There exists a TLS Security Policy a TLS certificate requestor can opt into*, to tell the client something like “if you don't see a recent OCSP attachment on this handshake, assume you're being MitM'd by an attacker who doesn't want you to see the CRLs.”
> A server offering an end-entity certificate with a TLS feature extension MUST satisfy a client request for the specified feature unless this would be redundant as described below. Clients MAY refuse to accept the connection if the server does not accept a request for a specified feature.
>
> …
>
> In the case that a client determines that the server configuration is inconsistent with a policy specifying support for the TLS status_request extension it SHOULD reject the TLS configuration.
I'm very curious whether my browser implements this “SHOULD”, but I haven't been able to find a test site for it: https://datatracker.ietf.org/doc/html/rfc7633

*Let's Encrypt has apparently supported this since mid-2016, with `--must-staple` on its Certbot client.