No, don't enable revocation checking: https://www.imperialviolet.org/2014/04/19/revchecking.html …
@rmhrisk @primetomas @agl__ Please describe an implementation strategy that isn't poor that doesn't depend on Must-Staple.
@BRIAN_____ @primetomas @agl__ for one don't ignore authoritative unknowns. You reached the CA he spent the time & energy to sign a message.
@BRIAN_____ @primetomas @agl__ Secondly don't give SSL indicator to certificates when you fail to retrieve status. This is what Opera does.
@BRIAN_____ @primetomas @agl__ have CAs produce OCSP responses that are within 24 hours of freshness.
@BRIAN_____ @primetomas @agl__ capture statistics on OCSP connect failures, publish them on a per CA basis.
@rmhrisk @BRIAN_____ @primetomas @agl__ doesn't solve the privacy issues either. Must staple is really the only workable path
@sleevi_ @BRIAN_____ @primetomas @agl__ privacy is another matter and must staple addresses that.