Re: new version trusted-proxy20 draft

On 19/02/2014 9:53 p.m., Nicolas Mailhot wrote:
> 
> On Tue, 18 February 2014 10:49, Salvatore Loreto wrote:
>>
> 
>> - if the question is how it would be possible for the browser/client to run
>> OCSP to check the validity of certificates from the CA if the OCSP is run
>> over TLS
> 
> When OCSP refers to an external validation server, accessing it requires
> going through the proxy first…
> 

Which circles back to DANE being far better than OCSP for most of these
scenarios. So the thing which should be mandated IMHO.
As this whole scenario is new there is no reason to stick with the
verification methods known to be unworkable.

Amos

Received on Wednesday, 19 February 2014 12:23:48 UTC