Request for OCSP Stapling

[wslack]

Per 18F/18f.gsa.gov#292

[jmhooper]

• An announcement from Amazon on 08/2014 that seems to suggest OCSP stapling is on by default.
• Here's Amazon's docs on OCSP stapling

Despite the above, it looks like SSL Labs is still saying we don't have OCSP stapling enabled?

I found an AWS Developer Forum Thread where they point to the the docs on OCSP stapling posted above as an answer to why someone did not see OCSP stapling.

[jmhooper]

From Amazon's docs on OCSP stapling:

If your distribution doesn't get much traffic in a CloudFront edge location, new requests are more likely to be directed to a server that hasn't validated the certificate with the CA yet. In that case, the viewer separately performs the validation step and the CloudFront server serves the object. That CloudFront server also submits a validation request to the CA, so the next time it receives a request that includes the same domain name, it has a validation response from the CA.

So it looks like the servers in edge locations will only have OCSP stapling enabled when they receive multiple requests from a client over some period of time.

[wslack]

@konklone given the info ^^, should we leave this open? Seems like it should be closed unless we want off CloudFront

[konklone]

Let's close it and re-open if it emerges as a more significant issue later.

[konklone]

However, note that if Federalist ever needs to explicitly discuss the third parties that might receive data about visitors to Federalist sites, the certificate authority will need to be listed as a potential third party that will get pinged. One of the benefits of OCSP stapling is that it removes this data sharing.

[wslack]

kk, I'm going to move this to our icebox but leave it open

[wslack]

Closing; can reopen if ever asked.