[CentOS] https and self signed
nevis2us at infoline.su
Fri Jun 17 20:39:33 UTC 2016
> yes and no, but faking a valid OCSP response that says good instead of
> revoked is also possible ...
Could you please provide any proof for that statement? If it were true
the whole PKI infrastructure should probably be thrown out of the
> the primary reason was to prevent problems for connection problems -
> or whatever problems - in connection with the OCSP
Sure. I've never said privacy concerns were the main reason.
Security concerns can probably be addressed with reducing update
interval of issuer-signed OCSP responses. For my free wosign
certificates it's 4 days and my understanding is that interval matches
CRL update policy of the CA.
Per RFC2560 (see nextUpdate below):
2.4 Semantics of thisUpdate, nextUpdate and producedAt
Responses can contain three times in them - thisUpdate, nextUpdate
and producedAt. The semantics of these fields are:
- thisUpdate: The time at which the status being indicated is known
to be correct
- nextUpdate: The time at or before which newer information will be
available about the status of the certificate
- producedAt: The time at which the OCSP responder signed this
If nextUpdate is not set, the responder is indicating that newer
revocation information is available all the time.
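The RFC 2560 timestamp semantics quoted above, turned into a client-side freshness check that also caps the thisUpdate..nextUpdate window (the replay window a stale "good" response would live in). This is an added example, not code from this thread or from any CA; the policy limits MAX_SKEW, MAX_AGE_WITHOUT_NEXT and MAX_WINDOW are assumed values chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Policy knobs: assumptions for this example, not values from the post or the RFC.
MAX_SKEW = timedelta(minutes=5)             # tolerated clock difference client vs. responder
MAX_AGE_WITHOUT_NEXT = timedelta(hours=24)  # how long to trust a response with no nextUpdate
MAX_WINDOW = timedelta(days=4)              # longest acceptable thisUpdate..nextUpdate window


@dataclass
class OcspTimes:
    """The three RFC 2560 section 2.4 timestamps; nextUpdate is OPTIONAL on the wire."""
    this_update: datetime
    produced_at: datetime
    next_update: Optional[datetime] = None


def parse_generalized_time(s: str) -> datetime:
    """Parse the GeneralizedTime form OCSP uses, e.g. '20160617203933Z' (UTC)."""
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def check_freshness(t: OcspTimes, now: datetime) -> Tuple[bool, str]:
    """Return (accepted, reason). Rejects future-dated, stale, or over-long responses."""
    if t.this_update > now + MAX_SKEW:
        return False, "thisUpdate is in the future"
    if t.produced_at > now + MAX_SKEW:
        return False, "producedAt is in the future"
    if t.next_update is None:
        # Responder says newer information is available all the time: do not cache for long.
        if now - t.this_update > MAX_AGE_WITHOUT_NEXT:
            return False, "no nextUpdate and response older than policy cap"
        return True, "fresh (no nextUpdate, within cap)"
    if t.next_update < t.this_update:
        return False, "nextUpdate precedes thisUpdate"
    if t.next_update - t.this_update > MAX_WINDOW:
        return False, "validity window longer than policy allows"
    if now > t.next_update + MAX_SKEW:
        return False, "response expired (past nextUpdate)"
    return True, "fresh"


if __name__ == "__main__":
    # Constructed sample: a response produced on the date of this post, valid for 4 days.
    sample = OcspTimes(this_update=parse_generalized_time("20160617000000Z"),
                       produced_at=parse_generalized_time("20160617203933Z"),
                       next_update=parse_generalized_time("20160621000000Z"))
    for when in ("20160618120000Z", "20160622000000Z"):
        print(when, check_freshness(sample, parse_generalized_time(when)))
```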