
  #4  
Old 07-14-2016, 10:55 PM
VinaHost Support
Junior Member
 
Join Date: Jul 2016
Posts: 1

Here is a summary of OCSP Must-Staple:

+ OCSP Must-Staple (assertion in certificate): the flag is implemented as a specific object identifier (OID) extension in the SSL certificate.
-> Pros: no "first visit" problem; all connections to the web server carry the Must-Staple flag.
-> Cons: the web server needs a certificate issued with the OCSP Must-Staple flag.

+ OCSP Must-Staple (assertion in HTTP response): the flag is implemented as an HTTP response header.
-> Pros: works with the existing SSL certificate.
-> Cons: "first visit" problem.

OCSP Must-Staple removes most of the issues with traditional revocation checking and allows browsers to implement a hard-fail policy. Although some cons are listed above, these are basically items that will be resolved as deployed browsers and web servers support OCSP Stapling and Must-Staple.

Currently, all of the new desktop browsers support OCSP stapling. Regarding web servers, Microsoft IIS supports OCSP Stapling by default, and versions of Apache and Nginx can be configured to support OCSP Stapling. Other servers such as F5 will soon support OCSP Stapling as well.
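The certificate-side variant described in the post above, worked through as an added example (this is not code from the poster or from VinaHost). The "Must-Staple flag" is the TLS Feature extension of RFC 7633, OID 1.3.6.1.5.5.7.1.24, whose value is a SEQUENCE OF INTEGER listing TLS extension numbers; listing status_request (5) asserts that every handshake must carry a stapled OCSP response. The program mints a throwaway self-signed certificate with and without that extension, runs an in-process TLS handshake with the Go standard library over net.Pipe, and applies the hard-fail policy the post says browsers can adopt: a Must-Staple certificate served without a staple is rejected, everything else is left to ordinary revocation checking. Assumptions: the stapled bytes are a constructed placeholder (Go's tls package forwards the staple without validating it, and the client side here checks only presence, not the OCSP response itself), and the helper names `HasMustStaple`, `HardFailPolicy`, `selfSigned` and `Handshake` are this example's own. The HTTP-header variant from the post is not covered here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// oidTLSFeature is id-pe-tlsfeature (RFC 7633), the extension the post calls
// the "OCSP Must-Staple flag".
var oidTLSFeature = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}

// statusRequest is the TLS extension number for status_request (RFC 6066);
// listing it inside TLSFeature is what makes a certificate Must-Staple.
const statusRequest = 5

// ErrMustStapleMissing is the hard-fail outcome: the certificate demands a
// stapled OCSP response and the server did not send one.
var ErrMustStapleMissing = errors.New("must-staple certificate served without a stapled OCSP response")

// HasMustStaple reports whether cert carries a TLSFeature extension that lists
// status_request. A malformed extension is not treated as an assertion.
func HasMustStaple(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidTLSFeature) {
			continue
		}
		var features []int // TLSFeature ::= SEQUENCE OF INTEGER
		rest, err := asn1.Unmarshal(ext.Value, &features)
		if err != nil || len(rest) != 0 {
			return false
		}
		for _, f := range features {
			if f == statusRequest {
				return true
			}
		}
	}
	return false
}

// HardFailPolicy is the client-side decision a hard-failing browser would take
// from the finished handshake. Certificates without the flag fall back to
// ordinary revocation checking, which is out of scope here.
func HardFailPolicy(cs tls.ConnectionState) error {
	if len(cs.PeerCertificates) == 0 {
		return errors.New("no peer certificate")
	}
	if HasMustStaple(cs.PeerCertificates[0]) && len(cs.OCSPResponse) == 0 {
		return ErrMustStapleMissing
	}
	return nil
}

// selfSigned mints a throwaway self-signed certificate for localhost, adding
// the TLSFeature extension when mustStaple is set (example helper, not a CA flow).
func selfSigned(mustStaple bool) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if mustStaple {
		val, err := asn1.Marshal([]int{statusRequest})
		if err != nil {
			return tls.Certificate{}, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidTLSFeature, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// Handshake runs an in-process TLS handshake over net.Pipe. staple is what the
// server attaches as its OCSP staple (a constructed placeholder here; nil means
// the server does not staple) and the result is the client's hard-fail verdict.
func Handshake(mustStaple bool, staple []byte) error {
	cert, err := selfSigned(mustStaple)
	if err != nil {
		return err
	}
	cert.OCSPStaple = staple
	roots := x509.NewCertPool()
	roots.AddCert(cert.Leaf) // trust the test certificate instead of disabling verification

	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()
	deadline := time.Now().Add(5 * time.Second) // turn any stall into an error, not a hang
	srvConn.SetDeadline(deadline)
	cliConn.SetDeadline(deadline)

	srv := tls.Server(srvConn, &tls.Config{
		Certificates:           []tls.Certificate{cert},
		SessionTicketsDisabled: true, // keep the server flight to what the client drains during Handshake
	})
	cli := tls.Client(cliConn, &tls.Config{RootCAs: roots, ServerName: "localhost"})

	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	if err := cli.Handshake(); err != nil {
		return err
	}
	if err := <-srvErr; err != nil {
		return err
	}
	return HardFailPolicy(cli.ConnectionState())
}

func main() {
	fmt.Println("must-staple cert, no staple:", Handshake(true, nil))
	fmt.Println("must-staple cert, stapled:  ", Handshake(true, []byte("constructed placeholder OCSP response")))
	fmt.Println("plain cert, no staple:      ", Handshake(false, nil))
}
```

Only the first scenario is rejected; the other two pass the policy. Against a real server the same check is `openssl s_client -status -connect host:443`, where a missing "OCSP Response Status: successful" block on a certificate that shows a "TLS Feature" extension in `openssl x509 -text` is exactly the condition `HardFailPolicy` refuses.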