[27] [DFN[OCSP Stapling]] is the sending of an [[OCSP response]] from the [[TLS server]] to the [[TLS client]] during the [[TLS handshake]].
This lets the [[client]] confirm that the [[server certificate]] has not been [[revoked]] without separately querying the [[OCSP server]].
;; [28] Because the [[OCSP response]] is [[signed]] by the [[CA]], it can be trusted regardless of who the direct sender is
(as long as it can be verified that it is correctly [[signed]]).
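The two handshake structures that carry a stapled response, and the client-side decision the note above describes, as an added worked example (not code from the original wiki page, from RFC 6066, or from any project the page cites). The byte layouts follow RFC 6066 section 8 (the `status_request` extension in the ClientHello and the `CertificateStatus` message after the server's Certificate); the "CA signature" is a labelled stand-in (an HMAC under a constructed key) because the Python standard library has no X.509 or OCSP parser, and the response bodies `good` / `revoked` are constructed placeholders for a DER OCSPResponse. Function names such as `check_revocation` are this example's own.

```python
# Added example: RFC 6066 section 8 wire formats for OCSP Stapling plus the
# client's handling of a stapled response. Stdlib only, runs offline.
import hashlib
import hmac
import struct

STATUS_TYPE_OCSP = 1  # CertificateStatusType.ocsp, the only type RFC 6066 defines


def encode_status_request(responder_ids=(), request_extensions=b""):
    """Body of the ClientHello 'status_request' extension:
         status_type(1) || responder_id_list<0..2^16-1> || request_extensions<0..2^16-1>
       where each ResponderID is opaque<1..2^16-1>. An empty list means
       'any responder'; this is what browsers normally send."""
    ids = b"".join(struct.pack("!H", len(r)) + r for r in responder_ids)
    return (bytes([STATUS_TYPE_OCSP])
            + struct.pack("!H", len(ids)) + ids
            + struct.pack("!H", len(request_extensions)) + request_extensions)


def decode_status_request(data):
    """Parse the extension body; raises ValueError on any length inconsistency."""
    if len(data) < 5 or data[0] != STATUS_TYPE_OCSP:
        raise ValueError("not an OCSP status_request")
    ids_end = 3 + struct.unpack_from("!H", data, 1)[0]
    if ids_end + 2 > len(data):
        raise ValueError("responder_id_list overruns extension")
    pos, responder_ids = 3, []
    while pos < ids_end:
        if pos + 2 > ids_end:
            raise ValueError("truncated ResponderID")
        rid_len = struct.unpack_from("!H", data, pos)[0]
        pos += 2
        if rid_len == 0 or pos + rid_len > ids_end:
            raise ValueError("bad ResponderID length")
        responder_ids.append(data[pos:pos + rid_len])
        pos += rid_len
    ext_len = struct.unpack_from("!H", data, pos)[0]
    pos += 2
    if pos + ext_len != len(data):
        raise ValueError("request_extensions length mismatch")
    return responder_ids, data[pos:]


def encode_certificate_status(ocsp_response):
    """CertificateStatus handshake message: status_type(1) || OCSPResponse<1..2^24-1>."""
    if not 1 <= len(ocsp_response) < (1 << 24):
        raise ValueError("OCSPResponse must be 1..2^24-1 bytes")
    return bytes([STATUS_TYPE_OCSP]) + len(ocsp_response).to_bytes(3, "big") + ocsp_response


def decode_certificate_status(data):
    if len(data) < 5 or data[0] != STATUS_TYPE_OCSP:
        raise ValueError("not an OCSP CertificateStatus")
    n = int.from_bytes(data[1:4], "big")
    if n == 0 or 4 + n != len(data):
        raise ValueError("OCSPResponse length mismatch")
    return data[4:]


# Stand-in for the CA's signature over the OCSP response (constructed key,
# HMAC-SHA256). A real client verifies the CA/responder signature on the DER.
CA_KEY = b"constructed-demo-ca-key"
TAG_LEN = 32


def ca_sign(body, key=CA_KEY):
    return body + hmac.new(key, body, hashlib.sha256).digest()


def ca_verify(blob, key=CA_KEY):
    """Return the signed body (b'good' / b'revoked' here) or None if unverifiable."""
    if len(blob) <= TAG_LEN:
        return None
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    return body


def check_revocation(certificate_status, query_responder):
    """certificate_status: the server's CertificateStatus bytes, or None when
    nothing was stapled. query_responder: fallback that contacts the OCSP server
    (a callable returning a signed blob). Returns (status, source).
    The point of stapling: with a verifiable staple the responder is never contacted,
    and the staple is trusted because of the CA signature, not because of who sent it."""
    if certificate_status is not None:
        body = ca_verify(decode_certificate_status(certificate_status))
        if body is not None:
            return body.decode(), "stapled"
        # An unverifiable staple carries no information: fall through to the responder.
    body = ca_verify(query_responder())
    if body is None:
        raise ValueError("OCSP responder returned an unverifiable response")
    return body.decode(), "responder"


if __name__ == "__main__":
    print("status_request:", encode_status_request().hex())
    calls = []
    responder = lambda: (calls.append(1), ca_sign(b"good"))[1]
    staple = encode_certificate_status(ca_sign(b"good"))
    print(check_revocation(staple, responder), "responder queries:", len(calls))
```

The decoders reject every length inconsistency with `ValueError` rather than reading past a field, which is the property an implementation of these extension parsers needs before it is exposed to peer-controlled bytes; the fallback path in `check_revocation` shows why a bad staple is treated as "absent" and not as "revoked" or "good".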
* Specification
[REFS[
- [1] [CITE@en[RFC 6066 - Transport Layer Security (TLS) Extensions: Extension Definitions]]
([TIME[2015-02-01 18:07:52 +09:00]] version)
<https://tools.ietf.org/html/rfc6066#section-8>
]REFS]
* Examples of use
[REFS[
- [20] [CITE[CloudFlare - The web performance & security company]] ([TIME[2016-05-10 09:01:47 +09:00]]) <https://www.cloudflare.com/>
- [21] [CITE@en[Bugzilla Main Page]] ([TIME[2016-05-11 20:40:12 +09:00]]) <https://bugzilla.mozilla.org/>
- [22] [CITE[Amazon | 本, ファッション, 家電から食品まで | アマゾン]] ([TIME[2016-05-11 20:44:07 +09:00]]) <https://www.amazon.co.jp/>
]REFS]
* Related
[23] There is also [[OCSP Multi-Stapling]].
* History
[2] [CITE@en[Security/Server Side TLS - MozillaWiki]]
([TIME[2015-03-22 14:32:49 +09:00]] version)
<https://wiki.mozilla.org/Security/Server_Side_TLS#OCSP_Stapling>
[3] [CITE@en[CA:RevocationPlan - MozillaWiki]]
([TIME[2016-05-09 14:49:37 +09:00]])
<https://wiki.mozilla.org/CA:RevocationPlan>
[4] [CITE@en-US[OCSP Stapling in Firefox | Mozilla Security Blog]]
([TIME[2016-05-09 20:06:13 +09:00]])
<https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/>
[5] [CITE@en-US[Improving Revocation: OCSP Must-Staple and Short-lived Certificates | Mozilla Security Blog]]
([TIME[2016-05-09 20:09:44 +09:00]])
<https://blog.mozilla.org/security/2015/11/23/improving-revocation-ocsp-must-staple-and-short-lived-certificates/>
[6] [CITE@en[ImperialViolet - No, don't enable revocation checking]]
(by [[Adam Langley]], [TIME[2016-05-09 20:59:09 +09:00]])
<https://www.imperialviolet.org/2014/04/19/revchecking.html>
[7] [CITE@en[draft-hallambaker-muststaple-00 - X.509v3 Extension: OCSP Stapling Required]]
([TIME[2016-03-27 22:08:53 +09:00]])
<https://tools.ietf.org/html/draft-hallambaker-muststaple-00>
[8] [CITE@en[RFC 7633 - X.509v3 Transport Layer Security (TLS) Feature Extension]]
([TIME[2016-03-31 08:08:39 +09:00]])
<https://tools.ietf.org/html/rfc7633>
[9] [CITE[RFC Errata Report » RFC Editor]]
([TIME[2016-05-09 21:20:19 +09:00]])
<https://www.rfc-editor.org/errata_search.php?rfc=7633>
[10] [CITE[OCSP Must-Staple と OCSP Multi-Stapling、及び OneCRL|サイバートラスト]]
([TIME[2016-05-09 21:25:07 +09:00]])
<https://www.cybertrust.ne.jp/journal/ocsp-must-staple-ocsp-multi-stapling-onecrl.html>
[11] [CITE@en[Improving revocation : will Let's Encrypt support OCSP Must-staple? - Feature Requests - Let's Encrypt Community Support]]
([TIME[2016-05-09 21:31:05 +09:00]])
<https://community.letsencrypt.org/t/improving-revocation-will-lets-encrypt-support-ocsp-must-staple/4334/19>
[12] [CITE@en[Issue 572734 - chromium - Support for OCSP Must-staple - Monorail]]
([TIME[2016-05-09 21:33:11 +09:00]])
<https://bugs.chromium.org/p/chromium/issues/detail?id=572734>
[13] [CITE@en[901698 – implement OCSP-must-staple (off by default)]]
([TIME[2016-05-09 21:33:58 +09:00]])
<https://bugzilla.mozilla.org/show_bug.cgi?id=901698>
[14] [CITE['''['''websec''']''' Requiring OCSP Stapling as a directive in HSTS]]
([TIME[2015-04-27 20:20:37 +09:00]])
<https://www.ietf.org/mail-archive/web/websec/current/msg02297.html>
[15] [CITE@en[921907 – Enable OCSP must-staple feature]]
([TIME[2016-05-09 21:46:19 +09:00]])
<https://bugzilla.mozilla.org/show_bug.cgi?id=921907>
[16] [CITE[JEP 249: OCSP Stapling for TLS]]
([TIME[2016-05-09 22:20:19 +09:00]])
<http://openjdk.java.net/jeps/249>
[17] [CITE@en[Bug 50740 – Enable OCSP Stapling by default]]
([TIME[2016-05-09 22:24:33 +09:00]])
<https://bz.apache.org/bugzilla/show_bug.cgi?id=50740>
[18] [CITE@en[360420 – Implement OCSP Stapling in libSSL]]
([TIME[2016-05-09 22:25:14 +09:00]])
<https://bugzilla.mozilla.org/show_bug.cgi?id=360420>
[19] [CITE@en[gecko-dev/NSSCertDBTrustDomain.cpp at master · mozilla/gecko-dev]]
([TIME[2016-05-10 22:46:40 +09:00]])
<https://github.com/mozilla/gecko-dev/blob/master/security/certverifier/NSSCertDBTrustDomain.cpp>
[24] [CITE@en[OpenSSL]]
(by [[OpenSSL Foundation, Inc.]], [TIME[2016-05-28 15:30:23 +09:00]])
<https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_tlsext_status_cb.html>
[25] [CITE@en[OpenSSL]]
(by [[OpenSSL Foundation, Inc.]], [TIME[2016-05-28 15:41:29 +09:00]])
<https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_tlsext_status_cb.html>
[26] [CITE@en[nginx/ngx_event_openssl_stapling.c at master · nginx/nginx]]
([TIME[2016-05-29 00:30:40 +09:00]])
<https://github.com/nginx/nginx/blob/master/src/event/ngx_event_openssl_stapling.c>