This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in Python's Developer Guide.

classification
Title: SSL needs client OCSP stapling
Type: enhancement
Stage:
Components: SSL
Versions:

process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To: christian.heimes
Nosy List: christian.heimes, pprindeville
Priority: normal
Keywords:

Created on 2021-07-30 17:53 by pprindeville, last changed 2022-04-11 14:59 by admin.

Messages (1)
msg398592 - Author: Philip Prindeville (pprindeville) Date: 2021-07-30 17:53
When TLS client certificates are used for authentication, servers need to ensure that the certificate is current and hasn't been revoked.  In zero-trust and other architectures with heavy use of micro-services, server-side validation of the client certs repeatedly can be a significant burden.

Forcing the client to present a signed, stapled OCSP response to the handshake eliminates this repetitive extra step.

History
Date                 User          Action  Args
2022-04-11 14:59:48  admin         set     github: 88946
2021-07-30 17:53:19  pprindeville  create