Re: new version trusted-proxy20 draft

On Wed, Feb 19, 2014 at 3:53 AM, Nicolas Mailhot <
nicolas.mailhot@laposte.net> wrote:

>
> On Tue, 18 February 2014 10:49, Salvatore Loreto wrote:
> >
>
> > - if the question is how it would be possible for the browser/client to run
> > OCSP to check the validity of certificates from the CA if the OCSP is run
> > over TLS
>
> When OCSP refers to an external validation server, accessing it requires
> going through the proxy first...
>
> --


OCSP Stapling would be the answer here. (The proxy presents the OCSP
response as part of the TLS handshake. It is still signed by the CA, though,
with a short lifetime, so the client doesn't need to go to the CA directly.)

Received on Friday, 21 February 2014 13:21:47 UTC