[10] Improving Revocation: OCSP Must-Staple and Short-lived Certificates | Mozilla Security Blog
( ())
https://blog.mozilla.org/security/2015/11/23/improving-revocation-ocsp-must-staple-and-short-lived-certificates/
In an ideal world, the browser would perform an online status check (such as OCSP) whenever it verifies a certificate, and reject the certificate if the check failed. However, these checks can be slow and unreliable. They time out about 15% of the time, and take about 350ms even when they succeed. Browsers generally soft-fail on revocation in an attempt to balance these concerns.
[11] Security FAQ - The Chromium Projects
( ())
https://www.chromium.org/Home/chromium-security/security-faq#TOC-What-s-the-story-with-certificate-revocation-
Chrome performs online checking for Extended Validation certificates if it does not already have a non-expired CRLSet entry covering the domain. If Chrome does not get a response, it simply downgrades the security indicator to Domain Validated.
[12] Issue 361820 - chromium - Check For Server Certificate Revocation checkbox is confusing - Monorail
( ())
https://bugs.chromium.org/p/chromium/issues/detail?id=361820
[13] Certificate revocation and the performance of OCSP | Netcraft
( ())
http://news.netcraft.com/archives/2013/04/16/certificate-revocation-and-the-performance-of-ocsp.html
[14] Internet Explorer 7 における HTTPS セキュリティの強化点
( ())
https://msdn.microsoft.com/ja-jp/library/bb250503
原因 : Windows Vista にパフォーマンス強化および OCSP プロトコルのサポートが追加されたことで、WININET では既定で失効状態のチェックが有効になり、セキュリティが強化されます。
[15] 991815 – (mozilla::pkix) Sites not getting EV treatment with mozilla::pkix is on, but do get EV treatment when mozilla::pkix is off because OCSP response is old
( ())
https://bugzilla.mozilla.org/show_bug.cgi?id=991815
[18] OpenSSL: how to setup an OCSP server for checking third-party certificates? - Server Fault
( ())
http://serverfault.com/questions/131983/openssl-how-to-setup-an-ocsp-server-for-checking-third-party-certificates
[22] Feature request: OCSP Must Staple (RFC 7633) - Google グループ
( ())
https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/-pB8IFNu5tw
The state of the world for OCSP code is bad. Real bad. Unless you're running IIS, or running a home-grown OCSP daemon, you're going to staple bad responses. That is, if you turn on stapling in Apache or nginx, you're going to serve junk to a portion of your users. When you serve junk, in a must-staple world, everything goes badly.
Further, the world assumes clients are well-behaved - they have good clocks, good caching logic, and good OCSP implementations. Unfortunately, those assumptions can all be wrong - and when something's wrong on the client, it could brick sites. We already see this with HSTS and a variety of otherwise fixable errors (such as clock skew) contributing significantly to warning fatigue or user frustration - and it's actually rather surprisingly hard to quantify, on the client, the ways in which the client could have screwed up.
To that end, our focus has been on quantifying the OCSP ecosystem - both in terms of what the CAs are sending (... frequently, horribly bloated responses that often fail basic DER encoding rules), and what servers are doing. We're also exploring how to allow server operators to participate in that virtuous feedback cycle, by providing something akin to 'expect-staple' - that is, a signifier that the server *should* always be sending valid stapled responses, and a means of getting feedback when this is not the case. This will allow sites to further debug and investigate, both client errors and the fact that, again, most of the OCSP fetching code on servers is bad.
[23] RFC 4557 - Online Certificate Status Protocol (OCSP) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
()
https://tools.ietf.org/html/rfc4557
[24] Only specific APIs should skip the fetch event when called within a service worker · Issue #303 · whatwg/fetch
()
https://github.com/whatwg/fetch/issues/303
[25] Document CORS safelist exceptions
(estark37著, )
https://github.com/whatwg/fetch/commit/860ab8669fb3775b77b6f81e44e5a2609db0bc93
[26] High-reliability OCSP stapling and why it matters
()
https://blog.cloudflare.com/high-reliability-ocsp-stapling/
[27] OCSP / SCT requirements of the cert-chain · Issue #175 · WICG/webpackage
()
https://github.com/WICG/webpackage/issues/175
[29] 966856 - Add SHA-2 support to mozilla::pkix's OCSP implementation
()
https://bugzilla.mozilla.org/show_bug.cgi?id=966856
[30] Revocation checking for EV server certificates in Chrome, https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/S6A14e_X-T0/m/T4WxWgajAAAJ
[31] Ryan HurstさんはTwitterを使っています: 「Chrome has not done OCSP checking due to privacy concerns for DV/OV certificates for some time. They have now announced they will expand this to EV. Personally, I think this is a good change. https://t.co/eV5k0gTzH0」 / Twitter, 午後11:55 · 2022年8月24日 +09:00, https://twitter.com/rmhrisk/status/1562453501602459648
[32] RFC 4557: Online Certificate Status Protocol (OCSP) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT), https://www.rfc-editor.org/rfc/rfc4557.html