To: gentoo-dev@lists.gentoo.org
From: Duncan <1i5t5.duncan@cox.net>
Subject: [gentoo-dev] OCSP Was: friendly reminder wrt net virtual in init scripts
Date: Wed, 6 Nov 2013 21:40:10 +0000 (UTC)
References: <20131105033007.GA23263@linux1> <20131105144915.GM22282@server> <52791F2E.2020704@orlitzky.com> <527A9478.10208@whissi.de> <20131106201334.GD22282@server>

mingdao posted on Wed, 06 Nov 2013 14:13:34 -0600 as excerpted:

> Thanks for the detailed explanation, Thomas.
>
> Now, if any one of us turned off OCSP as Michael suggested, what should
> one do after turning it back on? Could there now be certificates trusted
> there which should not be?

AFAIK, no... except possibly for any ongoing connections and any possible overrides you did during the "off" time. New connections will automatically be checked again.

Meanwhile, another question for Thomas. Is this "certificate stapling" the same thing google chrome is now doing for the google site, that enabled it to detect the (I think it was) Iranian and/or Chinese CA tampering, allowing them to say a "google" cert was valid that was actually their MitM cert, as appeared in the tech-news a few months ago? Or was that something different?
I had interpreted (well, I think I read, but either the journalist could have been mixed up too, or maybe I was misinterpreting what I read; either way the effect on my understanding is the same) the "certificate stapling" referred to at the time as indicating that google configured the certs for their own sites into chrome as shipped itself, effectively hard-coding them, NOT as google handling its own OCSP requests, as OCSP cert stapling does.

So now I'm wondering if I interpreted wrong then, or if there are actually two different things being referred to as certificate stapling here.

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master -- and if you use the program, he is your master." Richard Stallman