Review Request of JDK Enhancement Proposal: OCSP stapling
Florian Weimer
fweimer at redhat.com
Fri May 9 08:54:04 UTC 2014
On 05/06/2014 04:05 PM, Xuelei Fan wrote:
> On 5/6/2014 9:36 PM, Florian Weimer wrote:
>> On 04/02/2014 01:19 AM, Xuelei Fan wrote:
>>> Here is the updated version:
>>> http://cr.openjdk.java.net/~xuelei/8034248/jep-csre-v01.txt
>>>
>>> Updated the description section and a few words so that it is easier to
>>> understand.
>>
>> I think the server side would benefit from an API which allows code to
>> directly supply the OCSP response to be stapled, perhaps as part of the
>> extended trust manager.
>>
> Typically, an OCSP response is time-variant. Ideally, the response should
> be retrieved and updated internally, in time and automatically. For the
> first stage, I only want to implement the essential feature, and keep
> the footprint as small as possible.
I think we need a non-blocking way to inject the OCSP response into
SSLEngine.
And from a deployment perspective, we really need to provide something
that avoids making the OCSP request directly (or through an HTTP proxy).
Access to external resources is often quite restricted, and due to the
way OCSP has been specified, it is rather difficult to proxy it without
providing a generic web proxy service.
--
Florian Weimer / Red Hat Product Security Team
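The design the two messages above circle around (a stapled response that is time-variant and has to be refreshed, a handshake path that must never block on that refresh, and a fetch that deployments with restricted egress cannot always do directly) can be sketched as a small staple cache. The following is an added example, not code from the JEP, the JDK or either author; it is stdlib Python rather than Java because the JDK API under review did not exist at the time and the point is the shape of the component, not a real SSLEngine hook. `StapleCache`, `build_response`, `parse_validity` and the tiny DER encoder are all constructed for this example, the sample OCSPResponse carries dummy hashes and a zero signature (the real one would be verified before use), and the "half the validity window" refresh rule is an assumed policy:

```python
"""Staple cache for a TLS server: the OCSP response is obtained off the handshake path
and the handshake reads it without blocking.  Example code, stdlib only; the DER encoder
and the sample response are constructed here and are not a real responder's output."""
import threading
from datetime import datetime, timezone, timedelta

SEQ, INT, BITSTR, OCTET, NULL, OID, ENUM, GENTIME = 0x30, 0x02, 0x03, 0x04, 0x05, 0x06, 0x0A, 0x18
FMT = "%Y%m%d%H%M%SZ"  # GeneralizedTime as OCSP writes it

def der(tag, content):  # one DER TLV, short or long definite length
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def children(content):  # every TLV inside a constructed value, as (tag, value)
    out, off = [], 0
    while off < len(content):
        tag, ln, off = content[off], content[off + 1], off + 2
        if ln & 0x80:
            n = ln & 0x7F
            ln, off = int.from_bytes(content[off:off + n], "big"), off + n
        out.append((tag, content[off:off + ln]))
        off += ln
    return out

def value(tlv): return children(tlv)[0][1]  # content of a single TLV
def gentime(dt): return der(GENTIME, dt.strftime(FMT).encode())

def build_response(this_update, next_update):
    """OCSPResponse laid out per RFC 6960: status good, dummy hashes, zero signature."""
    cert_id = der(SEQ, der(SEQ, der(OID, b"\x2b\x0e\x03\x02\x1a") + der(NULL, b""))
                   + der(OCTET, b"\x00" * 20) + der(OCTET, b"\x00" * 20) + der(INT, b"\x01"))
    single = der(SEQ, cert_id + der(0x80, b"") + gentime(this_update)   # good = [0] IMPLICIT NULL
                  + der(0xA0, gentime(next_update)))                     # nextUpdate [0] EXPLICIT
    tbs = der(SEQ, der(0xA2, der(OCTET, b"\x00" * 20)) + gentime(this_update) + der(SEQ, single))
    basic = der(SEQ, tbs + der(SEQ, der(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
                 + der(BITSTR, b"\x00" * 33))
    return der(SEQ, der(ENUM, b"\x00") + der(0xA0, der(SEQ,
               der(OID, b"\x2b\x06\x01\x05\x05\x07\x30\x01\x01") + der(OCTET, basic))))

def parse_validity(resp):
    """(good, thisUpdate, nextUpdate or None) of the first SingleResponse."""
    status, (_, response_bytes) = children(value(resp))
    if status != (ENUM, b"\x00"):
        raise ValueError("responseStatus not successful")
    basic = children(value(response_bytes))[1][1]
    tbs = children(value(basic))[0][1]
    responses = next(v for tag, v in children(tbs) if tag == SEQ)
    parts = children(children(responses)[0][1])
    nxt = next((v for tag, v in parts[3:] if tag == 0xA0), None)
    at = lambda raw: datetime.strptime(raw.decode(), FMT).replace(tzinfo=timezone.utc)
    return parts[1][0] == 0x80, at(parts[2][1]), (at(value(nxt)) if nxt else None)

class StapleCache:
    """staple() is safe on the handshake path: a short lock, never a network wait."""
    def __init__(self):
        self._lock = threading.Lock()
        self._resp = self._this = self._next = None
    def offer(self, resp, now):  # install unless expired or older than the one held
        _, this_u, next_u = parse_validity(resp)
        if next_u is not None and next_u <= now:
            return False
        with self._lock:
            if self._this is not None and this_u < self._this:
                return False
            self._resp, self._this, self._next = resp, this_u, next_u
            return True
    def staple(self, now):  # bytes for the status_request extension, or None
        with self._lock:
            if self._resp is None or (self._next is not None and now >= self._next):
                return None
            return self._resp
    def refresh(self, fetch, now):
        """Off the handshake path.  `fetch` is whatever the deployment permits (responder,
        internal mirror, file); refetch after half the window, keep the last good on failure."""
        with self._lock:
            due = self._next is None or now >= self._this + (self._next - self._this) / 2
        if not due:
            return False
        try:
            return self.offer(fetch(), now)
        except Exception:
            return False

def demo():  # constructed timeline; returns the observations the test checks
    t0, day = datetime(2014, 5, 9, 8, 0, tzinfo=timezone.utc), timedelta(days=1)
    cache, first = StapleCache(), build_response(t0, t0 + 7 * day)
    def blocked(): raise OSError("no egress to the responder")
    return {
        "roundtrip": parse_validity(first) == (True, t0, t0 + 7 * day),
        "installed": cache.offer(first, t0),
        "served": cache.staple(t0 + day) == first,
        "not_due": cache.refresh(lambda: build_response(t0 + day, t0 + 8 * day), t0 + day),
        "fetch_failed": cache.refresh(blocked, t0 + 4 * day),
        "still_served": cache.staple(t0 + 4 * day) == first,
        "stale_rejected": cache.offer(build_response(t0 - day, t0 + 6 * day), t0 + 4 * day),
        "refreshed": cache.refresh(lambda: build_response(t0 + 4 * day, t0 + 11 * day), t0 + 4 * day),
        "expired": cache.staple(t0 + 12 * day) is None,
    }
```

The split between `staple()` and `refresh()` is the point: the handshake only ever reads the cached bytes, so a slow or unreachable responder costs nothing on the connection path, and because `refresh()` takes any callable, an operator who cannot open egress to the responder (and cannot sensibly proxy per-certificate OCSP URLs without a generic web proxy) can have it read a file or an internal mirror instead. The `thisUpdate` comparison in `offer()` keeps a replayed older response from displacing a newer one; in a real deployment the response's signature would be verified against the issuer before it is accepted at all.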