122
edits
CA:ImprovingRevocation: Difference between revisions
Jump to navigation
Jump to search
Update Must-Staple
(Moved Revoked Intermediate Cert section to Completed) |
(Update Must-Staple) |
||
| Line 14: | Line 14: | ||
The following changes have been implemented and released. | The following changes have been implemented and released. | ||
=== OCSP Must-Staple === | |||
Websites that implement OCSP Must-Staple will get Hard Fail Revocation. | |||
A website may use OCSP Must-Staple to mandate support for revocation checking via OCSP stapling. A site that tells clients that an OCSP status response will always be stapled enables the browser to immediately stop processing when the response is not stapled. | |||
[http://tools.ietf.org/html/rfc7633 The IETF have specified a standard mechanism], which is implemented in Firefox Nightly. This is expected to ship with Firefox 45. | |||
* Release: Mozilla 45 | |||
* Discussion: [http://www.ietf.org/mail-archive/web/tls/current/msg10351.html ''Discussion Thread''] | |||
* Code Change: {{Bug|901698}}, {{Bug|921907}} | |||
* Dependencies: [[CA:ImprovingRevocation#OCSP_Stapling | OCSP Stapling]], insanity::pkix {{Bug|915930}} | |||
* Policy Change: None, though Must-Staple is a popular subject for proposals permitting "not short-lived" certificates in the future. | |||
* Process Change: None needed. | |||
=== Preload Revocations of Intermediate CA Certificates === | === Preload Revocations of Intermediate CA Certificates === | ||
| Line 149: | Line 169: | ||
* Process Change: None | * Process Change: None | ||
=== ''Change Name'' === | === ''Change Name'' === | ||