[CentOS] https and self signed

Fri Jun 17 20:39:33 UTC 2016
Александр Кириллов <nevis2us at infoline.su>

> yes and no, but faking a valid OCSP response that says good instead of
> revoked is also possible ...

Could you please provide any proof for that statement? If it were true 
the whole PKI infrastructure should probably be thrown out of the 
window. )

> the primary reason was to prevent problems for connection problems -
> or whatever problems - in connection with the OCSP

Sure. I've never said privacy concerns were the main reason.

Security concerns can probably be addressed with reducing update 
interval of issuer-signed OCSP responses. For my free wosign 
certificates ii's 4 days and my understanding is that interval matches 
CRL update policy of the CA.

Per RFC2560 (see nextUpdate below):

2.4  Semantics of thisUpdate, nextUpdate and producedAt

    Responses can contain three times in them - thisUpdate, nextUpdate
    and producedAt. The semantics of these fields are:

    - thisUpdate: The time at which the status being indicated is known
                  to be correct
    - nextUpdate: The time at or before which newer information will be
                  available about the status of the certificate
    - producedAt: The time at which the OCSP responder signed this

    If nextUpdate is not set, the responder is indicating that newer
    revocation information is available all the time.