On 17.06.2016 22:39, Александр Кириллов wrote:
>> yes and no, but faking a valid OCSP response that says good instead of
>> revoked is also possible ...
>
> Could you please provide any proof for that statement? If it were true
> the whole PKI infrastructure should probably be thrown out of the
> window. )

question back: is the SHA2 discussion a real security impact or just paranoia?

so provide a proof of the following statement: "using OCSP Stapling is as secure as not using OCSP Stapling"

just think of the "parallel universe" called real life ... do you believe a car dealer that a used car is ok, or do you want a proof by a third party? (here the car dealer is the server and the 3rd party is the OCSP server or CRL provided by the CA)

for me I refuse it, or in other words, when there is no OCSP response and I don't get a CRL from the CA, the SSL host is blocked;