[PATCH] OCSP stapling: better handling of successful OCSP responses.

Piotr Sikora piotr at cloudflare.com
Fri May 17 23:32:12 UTC 2013


Hey Maxim,

> Presenting a certificate and a non-good certificate status to a
> user looks like "bees against honey" for me.  I would rather not.

While I agree that it looks kind of iffy, by not caching OCSP
responses with "revoked" or "unknown" certificate status, we're
losing all of the OCSP stapling advantages (offloading CA's OCSP
responders, improving user's privacy and perceived performance), while
not changing anything for the user - he'll still receive exactly the
same certificate status directly from CA's OCSP responder, just a few
hundred milliseconds later.

Best regards,
Piotr Sikora
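The trade-off argued above (caching a definitive "revoked"/"unknown" response versus only caching "good") can be made concrete with a small model of a stapling cache. The following is an added example, not nginx code and not from this thread: it simulates a server that staples whatever it has cached, a CA responder that counts how often it is queried, and clients that fall back to querying the responder themselves whenever no staple is presented. All names, the timeline and the validity window are constructed for the simulation, and the "re-fetch on every handshake when nothing is cached" behaviour is a deliberate simplification.

```python
"""Simulate an OCSP stapling cache under two policies for non-good statuses.

Constructed model (not nginx's implementation): time is an integer number
of seconds, one handshake happens every `interval` seconds, and a response
is valid from this_update (inclusive) to next_update (exclusive).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class OcspResponse:
    cert_status: str      # "good", "revoked" or "unknown"
    this_update: int      # start of validity window (seconds)
    next_update: int      # end of validity window (seconds)


class Responder:
    """Stand-in for the CA's OCSP responder; counts queries as the offload metric."""

    def __init__(self, status: str, validity: int = 3600) -> None:
        self.status = status
        self.validity = validity
        self.queries = 0

    def query(self, now: int) -> OcspResponse:
        self.queries += 1
        return OcspResponse(self.status, now, now + self.validity)


class StaplingServer:
    """TLS server with a single-slot OCSP response cache.

    staple_non_good=False: only "good" responses are cached and stapled
    (the behaviour the mail argues against); revoked/unknown is fetched but
    neither cached nor stapled, so the client has to ask the CA itself.
    staple_non_good=True: any response within its validity window is cached
    and stapled, regardless of status.
    """

    def __init__(self, responder: Responder, staple_non_good: bool) -> None:
        self.responder = responder
        self.staple_non_good = staple_non_good
        self.cached: OcspResponse | None = None

    def handshake(self, now: int) -> tuple[str, bool]:
        """Return (status the client ends up seeing, whether it was stapled)."""
        c = self.cached
        if c is not None and c.this_update <= now < c.next_update:
            return c.cert_status, True          # served from cache, no CA traffic
        resp = self.responder.query(now)        # server-side fetch
        if resp.cert_status == "good" or self.staple_non_good:
            self.cached = resp
            return resp.cert_status, True
        # Nothing stapled: the client performs its own OCSP lookup and
        # receives exactly the same status, just later and with one more
        # request hitting the CA.
        client_view = self.responder.query(now)
        return client_view.cert_status, False


def simulate(status: str, staple_non_good: bool,
             handshakes: int = 100, interval: int = 60,
             validity: int = 3600) -> dict:
    """Run `handshakes` handshakes and summarise CA load and client outcome."""
    responder = Responder(status, validity)
    server = StaplingServer(responder, staple_non_good)
    stapled = 0
    seen = set()
    for i in range(handshakes):
        client_status, was_stapled = server.handshake(i * interval)
        seen.add(client_status)
        stapled += was_stapled
    assert len(seen) == 1, "status seen by clients must not depend on policy"
    return {
        "responder_queries": responder.queries,
        "stapled_handshakes": stapled,
        "client_status": seen.pop(),
    }


if __name__ == "__main__":
    for st in ("good", "revoked", "unknown"):
        for policy in (False, True):
            print(f"status={st:8s} staple_non_good={policy!s:5s} ->",
                  simulate(st, policy))
```

With the defaults (100 handshakes a minute apart, one-hour validity) a revoked certificate costs the CA responder 2 queries when non-good responses are cached and 200 when they are not, while the status every client sees is "revoked" in both cases; for a "good" certificate the two policies behave identically.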



More information about the nginx-devel mailing list