[issue17123] Add OCSP support to ssl module

Daniel Kahn Gillmor report at bugs.python.org
Wed Oct 16 21:46:40 EDT 2019


Daniel Kahn Gillmor <dkg at fifthhorseman.net> added the comment:

On Thu 2019-10-10 01:38:42 +0000, Benjamin Peterson wrote:

> Considering OCSP has fallen out of favor relative to CT in recent
> years, maybe we should simply reject this feature request.

CT provides the possibility of a website operator to *detect* CA
malfeasance.

OCSP provides a live "proof of freshness" of the certificate at a
cadence significantly shorter than the lifetime of most certificates
(even the 90-day certificates offered by ACME-driven CAs like Let's
Encrypt).

These are orthogonal and mutually reinforcing mechanisms, not competing
mechanisms.

      --dkg

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue17123>
_______________________________________

