This bug is an umbrella/tracking bug, acting as a one-stop-shop to see progress on the multiple sub-tasks necessary to achieve this large-scale project.
OCSP carries with it two large disadvantages: it is very high traffic and expensive for a CA to run, and it can theoretically leak browsing activity to CAs by observing streams of OCSP requests from a single client. Historically, these two disadvantages have been outweighed by the even larger disadvantage of CRLs: that they're huge, so unwieldy to work with that most clients simply don't. This disadvantage has, for web browsers at least, been largely mitigated by the advent of OneCRL and CRLite, methods by which browser vendors ingest and pre-process CRLs into much smaller formats, and push the results out to individual browsers via the browser's normal update mechanisms. As a result, the BRs were recently updated to allow CAs to omit OCSP information from certificates as long as they include CRL information instead. We intend to follow this path, and hope to significantly decrease costs by doing so.
Subtasks: