On Wed, Aug 19, 2015 at 03:37:06PM +0000, Tim Ruehsen wrote:
> Regarding MITM and other attacks... did you notice that OCSP responder URLs
> are HTTP (plain text) will all the insecurity ? I never saw a HTTPS URL, did
> you ?
> 
There is no need for HTTPS. The OCSP response is signed by the CA's OCSP
responder. So the problem of OCSP response integrity reduces to verifying the
OCSP response signature. Of course to verify the signature, one needs to
verify OCSP responder's certificate. But this is the same story as with CRLs.

-- Petr

Attachment: signature.asc
Description: PGP signature

Reply via email to