yes and no, but faking a valid OCSP response that says good instead of revoked is also possible ...
Could you please provide any proof for that statement? If it were true the whole PKI infrastructure should probably be thrown out of the window. )
the primary reason was to prevent problems for connection problems - or whatever problems - in connection with the OCSP
Sure. I've never said privacy concerns were the main reason.
Security concerns can probably be addressed by reducing the update interval of issuer-signed OCSP responses. For my free WoSign certificates it's 4 days, and my understanding is that the interval matches the CRL update policy of the CA.
Per RFC2560 (see nextUpdate below):
2.4 Semantics of thisUpdate, nextUpdate and producedAt
Responses can contain three times in them - thisUpdate, nextUpdate and producedAt. The semantics of these fields are:
- thisUpdate: The time at which the status being indicated is known to be correct
- nextUpdate: The time at or before which newer information will be available about the status of the certificate
- producedAt: The time at which the OCSP responder signed this response.
If nextUpdate is not set, the responder is indicating that newer revocation information is available all the time.
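An added example, not part of the original post: a client-side freshness check on the thisUpdate/nextUpdate fields quoted above, plus the time a signed "good" response stays acceptable after a revocation. The function names, the 5-minute clock-skew allowance, the 7-day cap for responses without nextUpdate, and the sample dates are assumptions; the response signature is assumed to be verified already.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

SKEW = timedelta(minutes=5)      # assumed tolerance for clock drift
MAX_AGE = timedelta(days=7)      # assumed local policy when nextUpdate is absent


def check_freshness(this_update: datetime, next_update: Optional[datetime],
                    now: datetime) -> Tuple[bool, str]:
    """Decide whether a signature-verified OCSP response is still usable."""
    if this_update > now + SKEW:
        return False, "thisUpdate is in the future"
    if next_update is None:
        # Responder claims newer data is always available: cap the age locally.
        if now - this_update > MAX_AGE:
            return False, "no nextUpdate and older than local cap"
        return True, "fresh (no nextUpdate)"
    if next_update < this_update:
        return False, "nextUpdate precedes thisUpdate"
    if now > next_update + SKEW:
        return False, "nextUpdate has passed"
    return True, "fresh"


def replay_window(this_update: datetime, next_update: datetime,
                  revoked_at: datetime) -> timedelta:
    """Time a 'good' response stays acceptable after the certificate is revoked."""
    if revoked_at < this_update:
        return timedelta(0)      # responder already knew about the revocation
    return max(next_update - revoked_at, timedelta(0))


# Constructed sample: a response with the 4-day interval mentioned in the post.
THIS_UPDATE = datetime(2015, 3, 1, tzinfo=timezone.utc)
NEXT_UPDATE = THIS_UPDATE + timedelta(days=4)
REVOKED_AT = THIS_UPDATE + timedelta(days=1)

if __name__ == "__main__":
    for offset in (timedelta(days=3), timedelta(days=4, minutes=10)):
        print(offset, check_freshness(THIS_UPDATE, NEXT_UPDATE, THIS_UPDATE + offset))
    print("window after revocation:", replay_window(THIS_UPDATE, NEXT_UPDATE, REVOKED_AT))
```

A shorter nextUpdate interval shrinks the value returned by `replay_window`, which is the trade-off the post describes.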