cURL / Mailing Lists / curl-library / Single Mail


Re: [Survey] What people want us to do next

From: Petr Pisar <>
Date: Mon, 16 Jun 2014 10:41:16 +0200

On Mon, Jun 16, 2014 at 10:11:16AM +0200, Daniel Stenberg wrote:
> On Sun, 15 Jun 2014, Alessandro Ghedini wrote:
> >>HTTPS: Live CRL checking and OCSP.
> >
> >There's a wishlist bug about this in the Debian bts, and I have briefly
> >looked into how to implement OCSP (RFC2560) a while back.
> We all know OCSP is completely broken and barely a tad bit more than
> useless. Browsers don't even implement it much or care about the responses,

Mozilla folks have opposite opinion. They removed CRL support in recent Firefox
and they kept OCSP as the only one method.

> I don't think we'll get much use out of implementing this now.
That means any applications aiming to conform to the legal requirements will
have to implement it on their own. Unfortuntelly the legal requirements differ
per county. Some EU countries (e.g. the Czech Republic) sticks on CRL, while
some EU countries (e.g. Germany) sticks on OCSP.

I'd rather see the support in the TLS libraries. Probably with some hooks to
delegate HTTP or LDAP retrievals to the upper layers.

> I think there's much more to gain by instead implementing the new methods
> that are being developed, like certificate pinning,

Great idea. Supplying the server certificate as trusted anchor does work as
the TLS libraries expect CA:true constraint.

> ocsp stapling etc.

This would make the OCSP transparent to the libcurl as the request and
response is part of TLS negotiation. However it's still OCSP. That means one
has to verify the OCSP response which itself may need to validate the
OCSP service certificate used to sign the OCSP response. So at the end, there
still will be demand for third-party network request. (Unless the OCSP
response will carry the whole OCSP trust chain with OCSP statuses for each
entry. Though that would undermin network traffic amount worries and possible
caching.) Personally I believe that dedicated local daemon like GnuPG's
dirmngr is the best approach.) However that's out of scope of libcurl

-- Petr

List admin:

  • application/pgp-signature attachment: stored
Received on 2014-06-16