[CentOS] https and self signed
Александр Кириллов
nevis2us at infoline.suFri Jun 17 17:57:18 UTC 2016
- Previous message: [CentOS] https and self signed
- Next message: [CentOS] https and self signed
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
>> Then OCSP stapling is the way to go but it could be a real PITA to >> setup for the first time and may not be supported by older browsers >> anyway. >> > not really, because the same server tells the client that the SSL > certificate is good, as the SSL certificate itself; > these must be independent; Says who? Yes, the OCSP response comes from the same server but it's still signed by the issuer CA. OCSP stapling has been developed for a number of reasons including user privacy concerns and I find those reasons quite convincing. The need to revoke an issued certificate before its expiration date is rare. CA error, transfer of the domain ownership, loss of a private key... What else? Yet the origial OCSP implementation gives the interested third parties the ability to track browsing habits of unsuspecting visitors of the sites which do not implement OCSP stapling. This is not to mention much higher traffic the CAs will have to shoulder with the proliferation of secure sites.
- Previous message: [CentOS] https and self signed
- Next message: [CentOS] https and self signed
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the CentOS mailing list