Comments (4)
jsha
commented on June 13, 2024
Note: some of this would be solved by implementing the issuer cache and putting "fetch issuer" in updateResponse instead of at startup. Then you'd only need the ignore-signature-validation flag for certificates that (a) don't have AIA, and (b) don't have a local copy of the issuer certificate. Since you would need (b) to serve the cert anyhow, you can probably punt on the config flag altogether.
Note that you will also have a case where AIA is present, but the fetch fails. Probably that should be considered the same as a failure to fetch or parse the OCSP response itself.
from stapled.
cpu
commented on June 13, 2024
Is there a good use-case for serving an OCSP response when the daemon can't check its signature?
My gut instinct is that it could be a foot-gun option someone would be tempted to turn on as a quick fix to a problem better addressed other ways.
from stapled.
jsha
commented on June 13, 2024
Is there a good use-case for serving an OCSP response when the daemon can't check its signature?
I think not.
from stapled.
rolandshoemaker
commented on June 13, 2024
My gut instinct is that it could be a foot-gun option someone would be tempted to turn on as a quick fix to a problem better addressed other ways.
Agreed.
Is there a good use-case for serving an OCSP response when the daemon can't check its signature?
I think not.
Agreed, closing.
from stapled.
Related Issues (20)
- Add stableCache interface HOT 1
- Implement issuer caching
- Support multiple proxies HOT 1
- Move http.Client from Entry to stapled
- Move refresh checking from per Entry to single goroutine HOT 1
- Cleanup configuration format
- Support NextPublish extension
- Max cache size should be configurable
- Configurable Alert Hooks
- Write configuration documentation
- Split up Entry
- Allow per serial responder overrides HOT 1
- Make supported request hash functions configurable
- Responder picker type should be configurable HOT 1
- Add tooling for distro packaging HOT 1
- Write integration tests
- Write documentation for Apache/nginx usage
- Option to accept & store responses for expired certs
- Check for cert revocation
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from stapled.