[Letsencrypt-devel] Please update jessie-backports to certbot 0.10.1
Thomas Mayer
thomas.mayer at 2bis10.de
Sat Jan 21 14:31:02 UTC 2017
Dear maintainer,

I filed an issue to preserve setting --must-staple for the renewal
operation at
https://github.com/certbot/certbot/issues/3844

Without the bugfix applied, certbot's renewal operation silently falls
back to creating certificates without that option set.

I provided an initial patchset which received further improvements from
the community and finally made it into version 0.10.

To be able to use the renewal operation together with --must-staple, I
kindly ask to update jessie-backports to a recent version of certbot
(0.10.0 at least).

Relevance:
- The information "OCSP Must Staple" is contained in the certificate
itself and, given browser support, forces clients to perform a test for
revocation and not trust an entity if the revocation check fails.
Scalability issues can be more or less solved by letting web servers
cache and serve revocation information (via OCSP Stapling).
- I don't want to open up the discussion here, but I think that "OCSP
Must Staple" should become a default one day in the future (in the sense
of "secure by default").

Best regards
Thomas Mayer
--
https://www.2bis10.de
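
Added example, not part of the original message and not certbot code: because the renewal described above drops the option silently, a post-renewal check can confirm that the issued certificate still carries the Must-Staple marker (the TLS Feature extension of RFC 7633 listing status_request). The function names and the sample bytes below are constructed for illustration; the walker accepts any DER data, including a full certificate.

```python
import base64, sys

# OID 1.3.6.1.5.5.7.1.24 (id-pe-tlsfeature, RFC 7633) as DER content bytes
TLS_FEATURE_OID = bytes.fromhex("2b06010505070118")
STATUS_REQUEST = 5  # TLS extension number of status_request (OCSP stapling)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def has_must_staple(der):
    """True if the DER data holds a TLS Feature extension listing status_request."""
    for tag, val in children(der):
        if not tag & 0x20:  # primitive element: nothing to descend into
            continue
        kids = list(children(val))
        if tag == 0x30 and kids and kids[0] == (0x06, TLS_FEATURE_OID):
            # extnValue (last child) is an OCTET STRING wrapping SEQUENCE OF INTEGER
            _, features, _ = read_tlv(kids[-1][1], 0)
            return any(t == 0x02 and int.from_bytes(v, "big") == STATUS_REQUEST
                       for t, v in children(features))
        if has_must_staple(val):
            return True
    return False

def pem_to_der(pem_text):
    lines = [l.strip() for l in pem_text.splitlines()]
    return base64.b64decode("".join(l for l in lines if l and not l.startswith("-----")))

# Constructed sample extensions (hand-built DER, not taken from a real certificate)
KEY_USAGE = bytes.fromhex("300b0603551d0f0404030205a0")
MUST_STAPLE = bytes.fromhex("301106082b0601050507011804053003020105")

def wrap_extensions(*exts):
    """Wrap short extensions as [3] EXPLICIT SEQUENCE OF, as in a tbsCertificate."""
    seq = bytes([0x30, sum(map(len, exts))]) + b"".join(exts)
    return bytes([0xA3, len(seq)]) + seq

if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1]) as fh:  # path to a PEM certificate
        print("must-staple present:", has_must_staple(pem_to_der(fh.read())))
```

Run it with the path of the renewed PEM certificate as the only argument; a result of False after a renewal that was meant to keep --must-staple indicates the fallback described in the message.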