> yes and no, but faking a valid OCSP response that says good instead of
> revoked is also possible ...
Could you please provide any proof for that statement? If it were true,
the whole PKI infrastructure should probably be thrown out of the
window. )
> the primary reason was to prevent problems for connection problems -
> or whatever problems - in connection with the OCSP
Sure. I've never said privacy concerns were the main reason.
Security concerns can probably be addressed by reducing the update
interval of issuer-signed OCSP responses. For my free WoSign
certificates it's 4 days, and my understanding is that the interval matches
the CRL update policy of the CA.
Per RFC 2560 (see nextUpdate below):

  2.4 Semantics of thisUpdate, nextUpdate and producedAt

  Responses can contain three times in them - thisUpdate, nextUpdate
  and producedAt. The semantics of these fields are:

  - thisUpdate: The time at which the status being indicated is known
    to be correct
  - nextUpdate: The time at or before which newer information will be
    available about the status of the certificate
  - producedAt: The time at which the OCSP responder signed this
    response.

  If nextUpdate is not set, the responder is indicating that newer
  revocation information is available all the time.
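The following is an added example, not part of the original thread, showing how a client applies the RFC 2560 section 2.4 semantics quoted above and how the issuer's update interval bounds the time a single signed "good" response stays acceptable. The skew tolerance, the max-age policy used when nextUpdate is absent, and the timestamps are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Tolerated clock skew between client and responder (assumed value).
DEFAULT_SKEW = timedelta(minutes=5)
# Maximum accepted age when nextUpdate is absent (assumed client policy).
DEFAULT_MAX_AGE = timedelta(hours=24)


def parse_time(text: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp such as '2016-01-10T12:00:00'."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def ocsp_freshness(this_update: datetime, next_update: Optional[datetime],
                   produced_at: datetime, now: datetime,
                   skew: timedelta = DEFAULT_SKEW,
                   max_age: timedelta = DEFAULT_MAX_AGE) -> str:
    """Classify a response by the RFC 2560 section 2.4 time fields.

    Returns 'fresh', 'bad-producedAt', 'not-yet-valid', 'expired' or 'too-old'.
    """
    if produced_at > now + skew:
        return "bad-producedAt"      # signed in the future: clock or integrity problem
    if this_update > now + skew:
        return "not-yet-valid"       # status not yet known to be correct
    if next_update is None:
        # No nextUpdate: newer data is promised "all the time", so the client
        # should not keep trusting an old response; apply its own max age.
        return "fresh" if now - this_update <= max_age else "too-old"
    if next_update < now - skew:
        return "expired"             # newer information should exist by now
    return "fresh"


def acceptance_window_seconds(this_update: datetime, next_update: Optional[datetime],
                              max_age: timedelta = DEFAULT_MAX_AGE) -> int:
    """Seconds during which a client accepts one signed response as fresh.

    A cached or replayed 'good' answer stays usable for exactly this long,
    so a shorter issuer update interval directly shortens the exposure.
    """
    window = max_age if next_update is None else next_update - this_update
    return int(window.total_seconds())


if __name__ == "__main__":
    t0 = parse_time("2016-01-10T12:00:00")   # constructed thisUpdate
    print("4-day interval:", acceptance_window_seconds(t0, t0 + timedelta(days=4)), "s")
    print("1-day interval:", acceptance_window_seconds(t0, t0 + timedelta(days=1)), "s")
    print(ocsp_freshness(t0, t0 + timedelta(days=4), t0, t0 + timedelta(days=5)))
```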