[CentOS] https and self signed

Fri Jun 17 20:55:32 UTC 2016
Walter H. <Walter.H at mathemainzel.info>

On 17.06.2016 22:39, Александр Кириллов wrote:
>> yes and no, but faking a valid OCSP response that says good instead of
>> revoked is also possible ...
> Could you please provide any proof for that statement? If it were true 
> the whole PKI infrastructure should probably be thrown out of the 
> window. ) 
question back: is the SHA2 discussion a real security impact or just 

so provide a proof of the following statement:

"using OCSP Stapling is as secure as not using OCSP Stapling"

just think of the "parallel universe" called real life ...

do you believe a car dealer that a used car is ok, or do you want a 
proof by third party?
(here the car dealer is the server and 3rd pardy is the OCSP server or 
CRL provided by the CA)

for me I refuse it or in other words, when there is no OCSP response and 
I don't get a CRL from the CA
  the SSL-host is blocked;