We enable OCSP in hard-fail mode: if the revocation status of a certificate cannot be verified because the CA's responder cannot be reached, the certificate is treated as broken and rejected.
The fact that not every application that uses TLS certificates does this blows my mind. Certificate revocation should be a valid tool to deal with the compromise of cryptographic credentials, but if applications don’t check, then they’re opening themselves (and their users) up to a security vulnerability.
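To make the hard-fail versus soft-fail distinction concrete, here is an added example (not code from the original post or from any particular TLS library) that models the revocation decision a client has to make once it has an OCSP answer, or fails to get one. The responder, serial numbers, reference time and status table are all constructed stand-ins so the script runs offline; `verify_revocation` is a hypothetical helper name, not an API from any real library.

```python
"""Hard-fail vs soft-fail OCSP revocation decision (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Dict


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"  # responder is not authoritative for this certificate


class OcspUnavailable(Exception):
    """Responder unreachable, malformed reply, or a 'tryLater'/'internalError' status."""


@dataclass(frozen=True)
class OcspAnswer:
    status: CertStatus
    this_update: datetime
    next_update: datetime


@dataclass(frozen=True)
class Decision:
    accept: bool
    reason: str


def verify_revocation(serial: int, query: Callable[[int], OcspAnswer],
                      now: datetime, hard_fail: bool = True) -> Decision:
    """Decide whether a certificate may be used, given an OCSP lookup function.

    hard_fail=True (the policy in the text): any failure to obtain a fresh,
    definitive status rejects the certificate.
    hard_fail=False: only a definitive REVOKED answer rejects; everything else
    is accepted, which is what many TLS clients do by default.
    """
    try:
        answer = query(serial)
    except OcspUnavailable as exc:
        if hard_fail:
            return Decision(False, f"hard-fail: status unverifiable ({exc})")
        return Decision(True, f"soft-fail: accepted without revocation check ({exc})")

    # A response outside its validity window is as good as no response:
    # a cached or replayed 'good' from before the revocation must not count.
    if not (answer.this_update <= now <= answer.next_update):
        if hard_fail:
            return Decision(False, "hard-fail: OCSP response stale or not yet valid")
        return Decision(True, "soft-fail: ignoring stale OCSP response")

    if answer.status is CertStatus.REVOKED:
        return Decision(False, "revoked")
    if answer.status is CertStatus.GOOD:
        return Decision(True, "good")
    # UNKNOWN: the responder could not vouch for the certificate at all.
    if hard_fail:
        return Decision(False, "hard-fail: responder does not know this certificate")
    return Decision(True, "soft-fail: responder does not know this certificate")


# ---- constructed stand-in for a CA's OCSP responder (no network involved) ----
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time


def make_responder(table: Dict[int, CertStatus], reachable: bool,
                   issued: datetime = NOW, lifetime: timedelta = timedelta(hours=1)):
    """Return a query function that behaves like a responder with the given state."""
    def query(serial: int) -> OcspAnswer:
        if not reachable:
            raise OcspUnavailable("connection to responder timed out")
        status = table.get(serial, CertStatus.UNKNOWN)
        return OcspAnswer(status, issued, issued + lifetime)
    return query


# Constructed serial numbers; not tied to any real certificate.
GOOD_SERIAL, REVOKED_SERIAL, FOREIGN_SERIAL = 0x1001, 0x1002, 0x1003
CA_TABLE = {GOOD_SERIAL: CertStatus.GOOD, REVOKED_SERIAL: CertStatus.REVOKED}


def demo() -> Dict[str, Decision]:
    """Run the same certificates through both policies and the main failure modes."""
    online = make_responder(CA_TABLE, reachable=True)
    offline = make_responder(CA_TABLE, reachable=False)
    stale = make_responder(CA_TABLE, reachable=True, issued=NOW - timedelta(days=2))
    return {
        "good/hard": verify_revocation(GOOD_SERIAL, online, NOW, hard_fail=True),
        "revoked/hard": verify_revocation(REVOKED_SERIAL, online, NOW, hard_fail=True),
        "revoked/soft": verify_revocation(REVOKED_SERIAL, online, NOW, hard_fail=False),
        "offline/hard": verify_revocation(GOOD_SERIAL, offline, NOW, hard_fail=True),
        "offline/soft": verify_revocation(GOOD_SERIAL, offline, NOW, hard_fail=False),
        "stale/hard": verify_revocation(GOOD_SERIAL, stale, NOW, hard_fail=True),
        "unknown/hard": verify_revocation(FOREIGN_SERIAL, online, NOW, hard_fail=True),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:14s} accept={d.accept!s:5s} {d.reason}")
```

The "offline" rows are the whole point of the post: with the responder unreachable, the soft-fail policy accepts a certificate whose status it never learned, while hard-fail rejects it. The stale-response check matters for the same reason, since a client that caches an old "good" answer past its `nextUpdate` is effectively soft-failing again.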