OCSP Stapling

Glen <glen@amsl.com> Mon, 01 August 2016 18:58 UTC

From: Glen <glen@amsl.com>
Date: Mon, 01 Aug 2016 11:58:13 -0700
Subject: OCSP Stapling
To: ietf <ietf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/MQNREeEQeqeviL1iQTn8mbJHuRE>

Dear IETF Community:

At IETF-Action, we received the following request:

> Currently I cannot view anything on the IETF website because your
> certificate authority's OCSP server is down and I cannot verify that
> the certificate has not been revoked.
> Please enable OCSP stapling on your webservers so that in the future
> your availability in browsers that require OCSP checks (Firefox with
> strict revocation checks enabled in my case) can still access your
> site without it being dependent on your CA's OCSP service.

I have referred this matter to the TMC, and they have asked me to
refer this out to the community.

Absent any objections to this, we will enable OCSP Stapling as
requested later this week.  If there are any objections or comments,
please make them known on this list for community debate.  (Although I
don't normally follow the IETF list, I will be doing so for the
duration of the discussion.)

Thank you for your review of this matter!

Glen Barney
IT Director
AMS (IETF Secretariat)
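
Added example, not part of the original message or the Secretariat's tooling: one way to confirm that a server is stapling a usable OCSP response, by classifying the text that `openssl s_client -connect <host>:443 -status` prints. The sample transcripts are constructed, and the function names and result labels are assumptions made for this illustration.

```python
import re
from datetime import datetime, timezone

# Constructed samples in the layout `openssl s_client -status` prints.
NOT_STAPLED = "CONNECTED(00000003)\nOCSP response: no response sent\n---\n"
STAPLED = """CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Produced At: Aug  1 12:00:00 2016 GMT
    Cert Status: good
    This Update: Aug  1 12:00:00 2016 GMT
    Next Update: Aug  8 12:00:00 2016 GMT
---
"""

def _field(text, name):
    """Return the value of an indented 'Name: value' line, or None."""
    m = re.search(rf"^[ \t]*{re.escape(name)}:[ \t]*(\S.*?)[ \t]*$", text, re.M)
    return m.group(1) if m else None

def _when(value):
    """Parse 'Aug  1 12:00:00 2016 GMT' into an aware UTC datetime."""
    stamp = " ".join(value.split()[:4])  # collapse padding, drop 'GMT'
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def staple_status(text, now):
    """Classify a handshake transcript (hypothetical helper, names assumed)."""
    if "OCSP response: no response sent" in text:
        return "not-stapled"        # hard-fail clients must query the CA
    status = _field(text, "OCSP Response Status")
    if status is None:
        return "no-ocsp-output"     # was -status passed to s_client?
    if not status.startswith("successful"):
        return "responder-error"    # e.g. tryLater relayed by the server
    cert = _field(text, "Cert Status")
    if cert != "good":
        return f"cert-{cert or 'missing'}"  # revoked or unknown
    this_update, next_update = _field(text, "This Update"), _field(text, "Next Update")
    if this_update and now < _when(this_update):
        return "not-yet-valid"
    if next_update and now > _when(next_update):
        return "stale"              # server stopped refreshing its staple
    return "stapled-good"
```

A "stale" result matters as much as "not-stapled": a server that staples but cannot refresh the response during a CA responder outage leaves strict clients in the same position the request describes.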