OCSP stapling
konklone opened this issue · 8 comments
Implement it for https.cio.gov using nginx 1.9.2, using @AGWA's excellent OCSP stapling guide, and then update the tech guidelines page with information about it.
It seems to me like there's still more advancement that has to happen in the browser and CA world (e.g. multistapling, must-staple, and short-lived certs that aren't checked for revocation) before this is worth pushing hard on. Happy to re-open if anyone wants to discuss further.
Well! This makes me think there could, either now or soon, be something worth including:
Mozilla has implemented support for OCSP Must-Staple, which is specified through a TLS Feature Extension (a new standard as of October 2015). So the CA includes the extension in the certificate they issue which basically says "this certificate should only be considered valid if OCSP information was stapled alongside it".
It'd be nice to hear from at least one other browser what their plans are, but since OCSP stapling itself is already widely supported, this may make it worth documenting and encouraging.
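As an added example (not from the original issue or from https.cio.gov), here is a small audit script for the two things discussed above: whether an endpoint actually serves a stapled OCSP response, and whether its certificate carries the OCSP Must-Staple TLS Feature extension, in which case a missing staple is an outage for Must-Staple aware browsers rather than a soft failure. The function names and the sample transcripts are assumptions constructed for this example; the parsers read the text that `openssl s_client -status` and `openssl x509 -text` print.

```shell
#!/bin/sh
# Added example, not code from the original issue: audit a TLS endpoint for
# OCSP stapling and OCSP Must-Staple (RFC 7633 TLS Feature extension).
# The parsers read the text printed by `openssl s_client -status` and
# `openssl x509 -text`; write_samples creates constructed transcripts so the
# audit can be exercised offline.

# stdin: s_client transcript. 0 if a successful stapled OCSP response is present.
has_stapled_response() { grep -q 'OCSP Response Status: successful'; }

# stdin: x509 -text dump. 0 if the TLS Feature extension lists status_request,
# i.e. the certificate is Must-Staple.
has_must_staple() { sed -n '/TLS Feature:/{n;p;}' | grep -q 'status_request'; }

# $1: s_client transcript file, $2: x509 -text file.
# Returns 0: stapled OK. 1: no staple, but the cert does not require one.
# 2: Must-Staple cert served without a staple; a Must-Staple aware browser
#    (Firefox, per the issue) rejects the connection, so this is an outage.
audit_stapling() {
  if has_stapled_response <"$1"; then
    echo "OK: stapled OCSP response present"; return 0
  elif has_must_staple <"$2"; then
    echo "FAIL: Must-Staple certificate served without a stapled response"; return 2
  fi
  echo "WARN: no stapled response (certificate tolerates it)"; return 1
}

# Live use (needs network). nginx fetches the OCSP response lazily, so run
# this twice: the first handshake after a restart may carry no staple.
audit_host() {
  host=$1; port=${2:-443}; dir=$(mktemp -d)
  openssl s_client -connect "$host:$port" -servername "$host" -status \
    </dev/null 2>/dev/null >"$dir/sclient"
  openssl x509 -in "$dir/sclient" -noout -text >"$dir/x509"
  audit_stapling "$dir/sclient" "$dir/x509"
}

# Constructed sample transcripts (trimmed to the lines the parsers look at).
write_samples() {
  printf 'OCSP response:\nOCSP Response Data:\n    OCSP Response Status: successful (0x0)\n' >"$1/stapled"
  printf 'OCSP response: no response sent\n' >"$1/unstapled"
  printf '            TLS Feature:\n                status_request\n' >"$1/must_staple"
  printf '            Subject Key Identifier:\n                AA:BB\n' >"$1/plain"
}

samples=$(mktemp -d); write_samples "$samples"
audit_stapling "$samples/stapled"   "$samples/must_staple"            # OK, exit 0
audit_stapling "$samples/unstapled" "$samples/must_staple" || true    # FAIL, exit 2
audit_stapling "$samples/unstapled" "$samples/plain"       || true    # WARN, exit 1
```

Against a real host, `audit_host https.cio.gov` captures both artifacts and runs the same checks; on nginx the relevant directives are `ssl_stapling`, `ssl_stapling_verify`, `ssl_trusted_certificate` and `resolver`.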
Before you enable OCSP stapling, you may want to read through this Twitter conversation from this morning: https://twitter.com/sleevi_/status/669566272003112960
I'd like to assist with guidance, as stapling is also enabled by default in IIS. From a customer experience perspective, wouldn't this lead to better performance?
Sure would, on browsers other than Chrome, anyway. I'm happy to add a section to the Technical Guidelines section (and add OCSP stapling support to https.cio.gov itself) -- any resources or things which should go into it?
Must-Staple is now also supported by Let's Encrypt and the Certbot client.
Handled by our cloud infrastructure.