[cabfpub] Changes to improve OCSP interoperability, security, and usability

Gervase Markham gerv at mozilla.org
Wed Oct 23 14:47:34 UTC 2013

On 23/10/13 04:45, Brian Smith wrote:
> 6. For must-staple in particular, it may be worthwhile to consider
> adding a backup OCSP AIA URI to certificates, that is used in case the
> normal OCSP responder is not working. Then we could change servers'
> OCSP stapling implementations to try each of the URIs in order. This
> would likely improve the availability of sites that use must-staple in
> the event that a CA's CDN experiences downtime.

In this particular case, it seems to me like something that might be
solved by market forces. If one CA's certs have a backup OCSP responder
and so work more of the time, that's a selling point for them.

CAs who have decided to do this may even want to write the webserver
patches to take advantage of it :-)
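The ordered fallback over OCSP AIA URIs that point 6 sketches, as an added example that is not code from either correspondent: a server-side stapling fetcher that tries each responder in turn, skips one that times out or answers with a non-successful OCSP status, and keeps serving a still-valid cached response when every responder is down. The responder URIs and the `fetch` callables are constructed placeholders, not real CA endpoints.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional, Sequence

@dataclass
class OcspResult:
    uri: str            # responder that answered
    body: bytes         # DER OCSPResponse to staple (placeholder bytes here)
    status: str         # OCSPResponseStatus: "successful", "tryLater", ...
    next_update: float  # POSIX time after which the response is stale

class OcspUnavailable(Exception):
    """No responder answered and no cached response is still valid."""

def fetch_with_fallback(uris: Sequence[str], fetch: Callable[[str], OcspResult],
                        cached: Optional[OcspResult] = None,
                        now: Optional[float] = None) -> OcspResult:
    """Try each AIA OCSP URI in order; return the first usable response.
    A responder that raises (timeout, refused, parse error) or answers with a
    status other than "successful" is skipped. If all fail, a cached response
    inside its validity window is served so the staple survives a CDN outage."""
    now = time.time() if now is None else now
    errors = []
    for uri in uris:
        try:
            result = fetch(uri)
        except Exception as exc:
            errors.append(f"{uri}: {exc}")
            continue
        if result.status != "successful":
            errors.append(f"{uri}: responder status {result.status}")
            continue
        if result.next_update <= now:
            errors.append(f"{uri}: response already expired")
            continue
        return result
    if cached is not None and cached.next_update > now:
        return cached
    raise OcspUnavailable("; ".join(errors))

# Constructed responders for the demonstration; not real CA endpoints.
URIS = ["http://ocsp.primary.example", "http://ocsp.backup.example"]

def demo_fetch(uri: str) -> OcspResult:
    if uri == URIS[0]:
        raise TimeoutError("no response within 2s")  # primary CDN is down
    return OcspResult(uri, b"<DER OCSPResponse>", "successful",
                      time.time() + 7 * 24 * 3600)

def dead_fetch(uri: str) -> OcspResult:
    raise ConnectionError("connection refused")  # every responder is down
```

`fetch_with_fallback(URIS, demo_fetch)` staples from the backup responder; with `dead_fetch` it falls back to a valid cached response or raises `OcspUnavailable`.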