Opened 7 years ago

Closed 7 years ago

#49 closed defect (invalid)

Explain why OCSP Stapling is acceptable but OCSP Fetching is not

Reported by: rob.stradling@… Owned by: draft-ietf-trans-rfc6962-bis@…
Priority: major Milestone:
Component: rfc6962-bis Version:
Severity: - Keywords:


Brian Smith wrote:
"A browser needs a reliable mechanism for getting SCTs in order for the browser to be able to make SCTs mandatory. Browsers that make SCT mandatory would ultimately be what would make CT effective. OCSP fetching is not reliable, in theory or on practice, so a client cannot rely on getting SCTs via OCSP fetching. A browser that processed SCTs in fetched OCSP responses would be encouraging websites to avoid the reliable mechanisms of SCT delivery in favor of an unreliable mechanism, causing CT to be unreliable and thus ineffective."

We should explain this in the draft. Perhaps in the Security Considerations?

Change History (2)

comment:1 Changed 7 years ago by benl@…

Surely 3.4:

" The SCT data corresponding to at least one certificate in the chain

from at least one log must be included in the TLS handshake,"

is adequate explanation?

comment:2 Changed 7 years ago by benl@…

  • Resolution set to invalid
  • Status changed from new to closed

We already explain why, closing.

Note: See TracTickets for help on using tickets.