, is it? It's up to the server sysop who is implementing a Must-Staple certificate to weigh the pros and cons of Must-Staple and the chance of bad stapling.
The only thing a browser should do is honor the request of the certificate's Must-Staple feature. I don't see why it's up to Chromium to decide these things. Mozilla has enabled Must-Staple by default in its products; they don't see the problem you guys apparently see. Got any proof of those statements?
We are living in a world where it takes almost nothing to set up that attack in less than a day with like literally no network experience.
So I think the world of secure web applications needs a way to know that my cert matches the expected cert.
However, from what I understand, even if OCSP Must-Staple was implemented, it would not reject a staple provided by a fake CA, because the current CA ties it to the certificate ID and not the common name.
So how would I, as a web developer, take advantage of this feature for my own certs? Is there a document somewhere?
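As an added example (not code from any poster in this thread), here is a small pure-Python checker for the question above: it decodes the DER value of the RFC 7633 TLS Feature extension (OID 1.3.6.1.5.5.7.1.24) and reports whether the certificate asks for status_request, i.e. OCSP Must-Staple. The sample extension values are constructed here, not taken from any real certificate.

```python
# Added example: decode the RFC 7633 TLSFeature extension value and check for
# OCSP Must-Staple. Input is the inner extnValue (the bytes inside the
# extension's OCTET STRING), encoded as TLSFeature ::= SEQUENCE OF INTEGER.
# Pure Python, no third-party library needed.

STATUS_REQUEST = 5      # TLS extension id "status_request" (RFC 6066, OCSP stapling)
STATUS_REQUEST_V2 = 17  # TLS extension id "status_request_v2" (RFC 6961)


def _read_tlv(buf, pos):
    """Decode one DER TLV starting at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def parse_tls_features(extn_value):
    """Return the list of TLS extension ids listed in a TLSFeature value."""
    tag, body, end = _read_tlv(extn_value, 0)
    if tag != 0x30 or end != len(extn_value):  # must be exactly one SEQUENCE
        raise ValueError("TLSFeature must be a single SEQUENCE")
    features, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x02 or not val:  # each element is a non-empty INTEGER
            raise ValueError("TLSFeature entries must be INTEGERs")
        features.append(int.from_bytes(val, "big", signed=True))
    return features


def requires_ocsp_stapling(extn_value):
    """True when the extension lists status_request, i.e. OCSP Must-Staple."""
    return STATUS_REQUEST in parse_tls_features(extn_value)


# Constructed sample extension values (hand-encoded DER, not from a real cert):
MUST_STAPLE = bytes.fromhex("3003020105")          # SEQUENCE { INTEGER 5 }
BOTH_VERSIONS = bytes.fromhex("3006020105020111")  # SEQUENCE { INTEGER 5, INTEGER 17 }
V2_ONLY = bytes.fromhex("3003020111")              # SEQUENCE { INTEGER 17 }

if __name__ == "__main__":
    for name, val in [("MUST_STAPLE", MUST_STAPLE), ("BOTH_VERSIONS", BOTH_VERSIONS), ("V2_ONLY", V2_ONLY)]:
        print(name, parse_tls_features(val), requires_ocsp_stapling(val))
```

The check is deliberately strict: trailing bytes after the SEQUENCE or a non-INTEGER element raise ValueError rather than being silently ignored.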