[cabfpub] CT and OCSP Stapling

Ben Laurie benl at google.com
Wed Oct 24 04:05:14 MST 2012


On 24 October 2012 12:03, Brian Smith <bsmith at mozilla.com> wrote:
> Ben Laurie wrote:
>> One thing I'd note is that OCSP requires the response is signed, but
>> since the SCT is already signed, this signature is not needed. If we
>> also said that the OCSP response could be signed by anyone for this
>> particular response, then OCSP stapling could be used even with CAs
>> that don't support it.
>
> The server would have to be able to tell, by looking at the handshake, the difference between a client that supports these not-signed-by-the-issuing-CA OCSP responses and one that doesn't. Otherwise, a "normal" OCSP stapling client may reject the connection on the grounds that the OCSP response seems to have been forged.
>
> But, if the client is going to signal its support for CT in its handshake anyway in a client hello extension, then the server might just as well put the SCT in the corresponding server hello extension. I am not sure there's a real-world situation where a server hello extension wouldn't work, but where the server would be able to receive the signal that third-party OCSP responses with SCT are supported from its TLS stack AND be able to vary the stapled OCSP response accordingly.

I dropped this idea from the I-D, particularly since the OCSP response
needs to include the certificate status anyway, which does need to be
signed.

