- From: patrick mcmanus <pmcmanus@mozilla.com>
- Date: Mon, 30 Jul 2012 08:52:51 -0700
- To: Yoav Nir <ynir@checkpoint.com>
- CC: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On 7/30/2012 8:46 AM, Yoav Nir wrote:
>
> Additionally, TLS requires the client to check revocation of the server certificate. Some browsers don't, but that's beside the point. Checking revocation involves fetching either a CRL or an OCSP response, and they are typically fetched over HTTP. If HTTP has to have TLS we have a bootstrap problem, unless checking revocation is relegated back down to HTTP/1.0.

That's not a roadblock. We can address this largely via OCSP stapling. Also, OCSP with a CA can be done over TLS without cert verification because the OCSP response is signed separately.
Received on Monday, 30 July 2012 15:53:27 UTC