GSA/https

OCSP stapling

konklone opened this issue · 8 comments

Implement it for https.cio.gov using nginx 1.9.2, using @AGWA's excellent OCSP stapling guide, and then update the tech guidelines page with information about it.

It seems to me like there's still more advancement that has to happen in the browser and CA world (e.g. multistapling, must-staple, and short-lived certs that aren't checked for revocation) before this is worth pushing hard on. Happy to re-open if anyone wants to discuss further.

Well! This makes me think there could, either now or soon, be something worth including:

https://blog.mozilla.org/security/2015/11/23/improving-revocation-ocsp-must-staple-and-short-lived-certificates/

Mozilla has implemented support for OCSP Must-Staple, which is specified through a TLS Feature Extension (a new standard as of October 2015). So the CA includes the extension in the certificate they issue which basically says "this certificate should only be considered valid if OCSP information was stapled alongside it".

It'd be nice to hear from at least one other browser what their plans are, but since OCSP stapling itself is already widely supported, this may make it worth documenting and encouraging.
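As an added illustration of the mechanism described above (this is example code, not anything from https.cio.gov or the Mozilla post), here is how the TLS Feature extension from RFC 7633 actually looks on the wire and what a must-staple-aware client does with it. The extension is identified by OID 1.3.6.1.5.5.7.1.24 and its value is a SEQUENCE OF INTEGER listing required TLS extension types; the value 5 (status_request) is what "OCSP Must-Staple" means. The DER bytes below are constructed for this example rather than taken from a real certificate, and the decoder is a deliberately minimal stdlib-only DER walker (it handles the OID arcs used here and nothing fancier).

```python
# Added example (not part of the original issue): decode the RFC 7633 TLS Feature
# ("OCSP Must-Staple") extension from a DER-encoded X.509 Extensions block and
# apply the validation rule it implies. Standard library only.

TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"
STATUS_REQUEST = 5  # TLS extension type for status_request, i.e. OCSP stapling

# Constructed sample Extensions blocks (not from a real certificate):
#   - a keyUsage extension (OID 2.5.29.15), which the decoder must skip over
#   - a TLS Feature extension whose value is SEQUENCE OF INTEGER { 5 }
_KEY_USAGE_EXT = bytes.fromhex("300b0603551d0f0404030205a0")
_TLS_FEATURE_EXT = bytes.fromhex("301106082b0601050507011804053003020105")
MUST_STAPLE_EXTS = bytes.fromhex("3020") + _KEY_USAGE_EXT + _TLS_FEATURE_EXT
NO_MUST_STAPLE_EXTS = bytes.fromhex("300d") + _KEY_USAGE_EXT


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode a DER OBJECT IDENTIFIER body to dotted-decimal (first arc 0/1/2 only)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def tls_features(extensions_der):
    """Return the TLS feature ids from the TLS Feature extension, or None if absent."""
    _, exts, _ = _read_tlv(extensions_der, 0)  # Extensions ::= SEQUENCE OF Extension
    pos = 0
    while pos < len(exts):
        _, ext, pos = _read_tlv(exts, pos)  # Extension ::= SEQUENCE { OID, [critical], OCTET STRING }
        _, oid, p = _read_tlv(ext, 0)
        if _decode_oid(oid) != TLS_FEATURE_OID:
            continue
        tag, val, p = _read_tlv(ext, p)
        if tag == 0x01:  # optional 'critical' BOOLEAN precedes the OCTET STRING
            tag, val, p = _read_tlv(ext, p)
        _, ints, _ = _read_tlv(val, 0)  # OCTET STRING body: SEQUENCE OF INTEGER
        feats, q = [], 0
        while q < len(ints):
            _, iv, q = _read_tlv(ints, q)
            feats.append(int.from_bytes(iv, "big"))
        return feats
    return None


def accept_certificate(extensions_der, stapled_ocsp_present):
    """Must-Staple rule: when status_request is required, a handshake that carries
    no stapled OCSP response is rejected instead of soft-failing to a live OCSP fetch."""
    feats = tls_features(extensions_der)
    if feats and STATUS_REQUEST in feats:
        return stapled_ocsp_present
    return True  # no must-staple: stapling stays optional for this certificate


if __name__ == "__main__":
    print("must-staple features:", tls_features(MUST_STAPLE_EXTS))
    print("no stapled response, must-staple cert accepted?",
          accept_certificate(MUST_STAPLE_EXTS, False))
```

The operational point this makes concrete is the one in the thread: once a CA puts this extension in your certificate, a stapling outage on the server (expired or missing OCSP response) becomes a hard failure in browsers that honor Must-Staple, so stapling has to be monitored like any other availability dependency before the extension is requested.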

AGWA commented

Before you enable OCSP stapling, you may want to read through this Twitter conversation from this morning: https://twitter.com/sleevi_/status/669566272003112960

Thanks, @AGWA -- that is a super enlightening conversation.

@pzb Do you have any idea how Amazon is implementing OCSP stapling at scale for CloudFront? Is it vanilla nginx, or is there work being done to make up for the problems with current open source implementations?

I'd like to assist with guidance, as stapling is also enabled by default in IIS. From a customer experience perspective, wouldn't this lead to better performance?

Sure would, on browsers other than Chrome, anyway. I'm happy to add a section to the Technical Guidelines section (and add OCSP stapling support to https.cio.gov itself) -- any resources or things which should go into it?

J0WI commented

Must-Staple is now also supported by Let's Encrypt and the Certbot client.

Handled by our cloud infrastructure.