[AusNOG] Let's Encrypt

Matt Palmer mpalmer at hezmatt.org
Wed Nov 19 18:41:03 EST 2014


On Tue, Nov 18, 2014 at 09:46:49PM -0800, Nick Savvides wrote:
> I also think that one biggest problems today is that OCSP is not enabled
> everywhere by default.

I think it's far, *far* overstating the case that a lack of OCSP is "one [of
the] biggest problems today".  It's problematic, but until the response
times of OCSP responders are below the magic threshold (100ms -- that's not
RTT, that's *total response time*), and the failed-request rate is down in
the noise, OCSP-by-default won't fly.  So, everyone, start checking OCSP
over GET requests without nonces, and CAs, start putting your OCSP
responders behind good CDNs.

- Matt

-- 
Judging by this particular thread, many people in this group spent their
school years taking illogical, pointless orders from morons and having their
will to live systematically crushed. And people say school doesn't prepare
kids for the real world.  -- Rayner, in the Monastery
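The nonce-less GET form Matt is pointing at is specified in RFC 6960 Appendix A: the DER-encoded OCSPRequest is base64-encoded, URL-escaped and appended to the responder URL. Without a nonce the request for a given certificate is byte-for-byte identical every time, so the URL is stable and a CDN in front of the responder can serve a cached, still-signed response; with a nonce every request is unique and uncacheable. The following is an added example, not code from this thread or from any CA: it builds both forms with only the Python standard library. The issuer name, issuer key bytes, serial number and responder hostname are constructed placeholders, not a real CA.

```python
"""Added example: build an OCSP request with and without a nonce and derive the
RFC 6960 Appendix A GET URL.  Standard library only; all issuer data is made up."""
import base64
import hashlib
import os
from urllib.parse import quote

SHA1_OID = (1, 3, 14, 3, 2, 26)                    # id-sha1, the CertID hash algorithm
OCSP_NONCE_OID = (1, 3, 6, 1, 5, 5, 7, 48, 1, 2)   # id-pkix-ocsp-nonce


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """One DER tag-length-value element."""
    return bytes([tag]) + der_length(len(content)) + content


def der_oid(arcs) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, remaining arcs in base-128."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def der_integer(n: int) -> bytes:
    """Non-negative INTEGER (certificate serials): minimal bytes, sign bit kept clear."""
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")
    while len(body) > 1 and body[0] == 0 and body[1] < 0x80:
        body = body[1:]
    return tlv(0x02, body)


def build_cert_id(issuer_name_der: bytes, issuer_key_bytes: bytes, serial: int) -> bytes:
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }.
    issuerKeyHash is SHA-1 over the issuer's subjectPublicKey BIT STRING contents."""
    alg_id = tlv(0x30, der_oid(SHA1_OID) + b"\x05\x00")   # AlgorithmIdentifier, NULL params
    name_hash = tlv(0x04, hashlib.sha1(issuer_name_der).digest())
    key_hash = tlv(0x04, hashlib.sha1(issuer_key_bytes).digest())
    return tlv(0x30, alg_id + name_hash + key_hash + der_integer(serial))


def build_ocsp_request(issuer_name_der: bytes, issuer_key_bytes: bytes,
                       serial: int, nonce: bytes = None) -> bytes:
    """Unsigned OCSPRequest ::= SEQUENCE { tbsRequest }.
    TBSRequest ::= SEQUENCE { requestList SEQUENCE OF Request,
                              requestExtensions [2] EXPLICIT Extensions OPTIONAL }.
    With nonce=None the output is deterministic for a given certificate (cacheable);
    a nonce adds the id-pkix-ocsp-nonce extension and makes every request unique."""
    request_list = tlv(0x30, tlv(0x30, build_cert_id(issuer_name_der, issuer_key_bytes, serial)))
    tbs_content = request_list
    if nonce is not None:
        # Extension ::= SEQUENCE { extnID, extnValue OCTET STRING }; the value itself
        # wraps a further OCTET STRING carrying the nonce bytes.
        ext = tlv(0x30, der_oid(OCSP_NONCE_OID) + tlv(0x04, tlv(0x04, nonce)))
        tbs_content += tlv(0xA2, tlv(0x30, ext))
    return tlv(0x30, tlv(0x30, tbs_content))


def ocsp_get_url(responder_url: str, request_der: bytes) -> str:
    """RFC 6960 A.1: GET {url}/{url-encoded base64 of DER(OCSPRequest)}.
    safe="" escapes '/' and '+' from the base64 alphabet so the path stays one segment."""
    b64 = base64.b64encode(request_der).decode("ascii")
    return responder_url.rstrip("/") + "/" + quote(b64, safe="")


def demo():
    """Return (cacheable_url, nonce_url) for a constructed issuer; placeholder data only."""
    # Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value UTF8String }
    issuer_name = tlv(0x30, tlv(0x31, tlv(0x30, der_oid((2, 5, 4, 3)) + tlv(0x0C, b"Example Test CA"))))
    issuer_key = bytes(range(32))                      # stand-in for a real subjectPublicKey
    serial = 0x0123456789ABCDEF
    responder = "http://ocsp.example.test"             # placeholder responder URL
    cacheable = build_ocsp_request(issuer_name, issuer_key, serial)
    with_nonce = build_ocsp_request(issuer_name, issuer_key, serial, nonce=os.urandom(16))
    return ocsp_get_url(responder, cacheable), ocsp_get_url(responder, with_nonce)


if __name__ == "__main__":
    plain, nonced = demo()
    print("cacheable GET:", plain)
    print("nonce GET:    ", nonced)
</test>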