Re: [TLS] OCSP must staple

Viktor Dukhovni <viktor1dane@dukhovni.org> Sun, 08 June 2014 16:03 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EFD61A0139 for <tls@ietfa.amsl.com>; Sun, 8 Jun 2014 09:03:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100
X-Spam-Level:
X-Spam-Status: No, score=-100 tagged_above=-999 required=5 tests=[USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zWMU7rz0Uqlc for <tls@ietfa.amsl.com>; Sun, 8 Jun 2014 09:03:54 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF26E1A00E4 for <tls@ietf.org>; Sun, 8 Jun 2014 09:03:54 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 290792AB222; Sun, 8 Jun 2014 16:03:54 +0000 (UTC)
Date: Sun, 8 Jun 2014 16:03:54 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20140608160354.GH27883@mournblade.imrryr.org>
References: <CAFewVt4p4rJ738Yo=XQm6T_jyvG3TnJsSQ5HDZDrqAkyNDa7tg@mail.gmail.com> <20140605173223.GK27883@mournblade.imrryr.org> <20140607164945.GA23329@roeckx.be> <20140607170619.GC27883@mournblade.imrryr.org> <2A0EFB9C05D0164E98F19BB0AF3708C7130F434F7A@USMBX1.msg.corp.akamai.com> <20140607184737.GD27883@mournblade.imrryr.org> <2A0EFB9C05D0164E98F19BB0AF3708C7130F434F7D@USMBX1.msg.corp.akamai.com> <155f01cf82ce$7cfa8360$76ef8a20$@digicert.com> <C877733F-EBCC-4D88-8B99-271914A517B4@gmail.com> <CA+cU71nPXxpk05F+5bthRDXyJKVQwHQGSmT0B3qkCg875B69AQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CA+cU71nPXxpk05F+5bthRDXyJKVQwHQGSmT0B3qkCg875B69AQ@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/mzud_VG2mcpurJ3H0LWH5a60su0
Subject: Re: [TLS] OCSP must staple
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Jun 2014 16:03:56 -0000

On Sun, Jun 08, 2014 at 01:10:47AM -0400, Tom Ritter wrote:

> I don't understand what you mean by the OCSP server rejcting them.

Well, the server was supposed to have stapled, so the OCSP server
could in principle (knowing the server's certificate requires
stapling) refuse to provide an unstapled response.

-- 
	Viktor.