On 17.06.2016 22:39, Александр Кириллов wrote:
yes and no, but faking a valid OCSP response that says good instead of revoked is also possible ...
Could you please provide any proof for that statement? If it were true the whole PKI infrastructure should probably be thrown out of the window. )
question back: is the SHA2 discussion a real security impact or just paranoia?
so provide a proof of the following statement:
"using OCSP Stapling is as secure as not using OCSP Stapling"
just think of the "parallel universe" called real life ...
do you believe a car dealer that a used car is ok, or do you want a proof by third party? (here the car dealer is the server and 3rd party is the OCSP server or CRL provided by the CA)
for me I refuse it or in other words, when there is no OCSP response and I don't get a CRL from the CA the SSL-host is blocked;
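The point the thread circles around (whether a server can staple a "good" response for a certificate the CA has revoked) comes down to who signed the OCSP response. The following is an added example, not code from anyone in this thread: it uses the Python `cryptography` library to build a throwaway CA, a server certificate, a genuine REVOKED response signed by the CA, and a "forged" GOOD response signed by the server's own key, then runs both through a client-side staple check that only accepts responses signed by the issuer. Names (`Demo CA`, `server.example`) and the `check_staple` helper are constructed for the demo; a real client would additionally accept a delegated responder certificate carrying the OCSP-signing EKU and check `thisUpdate`/`nextUpdate`, which is left out here.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)


def make_cert(cn, issuer_name, subject_key, signing_key, is_ca):
    """Build a minimal X.509 certificate (constructed for the demo)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_name if issuer_name is not None else subject)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - datetime.timedelta(days=1))
        .not_valid_after(NOW + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(signing_key, hashes.SHA256())


def build_response(leaf, issuer, responder_cert, responder_key, status):
    """Produce a DER OCSP response for `leaf`, signed with `responder_key`."""
    revoked = status == ocsp.OCSPCertStatus.REVOKED
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=leaf,
        issuer=issuer,
        algorithm=hashes.SHA1(),          # CertID hash algorithm, as in RFC 6960
        cert_status=status,
        this_update=NOW,
        next_update=NOW + datetime.timedelta(days=1),
        revocation_time=NOW - datetime.timedelta(hours=1) if revoked else None,
        revocation_reason=x509.ReasonFlags.key_compromise if revoked else None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, responder_cert)
    return builder.sign(responder_key, hashes.SHA256()).public_bytes(
        serialization.Encoding.DER
    )


def check_staple(der, leaf, issuer):
    """Client-side check of a stapled response. Returns a status string.

    'untrusted' means the staple must be ignored and the client should fall
    back to its hard-fail policy (fetch a CRL/OCSP itself or block the host).
    """
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "untrusted"
    if resp.serial_number != leaf.serial_number:
        return "untrusted"            # response is about some other certificate
    try:
        # Only the issuer CA's key may vouch for the status. A server that
        # signs its own "good" response fails here, whatever it claims.
        issuer.public_key().verify(
            resp.signature,
            resp.tbs_response_bytes,
            padding.PKCS1v15(),
            resp.signature_hash_algorithm,
        )
    except InvalidSignature:
        return "untrusted"
    return {
        ocsp.OCSPCertStatus.GOOD: "good",
        ocsp.OCSPCertStatus.REVOKED: "revoked",
    }.get(resp.certificate_status, "unknown")


def demo():
    """Genuine CA-signed REVOKED staple vs. server-forged GOOD staple."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cert = make_cert("Demo CA", None, ca_key, ca_key, is_ca=True)
    srv_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    srv_cert = make_cert("server.example", ca_cert.subject, srv_key, ca_key, is_ca=False)

    genuine = build_response(srv_cert, ca_cert, ca_cert, ca_key, ocsp.OCSPCertStatus.REVOKED)
    forged = build_response(srv_cert, ca_cert, srv_cert, srv_key, ocsp.OCSPCertStatus.GOOD)
    return {
        "genuine": check_staple(genuine, srv_cert, ca_cert),
        "forged": check_staple(forged, srv_cert, ca_cert),
    }


if __name__ == "__main__":
    print(demo())  # {'genuine': 'revoked', 'forged': 'untrusted'}
```

The forged response is a perfectly well-formed OCSP response; what makes it worthless is that its signature does not verify under the issuer's public key, so a client that insists on that signature (and hard-fails on "untrusted" rather than silently treating it as "good") is no worse off with stapling than without it.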