Proposal: crypto/tls: Support RFC 6961 Multiple Certificate Status Request Extension #22267
Go's TLS library supports RFC 6066's
A new extension,
I say we add support for RFC 6961's
I don't think this gels with the direction that revocation is taking. Instead, I expect to see browsers shipping information about intermediate revocations and using OCSP stapling only for the leaf. See Mozilla's efforts in recent years to require disclosure of all intermediates.
I'll give more context about why I wanted this. It's not for browsers but for my company's internal PKI.
We have intermediate CAs that sign certificates for sets of similar servers. If one of our intermediate CAs gets somehow compromised, we can just revoke it in our DB, generate a new one and have every server in the intermediate CA's cluster get new certificates from the new intermediate CA.
A CRL would definitely work, but it would be a lot less elegant because then we'll have a split of revoked certificates: some in our DB and some in the CRL. Along with all the other downsides of using and maintaining a CRL.
Also, I forgot to mention that if we decide to implement it, I'm available to create the CL.
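To make the gap the proposal is about concrete, here is an added Go example that is not part of the issue thread and not code from crypto/tls itself. It builds a throwaway intermediate CA plus a leaf it signs (the "intermediate CA per cluster" layout described above), attaches a staple to the leaf through the existing RFC 6066 support (`tls.Certificate.OCSPStaple`), runs a TLS 1.2 handshake over an in-memory `net.Pipe`, and reads what the client received from `ConnectionState().OCSPResponse`. The staple bytes are a constructed placeholder rather than a real DER OCSP response, the certificate names are made up, and the helper names (`newCertChain`, `handshakeOverPipe`, `LeafStapleOnly`) are this example's own. The point it demonstrates is that there is exactly one status slot, for the leaf; the intermediate's status has no place to travel in the handshake, which is what RFC 6961 would add.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// constructedLeafStaple stands in for the DER-encoded OCSP response a CA's
// responder would produce for the leaf. It is a constructed placeholder, not DER.
var constructedLeafStaple = []byte("constructed-ocsp-response-for-leaf")

// newCertChain mints a throwaway intermediate CA and a leaf it signs, and
// returns the server's tls.Certificate (leaf + intermediate) plus a root pool
// that trusts the intermediate. Names and lifetimes are made up for the demo.
func newCertChain() (tls.Certificate, *x509.CertPool, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example intermediate CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return tls.Certificate{}, nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return tls.Certificate{}, nil, err
	}

	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	cert := tls.Certificate{
		Certificate: [][]byte{leafDER, caDER}, // leaf first, then the intermediate
		PrivateKey:  leafKey,
		// RFC 6066 status_request: crypto/tls offers this single field, and it
		// describes the leaf only. Nothing here can carry the intermediate's status.
		OCSPStaple: constructedLeafStaple,
	}
	return cert, roots, nil
}

// handshakeOverPipe runs a TLS 1.2 handshake in memory and returns the OCSP
// response bytes the client received in the CertificateStatus message.
func handshakeOverPipe() ([]byte, error) {
	cert, roots, err := newCertChain()
	if err != nil {
		return nil, err
	}
	srvRaw, cliRaw := net.Pipe()
	defer srvRaw.Close()
	defer cliRaw.Close()

	// TLS 1.2 is pinned so each flight is fully consumed before the next is
	// written, which keeps the synchronous net.Pipe exchange lock-step.
	server := tls.Server(srvRaw, &tls.Config{
		Certificates: []tls.Certificate{cert},
		MaxVersion:   tls.VersionTLS12,
	})
	client := tls.Client(cliRaw, &tls.Config{
		RootCAs:    roots,
		ServerName: "localhost",
		MaxVersion: tls.VersionTLS12,
	})

	errc := make(chan error, 1)
	go func() { errc <- server.Handshake() }()
	if err := client.Handshake(); err != nil {
		return nil, err
	}
	if err := <-errc; err != nil {
		return nil, err
	}
	return client.ConnectionState().OCSPResponse, nil
}

// LeafStapleOnly reports whether the client saw exactly the leaf staple.
func LeafStapleOnly() (bool, error) {
	got, err := handshakeOverPipe()
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, constructedLeafStaple), nil
}

func main() {
	ok, err := LeafStapleOnly()
	if err != nil {
		fmt.Println("handshake failed:", err)
		return
	}
	fmt.Println("client received the leaf staple, and only the leaf staple:", ok)
}
```

A client that wanted the intermediate's revocation status with this API would have to fetch it out of band (a CRL or a separate OCSP query), which is exactly the split the thread describes; a crypto/tls client also does not parse or validate the staple bytes, so any check of the response's signature and freshness is left to the application.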