On Wed, Aug 19, 2015 at 03:37:06PM +0000, Tim Ruehsen wrote:
> Regarding MITM and other attacks... did you notice that OCSP responder URLs
> are HTTP (plain text) with all the insecurity? I never saw a HTTPS URL, did
> you?
>

There is no need for HTTPS. The OCSP response is signed by the CA's OCSP responder. So the problem of OCSP response integrity reduces to verifying the OCSP response signature.

Of course, to verify the signature, one needs to verify the OCSP responder's certificate. But this is the same story as with CRLs.
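The point made in the reply above, as an added example that is not part of the original message: an OCSP response altered on a plain-HTTP path fails signature verification. It assumes the Python `cryptography` package, a constructed demo CA and leaf certificate, and a CA that signs the response itself and is already trusted; validating a delegated responder's certificate and checking response freshness are left out.

```python
from datetime import datetime, timedelta
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

T0 = datetime(2015, 8, 19)         # constructed fixed clock for the demo
LEAF_SERIAL = 0x1122334455667788   # constructed serial, easy to find in the DER

def make_cert(cn, issuer_cn, public_key, signing_key, serial):
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    return (x509.CertificateBuilder()
            .subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(public_key).serial_number(serial)
            .not_valid_before(T0).not_valid_after(T0 + timedelta(days=30))
            .sign(signing_key, hashes.SHA256()))

def build_demo():
    """Return (ca_cert, DER OCSP response) for a constructed CA and leaf."""
    ca_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
    ca = make_cert("Demo CA", "Demo CA", ca_key.public_key(), ca_key, 1)
    leaf = make_cert("demo.example", "Demo CA", leaf_key.public_key(), ca_key, LEAF_SERIAL)
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=leaf, issuer=ca, algorithm=hashes.SHA256(),
                          cert_status=ocsp.OCSPCertStatus.GOOD, this_update=T0,
                          next_update=T0 + timedelta(days=1),
                          revocation_time=None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca)
            .sign(ca_key, hashes.SHA256()))
    return ca, resp.public_bytes(serialization.Encoding.DER)

def signature_ok(der, responder_cert):
    """Verify the signature over tbsResponseData with the responder's public key."""
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False   # error responses carry no signed body to trust
    try:
        responder_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                           ec.ECDSA(resp.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def tamper_in_transit(der):
    """Model a change made on the HTTP path: alter the serial inside the CertID."""
    old = LEAF_SERIAL.to_bytes(8, "big")
    return der.replace(old, (LEAF_SERIAL + 1).to_bytes(8, "big"))
```

The altered response still parses as valid DER, so only the signature check over the signed body rejects it.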