[AusNOG] Lets Encrypt
Peter Tonoli
peter at medstv.unimelb.edu.au
Wed Nov 19 20:20:18 EST 2014
----- Original Message -----
> From: "Matt Palmer" <mpalmer at hezmatt.org>
> To: ausnog at lists.ausnog.net
> Sent: Wednesday, 19 November, 2014 6:41:03 PM
> Subject: Re: [AusNOG] Lets Encrypt
> On Tue, Nov 18, 2014 at 09:46:49PM -0800, Nick Savvides wrote:
> I think it's far, *far* overstating the case that a lack of OCSP is
> "one [of the] biggest problems today". It's problematic, but until the
> response times of OCSP responders are below the magic threshold (100ms --
> that's not RTT, that's *total response time*), and the failed-request
> rate is down in the noise, OCSP-by-default won't fly. So, everyone,
> start checking OCSP over GET requests without nonces, and CAs, start
> putting your OCSP responders behind good CDNs.
I think the issue is that there aren't enough providers with OCSP stapling configured on their servers, and there is a lack of RFC 6961 support among large hosting providers, which fixes the response time issue as well as resolving the privacy problems related to OCSP.
Cheers,
Peter.
--
Peter Tonoli < peter at medstv.unimelb.edu.au > +61-3-9231-2399
IT Manager
The University of Melbourne - Eastern Hill Academic Centre, St. Vincent's Institute and O'Brien Institute
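As an added illustration of the two points argued above (it is not code from either poster, and ocsp.example.test, the "Demo Issuer CA" and the leaf certificate are throwaway placeholders generated on the spot), the script below uses only the openssl CLI to build an OCSP request without a nonce, show the difference from the default nonce-bearing request, and encode it in the RFC 6960 Appendix A GET form that a CDN in front of a responder can actually cache:

```shell
#!/bin/sh
# Added example, not part of the AusNOG thread. Demonstrates "check OCSP over
# GET requests without nonces": a nonce makes every request unique, so a CDN
# cannot serve a cached response; dropping it (and using GET) makes the
# request cacheable. Requires only the openssl command-line tool.

# make_demo_certs DIR: generate a throwaway CA plus a leaf it signed so the
# rest of the demo runs offline. Against a real site you use the real issuer
# and server certificates instead. (Constructed test data, not real PKI.)
make_demo_certs() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Issuer CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/leaf.pem" >/dev/null 2>&1
}

# build_ocsp_request ISSUER CERT OUT [with_nonce]
# Writes a DER-encoded OCSPRequest for CERT to OUT. By default the request is
# built with -no_nonce (the cacheable form). Pass "with_nonce" as the fourth
# argument to get openssl's default, nonce-bearing (uncacheable) request.
build_ocsp_request() {
    issuer="$1"; cert="$2"; out="$3"
    if [ "${4:-}" = "with_nonce" ]; then
        openssl ocsp -issuer "$issuer" -cert "$cert" -reqout "$out" >/dev/null 2>&1
    else
        openssl ocsp -issuer "$issuer" -cert "$cert" -no_nonce -reqout "$out" >/dev/null 2>&1
    fi
}

# ocsp_request_has_nonce REQ_DER: succeed (exit 0) if the request carries the
# OCSP Nonce extension, fail otherwise. openssl's own decoder does the
# parsing, so nothing about the ASN.1 layout is guessed here.
ocsp_request_has_nonce() {
    openssl ocsp -reqin "$1" -text 2>/dev/null | grep -qi nonce
}

# ocsp_get_url RESPONDER_URL REQ_DER: print the RFC 6960 Appendix A.1 GET
# form: the DER request, base64-encoded, then URL-encoded ('+', '/', '=')
# and appended as a single path segment to the responder URL.
ocsp_get_url() {
    responder="$1"; req="$2"
    enc=$(openssl base64 -A -in "$req" | sed 's/+/%2B/g; s,/,%2F,g; s/=/%3D/g')
    printf '%s/%s\n' "${responder%/}" "$enc"
}

# Usage (offline demo; ocsp.example.test is a placeholder responder):
#   d=$(mktemp -d)
#   make_demo_certs "$d"
#   build_ocsp_request "$d/ca.pem" "$d/leaf.pem" "$d/req.der"
#   ocsp_get_url "http://ocsp.example.test" "$d/req.der"
# For a live certificate, read the real responder URL from the cert with
#   openssl x509 -in leaf.pem -noout -ocsp_uri
# and check whether the server already staples a response (the thread's
# other point) with
#   openssl s_client -connect host:443 -status </dev/null 2>&1 | grep -i "OCSP"
# which reports "OCSP response: no response sent" when stapling is not on.
```

The GET form matters because a nonce-free request for a given certificate is byte-for-byte identical from every client, so the URL is identical too and a CDN can serve the signed, time-bounded response from cache; the nonce-bearing variant defeats that, which is why the contrast is built into the example.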