[CentOS] https and self signed

Александр Кириллов

nevis2us at infoline.su
Fri Jun 17 20:39:33 UTC 2016


> yes and no, but faking a valid OCSP response that says good instead of
> revoked is also possible ...

Could you please provide any proof for that statement? If it were true,
the whole PKI infrastructure should probably be thrown out of the
window. )

> the primary reason was to prevent problems for connection problems -
> or whatever problems - in connection with the OCSP

Sure. I've never said privacy concerns were the main reason.


Security concerns can probably be addressed by reducing the update
interval of issuer-signed OCSP responses. For my free WoSign
certificates it's 4 days, and my understanding is that the interval matches
the CRL update policy of the CA.

Per RFC2560 (see nextUpdate below):

2.4  Semantics of thisUpdate, nextUpdate and producedAt

    Responses can contain three times in them - thisUpdate, nextUpdate
    and producedAt. The semantics of these fields are:

    - thisUpdate: The time at which the status being indicated is known
                  to be correct
    - nextUpdate: The time at or before which newer information will be
                  available about the status of the certificate
    - producedAt: The time at which the OCSP responder signed this
                  response.

    If nextUpdate is not set, the responder is indicating that newer
    revocation information is available all the time.
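As an added illustration of the thisUpdate/nextUpdate/producedAt semantics quoted above (example code written for this page, not from the post, the RFC or any CA): a client-side freshness check that applies nextUpdate as RFC 2560 describes it and adds a local max_age policy, so that a shorter responder update interval directly shrinks how long any single signed answer remains acceptable. The timestamps are constructed.

```python
"""Freshness policy for the OCSP time fields: thisUpdate, nextUpdate,
producedAt. Added example; all timestamps below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class OcspTimes:
    this_update: datetime                    # status known correct at this time
    produced_at: datetime                    # responder signed at this time
    next_update: Optional[datetime] = None   # absent => newer info always available


def check_freshness(t: OcspTimes, now: datetime,
                    skew: timedelta = timedelta(minutes=5),
                    max_age: timedelta = timedelta(days=4)) -> Tuple[bool, str]:
    """Return (accept, reason). max_age is a local policy independent of
    what nextUpdate promises: it caps how long a once-valid response keeps
    being accepted, regardless of the window the responder chose."""
    if t.this_update > now + skew:
        return False, "thisUpdate is in the future"
    if t.produced_at > now + skew:
        return False, "producedAt is in the future"
    if t.next_update is not None and now > t.next_update + skew:
        return False, "nextUpdate has passed; newer information exists"
    if now - t.this_update > max_age:
        return False, "older than local max_age"
    if t.next_update is None:
        # RFC 2560 2.4: no nextUpdate means newer information is available
        # all the time, so only the local max_age bounds the response age.
        return True, "fresh (no nextUpdate; age bounded only by max_age)"
    return True, "fresh"


def validity_window(t: OcspTimes) -> Optional[timedelta]:
    """nextUpdate - thisUpdate: how long one signed answer stays usable."""
    return None if t.next_update is None else t.next_update - t.this_update


# Constructed sample values mirroring the 4-day interval mentioned in the post.
T0 = datetime(2016, 6, 17, 0, 0, tzinfo=timezone.utc)
SAMPLE = OcspTimes(this_update=T0, produced_at=T0 + timedelta(minutes=1),
                   next_update=T0 + timedelta(days=4))

if __name__ == "__main__":
    print("window:", validity_window(SAMPLE))
    for label, when in (("day 1", T0 + timedelta(days=1)),
                        ("day 5", T0 + timedelta(days=5))):
        print(label, check_freshness(SAMPLE, when))
```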



