[CentOS] https and self signed
Walter H.
Walter.H at mathemainzel.info
Fri Jun 17 20:55:32 UTC 2016
On 17.06.2016 22:39, Александр Кириллов wrote:
>> yes and no, but faking a valid OCSP response that says good instead of
>> revoked is also possible ...
>
> Could you please provide any proof for that statement? If it were true
> the whole PKI infrastructure should probably be thrown out of the
> window. )

question back: is the SHA2 discussion a real security impact or just
paranoia?

so provide a proof of the following statement:

"using OCSP Stapling is as secure as not using OCSP Stapling"

just think of the "parallel universe" called real life ...

do you believe a car dealer that a used car is ok, or do you want a
proof by third party?
(here the car dealer is the server and 3rd party is the OCSP server or
CRL provided by the CA)

for me I refuse it or in other words, when there is no OCSP response and
I don't get a CRL from the CA
the SSL-host is blocked;